From 82bee3e9c2bd87789e316a975c8bd028334c818e Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 19 May 2025 14:56:21 -0400
Subject: [PATCH] [Rule Tuning] Microsoft Graph First Occurrence of Client Request (#4728)

* tuning 'Microsoft Graph First Occurrence of Client Request'

* updated update date
---
 ...l_access_graph_first_occurrence_of_client_request.toml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
index 135c45efb..43f8661be 100644
--- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
+++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/04/30"
+updated_date = "2025/05/19"
 
 [rule]
 author = ["Elastic"]
@@ -94,6 +94,9 @@ query = '''
 event.dataset: "azure.graphactivitylogs" and
 event.type: "access" and
 azure.graphactivitylogs.properties.c_idtyp: "user"
+    and azure.graphactivitylogs.properties.client_auth_method: 0
+    and http.response.status_code: 200
+    and url.domain: "graph.microsoft.com"
 '''
 
 
@@ -119,8 +122,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 field = "new_terms_fields"
 value = [
     "azure.graphactivitylogs.properties.app_id",
-    "azure.graphactivitylogs.properties.user_principal_object_id",
-    "azure.tenant_id",
+    "azure.graphactivitylogs.properties.user_principal_object_id"
 ]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
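Review bot: Pinning `http.response.status_code: 200` in the added query clause drops the other success codes Graph returns, so a new client/user pair whose first successful call is a write (Graph answers POST creates with 201 and PATCH/DELETE with 204) would not be baselined until a later GET, which is the opposite of what a first-occurrence rule wants. A range keeps the "successful call" intent without that gap: `and http.response.status_code >= 200 and http.response.status_code < 300`. The `client_auth_method: 0` term also narrows the rule to the public-client authentication method as the Graph activity log schema defines that value, which by design leaves out confidential clients authenticating with a secret or certificate; that scoping is defensible for a user-delegated first-use rule but deserves a sentence in the rule's description or a `# comment` above `query` so later tuners do not expect it to cover app-credential misuse. The `query` assignment opens before this hunk, so the full query text is not visible here.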
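Review bot: The surviving last element `"azure.graphactivitylogs.properties.user_principal_object_id"` loses the trailing comma that every entry of `value` carried on the old side, so the array's formatting is now inconsistent with its previous style and the next edit to this list will again touch two lines instead of one. Keep it as `"azure.graphactivitylogs.properties.user_principal_object_id",`. Dropping `azure.tenant_id` from the new-terms key set is presumably meant to avoid splitting the baseline on a field that is constant within a single-tenant deployment; a short `# comment` above `value` stating that reasoning would save the next reader from re-deriving it.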