BloodHound Suite User-Agents Detected

Elastic Detection Rules

Summary
This detection rule identifies potential enumeration activity by tools such as AzureHound, SharpHound, and BloodHound within Microsoft cloud services, where they are used to discover and map users, groups, roles, applications, and access relationships in Microsoft Entra ID (Azure AD) and Microsoft 365. The rule draws on several log sources, including Azure Graph API Activity Logs, Microsoft 365 Audit Logs, and Entra ID Sign-in Logs, to monitor for patterns indicative of unauthorized identity discovery. The detection mechanism matches user agent strings associated with these tools in those logs, which may suggest credential abuse or unauthorized access attempts. False positives may arise from legitimate use during authorized security assessments or red team exercises, so the context and user activity surrounding each detection should be reviewed. Investigation steps are outlined to verify tool usage, logged API events, and suspicious user behavior. The rule recommends conditional access and logging practices to strengthen the overall security posture.
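The following is an added illustration of the detection logic described above, not Elastic's rule or its query. It scans constructed log records from the three sources the summary names for user agent strings that mention the tools, and lets an analyst suppress accounts approved for an assessment so that authorized testing does not surface as a finding. The substring patterns, the field names per log source, and the sample events are all assumptions; the page does not give the exact user agent strings the rule matches.

```python
import re
from typing import Iterable, Optional

# Case-insensitive patterns for the tool names mentioned in the rule summary.
# ASSUMPTION: the page does not list the real user agent strings; these
# substrings are an illustrative approximation, not the rule's actual logic.
BLOODHOUND_UA_PATTERNS = [
    re.compile(r"azurehound", re.IGNORECASE),
    re.compile(r"sharphound", re.IGNORECASE),
    re.compile(r"bloodhound", re.IGNORECASE),
]

# Which field carries the user agent in each log source.
# ASSUMPTION: hypothetical field names chosen for this example.
UA_FIELD_BY_SOURCE = {
    "azure.graphactivitylogs": "userAgent",   # Azure Graph API Activity Logs
    "o365.audit": "UserAgent",                # Microsoft 365 Audit Logs
    "azure.signinlogs": "user_agent",         # Entra ID Sign-in Logs
}


def matched_tool(user_agent: Optional[str]) -> Optional[str]:
    """Return the matching tool pattern, or None if the UA looks benign."""
    if not user_agent:
        return None
    for pattern in BLOODHOUND_UA_PATTERNS:
        if pattern.search(user_agent):
            return pattern.pattern
    return None


def detect(events: Iterable[dict], allowlist: frozenset = frozenset()) -> list:
    """Flag events whose user agent matches a BloodHound-suite tool.

    Events from sources without a known UA field are skipped. Users in
    `allowlist` (e.g. an approved assessment account) are suppressed to
    handle the false-positive case the rule summary describes.
    """
    hits = []
    for ev in events:
        field = UA_FIELD_BY_SOURCE.get(ev.get("source"))
        if field is None:
            continue
        tool = matched_tool(ev.get(field))
        if tool is None or ev.get("user") in allowlist:
            continue
        hits.append({
            "source": ev["source"],
            "user": ev.get("user"),
            "tool": tool,
            "user_agent": ev[field],
        })
    return hits


def tools_by_user(hits: list) -> dict:
    """Summarise which tools each account was seen using, for triage."""
    summary = {}
    for hit in hits:
        summary.setdefault(hit["user"], set()).add(hit["tool"])
    return {user: sorted(tools) for user, tools in summary.items()}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"source": "azure.graphactivitylogs", "user": "alice@example.com",
     "userAgent": "azurehound/constructed-version"},
    {"source": "o365.audit", "user": "bob@example.com",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/constructed"},
    {"source": "azure.signinlogs", "user": "alice@example.com",
     "user_agent": "AzureHound"},
    {"source": "o365.audit", "user": "carol@example.com",
     "UserAgent": "SharpHound-constructed"},
    # Unknown source: no UA field mapping, so it is skipped rather than guessed.
    {"source": "unknown.source", "user": "dave@example.com",
     "userAgent": "bloodhound"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['source']}: {hit['user']} -> {hit['tool']} ({hit['user_agent']})")
    print(tools_by_user(detect(SAMPLE_EVENTS)))
```

Running the block prints the three flagged events and a per-user summary; passing `allowlist=frozenset({"carol@example.com"})` to `detect` drops the SharpHound hit, which is how an approved assessment account would be excluded from alerting while the logs are still retained for review.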
Categories
  • Cloud
  • AWS
  • Azure
Data Sources
  • User Account
  • Process
  • Network Traffic
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1069
  • T1069.003
  • T1082
  • T1087
  • T1087.004
  • T1201
  • T1526
  • T1580
  • T1673
Created: 2025-06-03