Microsoft Entra ID Session Reuse with Suspicious Graph Access

Elastic Detection Rules

Summary
This rule, authored by Elastic, detects anomalous access patterns in Microsoft Entra ID that may indicate session hijacking or token replay. It triggers when a user signs in to Microsoft Entra ID and then accesses Microsoft Graph from a different IP address using the same session ID within a five-minute window. This pattern can mean an attacker has stolen a session cookie or a refresh/access token and is impersonating the user from another location. The rule is written in ES|QL and requires the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs integrations to operate. False positives can arise from legitimate scenarios such as device switching or VPN use, so investigations should correlate the user's actions with the IP addresses involved. For a confirmed malicious finding, the recommended response is to revoke tokens, block the offending IP addresses, and reset the user's credentials, followed by monitoring for follow-on activity such as lateral movement.
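The correlation the rule performs, shown as an added Python example rather than Elastic's ES|QL query: sign-in and Graph activity events are joined on session ID, and an alert is raised when the Graph request comes from a different IP within five minutes of the sign-in. The event records and field names (`ts`, `user`, `session_id`, `ip`, `path`) are constructed for this example and are not the integrations' real schema.

```python
"""Correlate Entra ID sign-ins with Graph activity on the same session ID but a different IP."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # the rule's five-minute correlation window

# Constructed sample events (not real data; field names are simplified, not Elastic's schema).
SIGNIN_LOGS = [
    {"ts": "2025-05-08T10:00:00Z", "user": "alice@example.com", "session_id": "sess-1", "ip": "203.0.113.10"},
    {"ts": "2025-05-08T10:02:00Z", "user": "bob@example.com",   "session_id": "sess-2", "ip": "198.51.100.7"},
]
GRAPH_LOGS = [
    # same session as alice's sign-in, different IP, 3 minutes later -> should alert
    {"ts": "2025-05-08T10:03:00Z", "session_id": "sess-1", "ip": "192.0.2.55",   "path": "/v1.0/me/messages"},
    # same session and same IP as bob's sign-in -> benign, no alert
    {"ts": "2025-05-08T10:03:30Z", "session_id": "sess-2", "ip": "198.51.100.7", "path": "/v1.0/me"},
    # different IP, but 20 minutes after bob's sign-in -> outside the window, no alert
    {"ts": "2025-05-08T10:22:00Z", "session_id": "sess-2", "ip": "192.0.2.99",   "path": "/v1.0/users"},
]


def parse_ts(value):
    """Parse the UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(signins, graph_events, window=WINDOW):
    """Return one alert per (user, session_id, graph_ip) where Graph was reached from a
    different IP than the sign-in, within `window` after the sign-in."""
    # Index Graph events by session ID so each sign-in is only compared with its own session.
    by_session = {}
    for ev in graph_events:
        by_session.setdefault(ev["session_id"], []).append(ev)

    alerts, seen = [], set()
    for s in signins:
        t0 = parse_ts(s["ts"])
        for g in by_session.get(s["session_id"], []):
            delta = parse_ts(g["ts"]) - t0
            if timedelta(0) <= delta <= window and g["ip"] != s["ip"]:
                key = (s["user"], s["session_id"], g["ip"])
                if key in seen:  # collapse repeated requests from the same new IP into one alert
                    continue
                seen.add(key)
                alerts.append({"user": s["user"], "session_id": s["session_id"],
                               "signin_ip": s["ip"], "graph_ip": g["ip"],
                               "path": g["path"], "seconds_after_signin": int(delta.total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in correlate(SIGNIN_LOGS, GRAPH_LOGS):
        print(a)
```

Triage of each alert still has to rule out the benign causes the summary names (device switching, VPN egress changes), for example by checking whether the new IP belongs to the organisation's known egress ranges.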
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
  • Network Traffic
  • Logon Session
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1550
  • T1550.001
Created: 2025-05-08