
Summary
This rule detects Azure AD Graph (graph.windows.net) activity where a combination of the OAuth client ID (azure.aadgraphactivitylogs.properties.app_id) and the signed-in user (user.id) appears for the first time within a tenant over a historical window. The rule fires when a user is observed accessing AAD Graph with a client identity that has not previously authenticated that user in the defined window, suggesting possible scenarios such as a first-party token swap (FOCI) using a new client, phishing-driven consent for an OAuth application, or an adversary operating under a client identity the user normally does not use. The detection is implemented as a new-terms rule over a data stream of Azure AD Graph activity logs, with a focus on user-facing activity and first-time (app_id, user.id) pairings. The rule maps to MITRE ATT&CK techniques related to Discovery (cloud account) and Use Alternate Authentication Material (application access token). The historical window is defined for first-seen terms and is tied to the query’s scope (currently a short-term window in the rule). The rule requires enabling the Azure AD Graph Activity Logs integration and ingesting logs into logs-azure.aadgraphactivitylogs-*.
Investigation guidance emphasizes validating the app’s legitimacy, correlating with sign-in context and geography, checking user behavior around the same time, and auditing the source posture (user_agent.original, source IP, and organization). It also covers reviewing which resources were queried (url.path) and whether a single client is hitting many users (blast radius). Remediation steps include revoking refresh tokens and sessions, potentially disabling the user, revoking OAuth consent for non-sanctioned apps, and inspecting devices that may have been registered around the event. Note that there is a documented mismatch between the narrative (14-day first-seen window) and the history window in the rule syntax (now-7d) that should be reconciled for consistency.
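As an added illustration (not the rule's own query or code), the following Python emulates the first-seen (app_id, user.id) logic over constructed events and runs it with both the 14-day window from the narrative and the 7-day window from the rule syntax, so the effect of the documented mismatch is visible; field names follow the page, all event values are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Field names used by the rule, as given on the page.
APP_ID = "azure.aadgraphactivitylogs.properties.app_id"
USER_ID = "user.id"

# Constructed sample events for illustration; not real tenant data.
SAMPLE_EVENTS = [
    {"@timestamp": "2026-05-01T09:00:00Z", APP_ID: "app-A", USER_ID: "user-1", "url.path": "/users"},
    {"@timestamp": "2026-05-10T10:00:00Z", APP_ID: "app-A", USER_ID: "user-1", "url.path": "/users"},
    {"@timestamp": "2026-05-20T11:00:00Z", APP_ID: "app-B", USER_ID: "user-1", "url.path": "/users"},
    {"@timestamp": "2026-05-20T11:05:00Z", APP_ID: "app-B", USER_ID: "user-2", "url.path": "/groups"},
    {"@timestamp": "2026-05-20T12:00:00Z", APP_ID: "app-A", USER_ID: "user-1", "url.path": "/me"},
    {"@timestamp": "2026-06-15T08:00:00Z", APP_ID: "app-A", USER_ID: "user-1", "url.path": "/me"},
]

def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def first_seen_pairs(events, history_days):
    """Emulate the new-terms logic: an event alerts when its (app_id, user.id)
    pair was not observed within the preceding history_days. Returns alerting
    events in time order. Caveat: with no history yet (cold start after
    onboarding the integration) the first event of every pair alerts."""
    window = timedelta(days=history_days)
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev[APP_ID], ev[USER_ID])
        prev = last_seen.get(key)
        if prev is None or _ts(ev) - prev > window:
            alerts.append(ev)
        last_seen[key] = _ts(ev)
    return alerts

def users_per_client(events):
    """Blast-radius check from the investigation guidance: number of distinct
    users each client id touched in the data set."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev[APP_ID]].add(ev[USER_ID])
    return {app: len(users) for app, users in seen.items()}

if __name__ == "__main__":
    for days in (14, 7):
        hits = first_seen_pairs(SAMPLE_EVENTS, days)
        print(f"{days}-day window: {len(hits)} alerts")
        for ev in hits:
            print("  ", ev["@timestamp"], ev[APP_ID], ev[USER_ID], ev["url.path"])
    print("users per client:", users_per_client(SAMPLE_EVENTS))
```

With the same events, the 7-day window produces six alerts and the 14-day window four, because pairs that recur after a gap longer than the window are reported as new again.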
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1087
- T1087.004
- T1550
- T1550.001
Created: 2026-05-22