
Summary
Detects an unusually high ratio of 4xx HTTP responses from Azure AD Graph (graph.windows.net) per calling identity within a short time window. It analyzes Azure AD Graph Activity Logs (logs-azure.aadgraphactivitylogs-*) to compute per-user, per-origin metrics: total_calls, number of 4xx errors, error_rate, distinct URL paths, and involved OAuth app IDs. The rule triggers when total_calls > 20, 4xx errors >= 10, error_rate >= 0.4, and at least 15 distinct URL paths are observed in a 2-minute window, grouped by user.id and source ASN.

This pattern, a surge of 4xx responses concentrated on a single user/ASN pair, is indicative of automated probing or token-restricted access attempts following identity compromise, and may reflect attempts to enumerate permissions, tokens, or endpoints using a blocked app. The query surfaces triage fields such as user.id, source.as.number, and Esql.* (including app_ids, source_ips, and sample_paths) to aid investigation, correlation with sign-in tokens, and identification of offending clients. The rule mirrors ATT&CK discovery-related activity (Cloud Account and Cloud Service Discovery) and is intended to support rapid containment (token revocation, session termination, app access blocks) and targeted Conditional Access adjustments.

False positives can arise from legitimate Conditional Access flows, red-team activity, or legacy AAD Graph usage; these should be exempted or tuned per tenant policy. Remediation guidance includes revoking refresh tokens, terminating sessions, blocking offending app usage of AAD Graph, and applying Conditional Access targeting the AAD Graph audience.
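The rule's aggregation logic, reimplemented here as an added Python example (not the rule's own ES|QL and not Elastic's code) over constructed log events: events are bucketed into 2-minute windows, grouped by user.id and source.as.number, and the stated thresholds are applied. Field names other than user.id and source.as.number (http.response.status_code, url.path, source.ip, app_id) are assumptions about the event shape, not taken from the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds as stated in the rule summary
MIN_TOTAL_CALLS, MIN_4XX, MIN_ERROR_RATE, MIN_DISTINCT_PATHS = 20, 10, 0.4, 15
WINDOW_SECONDS = 120  # 2-minute fixed buckets

def bucket_start(ts: str) -> int:
    """Floor an ISO-8601 timestamp to the start of its 2-minute bucket (epoch seconds)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % WINDOW_SECONDS

def evaluate(events: list[dict]) -> list[dict]:
    """Group AAD Graph events by (bucket, user.id, source.as.number) and apply the thresholds."""
    groups = defaultdict(list)
    for e in events:
        groups[(bucket_start(e["@timestamp"]), e["user.id"], e["source.as.number"])].append(e)
    alerts = []
    for (start, user_id, asn), evs in sorted(groups.items()):
        total = len(evs)
        err_4xx = sum(1 for e in evs if 400 <= e["http.response.status_code"] < 500)
        paths = sorted({e["url.path"] for e in evs})
        error_rate = err_4xx / total
        if (total > MIN_TOTAL_CALLS and err_4xx >= MIN_4XX
                and error_rate >= MIN_ERROR_RATE and len(paths) >= MIN_DISTINCT_PATHS):
            alerts.append({
                "user.id": user_id, "source.as.number": asn, "window_start": start,
                "total_calls": total, "err_4xx": err_4xx, "error_rate": round(error_rate, 3),
                "distinct_paths": len(paths), "sample_paths": paths[:5],
                "app_ids": sorted({e["app_id"] for e in evs}),      # assumed field name
                "source_ips": sorted({e["source.ip"] for e in evs}),
            })
    return alerts

def constructed_events() -> list[dict]:
    """Constructed sample: one probing identity (25 calls, 15x 403, 16 paths) and one benign user."""
    base = datetime(2026, 5, 20, 10, 0, tzinfo=timezone.utc)
    def ev(offset_s, user, asn, ip, app, path, status):
        return {"@timestamp": (base + timedelta(seconds=offset_s)).isoformat(),
                "user.id": user, "source.as.number": asn, "source.ip": ip,
                "app_id": app, "url.path": path, "http.response.status_code": status}
    probing = [ev(4 * i, "u-compromised", 64500, "203.0.113.10", ["app-a", "app-b"][i % 2],
                  f"/tenant/probe/{i % 16}", 403 if i < 15 else 200) for i in range(25)]
    benign = [ev(3 * i, "u-benign", 64501, "198.51.100.7", "app-c",
                 f"/tenant/users/{i}", 404 if i < 2 else 200) for i in range(30)]
    return probing + benign

if __name__ == "__main__":
    for alert in evaluate(constructed_events()):
        print(alert)
```

The benign user makes more calls than the probing one but never clears the 4xx count or error-rate gates, which is what keeps ordinary high-volume clients out of the alert set.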
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
ATT&CK Techniques
- T1087
- T1087.004
- T1526
Created: 2026-05-20