
Azure AD Graph Access with Suspicious User-Agent

Elastic Detection Rules

Summary
This Elastic detection rule flags Azure AD Graph (graph.windows.net) API requests whose user-agent string is associated with offensive tooling, scripting libraries, or generic HTTP clients. It reads events from logs-azure.aadgraphactivitylogs-* where actor_type is User and user_agent.original is populated. Well-known Microsoft UA strings (e.g., Microsoft.OData.Client, Microsoft Azure Graph Client Library, Microsoft ADO.NET Data Services) are treated as legitimate. Anything outside that recognised set, such as Python, aiohttp, curl, go-http-client, okhttp, axios, node-fetch, go-resty, or enumeration-focused user agents, may indicate either developer prototyping against the legacy AAD Graph API or adversary tooling.

The rule alerts on a single event to support rapid triage: AAD Graph usage is being sunset, so a non-standard UA against it is a strong signal of discovery or enumeration. Investigation fields include user_id, app_id, url.path, http.response.status_code, and api_version, which identify the caller, the client application, and the target resource.

The rule maps to the MITRE ATT&CK discovery techniques T1069.003 (Cloud Groups), T1087.004 (Cloud Account), and T1526 (Cloud Service Discovery). Remediation guidance covers token revocation, session management, device cleanup, blocking non-essential AAD Graph access, and applying Conditional Access. The detection requires the AzureADGraphActivityLogs integration to be configured in Elastic and fed from Azure Event Hub. References point to Microsoft docs and community tooling for context.
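The way the rule's conditions combine (dataset, actor_type, populated UA, Microsoft allowlist, suspicious client families) is easier to see when replayed over a handful of events. The Python below is an added example written for this page, not Elastic's rule or its query. The field names are the ones the summary lists; the flattened dotted-key event shape, prefix matching for the Microsoft allowlist, the SUSPICIOUS_UA regex, and every sample value are this example's own assumptions.

```python
"""Replay of the AAD Graph suspicious user-agent check over constructed events.
Example code added to this page; it is not Elastic's rule or query."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Dataset the rule reads (index pattern logs-azure.aadgraphactivitylogs-*).
TARGET_DATASET = "azure.aadgraphactivitylogs"

# Microsoft client UA strings the page treats as legitimate.
# Prefix matching is this example's assumption.
KNOWN_MICROSOFT_UA_PREFIXES = (
    "Microsoft.OData.Client",
    "Microsoft Azure Graph Client Library",
    "Microsoft ADO.NET Data Services",
)

# Client families the page names as suspicious. The regex is this example's
# assumption, not the rule's own expression.
SUSPICIOUS_UA = re.compile(
    r"(?i)\b(python|aiohttp|curl|go-http-client|okhttp|axios|node-fetch|go-resty)\b"
)


@dataclass(frozen=True)
class Alert:
    """The triage fields the page lists for an investigation."""
    user_id: str
    app_id: str
    url_path: str
    status_code: int
    api_version: str
    user_agent: str


def evaluate_event(event: dict) -> Optional[Alert]:
    """Apply the rule's conditions to one flattened event; return an Alert or None."""
    if event.get("data_stream.dataset") != TARGET_DATASET:
        return None
    if event.get("actor_type") != "User":           # rule scope: actor_type is User
        return None
    ua = event.get("user_agent.original")
    if not ua:                                      # user_agent.original must be populated
        return None
    if ua.startswith(KNOWN_MICROSOFT_UA_PREFIXES):  # recognised Microsoft clients pass
        return None
    if not SUSPICIOUS_UA.search(ua):                # only the named client families alert
        return None
    return Alert(
        user_id=event.get("user_id", "<missing>"),
        app_id=event.get("app_id", "<missing>"),
        url_path=event.get("url.path", "<missing>"),
        status_code=int(event.get("http.response.status_code", 0)),
        api_version=event.get("api_version", "<missing>"),
        user_agent=ua,
    )


def scan_ndjson(text: str) -> list:
    """Evaluate every non-empty NDJSON line and collect alerts in input order."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alert = evaluate_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events: field names follow the page, all values are made up.
SAMPLE_NDJSON = """
{"data_stream.dataset": "azure.aadgraphactivitylogs", "actor_type": "User", "user_agent.original": "Microsoft.OData.Client/7.12.1", "user_id": "user-0001", "app_id": "app-aaaa", "url.path": "/constructed-tenant/me", "http.response.status_code": 200, "api_version": "1.6"}
{"data_stream.dataset": "azure.aadgraphactivitylogs", "actor_type": "User", "user_agent.original": "python-requests/2.31.0", "user_id": "user-0002", "app_id": "app-bbbb", "url.path": "/constructed-tenant/users", "http.response.status_code": 200, "api_version": "1.6"}
{"data_stream.dataset": "azure.aadgraphactivitylogs", "actor_type": "ServicePrincipal", "user_agent.original": "curl/8.4.0", "user_id": "", "app_id": "app-cccc", "url.path": "/constructed-tenant/applications", "http.response.status_code": 200, "api_version": "1.6"}
{"data_stream.dataset": "azure.aadgraphactivitylogs", "actor_type": "User", "user_id": "user-0003", "app_id": "app-dddd", "url.path": "/constructed-tenant/groups", "http.response.status_code": 403, "api_version": "1.6"}
{"data_stream.dataset": "azure.aadgraphactivitylogs", "actor_type": "User", "user_agent.original": "Go-http-client/1.1", "user_id": "user-0004", "app_id": "app-eeee", "url.path": "/constructed-tenant/groups", "http.response.status_code": 403, "api_version": "1.6"}
{"data_stream.dataset": "azure.auditlogs", "actor_type": "User", "user_agent.original": "axios/1.6.0", "user_id": "user-0005", "app_id": "app-ffff", "url.path": "/constructed-tenant/users", "http.response.status_code": 200, "api_version": "1.6"}
"""

if __name__ == "__main__":
    for a in scan_ndjson(SAMPLE_NDJSON):
        print(f"ALERT user={a.user_id} app={a.app_id} path={a.url_path} "
              f"status={a.status_code} api={a.api_version} ua={a.user_agent!r}")
```

Of the six constructed events only two alert: the python-requests call from user-0002 and the Go-http-client call from user-0004. The curl event is excluded by the User scope, the event with no user_agent.original is skipped, the OData client is on the allowlist, and the axios event is in a different dataset. Note that a 403 still alerts; the rule is about who is asking, not whether the request succeeded, which is why http.response.status_code is a triage field rather than a filter.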
Categories
  • Cloud
  • Azure
Data Sources
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1069
  • T1069.003
  • T1087
  • T1087.004
  • T1526
Created: 2026-05-20