Azure AD Graph Potential Enumeration (ROADrecon)

Elastic Detection Rules

Summary
This ES|QL detection rule flags bursts of Azure AD Graph activity that resemble ROADrecon's graph enumeration, which is performed with the aiohttp library. It watches logs-azure.aadgraphactivitylogs-* for a user agent containing aiohttp and aggregates the matching activity into 1-minute windows by user and tenant. If a single user/tenant pair requests five or more distinct endpoints within one window, an alert is produced. The alert carries aggregated fields such as the calling user, the tenant, the time window, the targeted endpoints, and supporting telemetry (source IPs, app IDs, HTTP methods, status codes, session IDs, and related properties) to speed triage. The rule also documents a suppression policy that groups alerts by user and tenant over a five-minute window to reduce noise. The accompanying investigation and remediation guidance maps the behavior to discovery and enumeration techniques (e.g., Cloud Groups, Cloud Account, Cloud Service Discovery) and suggests pivoting to sign-in and audit logs to correlate identity tokens and possible persistence activity. Practical responses include de-registering devices, revoking tokens and sessions, temporarily disabling the user if warranted, auditing OAuth grants and app role assignments, and, if the application has no legitimate AAD Graph dependency, blocking Graph access via the beta endpoint setting. To separate enumeration from legitimate operator activity, the rule emphasizes GET-dominated traffic and a burst against AAD Graph carrying the internal API version that ROADrecon hardcodes in its implementation.
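The aggregation and suppression logic described above, reimplemented in Python over constructed sample events so the threshold behaviour can be checked offline. This is an added example, not the rule's own ES|QL; the event field names (ts, user, tenant, user_agent, method, endpoint) are assumptions, not the real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Azure AD Graph activity logs.
# Field names are assumptions for this example, not the rule's own schema.
SAMPLE_EVENTS = [
    {"ts": "2026-05-20T10:00:01Z", "user": "alice@example.com", "tenant": "t1",
     "user_agent": "Python/3.11 aiohttp/3.9.1", "method": "GET", "endpoint": e}
    for e in ("users", "groups", "applications", "servicePrincipals", "devices")
] + [
    # Same five endpoints, but a browser user agent: must not match.
    {"ts": "2026-05-20T10:00:30Z", "user": "bob@example.com", "tenant": "t1",
     "user_agent": "Mozilla/5.0", "method": "GET", "endpoint": e}
    for e in ("users", "groups", "applications", "servicePrincipals", "devices")
] + [
    # A lone aiohttp request a few minutes later: below the threshold.
    {"ts": "2026-05-20T10:05:10Z", "user": "alice@example.com", "tenant": "t1",
     "user_agent": "aiohttp/3.9.1", "method": "GET", "endpoint": "users"},
]

def bucket(ts: str, minutes: int = 1) -> datetime:
    """Floor an ISO-8601 UTC timestamp to the start of its window."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(second=0, microsecond=0, minute=t.minute - t.minute % minutes)

def find_bursts(events, threshold=5, window_minutes=1):
    """Return (user, tenant, window_start, sorted_endpoints) for every
    user/tenant that hits at least `threshold` distinct endpoints with an
    aiohttp user agent inside one window (the rule's aggregation step)."""
    groups = defaultdict(set)
    for ev in events:
        if "aiohttp" not in ev["user_agent"].lower():
            continue
        key = (ev["user"], ev["tenant"], bucket(ev["ts"], window_minutes))
        groups[key].add(ev["endpoint"])
    return sorted(
        (u, t, w, sorted(eps)) for (u, t, w), eps in groups.items() if len(eps) >= threshold
    )

def suppress(alerts, suppression_minutes=5):
    """Keep one alert per user/tenant per suppression window, dropping
    repeats that start less than `suppression_minutes` after the kept one."""
    kept, last_kept = [], {}
    for u, t, w, eps in alerts:
        prev = last_kept.get((u, t))
        if prev is None or w - prev >= timedelta(minutes=suppression_minutes):
            kept.append((u, t, w, eps))
            last_kept[(u, t)] = w
    return kept
```

Running find_bursts on SAMPLE_EVENTS yields a single alert for alice in the 10:00 window; bob's identical burst is ignored because his user agent is not aiohttp.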
Categories
  • Cloud
  • Azure
  • Identity Management
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1069
  • T1069.003
  • T1087
  • T1087.004
  • T1526
Created: 2026-05-20