
Microsoft Graph Multi-Category Reconnaissance Burst

Elastic Detection Rules

Summary
Detects Microsoft Graph activity from delegated user tokens (public client, client_auth_method 0) where a single user session and source IP rapidly touches multiple high-value Graph endpoints indicative of reconnaissance. The rule aggregates activity from Azure Graph Activity Logs (logs-azure.graphactivitylogs-*) by user_principal_object_id, session ID (c_sid), source IP, tenant ID, and timestamps.

It classifies each hit into recon categories: role_discovery, cross_tenant_recon, mailbox_recon, contact_harvest, and org_and_licensing_recon (with an 'other' fallback). A hit is considered high-value if it touches endpoints commonly used for discovery across roles, tenants, mailboxes, contacts, or organization/licensing data. Failed requests are also counted as relevant recon events.

The alert triggers when a 60-second burst (burst_duration_seconds <= 60) contains at least four distinct categories and at least 20 high-value calls in total. The query also records sample paths, HTTP methods, status codes, user agents, and involved app IDs to support investigation.

Triage guidance: verify the touched endpoints, validate that the applications involved are approved, correlate with sign-in logs for MFA and conditional access context, and check failed_calls patterns. Remediation suggestions: revoke refresh tokens for the user, restrict or block high-risk Graph patterns, and tighten conditional access or app consent policies.

Note: the narrative mentions 3+ categories, while the implemented logic requires 4 categories and 20 high-value calls in a burst; this discrepancy should be resolved in policy tuning. Operational implications: onboarding or sync apps that enumerate resources during legitimate setup may produce false positives.
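A worked model of the detection logic, added here as an example and not the Elastic rule's own query: it groups constructed Graph activity records by user, c_sid, source IP and tenant, classifies each request path into the five recon categories, and alerts on a 60-second window holding at least 20 high-value calls across at least 4 categories. The URI patterns, the event field names, and the sample records are assumptions; the sliding window generalizes the rule's single burst_duration_seconds check to any 60-second span in a session.

```python
import re
from datetime import datetime, timedelta, timezone
# Assumed URI-to-category patterns (the Elastic rule's real endpoint lists are not on the page).
CATEGORY_PATTERNS = [
    ("role_discovery", re.compile(r"/(directoryRoles|roleManagement)")),
    ("cross_tenant_recon", re.compile(r"/(tenantRelationships|crossTenantAccessPolicy)")),
    ("mailbox_recon", re.compile(r"/(me|users/[^/]+)/(messages|mailFolders)")),
    ("contact_harvest", re.compile(r"/(me|users/[^/]+)/contacts|/people")),
    ("org_and_licensing_recon", re.compile(r"/(organization|subscribedSkus)")),
]

def classify(uri):
    """Map a Graph request path to a recon category; 'other' means not high-value."""
    return next((name for name, pat in CATEGORY_PATTERNS if pat.search(uri)), "other")

def detect_bursts(events, min_categories=4, min_calls=20, window_seconds=60):
    """Group by user, c_sid, source IP and tenant; alert on a window with >= min_calls hits over >= min_categories."""
    groups, alerts = {}, []
    for e in events:
        key = (e["user_principal_object_id"], e["c_sid"], e["source_ip"], e["tenant_id"])
        groups.setdefault(key, []).append(e)
    for key, evs in groups.items():
        hv = [(e, classify(e["request_uri"])) for e in sorted(evs, key=lambda e: e["ts"])]
        hv = [(e, c) for e, c in hv if c != "other"]  # only high-value hits count
        j = 0
        for i in range(len(hv)):  # two-pointer sliding window over the time-sorted hits
            while j < len(hv) and (hv[j][0]["ts"] - hv[i][0]["ts"]).total_seconds() <= window_seconds:
                j += 1
            win, cats = hv[i:j], {c for _, c in hv[i:j]}
            if len(win) >= min_calls and len(cats) >= min_categories:
                alerts.append({"user": key[0], "c_sid": key[1], "source_ip": key[2],
                    "categories": sorted(cats), "high_value_calls": len(win),
                    "failed_calls": sum(1 for e, _ in win if e["status"] >= 400),
                    "burst_duration_seconds": (win[-1][0]["ts"] - win[0][0]["ts"]).total_seconds(),
                    "sample_paths": sorted({e["request_uri"] for e, _ in win})[:5]})
                break  # one alert per session
    return alerts

def sample_events():
    """Constructed sample: a 24-call burst over four categories in 46 s, plus a benign mailbox session."""
    t0 = datetime(2026, 5, 14, 9, 0, tzinfo=timezone.utc)
    uris = ["/v1.0/directoryRoles", "/v1.0/me/messages", "/v1.0/me/contacts",
            "/v1.0/organization", "/v1.0/subscribedSkus", "/v1.0/me/mailFolders"]
    def ev(sid, ip, ts, uri, status=200):
        return {"user_principal_object_id": "u-1", "c_sid": sid, "source_ip": ip,
                "tenant_id": "t-1", "ts": ts, "request_uri": uri, "status": status}
    events = [ev("s-recon", "203.0.113.5", t0 + timedelta(seconds=2 * i), uris[i % 6],
                 403 if i % 7 == 0 else 200) for i in range(24)]
    events += [ev("s-ok", "198.51.100.9", t0 + timedelta(seconds=15 * i), uris[1]) for i in range(5)]
    return events
```

Raising min_categories to 5 or min_calls above 24 silences the constructed burst, which is the knob the summary's "policy tuning" note refers to.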
Categories
  • Cloud
  • Identity Management
Data Sources
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1526
  • T1087
Created: 2026-05-14