
Summary
This rule monitors for the first occurrence of a request to the Microsoft Graph API by a given client application ID within a given Azure tenant and user principal object ID. It leverages the Azure Graph Activity Logs and is aimed at detecting potential unauthorized access by identifying anomalous API requests that may indicate compromised user credentials or unauthorized application behavior. The lookback window covers the past 14 days, and the rule can help uncover unauthorized access following phishing, token theft, or OAuth abuse. False positives can arise from legitimate use cases, including approved applications accessing resources and automated administrative tasks. Suggested investigation steps include correlating with sign-in logs, checking the legitimacy of application IDs, and following the proper response protocols if unauthorized use is suspected.
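The following is an added illustration of the detection logic, not the rule's own query: a "first occurrence" detector keyed on (tenant, user principal object ID, client app ID) with a 14-day history window, run over constructed Graph activity records. The field names, the sample identifiers and the approved_apps allowlist are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample Azure Graph activity records; tenant, user and app
# identifiers are placeholders, not real values.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-04-01T08:00:00Z", "tenant_id": "tenant-A",
     "user_oid": "user-1", "app_id": "app-approved", "uri": "/v1.0/me"},
    {"@timestamp": "2025-04-02T09:00:00Z", "tenant_id": "tenant-A",
     "user_oid": "user-1", "app_id": "app-approved", "uri": "/v1.0/me/messages"},
    {"@timestamp": "2025-04-02T09:05:00Z", "tenant_id": "tenant-A",
     "user_oid": "user-1", "app_id": "app-unknown", "uri": "/v1.0/me/messages"},
    {"@timestamp": "2025-04-10T10:00:00Z", "tenant_id": "tenant-A",
     "user_oid": "user-2", "app_id": "app-approved", "uri": "/v1.0/me"},
    {"@timestamp": "2025-04-20T11:00:00Z", "tenant_id": "tenant-A",
     "user_oid": "user-1", "app_id": "app-approved", "uri": "/v1.0/me"},
    {"@timestamp": "2025-04-21T12:00:00Z", "tenant_id": "tenant-B",
     "user_oid": "user-1", "app_id": "app-approved", "uri": "/v1.0/me"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def first_occurrence_alerts(events, window=timedelta(days=14), approved_apps=()):
    """Return one alert per event whose (tenant, user OID, app ID) triple was not
    observed within `window` before it: a 'new terms' detector evaluated over a
    trailing history window. `approved_apps` is a tuning allowlist (assumed here)
    that suppresses the known-good applications the rule text lists as false positives."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        ts = parse_ts(ev["@timestamp"])
        key = (ev["tenant_id"], ev["user_oid"], ev["app_id"])
        prev = last_seen.get(key)
        last_seen[key] = ts  # always record history, even for allowlisted apps
        if ev["app_id"] in approved_apps:
            continue
        # Alert when the triple was never seen, or last seen beyond the window.
        if prev is None or ts - prev > window:
            alerts.append({"timestamp": ev["@timestamp"], "tenant_id": key[0],
                           "user_oid": key[1], "app_id": key[2], "uri": ev["uri"],
                           "reason": "never seen" if prev is None else "outside window"})
    return alerts
```

On the sample data the untuned detector fires five times, including a re-alert for user-1 and app-approved on 2025-04-20 because the pair was last seen 18 days earlier; allowlisting app-approved leaves only the app-unknown request.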
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Application Log
- User Account
- Network Traffic
- Process
ATT&CK Techniques
- T1078
- T1078.004
Created: 2025-04-23