Azure uncommon increase in API request sizes

Cortex XDR Analytics Alert Reference by data source

Product

Cortex XDR

Last date published

2025-04-07

Activation Period	14 Days
Training Period	30 Days
Test Period	10 Minutes
Deduplication Period	5 Days
Required Data	Requires: Azure Audit Log
Detection Modules	Cloud
Detector Tags	Microsoft Graph Activity Logs
ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Exfiltration Over Alternative Protocol (T1048)
Severity	Informational

An Identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.

Exfiltrate data over Microsoft Graph API.

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Exfiltration Over Alternative Protocol (T1048)
Severity	Medium

An Identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.

Exfiltrate data over Microsoft Graph API.

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Exfiltration Over Alternative Protocol (T1048)
Severity	Medium

An Identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.

Exfiltrate data over Microsoft Graph API.

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Exfiltration Over Alternative Protocol (T1048)
Severity	Low

An Identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.

Exfiltrate data over Microsoft Graph API.

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.