Query Details

Function: AnonymizedMicrosoftGraphActivityLogs()

Anonymized Microsoft Graph Activity Logs

Query

let AzureIdRegex = "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}";
let ReplacementId = "<--AnonymizedAzureId-->";
let AnonymizedMicrosoftGraphActivityLogs = () {
    MicrosoftGraphActivityLogs
    | extend RequestUri = replace_regex(RequestUri, AzureIdRegex, ReplacementId)
};
AnonymizedMicrosoftGraphActivityLogs

About this query

Function: AnonymizedMicrosoftGraphActivityLogs()

Query Information

Description

This function removes the Azure Ids from the MicrosoftGraphActivityLogs and replaces them with an Id of your liking. This allows you to easily share your screen without showing the particular groups/users that are being queries with the GraphApi.

References

Defender XDR

Sentinel

let AzureIdRegex = "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}";
let ReplacementId = "<--AnonymizedAzureId-->";
let AnonymizedMicrosoftGraphActivityLogs = () {
    MicrosoftGraphActivityLogs
    | extend RequestUri = replace_regex(RequestUri, AzureIdRegex, ReplacementId)
};
AnonymizedMicrosoftGraphActivityLogs

Explanation

This query is designed to anonymize Azure IDs found in Microsoft Graph Activity Logs. It does this by identifying Azure IDs, which follow a specific pattern (a UUID format), and replacing them with a placeholder text ("<--AnonymizedAzureId-->"). This process helps in sharing the logs without revealing sensitive information about specific groups or users. The query is applicable in both Defender XDR and Sentinel environments, ensuring that the logs are anonymized consistently across different platforms.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 23, 2024

Tables

MicrosoftGraphActivityLogs

Keywords

MicrosoftGraphActivityLogsAzureIdsRequestUri

Operators

letextendreplace_regex

Actions

GitHub