Query Details

Anonymized Microsoft Graph Activity Logs

Query

# Function: AnonymizedMicrosoftGraphActivityLogs()

## Query Information

#### Description
This function removes the Azure IDs from the MicrosoftGraphActivityLogs table and replaces them with an ID of your choosing. This lets you share your screen without exposing the particular groups or users that are being queried through the Graph API.

#### References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview

## Defender XDR
```KQL
// UUID pattern (lowercase hex) used to spot Azure object IDs in the request path
let AzureIdRegex = "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}";
// Placeholder written in place of every matched ID
let ReplacementId = "<--AnonymizedAzureId-->";
let AnonymizedMicrosoftGraphActivityLogs = () {
    MicrosoftGraphActivityLogs
    // Rewrite only the RequestUri column; all other columns pass through unchanged
    | extend RequestUri = replace_regex(RequestUri, AzureIdRegex, ReplacementId)
};
AnonymizedMicrosoftGraphActivityLogs
```

## Sentinel
```KQL
// UUID pattern (lowercase hex) used to spot Azure object IDs in the request path
let AzureIdRegex = "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}";
// Placeholder written in place of every matched ID
let ReplacementId = "<--AnonymizedAzureId-->";
let AnonymizedMicrosoftGraphActivityLogs = () {
    MicrosoftGraphActivityLogs
    // Rewrite only the RequestUri column; all other columns pass through unchanged
    | extend RequestUri = replace_regex(RequestUri, AzureIdRegex, ReplacementId)
};
AnonymizedMicrosoftGraphActivityLogs
```

Explanation

This query is designed to anonymize Azure IDs found in Microsoft Graph Activity Logs. It does this by identifying Azure IDs, which follow a specific pattern (a UUID format), and replacing them with a placeholder text ("<--AnonymizedAzureId-->"). This process helps in sharing the logs without revealing sensitive information about specific groups or users. The query is applicable in both Defender XDR and Sentinel environments, ensuring that the logs are anonymized consistently across different platforms.
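The same anonymization, carried out offline in Python, as an added example that is not part of the original query or the author's repository. It uses the page's UUID pattern and placeholder verbatim, and goes beyond the page in two ways that are assumptions of this example rather than properties of the KQL query: the match is case-insensitive so upper-case GUIDs are caught as well, and a second mode (`Pseudonymizer`) swaps each distinct ID for a stable token so that rows about the same user or group can still be correlated after sharing. The sample rows, GUIDs and column names are constructed for the example; like the KQL query, only `RequestUri` is rewritten.

```python
import json
import re

# Pattern and placeholder taken from the page's KQL query. re.IGNORECASE is an
# addition of this example: the KQL regex matches lowercase hex only.
AZURE_ID_RE = re.compile(
    r"[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}", re.IGNORECASE
)
REPLACEMENT_ID = "<--AnonymizedAzureId-->"

# Constructed sample rows shaped like MicrosoftGraphActivityLogs output.
# The GUIDs below are made up; the second one is upper-case on purpose.
SAMPLE_ROWS = [
    {"RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/users/3f2504e0-4f89-11d3-9a0c-0305e82c3301/memberOf"},
    {"RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/groups/6BA7B810-9DAD-11D1-80B4-00C04FD430C8/members"},
    {"RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/users/3f2504e0-4f89-11d3-9a0c-0305e82c3301/ownedObjects"},
    {"RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/me"},
]


def anonymize_uri(uri: str, replacement: str = REPLACEMENT_ID) -> str:
    """Equivalent of replace_regex(RequestUri, AzureIdRegex, ReplacementId):
    every GUID in the URI becomes the same fixed placeholder."""
    return AZURE_ID_RE.sub(replacement, uri)


class Pseudonymizer:
    """Replaces each distinct GUID with a stable numbered token (assumed
    format "<--AnonId-N-->") so that repeated IDs stay correlatable."""

    def __init__(self, prefix: str = "AnonId") -> None:
        self.prefix = prefix
        self.mapping: dict[str, str] = {}

    def token_for(self, guid: str) -> str:
        key = guid.lower()  # same ID in different case gets the same token
        if key not in self.mapping:
            self.mapping[key] = f"<--{self.prefix}-{len(self.mapping) + 1}-->"
        return self.mapping[key]

    def __call__(self, uri: str) -> str:
        return AZURE_ID_RE.sub(lambda m: self.token_for(m.group(0)), uri)


def anonymize_rows(rows, transform=anonymize_uri):
    """Apply `transform` to the RequestUri column of every row, like the
    KQL `extend` does; other columns are copied through untouched."""
    return [{**row, "RequestUri": transform(row["RequestUri"])} for row in rows]


def contains_azure_id(text: str) -> bool:
    """Post-check before sharing: does any GUID survive in the text?"""
    return AZURE_ID_RE.search(text) is not None


if __name__ == "__main__":
    print(json.dumps(anonymize_rows(SAMPLE_ROWS), indent=2))
    print(json.dumps(anonymize_rows(SAMPLE_ROWS, Pseudonymizer()), indent=2))
```

Run `contains_azure_id` over the whole serialized output before sharing it; a surviving GUID means it sits in a column the transform never touched, which is the same gap the KQL query has since it rewrites `RequestUri` alone.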

Details

Bert-Jan Pals

Released: December 23, 2024

Tables

MicrosoftGraphActivityLogs

Keywords

MicrosoftGraphActivityLogs, AzureIds, RequestUri

Operators

let, extend, replace_regex