Function: AnonymizedMicrosoftGraphActivityLogs()
Anonymized Microsoft Graph Activity Logs
Query
let AzureIdRegex = "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}";
let ReplacementId = "<--AnonymizedAzureId-->";
let AnonymizedMicrosoftGraphActivityLogs = () {
MicrosoftGraphActivityLogs
| extend RequestUri = replace_regex(RequestUri, AzureIdRegex, ReplacementId)
};
AnonymizedMicrosoftGraphActivityLogsAbout this query
Function: AnonymizedMicrosoftGraphActivityLogs()
Query Information
Description
This function removes the Azure Ids from the MicrosoftGraphActivityLogs and replaces them with an Id of your liking. This allows you to easily share your screen without showing the particular groups/users that are being queries with the GraphApi.
References
Defender XDR
Sentinel
let AzureIdRegex = "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}";
let ReplacementId = "<--AnonymizedAzureId-->";
let AnonymizedMicrosoftGraphActivityLogs = () {
MicrosoftGraphActivityLogs
| extend RequestUri = replace_regex(RequestUri, AzureIdRegex, ReplacementId)
};
AnonymizedMicrosoftGraphActivityLogs
Explanation
This query is designed to anonymize Azure IDs found in Microsoft Graph Activity Logs. It does this by identifying Azure IDs, which follow a specific pattern (a UUID format), and replacing them with a placeholder text ("<--AnonymizedAzureId-->"). This process helps in sharing the logs without revealing sensitive information about specific groups or users. The query is applicable in both Defender XDR and Sentinel environments, ensuring that the logs are anonymized consistently across different platforms.
Details

Bert-Jan Pals
Released: December 23, 2024
Tables
Keywords
Operators