# MicrosoftGraphActivityLogs App Enrichment AADNonInteractiveUserSignInLogs Based

## Query Information

#### Description

This query enriches the *MicrosoftGraphActivityLogs* with application information from the *AADNonInteractiveUserSignInLogs* table to get more context in the results. This query has one limitation: a user must have signed in to the application for it to show up in the logs. An alternative KQL query is available that leverages the externaldata operator to solve this issue: [App Enrichment ExternalData](./AppEnrichmentExternalData.md)

#### References

- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs

## Sentinel

```KQL
// Build a lookup table: the most recent sign-in per resource gives its display name
let ApplicationName = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by ResourceIdentity
    | project-rename ApplicationName = ResourceDisplayName
    | project ApplicationName, ResourceIdentity;
MicrosoftGraphActivityLogs
// Your filter here
| lookup kind=leftouter ApplicationName on $left.AppId == $right.ResourceIdentity
| project-reorder AppId, ApplicationName
```
This query combines information from the MicrosoftGraphActivityLogs and AADNonInteractiveUserSignInLogs tables to show application details for user sign-ins. It enriches the logs with application names, but users must have signed in to the application to appear in the results.
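The following is an added example, not part of the original query: it reuses the same enrichment and then turns the `leftouter` behaviour into a signal by flagging Graph client AppIds that the sign-in table could not name, so they are reviewed rather than silently left blank. The 1-day window, the `Unresolved` flag and the summarized columns are assumptions chosen for illustration.

```kql
// Same lookup table as the query above (most recent sign-in per resource)
let ApplicationName = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by ResourceIdentity
    | project-rename ApplicationName = ResourceDisplayName
    | project ApplicationName, ResourceIdentity;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)          // assumed review window
| lookup kind=leftouter ApplicationName on $left.AppId == $right.ResourceIdentity
// leftouter keeps rows with no match: mark them instead of losing them in the output
| extend Unresolved = isempty(ApplicationName)
| extend ApplicationName = iff(Unresolved, "<unresolved>", ApplicationName)
// One row per client app: volume, error count, methods used and a sample request
| summarize Requests = count(),
            FailedRequests = countif(ResponseStatusCode >= 400),
            Methods = make_set(RequestMethod),
            SampleUri = take_any(RequestUri)
    by AppId, ApplicationName, Unresolved
// Unknown apps first, busiest first, so they are reviewed before the familiar ones
| order by Unresolved desc, Requests desc
```

An AppId that stays unresolved across the 30-day sign-in window is a candidate for the externaldata-based variant linked above, or for a manual check of the app registration.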

Bert-Jan Pals
Released: May 3, 2024