Query Details
App Enrichment External Data
Query
# MicrosoftGraphActivityLogs App Enrichment ExternalData Based ## Query Information #### Description This query enriches the *MicrosoftGraphActivityLogs* with Application information Using the Azure_Application_ID list developed by [@Beercow](https://github.com/Beercow) 1000+ AppIds can be enriched with the [externaldata operator](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuredataexplorer) resulting in the query below. #### References - https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs - https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs - https://kqlquery.com/posts/graphactivitylogs/ ## Sentinel ```KQL let ApplicationInformation = externaldata (ApplicationName: string, AppId: string, Reference: string ) [h"https://raw.githubusercontent.com/Beercow/Azure-App-IDs/master/Azure_Application_IDs.csv"] with (ignoreFirstRecord=true, format="csv"); MicrosoftGraphActivityLogs // Your filter here | take 1000 | lookup kind=leftouter ApplicationInformation on $left.AppId == $right.AppId | project-reorder AppId, ApplicationName ```
Explanation
This query combines Microsoft Graph activity logs with application information using a list of Azure Application IDs. It retrieves data from the Azure_Application_ID list created by Beercow and enriches over 1000 AppIds with external data. The final result includes the AppId and ApplicationName for the Microsoft Graph activity logs.
Details
Bert-Jan Pals
Released: May 2, 2024
Tables
MicrosoftGraphActivityLogs
Keywords
MicrosoftGraphActivityLogs,ApplicationInformation,Azure_Application_ID,AppIds,ExternalData
Operators
externaldatawithformatlookupkindtakeproject-reorder