Query Details

Graph API Suspicious User Requests

Query

# List all GraphAPI requests of a suspicious user


### Sentinel
```KQL
let SuspiciousUserId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx";
let SearchWindow = 48h; //Customizable h = hours, d = days
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(SearchWindow)
| where UserId == SuspiciousUserId
| lookup kind=leftouter (IdentityInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountObjectId, AccountDisplayName, AccountUPN)
    on $left.UserId == $right.AccountObjectId
| project-reorder AccountDisplayName, AccountUPN, RequestMethod, RequestUri
```



Explanation

This query lists all GraphAPI requests made by a suspicious user within the configurable search window (48 hours by default). A left outer lookup against the most recent IdentityInfo record for that user adds account context such as display name and UPN, so rows are kept even when no IdentityInfo match exists.
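To triage the raw request list, a practitioner usually wants to see which Graph endpoints the user touched and how often. The following is an added example, not part of the original query, that builds on the same filter and assumes the MicrosoftGraphActivityLogs columns RequestUri, RequestMethod, ResponseStatusCode, IPAddress and AppId are populated; GUIDs in the URI are collapsed to a placeholder so that the same endpoint called with different object IDs lands in one row.

```kql
// Added example: summarize the suspicious user's Graph calls per endpoint.
let SuspiciousUserId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx";
let SearchWindow = 48h; // Customizable: h = hours, d = days
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(SearchWindow)
| where UserId == SuspiciousUserId
// Drop the query string, then replace GUID path segments with {id} so that
// e.g. /v1.0/users/{id}/messages groups together regardless of the object ID
| extend Endpoint = tostring(split(RequestUri, "?")[0])
| extend Endpoint = replace_regex(Endpoint,
    @"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}",
    "{id}")
| summarize RequestCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            StatusCodes = make_set(ResponseStatusCode),
            SourceIPs = make_set(IPAddress),
            CallingApps = make_set(AppId)
    by RequestMethod, Endpoint
// Most-called endpoints first; a high count of non-2xx status codes or
// many distinct source IPs on one endpoint is worth a closer look
| order by RequestCount desc
```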

Details


Bert-Jan Pals

Released: April 21, 2024

Tables

MicrosoftGraphActivityLogs

Keywords

GraphAPI,SuspiciousUserId,SearchWindow,MicrosoftGraphActivityLogs,TimeGenerated,UserId,IdentityInfo,AccountObjectId,AccountDisplayName,AccountUPN,RequestMethod,RequestUri

Operators

where, |, ==, lookup, kind=leftouter, summarize, arg_max, project, project-reorder
