List all GraphAPI requests of a suspicious user
Graph API Suspicious User Requests
Query
let SuspiciousUserId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx";
let SearchWindow = 48h; //Customizable h = hours, d = days
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(SearchWindow)
| where UserId == SuspiciousUserId
| lookup kind=leftouter (IdentityInfo
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| project AccountObjectId, AccountDisplayName, AccountUPN)
on $left.UserId == $right.AccountObjectId
| project-reorder AccountDisplayName, AccountUPN, RequestMethod, RequestUriAbout this query
List all GraphAPI requests of a suspicious user
Sentinel
Explanation
This query is designed to identify and list all Microsoft Graph API requests made by a specific user, considered suspicious, within a specified time frame. Here's a simplified breakdown of what the query does:
-
Define Variables:
SuspiciousUserId: This is the unique identifier (UserId) of the suspicious user whose activity you want to investigate.SearchWindow: This sets the time frame for the search, which is 48 hours by default but can be adjusted.
-
Filter Activity Logs:
- The query searches the
MicrosoftGraphActivityLogsfor any activity generated within the last 48 hours (SearchWindow) by the specifiedSuspiciousUserId.
- The query searches the
-
Join with Identity Information:
- It performs a left outer join with the
IdentityInfotable to enrich the data with additional user information. This includes the user's display name and user principal name (UPN). - The join is based on matching the
UserIdfrom the activity logs with theAccountObjectIdfrom the identity information.
- It performs a left outer join with the
-
Select and Order Columns:
- Finally, the query selects and reorders the columns to display the user's display name, UPN, the HTTP method used in the request, and the URI of the request.
In summary, this query helps you monitor and review the Graph API requests made by a specific user, providing context by including user identity details.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
MicrosoftGraphActivityLogsIdentityInfo
Keywords
MicrosoftGraphActivityLogsIdentityInfoAccountObjectIdAccountDisplayNameAccountUPNRequestMethodRequestUri
Operators
letwhereagolookupsummarizearg_maxprojectproject-reorder