Query Details

GraphAPIAuditEvents App Enrichment AADNonInteractiveUserSignInLogs Based

Graph API Audit Events App Enrichment AAD Non Interactive User Sign In Logs

Query

let ApplicationName = AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by ResourceIdentity
| project-rename ApplicationName = ResourceDisplayName
| distinct ApplicationName, ResourceIdentity;
GraphAPIAuditEvents
// Your filter here
| lookup kind=leftouter ApplicationName on $left.ApplicationId == $right.ResourceIdentity
| project-reorder ApplicationId, ApplicationName

About this query

GraphAPIAuditEvents App Enrichment AADNonInteractiveUserSignInLogs Based

Query Information

Description

This query enriches the GraphAPIAuditEvents with Application information from the AADNonInteractiveUserSignInLogs table to get more context in the results.

This query does have a limitation, a user must have signed in to the application to show up in the logs. An alternative KQL query is available that leverages the externaldata operator to solve this issue: GraphAPIAuditEvents App Enrichment ExternalData

References

Defender XDR

Explanation

This query is designed to enhance the data from the GraphAPIAuditEvents table by adding application information from the AADNonInteractiveUserSignInLogs table. Here's a simple breakdown of what the query does:

  1. Extract Application Information:

    • It looks at the AADNonInteractiveUserSignInLogs table for the last 30 days.
    • It identifies the most recent entry for each application (based on ResourceIdentity).
    • It renames the ResourceDisplayName to ApplicationName and keeps only distinct combinations of ApplicationName and ResourceIdentity.
  2. Enrich Audit Events:

    • It takes the GraphAPIAuditEvents data and attempts to match each event's ApplicationId with the ResourceIdentity from the previous step.
    • It uses a left outer join (lookup kind=leftouter) to add the ApplicationName to the audit events, even if there's no matching application information.
  3. Reorder Columns:

    • Finally, it rearranges the columns to place ApplicationId and ApplicationName at the beginning of the results.

Limitation: This query only works if a user has signed into the application, as it relies on sign-in logs for application information. An alternative method using the externaldata operator can be used to overcome this limitation.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: August 14, 2025

Tables

GraphAPIAuditEventsAADNonInteractiveUserSignInLogs

Keywords

GraphAPIAuditEventsApplicationAADNonInteractiveUserSignInLogsResourceIdentityApplicationIdApplicationName

Operators

letwhereagosummarizearg_maxbyproject-renamedistinctlookupkindonproject-reorder

Actions

GitHub