
# GraphAPIAuditEvents App Enrichment AADNonInteractiveUserSignInLogs Based 

## Query Information

#### Description
This query enriches the *GraphAPIAuditEvents* with Application information from the *AADNonInteractiveUserSignInLogs* table to get more context in the results.

This query has a limitation: a user must have signed in to the application for it to show up in the sign-in logs. An alternative KQL query is available that leverages the externaldata operator to solve this issue: [GraphAPIAuditEvents App Enrichment ExternalData](./GraphAPIAuditEvents%20-%20AppEnrichmentExternalData.md.md)

#### References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs

## Defender XDR
```KQL
let ApplicationName = AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by ResourceIdentity
| project-rename ApplicationName = ResourceDisplayName
| distinct ApplicationName, ResourceIdentity;
GraphAPIAuditEvents
// Your filter here
| lookup kind=leftouter ApplicationName on $left.ApplicationId == $right.ResourceIdentity
| project-reorder ApplicationId, ApplicationName
```

## Explanation

This query enhances the data from the GraphAPIAuditEvents table by adding application information from the AADNonInteractiveUserSignInLogs table. Here's a simple breakdown of what the query does:

1. Extract Application Information:
   - It looks at the AADNonInteractiveUserSignInLogs table for the last 30 days.
   - It identifies the most recent entry for each application (based on ResourceIdentity).
   - It renames ResourceDisplayName to ApplicationName and keeps only distinct combinations of ApplicationName and ResourceIdentity.
2. Enrich Audit Events:
   - It takes the GraphAPIAuditEvents data and matches each event's ApplicationId against the ResourceIdentity values from the previous step.
   - It uses a left outer join (lookup kind=leftouter) to add the ApplicationName to the audit events, keeping every event even if there is no matching application information (ApplicationName is then empty).
3. Reorder Columns:
   - Finally, it rearranges the columns to place ApplicationId and ApplicationName at the beginning of the results.

Limitation: This query only works if a user has signed in to the application, as it relies on sign-in logs for application information. An alternative method using the externaldata operator can be used to overcome this limitation.
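As an added example (not part of the original query or its author's code), the following variant makes the limitation above measurable: it performs the same lookup but labels and counts the audit events whose ApplicationId had no matching non-interactive sign-in in the lookback window, so the share of unenriched results is visible instead of silently blending in. Column names are those used on this page; the `Lookback` variable and the placeholder label are assumptions.

```kql
// Added example (not part of the original query): quantify the enrichment gap.
// Any ApplicationId that never produced a non-interactive sign-in in the
// lookback window cannot be named by the lookup, so count and list those rows
// separately instead of letting them blend into the enriched results.
let Lookback = 30d;
let ApplicationNames = AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(Lookback)
| summarize arg_max(TimeGenerated, *) by ResourceIdentity
| project ResourceIdentity, ApplicationName = ResourceDisplayName;
GraphAPIAuditEvents
| where TimeGenerated > ago(Lookback)
// Your filter here
| lookup kind=leftouter ApplicationNames on $left.ApplicationId == $right.ResourceIdentity
// Empty ApplicationName means the lookup found no sign-in for this app
| extend Enriched = isnotempty(ApplicationName)
| extend ApplicationName = iff(Enriched, ApplicationName, "<no sign-in seen in lookback>")
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by ApplicationId, ApplicationName, Enriched
// Unenriched applications first so the coverage gap is visible at a glance
| order by Enriched asc, Events desc
```

Applications that appear only in the unenriched rows are the ones for which the externaldata-based alternative mentioned above would be needed.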

## Details

Bert-Jan Pals

Released: August 14, 2025

Tables: GraphAPIAuditEvents, AADNonInteractiveUserSignInLogs

Keywords: GraphAPIAuditEvents, Application, AADNonInteractiveUserSignInLogs, ResourceIdentity, ApplicationId, ApplicationName

Operators: let, where, ago, summarize, arg_max, by, project-rename, distinct, lookup, kind, on, project-reorder
