# GraphAPIAuditEvents App Enrichment ExternalData Based

## Query Information

#### Description
This query enriches the *GraphAPIAuditEvents* table with application information, using the Azure_Application_ID list maintained by [@Beercow](https://github.com/Beercow). More than 1000 AppIds can be enriched with the [externaldata operator](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuredataexplorer), resulting in the query below.

#### References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs
- https://kqlquery.com/posts/graphactivitylogs/

## Defender XDR
```KQL
// Column order must match the CSV (ApplicationName, AppId, Reference); ignoreFirstRecord skips the header row
let ApplicationInformation = externaldata (ApplicationName: string, AppId: string, Reference: string ) [h"https://raw.githubusercontent.com/Beercow/Azure-App-IDs/master/Azure_Application_IDs.csv"] with (ignoreFirstRecord=true, format="csv");
GraphAPIAuditEvents
// Your filter here
| take 1000
// leftouter keeps events whose ApplicationId is not in the list; ApplicationName is empty for those rows
| lookup kind=leftouter ApplicationInformation on $left.ApplicationId == $right.AppId
| project-reorder ApplicationId, ApplicationName
```

## Explanation

This query is designed to enhance the GraphAPIAuditEvents data by adding application information. Here's a simple breakdown of what it does:

  1. External Data Source: It uses an external CSV file containing application details, such as application names and IDs, hosted on GitHub by a user named Beercow. This file is imported into the query using the externaldata operator.

  2. Data Enrichment: The query takes up to 1000 records from the GraphAPIAuditEvents table and enriches them with application information by matching the ApplicationId from the audit events with the AppId from the external data.

  3. Output: The result is a reordered dataset that includes both the ApplicationId and the corresponding ApplicationName, providing a more informative view of the audit events.

In summary, this query enhances audit event logs by adding descriptive application names, making it easier to understand which applications are involved in the logged activities.
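As an added example (not the page's query and not part of the Azure-App-IDs project), the enrichment step re-implemented in Python on a constructed CSV and constructed events. It shows the two behaviours a practitioner should expect from the query: the header row is skipped as `ignoreFirstRecord=true` does, and the left-outer lookup keeps events whose ApplicationId is absent from the list, leaving ApplicationName empty so those AppIds can be reviewed rather than lost.

```python
import csv
import io
from collections import Counter

# Constructed stand-in for Azure_Application_IDs.csv: the same three columns as
# the externaldata() schema (ApplicationName, AppId, Reference), header row first.
APP_CSV = """ApplicationName,AppId,Reference
Example App A,11111111-1111-1111-1111-111111111111,https://example.invalid/app-a
Example App B,22222222-2222-2222-2222-222222222222,https://example.invalid/app-b
"""

# Constructed GraphAPIAuditEvents rows; only the ApplicationId column is joined on.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-08-14T10:00:00Z", "ApplicationId": "11111111-1111-1111-1111-111111111111"},
    {"Timestamp": "2025-08-14T10:01:00Z", "ApplicationId": "22222222-2222-2222-2222-222222222222"},
    {"Timestamp": "2025-08-14T10:02:00Z", "ApplicationId": "ffffffff-ffff-ffff-ffff-ffffffffffff"},
]


def load_application_information(csv_text: str) -> dict[str, dict[str, str]]:
    """Read the CSV as externaldata(...) with (ignoreFirstRecord=true, format="csv")
    would: positional columns, header row skipped, keyed by AppId for the lookup."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # ignoreFirstRecord=true
    info: dict[str, dict[str, str]] = {}
    for row in reader:
        if len(row) < 2 or not row[1].strip():
            continue  # malformed row or empty AppId: nothing to join on
        reference = row[2] if len(row) > 2 else ""
        info[row[1].strip()] = {"ApplicationName": row[0], "Reference": reference}
    return info


def enrich_events(events: list[dict], info: dict[str, dict[str, str]]) -> list[dict]:
    """lookup kind=leftouter ... on $left.ApplicationId == $right.AppId: every event
    is kept; an AppId missing from the list yields empty enrichment columns.
    Columns are ordered as project-reorder ApplicationId, ApplicationName does."""
    enriched = []
    for ev in events:
        match = info.get(ev.get("ApplicationId", ""), {})
        row = {"ApplicationId": ev.get("ApplicationId", ""),
               "ApplicationName": match.get("ApplicationName", ""),
               "Reference": match.get("Reference", "")}
        row.update({k: v for k, v in ev.items() if k not in row})
        enriched.append(row)
    return enriched


def unenriched_app_ids(enriched: list[dict]) -> Counter:
    """AppIds the list does not cover: still present after the left-outer lookup,
    so they can be reviewed instead of silently disappearing from the result."""
    return Counter(e["ApplicationId"] for e in enriched if not e["ApplicationName"])
```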

## Details

Author: Bert-Jan Pals

Released: August 14, 2025

Tables: GraphAPIAuditEvents

Keywords: GraphAPIAuditEvents, ApplicationInformation, AzureApplicationID, AppIds, ExternalDataOperator, QueryLogs

Operators: let, externaldata, with, take, lookup, on, project-reorder
