GraphAPIAuditEvents App Enrichment ExternalData Based
Graph API Audit Events App Enrichment External Data
Query
let ApplicationInformation = externaldata (ApplicationName: string, AppId: string, Reference: string ) [h"https://raw.githubusercontent.com/Beercow/Azure-App-IDs/master/Azure_Application_IDs.csv"] with (ignoreFirstRecord=true, format="csv");
GraphAPIAuditEvents
// Your filter here
| take 1000
| lookup kind=leftouter ApplicationInformation on $left.ApplicationId == $right.AppId
| project-reorder ApplicationId, ApplicationNameAbout this query
GraphAPIAuditEvents App Enrichment ExternalData Based
Query Information
Description
This query enriches the GraphAPIAuditEvents with Application information Using the Azure_Application_ID list developed by @Beercow 1000+ AppIds can be enriched with the externaldata operator resulting in the query below.
References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs
- https://kqlquery.com/posts/graphactivitylogs/
Defender XDR
Explanation
This query is designed to enhance the GraphAPIAuditEvents data by adding application information. Here's a simple breakdown of what it does:
-
External Data Source: It uses an external CSV file containing application details, such as application names and IDs, hosted on GitHub by a user named Beercow. This file is imported into the query using the
externaldataoperator. -
Data Enrichment: The query takes up to 1000 records from the GraphAPIAuditEvents table and enriches them with application information by matching the
ApplicationIdfrom the audit events with theAppIdfrom the external data. -
Output: The result is a reordered dataset that includes both the
ApplicationIdand the correspondingApplicationName, providing a more informative view of the audit events.
In summary, this query enhances audit event logs by adding descriptive application names, making it easier to understand which applications are involved in the logged activities.
Details

Bert-Jan Pals
Released: August 14, 2025
Tables
Keywords
Operators