# GraphAPI Resource Request Statistics
## Query Information
#### Description
The requests executed by the Graph API are standardized, so we can use the RequestUri to get statistics on which resource is requested. The *{resource}* parameter is the resource in Microsoft Graph that you're referencing.
```
{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters}
```
Source: [Use the Microsoft Graph API](https://learn.microsoft.com/en-us/graph/use-the-api)
The table below shows some examples of users, security and identity resources and the RequestUriPath associated with those requests.
| RequestUriPath | Resource |
| ------------- | ------------- |
| */beta/users/microsoft.graph.delta()* | users |
| */v1.0/security/alerts_v2* | security |
| */v1.0/identity/conditionalAccess/policies* | identity |
The extract step of the query splits the *GraphAPIPath* at each */*, resulting in an array of elements. For the request */v1.0/security/alerts_v2* this array is ["","v1.0","security","alerts_v2"]. The [2] in the query selects the third element (the count starts at 0), and the column *GraphAPIResource* is filled with this value. This enables us to filter on the particular resource types that are queried.
#### References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://kqlquery.com/posts/graphactivitylogs/
## Defender XDR
```KQL
GraphAPIAuditEvents
| extend ParsedUri = tostring(parse_url(RequestUri).Path)
// Normalize Data
| extend GraphAPIPath = tolower(replace_string(ParsedUri, "//", "/"))
// Extract
| extend GraphAPIResource = tostring(split(GraphAPIPath, "/")[2])
| summarize TotalRequest = count() by GraphAPIResource
| sort by TotalRequest
```
This query is designed to analyze and summarize the usage of different resources accessed through the Microsoft Graph API by examining the request URLs. Here's a simple breakdown of what the query does:
- **Data Source:** It starts by looking at the GraphAPIAuditEvents table, which contains logs of requests made to the Microsoft Graph API.
- **Parse the URL:** It extracts the path part of the RequestUri using the parse_url function and stores it in a new column called ParsedUri.
- **Normalize the Path:** It converts the ParsedUri to lowercase and ensures there are no double slashes, storing the result in GraphAPIPath.
- **Extract Resource Type:** It splits the GraphAPIPath by the "/" character and selects the third element (index 2) to identify the specific resource being accessed (e.g., "users", "security", "identity"). This is stored in a new column called GraphAPIResource.
- **Count Requests:** It counts how many times each resource type is requested, summarizing this information in a column called TotalRequest.
- **Sort Results:** Finally, it sorts the results by the total number of requests for each resource type, allowing you to see which resources are accessed most frequently.
In summary, this query helps you understand which resources in the Microsoft Graph API are being accessed most often by analyzing the request logs.
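The same parsing steps run against a few constructed URIs, as an added example that is not part of the original query. It goes slightly beyond the query above by also extracting the API version (index 1) and labelling requests whose path has no resource segment; the `datatable` rows are made-up sample data, and the `SampleEvents`, `Segments` and `GraphAPIVersion` names and the `(none)` label are assumptions introduced for illustration.

```kql
// Constructed sample rows (not real log data) standing in for GraphAPIAuditEvents.
// They cover query parameters, a double slash, mixed case and a path without a resource.
let SampleEvents = datatable(RequestUri: string)
[
    "https://graph.microsoft.com/beta/users/microsoft.graph.delta()?$select=displayName",
    "https://graph.microsoft.com/v1.0/security/alerts_v2",
    "https://graph.microsoft.com/v1.0//Security/alerts_v2?$top=10",
    "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies",
    "https://graph.microsoft.com/V1.0/Users",
    "https://graph.microsoft.com/v1.0"
];
SampleEvents
// parse_url() separates the path from the query parameters
| extend ParsedUri = tostring(parse_url(RequestUri).Path)
// Normalize: collapse double slashes and lowercase so "Security" and "security" group together
| extend GraphAPIPath = tolower(replace_string(ParsedUri, "//", "/"))
// Split once and reuse the array: index 0 is empty, index 1 the version, index 2 the resource
| extend Segments = split(GraphAPIPath, "/")
| extend GraphAPIVersion = tostring(Segments[1]),
         GraphAPIResource = tostring(Segments[2])
// A path such as "/v1.0" has no index 2; label it instead of leaving an empty group key
| extend GraphAPIResource = iff(isempty(GraphAPIResource), "(none)", GraphAPIResource)
| summarize TotalRequest = count() by GraphAPIResource, GraphAPIVersion
| sort by TotalRequest desc
```

To use this against live data, replace `SampleEvents` with `GraphAPIAuditEvents` and drop the `let` statement.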

Bert-Jan Pals
Released: August 14, 2025