KQL Search

Query Details

HomeAI ToolsDevice Query

Graph API Audit Events Graph URIAPI Request Stats

Query

# GraphAPI URI Request Statistics

## Query Information

#### Description
Retrieving request statistics gives us the opportunity for new use cases. One can now summarize all the GraphAPI request types easily with the following query. The unique deltatokens have been removed from the data, returning a better overview of the executed requests.

#### References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs

## Sentinel
```KQL
GraphAPIAuditEvents
| extend ParsedUri = tostring(parse_url(RequestUri).Path)
| summarize TotalRequest = count() by ParsedUri
| sort by TotalRequest
```

Explanation

This query is designed to analyze and summarize the types of requests made to the Microsoft Graph API by examining the request URIs. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the GraphAPIAuditEvents table, which contains logs of API requests.

  2. URI Parsing: For each request, it extracts the path part of the RequestUri using the parse_url function and stores it in a new column called ParsedUri.

  3. Counting Requests: It counts the total number of requests for each unique ParsedUri, effectively summarizing how many times each type of request was made.

  4. Sorting: Finally, it sorts the results by the total number of requests in ascending order, so you can see which request types are the most and least frequent.

Overall, this query provides a clear overview of the different types of requests made to the Graph API, helping to identify usage patterns or potential areas of interest.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: August 14, 2025

Tables

GraphAPIAuditEvents

Keywords

GraphAPIAuditEvents

Operators

extendtostringparse_urlsummarizecountbysort by

Actions