Graph API Audit Events IP Enrichment

Query

# GraphAPIAuditEvents IP Enrichment

## Query Information

#### Description
The IP information can be enriched using the [geo_info_from_ip_address()](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function) function, which returns the country, state, city, latitude and longitude of each IPv4 and IPv6 address.

#### References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs

## Defender XDR
```KQL
GraphAPIAuditEvents
// geo_info_from_ip_address() returns a dynamic object with the location fields
| extend GeoIPInfo = geo_info_from_ip_address(IpAddress)
| extend country = tostring(parse_json(GeoIPInfo).country),
         state = tostring(parse_json(GeoIPInfo).state),
         city = tostring(parse_json(GeoIPInfo).city),
         latitude = tostring(parse_json(GeoIPInfo).latitude),
         longitude = tostring(parse_json(GeoIPInfo).longitude)
// project-reorder moves the listed columns to the front and keeps the rest
| project-reorder IpAddress, country, state, RequestUri
```

Explanation

This KQL (Kusto Query Language) query is designed to enhance the data from GraphAPIAuditEvents by adding geographical information based on IP addresses. Here's a simple breakdown of what the query does:

  1. Data Source: It starts with GraphAPIAuditEvents, which contains audit logs from Microsoft Graph API.

  2. IP Enrichment: The query uses the geo_info_from_ip_address() function to gather geographical details for each IP address in the data. This function provides information such as the country, state, city, latitude, and longitude associated with each IP address.

  3. Extracting Geo Information: The query extracts specific geographical details (country, state, city, latitude, and longitude) from the enriched data and assigns them to new fields.

  4. Reordering Columns: Finally, project-reorder moves the IP address, country, state, and request URI to the front of the result in that order; all other columns, including the city, latitude and longitude fields, are kept after them.

In summary, this query enriches audit event data with geographical information based on IP addresses, making it easier to understand the origin of the network activity.
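As an added example (not part of the original query or page), the following builds on the same enrichment to turn it into a hunting view: it resolves each source IP, skips private addresses (which have no geo data), marks unresolvable addresses as "Unknown", and aggregates Graph API activity per account and IP for countries outside an expected set. The expected-country list is a constructed placeholder, and the column names other than IpAddress and RequestUri (Timestamp, AccountObjectId, ResponseStatusCode) are assumed from the advanced hunting schema.

```kql
// Added example, not from the original page. Assumed columns: Timestamp,
// AccountObjectId, ResponseStatusCode. ExpectedCountries is a constructed
// placeholder; replace it with the countries normal for the tenant.
let ExpectedCountries = dynamic(["Netherlands", "Belgium"]);
GraphAPIAuditEvents
| where Timestamp > ago(7d)
| where isnotempty(IpAddress)
// ipv4_is_private() returns null for IPv6, so coalesce keeps IPv6 rows in scope
| extend IsPrivate = coalesce(ipv4_is_private(IpAddress), false)
| where not(IsPrivate)
| extend GeoIPInfo = geo_info_from_ip_address(IpAddress)
| extend Country = tostring(GeoIPInfo.country),
         City = tostring(GeoIPInfo.city),
         Latitude = toreal(GeoIPInfo.latitude),
         Longitude = toreal(GeoIPInfo.longitude)
// Addresses the geo data cannot resolve come back empty; keep them visible
| extend Country = iff(isempty(Country), "Unknown", Country)
| where not(set_has_element(ExpectedCountries, Country))
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            RequestCount = count(),
            DistinctUris = dcount(RequestUri),
            FailedRequests = countif(ResponseStatusCode >= 400),
            SampleUris = make_set(RequestUri, 5)
    by AccountObjectId, IpAddress, Country, City
| order by RequestCount desc
```

Rows with Country "Unknown" are worth keeping in the output rather than filtering away: an address the geo data cannot place is itself a signal that deserves a look, and dropping it silently would hide that from the analyst.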

Details

Bert-Jan Pals

Released: August 14, 2025

Tables

GraphAPIAuditEvents

Keywords

GraphAPIAuditEvents, IP, GeoIPInfo, Country, State, City, Latitude, Longitude, RequestUri

Operators

extend, geo_info_from_ip_address(), tostring(), parse_json(), project-reorder