Graph API Audit Events IP Enrichment
Query
GraphAPIAuditEvents
| extend GeoIPInfo = geo_info_from_ip_address(IpAddress)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder IpAddress, country, state, RequestUriAbout this query
GraphAPIAuditEvents IP Enrichment
Query Information
Description
The IP information can be enriched using the geo_info_from_ip_address() function, which returns the country, state, city, latitude and longitude of each IPv4 and IPv6 address.
References
Defender XDR
Explanation
This KQL (Kusto Query Language) query is designed to enhance the data from GraphAPIAuditEvents by adding geographical information based on IP addresses. Here's a simple breakdown of what the query does:
-
Data Source: It starts with
GraphAPIAuditEvents, which contains audit logs from Microsoft Graph API. -
IP Enrichment: The query uses the
geo_info_from_ip_address()function to gather geographical details for each IP address in the data. This function provides information such as the country, state, city, latitude, and longitude associated with each IP address. -
Extracting Geo Information: The query extracts specific geographical details (country, state, city, latitude, and longitude) from the enriched data and assigns them to new fields.
-
Reordering Columns: Finally, it rearranges the columns to display the IP address, country, state, and request URI in a specific order.
In summary, this query enriches audit event data with geographical information based on IP addresses, making it easier to understand the origin of the network activity.
Details

Bert-Jan Pals
Released: August 14, 2025
Tables
Keywords
Operators