Query Details

Graph API Audit Events User Enrichment

Query

GraphAPIAuditEvents
| where EntityType == "user"
| lookup kind=leftouter (IdentityInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountObjectId, AccountDisplayName, AccountUpn)
    on $left.AccountObjectId == $right.AccountObjectId
| project-reorder AccountDisplayName, AccountUpn, RequestMethod, RequestUri

About this query

GraphAPIAuditEvents User Enrichment

Query Information

Description

This query enriches the MicrosoftGraphActivityLogs with userinformation from the IdentityInfo table to get more context in the results.

References

Defender XDR

Explanation

This query is designed to enhance the data from the MicrosoftGraphActivityLogs by adding user information from the IdentityInfo table. Here's a simple breakdown of what the query does:

  1. Filter Events: It starts by selecting events from the GraphAPIAuditEvents where the entity type is "user". This means it focuses only on activities related to user accounts.

  2. Enrich with User Information: The query then performs a left outer join with the IdentityInfo table. This table contains detailed user information. The join is based on the AccountObjectId, which is a unique identifier for user accounts.

  3. Time Constraint: It only considers user information from the last 30 days to ensure the data is recent.

  4. Select Latest Information: For each user, it picks the most recent record (using arg_max) to get the latest user details.

  5. Select Relevant User Details: It extracts specific user details such as AccountDisplayName and AccountUpn (User Principal Name).

  6. Reorder Columns: Finally, it rearranges the columns in the output to display the user's display name, UPN, request method, and request URI in a specific order.

Overall, this query helps provide more context to the activity logs by adding user-friendly information, making it easier to understand who performed certain actions.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: August 14, 2025

Tables

GraphAPIAuditEventsIdentityInfo

Keywords

GraphAPIAuditEventsMicrosoftGraphActivityLogsUserIdentityInfoAccountObjectIdAccountDisplayNameAccountUpnRequestMethodRequestUri

Operators

wherelookupkind=leftoutersummarizearg_maxbyprojectproject-reorderon==>ago*

Actions

GitHub