Query Details

Graph API Audit Events User Enrichment

Query

# GraphAPIAuditEvents User Enrichment

## Query Information

#### Description
This query enriches the *MicrosoftGraphActivityLogs* with user information from the *IdentityInfo* table to give the results more context about who issued each Graph API request.

#### References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityinfo-table?view=o365-worldwide
- https://kqlquery.com/posts/graphactivitylogs/

## Defender XDR
```KQL
GraphAPIAuditEvents
| where EntityType == "user"
| lookup kind=leftouter (IdentityInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountObjectId, AccountDisplayName, AccountUpn)
    on $left.AccountObjectId == $right.AccountObjectId
| project-reorder AccountDisplayName, AccountUpn, RequestMethod, RequestUri
```

Explanation

This query is designed to enhance the data from the MicrosoftGraphActivityLogs by adding user information from the IdentityInfo table. Here's a simple breakdown of what the query does:

  1. Filter Events: It starts by selecting events from the GraphAPIAuditEvents where the entity type is "user". This means it focuses only on activities related to user accounts.

  2. Enrich with User Information: The query then performs a left outer lookup against the IdentityInfo table, which contains detailed user information. The match is made on AccountObjectId, the unique identifier of the user account. Because the lookup is left outer, every Graph API event is kept even when no IdentityInfo record matches; in that case the enrichment columns are simply empty.

  3. Time Constraint: It only considers IdentityInfo records from the last 30 days, so that the user details are recent. Note that this window applies to the identity data, not to the Graph API events themselves.

  4. Select Latest Information: For each user, it picks the most recent record (using arg_max) to get the latest user details.

  5. Select Relevant User Details: It extracts specific user details such as AccountDisplayName and AccountUpn (User Principal Name).

  6. Reorder Columns: Finally, it moves the user's display name, UPN, request method, and request URI to the front of the output, in that order, so the most useful columns are visible first.

Overall, this query helps provide more context to the activity logs by adding user-friendly information, making it easier to understand who performed certain actions.
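The same enrichment pattern carried over to the Microsoft Sentinel table named in the description, as an added example that is not part of the original query page. It assumes the Sentinel column names `MicrosoftGraphActivityLogs.UserId` (object id of the calling user) and `IdentityInfo.AccountUPN` / `IdentityInfo.Department` (Sentinel's IdentityInfo uses `AccountUPN`, not the `AccountUpn` casing of the Defender XDR table), and it additionally flags events whose user was not found in IdentityInfo so the left outer lookup does not hide them.

```kql
// Added example (not from the original page): Sentinel-side variant of the
// GraphAPIAuditEvents / IdentityInfo enrichment, using MicrosoftGraphActivityLogs.
// Assumed columns: MicrosoftGraphActivityLogs.UserId, IdentityInfo.AccountUPN,
// IdentityInfo.Department.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(7d)
// App-only (client credential) calls carry no UserId; keep delegated user calls only
| where isnotempty(UserId)
| lookup kind=leftouter (
    IdentityInfo
    | where TimeGenerated > ago(30d)
    // One row per account: the most recent IdentityInfo snapshot
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountObjectId, AccountDisplayName, AccountUPN, Department
  ) on $left.UserId == $right.AccountObjectId
// leftouter keeps unmatched events with empty enrichment columns; make that explicit
| extend IdentityMatched = isnotempty(AccountUPN)
| summarize Requests = count(),
            DistinctUris = dcount(RequestUri),
            Methods = make_set(RequestMethod),
            SampleUri = take_any(RequestUri)
    by UserId, AccountDisplayName, AccountUPN, Department, IdentityMatched
// Unmatched identities first (e.g. accounts deleted within the window), then busiest users
| order by IdentityMatched asc, Requests desc
```

Rows with `IdentityMatched == false` are worth a second look, since an object id that no longer resolves in IdentityInfo often points at a recently deleted or otherwise unsynchronised account.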

Details


Bert-Jan Pals

Released: August 14, 2025

Tables

GraphAPIAuditEvents, IdentityInfo
