# MicrosoftGraphActivityLogs User Enrichment
## Query Information
#### Description
This query enriches the *MicrosoftGraphActivityLogs* table with user information from the *IdentityInfo* table to give the results more context.
#### References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityinfo-table?view=o365-worldwide
## Sentinel
```KQL
MicrosoftGraphActivityLogs
| where isnotempty(UserId)
| lookup kind=leftouter (IdentityInfo
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| project AccountObjectId, AccountDisplayName, AccountUPN)
on $left.UserId == $right.AccountObjectId
| project-reorder AccountDisplayName, AccountUPN, RequestMethod, RequestUri
```

This query combines data from Microsoft Graph activity logs with user information from the IdentityInfo table to provide more context in the results. It looks up user details based on their unique identifiers and then displays relevant information such as user display name, user principal name, request method, and request URI.
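As an added example that is not part of the original page, the same lookup pattern extended to carry more IdentityInfo context and to summarise Graph activity per user. The columns beyond those used in the original query (Department, JobTitle, AssignedRoles on IdentityInfo; ResponseStatusCode, IPAddress, AppId on MicrosoftGraphActivityLogs) are assumed to exist in the Sentinel schemas.

```kql
// Added example, not the original query. Column names other than those in
// the original (Department, JobTitle, AssignedRoles, ResponseStatusCode,
// IPAddress, AppId) are assumed from the Sentinel table schemas.
let lookback = 7d;
let identity = IdentityInfo
    | where TimeGenerated > ago(30d)
    // IdentityInfo holds one row per snapshot of an account; keep only the
    // latest per AccountObjectId so the lookup does not multiply Graph rows
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountObjectId, AccountDisplayName, AccountUPN,
              Department, JobTitle, AssignedRoles;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(UserId)
// leftouter keeps Graph rows for UserIds that IdentityInfo has no record of
| lookup kind=leftouter identity on $left.UserId == $right.AccountObjectId
| summarize
    Requests = count(),
    FailedRequests = countif(ResponseStatusCode >= 400),
    DistinctUris = dcount(RequestUri),
    Apps = make_set(AppId, 20),
    SourceIPs = make_set(IPAddress, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserId, AccountDisplayName, AccountUPN, Department, JobTitle,
       Roles = tostring(AssignedRoles)
// flag rows where the enrichment found no matching identity
| extend UnknownIdentity = isempty(AccountUPN)
| project-reorder AccountDisplayName, AccountUPN, Department, JobTitle,
                  Requests, FailedRequests, DistinctUris, UnknownIdentity
| order by Requests desc
```

Rows with UnknownIdentity set to true are UserIds without a current IdentityInfo record (for example deleted accounts or accounts outside the synchronised scope), which is worth checking before treating the enrichment as complete.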

Bert-Jan Pals
Released: April 20, 2024