Graph API runHuntingQuery
Run Hunting Query Execution
Query
MicrosoftGraphActivityLogs
| where RequestUri has "runHuntingQuery"
// Only list app based results
| where isnotempty(AppId)
| where ResponseStatusCode == 200
| project TimeGenerated, RequestUri, AppId, ResponseStatusCode, ResponseSizeBytesAbout this query
Graph API runHuntingQuery
Query Information
Description
This query lists successful runHuntingQuery Graph API calls from applications.
References
Defender XDR
Sentinel
MicrosoftGraphActivityLogs
| where RequestUri has "runHuntingQuery"
// Only list app based results
| where isnotempty(AppId)
| where ResponseStatusCode == 200
| project TimeGenerated, RequestUri, AppId, ResponseStatusCode, ResponseSizeBytes
Explanation
This query is designed to extract and list successful API calls made by applications to the "runHuntingQuery" endpoint of the Microsoft Graph API. Here's a simple breakdown of what the query does:
-
Data Source: It uses the
MicrosoftGraphActivityLogstable, which contains logs of activities related to Microsoft Graph API. -
Filter by Endpoint: It filters the logs to only include those where the
RequestUricontains the term "runHuntingQuery". This means it's specifically looking for calls made to the "runHuntingQuery" endpoint. -
Application-Based Results: It further filters the results to only include entries where there is an associated
AppId, indicating that the request was made by an application rather than a user. -
Successful Calls: It only includes entries where the
ResponseStatusCodeis 200, which indicates a successful API call. -
Select Specific Fields: Finally, it projects (selects) specific fields to display:
TimeGenerated(when the log entry was created),RequestUri(the URI of the request),AppId(the ID of the application that made the request),ResponseStatusCode(the status code of the response), andResponseSizeBytes(the size of the response in bytes).
This query is useful for monitoring and auditing successful "runHuntingQuery" API calls made by applications, providing insights into which applications are making these calls and when.
Details

Bert-Jan Pals
Released: April 6, 2025
Tables
Keywords
Operators