# Graph API runHuntingQuery

## Query Information

#### Description

This query lists successful runHuntingQuery Graph API calls from applications.

#### References

- https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http

## Defender XDR

```KQL
MicrosoftGraphActivityLogs
| where RequestUri has "runHuntingQuery"
// Only list app based results
| where isnotempty(AppId)
| where ResponseStatusCode == 200
| project TimeGenerated, RequestUri, AppId, ResponseStatusCode, ResponseSizeBytes
```

## Sentinel

```KQL
MicrosoftGraphActivityLogs
| where RequestUri has "runHuntingQuery"
// Only list app based results
| where isnotempty(AppId)
| where ResponseStatusCode == 200
| project TimeGenerated, RequestUri, AppId, ResponseStatusCode, ResponseSizeBytes
```
This query extracts and lists successful API calls made by applications to the "runHuntingQuery" endpoint of the Microsoft Graph API. Here is a simple breakdown of what the query does:

- Data Source: It uses the MicrosoftGraphActivityLogs table, which contains logs of activity against the Microsoft Graph API.
- Filter by Endpoint: It keeps only the rows where the RequestUri contains the term "runHuntingQuery", i.e. calls made to the "runHuntingQuery" endpoint.
- Application-Based Results: It further restricts the results to entries with a non-empty AppId, indicating that the request was made by an application rather than a user.
- Successful Calls: It keeps only entries where the ResponseStatusCode is 200, which indicates a successful API call.
- Select Specific Fields: Finally, it projects (selects) the fields to display: TimeGenerated (when the log entry was created), RequestUri (the URI of the request), AppId (the ID of the application that made the request), ResponseStatusCode (the status code of the response), and ResponseSizeBytes (the size of the response in bytes).
This query is useful for monitoring and auditing successful "runHuntingQuery" API calls made by applications, providing insights into which applications are making these calls and when.
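To show what the filters above match and reject, here is the same logic run in Python over a handful of constructed MicrosoftGraphActivityLogs-style records, plus a per-application roll-up. This is an added example, not part of the original query page; the record values (AppIds, URIs, sizes) are invented for illustration.

```python
# Added example: mirrors the KQL filters of the runHuntingQuery detection over
# constructed MicrosoftGraphActivityLogs-style records (all values are made up).
from collections import defaultdict

SAMPLE_LOGS = [
    {"TimeGenerated": "2025-04-06T10:00:00Z",
     "RequestUri": "https://graph.microsoft.com/v1.0/security/runHuntingQuery",
     "AppId": "00000000-0000-0000-0000-000000000001",
     "ResponseStatusCode": 200, "ResponseSizeBytes": 5120},
    {"TimeGenerated": "2025-04-06T10:01:00Z",
     "RequestUri": "https://graph.microsoft.com/beta/security/runHuntingQuery",
     "AppId": "00000000-0000-0000-0000-000000000001",
     "ResponseStatusCode": 200, "ResponseSizeBytes": 2048},
    # No AppId (treated as a user-based call by the query) -> excluded
    {"TimeGenerated": "2025-04-06T10:02:00Z",
     "RequestUri": "https://graph.microsoft.com/v1.0/security/runHuntingQuery",
     "AppId": "", "ResponseStatusCode": 200, "ResponseSizeBytes": 900},
    # Forbidden response -> excluded (only status 200 is kept)
    {"TimeGenerated": "2025-04-06T10:03:00Z",
     "RequestUri": "https://graph.microsoft.com/v1.0/security/runHuntingQuery",
     "AppId": "00000000-0000-0000-0000-000000000002",
     "ResponseStatusCode": 403, "ResponseSizeBytes": 300},
    # Different Graph endpoint -> excluded
    {"TimeGenerated": "2025-04-06T10:04:00Z",
     "RequestUri": "https://graph.microsoft.com/v1.0/security/alerts_v2",
     "AppId": "00000000-0000-0000-0000-000000000002",
     "ResponseStatusCode": 200, "ResponseSizeBytes": 4000},
]

PROJECTED = ("TimeGenerated", "RequestUri", "AppId",
             "ResponseStatusCode", "ResponseSizeBytes")

def successful_app_hunting_queries(logs):
    """Apply the three KQL filters and project the same five columns."""
    return [
        {k: rec.get(k) for k in PROJECTED}
        for rec in logs
        # KQL 'has' is case-insensitive; a lowercase substring match approximates it
        if "runhuntingquery" in (rec.get("RequestUri") or "").lower()
        and rec.get("AppId")                      # isnotempty(AppId)
        and rec.get("ResponseStatusCode") == 200  # successful calls only
    ]

def summarize_by_app(rows):
    """Per-AppId call count and total bytes returned, a handy triage view."""
    agg = defaultdict(lambda: {"Calls": 0, "TotalBytes": 0})
    for r in rows:
        agg[r["AppId"]]["Calls"] += 1
        agg[r["AppId"]]["TotalBytes"] += r["ResponseSizeBytes"]
    return dict(agg)

if __name__ == "__main__":
    hits = successful_app_hunting_queries(SAMPLE_LOGS)
    for h in hits:
        print(h)
    print(summarize_by_app(hits))
```

Only the first two records survive the filters; the roll-up makes a single application issuing many large hunting queries stand out for review.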

Bert-Jan Pals
Released: April 6, 2025