# Statistics Graph API runHuntingQuery

## Query Information

#### Description

This query lists the statistics for the objects that used the *runHuntingQuery* API call using the Graph API. This can help determine which applications access your security data and identify new applications that connect to this Graph API endpoint.

#### References

- https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http

## Defender XDR

```KQL
MicrosoftGraphActivityLogs
| where RequestUri has "runHuntingQuery"
| extend ObjectId = coalesce(UserId, AppId)
| extend ObjectType = iff(isempty(AppId), "User", "Application")
| summarize TotalCalls = count() by ObjectId, ObjectType
```

## Sentinel

```KQL
MicrosoftGraphActivityLogs
| where RequestUri has "runHuntingQuery"
| extend ObjectId = coalesce(UserId, AppId)
| extend ObjectType = iff(isempty(AppId), "User", "Application")
| summarize TotalCalls = count() by ObjectId, ObjectType
```
This query is designed to analyze activity logs from the Microsoft Graph API, specifically focusing on the use of the runHuntingQuery API call. Here's a simple breakdown of what the query does:

- **Data Source:** It looks at logs from MicrosoftGraphActivityLogs, which record activities involving the Microsoft Graph API.
- **Filter:** It filters the logs to only include entries where the RequestUri contains the term runHuntingQuery. This isolates the logs related to the specific API call of interest.
- **Identify Objects:** It uses coalesce on UserId and AppId to identify the object making the call. If AppId is present, it labels the object as an "Application"; otherwise, it labels it as a "User".
- **Summarize:** It counts the total number of calls to the runHuntingQuery API call, grouped by the object identifier (ObjectId) and the type of object (ObjectType).

This query helps you understand which users or applications are accessing your security data through this specific API call, allowing you to monitor and potentially identify new or unexpected access patterns.
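The statistics query above gives totals per object, but the description also mentions spotting *new* applications that start calling this endpoint. The following KQL is an added example (not part of the original page or the author's query set) that extends the same filter and classification with a first-seen/last-seen baseline, so only objects whose first runHuntingQuery call falls inside a recent window are returned. It assumes the MicrosoftGraphActivityLogs columns TimeGenerated, ResponseStatusCode and IPAddress are present in the workspace; the `lookback` and `newWindow` values are constructed thresholds to adjust to your retention and review cadence.

```kql
// Added example: surface objects that first called runHuntingQuery recently.
// Assumes TimeGenerated, ResponseStatusCode and IPAddress exist in
// MicrosoftGraphActivityLogs; lookback/newWindow are constructed values.
let lookback = 30d;     // baseline period used to decide what is "already known"
let newWindow = 7d;     // objects first seen inside this window are reported
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where RequestUri has "runHuntingQuery"
| extend ObjectId = coalesce(UserId, AppId)
| extend ObjectType = iff(isempty(AppId), "User", "Application")
| summarize
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    TotalCalls  = count(),
    FailedCalls = countif(ResponseStatusCode >= 400),   // denied or erroring calls
    SourceIPs   = make_set(IPAddress, 10)               // up to 10 distinct caller IPs
    by ObjectId, ObjectType, AppId
| where FirstSeen > ago(newWindow)
| order by FirstSeen desc
```

Keeping AppId as a separate grouping column alongside ObjectId lets an analyst tell rows where both a UserId and an AppId were recorded apart from app-only calls, and FailedCalls next to TotalCalls makes a new object that is repeatedly refused stand out from one that is succeeding. Rows that appear here for the first time are candidates to reconcile against your inventory of approved integrations.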

Bert-Jan Pals
Released: April 7, 2025