Statistics Graph API runHuntingQuery
Run Hunting Query Statistics
Query
MicrosoftGraphActivityLogs
| where RequestUri has "runHuntingQuery"
| extend ObjectId = coalesce(UserId, AppId)
| extend ObjectType = iff(isempty(AppId), "User", "Application")
| summarize TotalCalls = count() by ObjectId, ObjectTypeAbout this query
Statistics Graph API runHuntingQuery
Query Information
Description
This query lists the statistics for the objects that used the runHuntingQuery API call using the Graph API. This can help determine which applications access your security data and identify new applications that connect to this Graph API endpoint.
References
Defender XDR
Sentinel
MicrosoftGraphActivityLogs
| where RequestUri has "runHuntingQuery"
| extend ObjectId = coalesce(UserId, AppId)
| extend ObjectType = iff(isempty(AppId), "User", "Application")
| summarize TotalCalls = count() by ObjectId, ObjectType
Explanation
This query is designed to analyze activity logs from the Microsoft Graph API, specifically focusing on the use of the runHuntingQuery API call. Here's a simple breakdown of what the query does:
-
Data Source: It looks at logs from
MicrosoftGraphActivityLogs, which record activities involving the Microsoft Graph API. -
Filter: It filters the logs to only include entries where the
RequestUricontains the termrunHuntingQuery. This isolates the logs related to the specific API call of interest. -
Identify Objects:
- It determines whether the activity was performed by a user or an application.
- It uses
UserIdandAppIdto identify the object making the call. - If
AppIdis present, it labels the object as an "Application"; otherwise, it labels it as a "User".
-
Summarize:
- It counts the total number of times each object (user or application) has made the
runHuntingQueryAPI call. - The results are grouped by the object identifier (
ObjectId) and the type of object (ObjectType).
- It counts the total number of times each object (user or application) has made the
This query helps you understand which users or applications are accessing your security data through this specific API call, allowing you to monitor and potentially identify new or unexpected access patterns.
Details

Bert-Jan Pals
Released: April 7, 2025
Tables
Keywords
Operators