GraphAPIAuditEvents App Enrichment AADNonInteractiveUserSignInLogs Based
Graph API Audit Events App Enrichment AAD Non Interactive User Sign In Logs
Query
let ApplicationName = AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by ResourceIdentity
| project-rename ApplicationName = ResourceDisplayName
| distinct ApplicationName, ResourceIdentity;
GraphAPIAuditEvents
// Your filter here
| lookup kind=leftouter ApplicationName on $left.ApplicationId == $right.ResourceIdentity
| project-reorder ApplicationId, ApplicationNameAbout this query
GraphAPIAuditEvents App Enrichment AADNonInteractiveUserSignInLogs Based
Query Information
Description
This query enriches the GraphAPIAuditEvents with Application information from the AADNonInteractiveUserSignInLogs table to get more context in the results.
This query does have a limitation, a user must have signed in to the application to show up in the logs. An alternative KQL query is available that leverages the externaldata operator to solve this issue: GraphAPIAuditEvents App Enrichment ExternalData
References
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs
Defender XDR
Explanation
This query is designed to enhance the data from the GraphAPIAuditEvents table by adding application information from the AADNonInteractiveUserSignInLogs table. Here's a simple breakdown of what the query does:
-
Extract Application Information:
- It looks at the
AADNonInteractiveUserSignInLogstable for the last 30 days. - It identifies the most recent entry for each application (based on
ResourceIdentity). - It renames the
ResourceDisplayNametoApplicationNameand keeps only distinct combinations ofApplicationNameandResourceIdentity.
- It looks at the
-
Enrich Audit Events:
- It takes the
GraphAPIAuditEventsdata and attempts to match each event'sApplicationIdwith theResourceIdentityfrom the previous step. - It uses a left outer join (
lookup kind=leftouter) to add theApplicationNameto the audit events, even if there's no matching application information.
- It takes the
-
Reorder Columns:
- Finally, it rearranges the columns to place
ApplicationIdandApplicationNameat the beginning of the results.
- Finally, it rearranges the columns to place
Limitation: This query only works if a user has signed into the application, as it relies on sign-in logs for application information. An alternative method using the externaldata operator can be used to overcome this limitation.
Details

Bert-Jan Pals
Released: August 14, 2025
Tables
Keywords
Operators