BEC Graph queries for ASC Graph Explorer - ToddMaxey/Technical-Documentation GitHub Wiki

Below is a collection of sample Microsoft Graph API queries for retrieving Azure AD sign-in and directory audit logs. These queries demonstrate how to apply targeted filters, define custom date ranges, and refine returned data using parameters such as $select, $orderby, $top, and $count.

You will need to substitute your own values for ipAddress, createdDateTime, autonomousSystemNumber, userId, sessionId, correlationId, and so on. Note that sessionId and autonomousSystemNumber are exposed on the signIn resource by the beta endpoint; check the v1.0 signIn resource before relying on them there.

Sign-In Logs by IP Address

This example captures successful sign-ins from a specific IP address over a particular time interval. It uses a defined date range and filters by status/errorCode for successful authentication events:

/auditLogs/signIns?$filter=(ipAddress eq '192.0.2.123')
   and (createdDateTime ge 1914-07-28T00:00:00Z)
   and (createdDateTime le 1918-11-11T23:59:59Z)
   and (status/errorCode eq 0)
&$select=userId,userPrincipalName,ipAddress,createdDateTime,status
&$orderby=createdDateTime desc
&$top=50

Sign-In Logs for a Specific User

Focus on the actions of a single user identified by a unique GUID. In this scenario, the user’s ID is replaced with a de-identified value that encodes a hacking-related phrase. A defined date range limits results to a particular period:

/auditLogs/signIns?$filter=(userId eq 'defaced0-0fce-bad0-feed-cafe0000c0d3')
   and (createdDateTime ge 1939-09-01T00:00:00Z)
   and (createdDateTime le 1945-09-02T23:59:59Z)
   and (status/errorCode eq 0)
&$select=userId,userPrincipalName,ipAddress,createdDateTime,clientAppUsed
&$orderby=createdDateTime desc
&$top=50

Filtering by Autonomous System Number (ASN)

When network attributes matter, filtering by ASN can pinpoint sign-ins originating from specific network blocks. Note the filter on autonomousSystemNumber (a numeric literal, so no quotes) and a chosen date range:

/auditLogs/signIns?$filter=(autonomousSystemNumber eq 64512)
   and (createdDateTime ge 1950-06-25T00:00:00Z)
   and (createdDateTime le 1953-07-27T23:59:59Z)
   and (status/errorCode eq 0)
&$select=userId,userPrincipalName,ipAddress,createdDateTime,location
&$orderby=createdDateTime desc
&$top=50

Filtering by Session ID

To focus on a single session’s activity, filter by sessionId. A distinct GUID is used, and the date range is again defined to narrow down the timeframe:

/auditLogs/signIns?$filter=(sessionId eq 'c0ffee00-1dea-f33d-babe-facefedcab12')
   and (createdDateTime ge 1955-11-01T00:00:00Z)
   and (createdDateTime le 1975-04-30T23:59:59Z)
   and (status/errorCode eq 0)
&$select=userId,sessionId,ipAddress,createdDateTime,clientAppUsed
&$orderby=createdDateTime desc
&$top=50

Filtering by Correlation ID

Correlation IDs can stitch together related events across multiple systems. Using one as a filter can help locate sign-in logs from a particular incident:

/auditLogs/signIns?$filter=(correlationId eq 'cafe5e0d-fa11-dead-beef-00c0ffeeabcd')
   and (createdDateTime ge 1990-08-02T00:00:00Z)
   and (createdDateTime le 1991-02-28T23:59:59Z)
&$select=userId,userPrincipalName,ipAddress,createdDateTime,correlationId
&$orderby=createdDateTime desc
&$top=50

Directory Audit Logs for a Specific Initiating User

Beyond sign-ins, directory audit logs record administrative and configuration changes. This query targets entries initiated by a particular user, identified by a unique GUID:

/auditLogs/directoryAudits?$filter=initiatedBy/user/id eq 'badc0de5-1ced-fade-dec0-b0bafeedbeef'
&$select=id,activityDisplayName,category,initiatedBy,activityDateTime
&$orderby=activityDateTime desc
&$top=50

Filtering by Client Application

In cases where the authentication client matters—such as focusing on browser-based sign-ins—adjusting the filter to include clientAppUsed offers further granularity:

/auditLogs/signIns?$filter=(clientAppUsed eq 'Browser')
   and (status/errorCode eq 0)
   and (createdDateTime ge 1939-09-01T00:00:00Z)
   and (createdDateTime le 1945-09-02T23:59:59Z)
&$select=userPrincipalName,ipAddress,clientAppUsed,createdDateTime
&$orderby=createdDateTime desc
&$top=50

Filtering by Risk Level

Focusing on sign-ins with elevated risk levels can be critical when investigating suspicious activity. By filtering on riskLevelDuringSignIn, it becomes easy to isolate such events:

/auditLogs/signIns?$filter=(riskLevelDuringSignIn eq 'high')
   and (createdDateTime ge 1914-07-28T00:00:00Z)
   and (createdDateTime le 1918-11-11T23:59:59Z)
&$select=userPrincipalName,ipAddress,createdDateTime,riskLevelDuringSignIn
&$orderby=createdDateTime desc
&$top=50

These examples illustrate how to build precise, context-specific queries using Microsoft Graph to examine authentication patterns and administrative changes in Azure AD. By combining targeted filters, custom date ranges, and various OData query parameters, it becomes straightforward to retrieve only the most relevant entries for analysis. The subtle use of unique GUIDs encoding security-themed phrases and the selection of particular historical date intervals add a layer of intrigue without detracting from the practical utility of these queries.
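As an added example (not part of this wiki page), the Python below composes the same $filter shapes programmatically, quotes string literals the OData way, percent-encodes the parameters into a request URL, follows @odata.nextLink paging (since $top=50 is a page size, not a result limit), and groups returned sign-ins by user and source IP for BEC triage. The endpoint constant, the function names and the two-page sample response are assumptions constructed for the demonstration.

```python
from urllib.parse import quote, urlencode
GRAPH_SIGNINS = "https://graph.microsoft.com/beta/auditLogs/signIns"  # beta exposes sessionId/ASN

def odata_str(value):
    """Quote a string literal for an OData $filter; an embedded ' is doubled, not backslash-escaped."""
    return "'" + value.replace("'", "''") + "'"

def build_signin_filter(start, end, ip=None, user_id=None, asn=None, success_only=True):
    """Compose a $filter in the same shape as the queries above (dates are unquoted ISO 8601 UTC)."""
    clauses = []
    if ip:
        clauses.append(f"(ipAddress eq {odata_str(ip)})")
    if user_id:
        clauses.append(f"(userId eq {odata_str(user_id)})")
    if asn is not None:
        clauses.append(f"(autonomousSystemNumber eq {int(asn)})")  # numeric literal, no quotes
    clauses += [f"(createdDateTime ge {start})", f"(createdDateTime le {end})"]
    if success_only:
        clauses.append("(status/errorCode eq 0)")
    return " and ".join(clauses)

def build_signin_url(flt, select, top=50):
    """Percent-encode the OData parameters ($ -> %24, space -> %20) into a request URL."""
    params = {"$filter": flt, "$select": ",".join(select),
              "$orderby": "createdDateTime desc", "$top": str(top)}
    return GRAPH_SIGNINS + "?" + urlencode(params, quote_via=quote)

def fetch_all(url, get_json):
    """$top is a page size, not a total: follow @odata.nextLink until the server omits it."""
    rows = []
    while url:
        page = get_json(url)  # get_json performs the authenticated GET and returns decoded JSON
        rows.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return rows

def ips_per_user(rows):
    """Map each UPN to the sorted set of source IPs; several IPs in one window merits a closer look."""
    seen = {}
    for r in rows:
        seen.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    return {u: sorted(v) for u, v in seen.items()}

# Constructed two-page sample response (not real tenant data) standing in for the Graph API.
SAMPLE_PAGES = {
    "page1": {"value": [{"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.123"},
                        {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7"}],
              "@odata.nextLink": "page2"},
    "page2": {"value": [{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.9"}]}}
```

Against a real tenant, pass a get_json that sends the URL with a bearer token holding AuditLog.Read.All; with the constructed sample, fetch_all("page1", SAMPLE_PAGES.__getitem__) returns three rows across the two pages.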