This query enriches the MicrosoftGraphActivityLogs with Application information Using the Azure_Application_ID list developed by @Beercow 1000+ AppIds can be enriched with the externaldata operator resulting in the query below.
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs
- https://kqlquery.com/posts/graphactivitylogs/
let ApplicationInformation = externaldata (ApplicationName: string, AppId: string, Reference: string ) [h"https://raw.githubusercontent.com/Beercow/Azure-App-IDs/master/Azure_Application_IDs.csv"] with (ignoreFirstRecord=true, format="csv");
MicrosoftGraphActivityLogs
// Your filter here
| take 1000
| lookup kind=leftouter ApplicationInformation on $left.AppId == $right.AppId
| project-reorder AppId, ApplicationName