he requests that are executed by the Graph API are standardized, thus we can use the RequestUri to get statistics on which Resource is requested. The {resource} parameter is used for the resource in Microsoft Graph that you're referencing.
{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters}
Source: Use the Microsoft Graph API
The table below shows some examples of users, security and identity resources and the RequestUriPath associated with those requests.
| RequestUriPath | Resource |
|---|---|
| /beta/users/microsoft.graph.delta() | users |
| /v1.0/security/alerts_v2 | security |
| /v1.0/identity/conditionalAccess/policies | identity |
This line splits the GraphAPIPath at each /, resulting in an array of elements. For the request /v1.0/security/alerts_v2 this array is ["","v1.0","security","alerts_v2"]. The [2] in the query selects the third element (count starts at 0) and the column GraphAPIResource is filled with this value. This now enables us to filter on particular resource types that are queried.
- https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#what-data-is-available-in-the-microsoft-graph-activity-logs
- https://kqlquery.com/posts/graphactivitylogs/
MicrosoftGraphActivityLogs
| extend ParsedUri = tostring(parse_url(RequestUri).Path)
// Normalize Data
| extend GraphAPIPath = tolower(replace_string(ParsedUri, "//", "/"))
// Extract
| extend GraphAPIResource = tostring(split(GraphAPIPath, "/")[2])
| summarize TotalRequest = count() by GraphAPIResource
| sort by TotalRequest