KQL Query
Posts Categories whoami Projects Events KQL News
KQL Query

Hunting Through APIs - Logic App Edition

 included in KQL Sentinel Defender for Endpoint Threat Hunting Defender XDR SOC Automation
   843 words   4 minutes 

Logic Apps allow organizations to easily automate processes, in the last blog the APIs to run KQL are discussed. This blog builds upon the knowledge of the previous blog and explains how the Graph API, Azure Monitor API and Defender ATP API can also be integrated into Logic Apps.

If you do not run automation solutions via Logic Apps and Sentinel yet, I highly recommend having a look at the previous blogs and Logic Apps below to get an idea of what the possibilities are. All these examples and blogs below use KQL inside the Logic Apps to return valuable output.

Note: The previous blog discusses the required permissions and table scopes for all the APIs, it is recommended to read that blog before continuing with this blog. The Service Principals/Managed Identities in the Logic Apps need to have the same permissions to execute the queries.

Connectors

Logic Apps use so-called connectors to connect to an application or API, these are GUI wrappers around the API endpoints of the applications. For the Azure Monitor API and Defender ATP API such a wrapper is available, this makes it easier to collect data using these two APIs. The connector deals with the authentication to the API endpoints and simplifies the request, the engineer is only tasked with selecting the right resource and query to execute.

APIConnector AvailableConnector Name
Azure Monitor API    ✅  Azure Monitor Logs  
Graph API    ❌    -  
Defender ATP API  ✅  Microsoft Defender ATP  

API Overview

The image below displays the three API options:

  • Left: Azure Monitor API with the action Run query and list results
  • Middle: Defender ATP API with the action Advanced Hunting
  • Right: Graph API based on an HTTP call.

The Azure Monitor API and Defender ATP API do not require more explanation, connect the connector and use a KQL query to get results.

/images/LogicAppKQL/LogicApp.png

/images/LogicAppKQL/LogicApp2.png
Logic App Overview

Deploy Logic App: The Logic App displayed above is availble on GitHub. The Logic App can be deployed to show and compare the KQL capabilities of the Graph API, Azure Monitor API and Defender API.

Graph API

The Graph API can utilize the HTTP connector to make HTTP requests to the Graph API endpoints. In this case, you need to write the wrapper yourself, an example of this wrapper is given below (and is available on GitHub). This requires setting two variables, the ClientID and the TenantId for the application and tenant it needs to connect to.

The wrapper performs the following activities:

  1. It extracts the application secret from Azure Keyvault
  2. Connecting to the Graph API to get an access token
  3. Parse the access token
  4. Execute the graph.microsoft.com/v1.0/security/runHuntingQuery request

Get Secret

In this Logic App, the Graph API connects with a Service Principal with ThreatHunting.Read.All permissions, as described in the previous blog. The Managed Identity of the Logic App has Key Vault Secrets User permissions on the KeyVault to read the Secret.

/images/LogicAppKQL/KeyVault.png
Get Service Principal secret from KeyVault

Connect MS Graph API

Once the application secret has been retrieved a valid Graph API token needs to be requested. The result is a JSON body with the access_token and its metadata. The output of the HTTP call needs to be parsed, as described below, to return the access_token for executing the KQL query.

/images/LogicAppKQL/ConnectGraph.png
Connect MS Graph API

{
  "properties": {
    "access_token": {
      "type": "string"
 },
    "expires_in": {
      "type": "integer"
 },
    "ext_expires_in": {
      "type": "integer"
 },
    "token_type": {
      "type": "string"
 }
 },
  "type": "object"
}

Graph API runHuntingQuery

The last step is to use the parsed access_token from the last step in the Graph API call to execute a query. The query is added to the body of the request. This again returns a JSON object with the results, these can be parsed to further process the data depending on your needs.

/images/LogicAppKQL/GraphCall.png
Graph API runHuntingQuery

Best Practices

There are a couple of best practices to keep in mind while developing Logic Apps:

  • Use secure in and outputs for keys and other sensitive information.
  • Use Azure KeyVault to retrieve sensitive information, plain text credentials in logic apps can be easily extracted using the Azure Resource Graph.
  • Rename actions. All actions have default names, which should be renamed to reflect the function they perform. This helps others easily understand the Logic App’s purpose.
  • Avoid using personal accounts to authorize connectors. These accounts can be misused, and if the account is removed, the Logic App will fail.
  • Enable Application Insights for the Logic Apps (Documentation).
  • Regularly check the deployed logic apps for failures, or even better build automation to notify for failures of the Logic App. Things can break, and quickly solving it is recommended.
  • Use scopes to group related activities, this helps to keep the Logic App clean.

Happy hunting! 🏹

Related Blogs
Updated on 2025-07-15
 KQL
Back | Home