This blog introduces the new GraphApiAuditEvents table in Microsoft Defender XDR’s Advanced Hunting, a cost-free alternative to the MicrosoftGraphActivityLogs previously available in Sentinel. It compares their schemas, ingestion rates, delays, retention policies, and cost implications, highlighting key differences such as missing fields and consolidated identifiers. The post also explores practical hunting techniques, including parsing and analyzing RequestUri for endpoint insights, generating resource statistics, and detecting tools like AzureHound. Finally, it offers guidance on when and how to transition from MicrosoftGraphActivityLogs to GraphApiAuditEvents to balance visibility, cost, and detection capability.