Azure P2S Point To Site Connection Success Username And IP Parser
Query
//This will parse out username and local IP for Azure VPN connection success logs. Diagnostic settings must be enabled
let VPNlog = AzureDiagnostics
| where Message contains "Connection successful. Username=***"
| parse-kv Message as (Username:string,IP:string) with (pair_delimiter=' ', kv_delimiter='=')
| extend RedactedUserName = tolower(replace_string(Username,"***",""))
| project RedactedUserName,IP;
VPNlog //join on noninteractivelog where app id is Azure Public VPN, change app ID if required https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant?WT.mc_id=MVP_473477
| join (AADNonInteractiveUserSignInLogs | where AppId == "41b23e61-6c1e-4545-b367-cd054e0ed4b4" | extend newname = trim_start(@"\w{3}",UserPrincipalName)) on $left.RedactedUserName==$right.newname
| extend Country = parse_json(LocationDetails).countryOrRegion
| extend VT = iff(isnotempty(IPAddress),strcat(@"https://www.virustotal.com/gui/ip-address/",IPAddress),IPAddress)
//| where IPAddress != "" //You may want to filter our your own VPN IP as we are working with non-interactive logs
| project UserPrincipalName, IP, IPAddress, Country, VT, ResultTypeExplanation
This KQL query is designed to analyze Azure VPN connection success logs by extracting specific information and correlating it with Azure Active Directory (AAD) non-interactive user sign-in logs. Here's a simplified breakdown of what the query does:
-
Extract VPN Connection Details:
- The query starts by filtering the
AzureDiagnosticslogs to find messages that indicate a successful VPN connection, specifically those containing "Connection successful. Username=***". - It then parses these messages to extract the
UsernameandIP(local IP address) using key-value parsing.
- The query starts by filtering the
-
Redact and Normalize Username:
- The extracted
Usernameis processed to remove the placeholder "***" and convert it to lowercase, resulting inRedactedUserName.
- The extracted
-
Join with AAD Non-Interactive Logs:
- The query joins the VPN connection data with
AADNonInteractiveUserSignInLogsbased on theRedactedUserNameand a trimmed version of theUserPrincipalNamefrom the AAD logs. - It specifically looks for logs where the application ID corresponds to Azure Public VPN.
- The query joins the VPN connection data with
-
Enhance with Additional Information:
- The query extends the data with the
Countryinformation by parsing theLocationDetailsfield. - It also constructs a URL to VirusTotal for the IP address, allowing for further investigation if needed.
- The query extends the data with the
-
Output Relevant Information:
- Finally, the query projects (selects) the relevant fields:
UserPrincipalName,IP(local IP),IPAddress,Country,VT(VirusTotal URL), andResultType.
- Finally, the query projects (selects) the relevant fields:
This query is useful for security and network administrators who need to monitor and analyze successful VPN connections, correlate them with user sign-ins, and potentially investigate any suspicious IP addresses.
Details

Jay Kerai
Released: October 3, 2025
Tables
AzureDiagnosticsAADNonInteractiveUserSignInLogs
Keywords
AzureDiagnosticsUsernameIPVPNConnectionLogsUserSignInLocationDetailsCountryRegionAddress
Operators
let|wherecontainsparse-kvaswithextendtolowerreplace_stringprojectjoinon==parse_jsoniffisnotemptystrcat!=