# Entra ID - Microsoft Entra Connect Sync Audit Events
## Query Information
### Description
Use the query below to parse the Microsoft Entra Connect Sync admin audit events from the `SecurityEvent` table.
**Note!** You must forward the Event Logs described in the article referenced below to your Log Analytics Workspace; without that, the query returns no rows.
#### References
- [Audit administrator events in Microsoft Entra Connect Sync](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/admin-audit-logging)
### Author
- **Alex Verboon**
## Sentinel
```kql
SecurityEvent
| where EventSourceName == "Entra Connect Admin Actions"
| extend xml = parse_xml(tostring(EventData))
| extend data_text = coalesce(
    tostring(xml.EventData.Data),
    tostring(xml["EventData"]["Data"]["#text"])
)
| where isnotempty(data_text)
| extend j = todynamic(data_text)
| extend
    ActionType = tostring(j.ActionType),
    AuditEventType = tostring(j.AuditEventType),
    Category = tostring(j.Category),
    Name = tostring(j.Name),
    Status = tostring(j.Status),
    EventJsonTime = tostring(j.Timestamp),
    User = tostring(j.User),
    Details = tostring(j.Details)
| project TimeGenerated, EventID, Name, ActionType, Status, User, EventJsonTime, Details
| order by TimeGenerated desc
```
This query is designed to analyze audit logs from Microsoft Entra Connect Sync, specifically focusing on administrative actions. Here's a simplified breakdown of what the query does:
- **Data Source:** It starts by looking at security events where the event source is "Entra Connect Admin Actions".
- **XML Parsing:** The query extracts and parses the XML `EventData` of each event to make it easier to work with.
- **Data Extraction:** It pulls out specific pieces of information from the parsed data, such as:
  - `ActionType`: The type of action performed.
  - `AuditEventType`: The type of audit event.
  - `Category`: The category of the event.
  - `Name`: The name associated with the event.
  - `Status`: The status of the action (e.g., success or failure).
  - `EventJsonTime`: The timestamp of the event as recorded in the JSON payload.
  - `User`: The user who performed the action.
  - `Details`: Additional details about the event.
- **Filtering:** It ensures that only events with non-empty data are considered.
- **Projection:** The query selects specific columns to display: the time the event was generated, the event ID, and the extracted fields mentioned above.
- **Ordering:** Finally, it sorts the results by the time the event was generated, showing the most recent events first.
Overall, this query helps administrators monitor and audit actions taken within Microsoft Entra Connect Sync by providing a structured view of relevant events.
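As an added example that is not part of the original page, the following wraps the parser above in a reusable KQL function and then summarises the parsed events per connect server, user and action, surfacing failed actions and (user, action) pairs first seen in the last seven days. It assumes successful actions carry the `Status` value `Success`, which the page does not state, so verify that against your own events before using it as a detection.

```kql
// Added example, not from the original page: reusable parser function plus a
// hunt over its output. Assumptions: successful actions have Status "Success"
// (verify in your data) and 30 days of SecurityEvent retention are available.
let EntraConnectAdminAudit = (lookback: timespan = 30d) {
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventSourceName == "Entra Connect Admin Actions"
    | extend xml = parse_xml(tostring(EventData))
    // parse_xml yields a plain string for <Data>text</Data> but an object with
    // "#text" for <Data Name="...">text</Data>, so both shapes are tried.
    | extend data_text = coalesce(
        tostring(xml.EventData.Data),
        tostring(xml["EventData"]["Data"]["#text"])
    )
    | where isnotempty(data_text)
    | extend j = todynamic(data_text)
    | extend
        ActionType = tostring(j.ActionType),
        Name = tostring(j.Name),
        Status = tostring(j.Status),
        User = tostring(j.User),
        Details = tostring(j.Details)
    | project TimeGenerated, Computer, EventID, Name, ActionType, Status, User, Details
};
EntraConnectAdminAudit(30d)
| summarize
    Actions = count(),
    Failures = countif(Status !~ "Success"),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleDetails = take_any(Details)
    by Computer, User, ActionType
// A (User, ActionType) pair first seen in the last 7 days is new for this
// connect server; show it alongside anything that did not succeed.
| extend NewPair = FirstSeen > ago(7d)
| where Failures > 0 or NewPair
| order by Failures desc, FirstSeen desc
```

Run it over a quiet period first to learn which `ActionType` values are routine for each server before alerting on `NewPair`.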

Alex Verboon
Released: August 29, 2025