Query Details

Noise Auditlogs Operations

Query

// =====================================================================
// AuditLogs - Operation Noise Analysis
// AuditLogs captures every Entra ID/Azure AD change.
// Certain operations (token issuance, policy evaluation, app consent)
// generate massive volume with minimal detection value.
// =====================================================================

let _Window = 7d;
// Total audit events in the window; used as the denominator for PctOfTotal.
let _TotalAudit = toscalar(AuditLogs | where TimeGenerated > ago(_Window) | count);
AuditLogs
| where TimeGenerated > ago(_Window)
| summarize
    EventCount = count(),
    DistinctActors = dcount(tostring(InitiatedBy.user.userPrincipalName)),
    DistinctTargets = dcount(tostring(TargetResources[0].displayName)),
    ResultBreakdown = strcat(
        "Success:", countif(Result == "success"),
        " Failure:", countif(Result == "failure")
    )
    by OperationName, Category
| extend PctOfTotal = round(toreal(EventCount) * 100.0 / _TotalAudit, 1)
// case() evaluates branches in order; the first matching branch wins.
| extend FilterAction = case(
    OperationName has_any ("Update policy", "Update user", "Update application") and PctOfTotal > 10,
        "REVIEW: High-volume update operation - Consider filtering routine updates",
    OperationName has_any ("consent", "Add delegated permission") and PctOfTotal > 5,
        "REVIEW: Consent operations - Often noisy from app registrations",
    OperationName has_any ("Add member to group", "Remove member from group") and PctOfTotal > 10,
        "REVIEW: Group membership churn - Filter known sync service accounts",
    OperationName has_any ("Update device", "Update service principal") and PctOfTotal > 5,
        "FILTER: Device/SP updates - Usually automated, low detection value",
    Category == "Policy" and PctOfTotal > 10,
        "REVIEW: Policy operations noisy - Evaluate if conditional access eval logs needed",
    PctOfTotal > 15, "HIGH VOLUME: >15% - Investigate source",
    "OK"
)
| project
    OperationName, Category, EventCount, PctOfTotal,
    DistinctActors, DistinctTargets, ResultBreakdown, FilterAction
| order by EventCount desc
| take 30

Explanation

This query analyzes audit logs from Entra ID/Azure AD to identify high-volume operations that may be generating noise with minimal detection value. A step-by-step breakdown of what the query does:

  1. Time Frame: It looks at audit logs from the past 7 days.

  2. Total Events: It calculates the total number of audit log events in this period, which becomes the denominator for the percentage calculation.

  3. Summarization: For each operation name and category, it summarizes:

    • The total number of events (EventCount).
    • The number of distinct users who initiated these operations (DistinctActors).
    • The number of distinct target resources affected (DistinctTargets).
    • A breakdown of results into successes and failures (ResultBreakdown).

  4. Percentage Calculation: It calculates what percentage of the total audit logs each operation represents (PctOfTotal).

  5. Filtering Recommendations: Based on the operation name, category and percentage of total events, it suggests an action. The conditions are evaluated in order and the first match wins:

    • Review: For high-volume operations that might need filtering due to routine updates, consent operations, group membership churn or policy operations.
    • Filter: For operations like device or service principal updates that are usually automated and have low detection value.
    • High Volume Alert: If any operation not caught by the rules above constitutes more than 15% of total events, it suggests investigating the source.
    • OK: If none of the above conditions are met.

  6. Output: It displays the top 30 operations by event count, showing their name, category, event count, percentage of total, distinct actors and targets, result breakdown, and suggested action.

  7. Ordering: The results are ordered by the number of events in descending order to highlight the most frequent operations.

Details

David Alonso

Released: April 8, 2026

Tables

AuditLogs

Keywords

AuditLogs, Entra ID, Azure AD, Token, Policy, Application, Consent, Group, Device, Service Principal, User

Operators

let, toscalar, ago, count, where, summarize, countif, dcount, tostring, strcat, extend, round, toreal, case, has_any, project, order by, take