Forum Discussion
Missing details in Azure Activity Logs – MICROSOFT.SECURITYINSIGHTS/ENTITIES/ACTION
This seems to be a limitation in Microsoft Sentinel audit logging.
The MICROSOFT.SECURITYINSIGHTS/ENTITIES/ACTION operation is a generic control‑plane event and is not listed in the official Sentinel Operations documentation. Azure Activity Logs intentionally capture only high‑level metadata (who, when, resource, operation name) and do not include data‑plane context such as the specific entity, action performed, or query that triggered it.
If KQL was executed, you may be able to partially correlate user activity using LAQueryLogs. However, entity interactions that don’t directly run a query (for example, navigating or pivoting through entity pages) aren’t captured there either.
As a mitigation, you can monitor or alert on ENTITIES/ACTION events from unexpected users, even though full action detail isn’t available.
I’ll also be raising this gap with the Sentinel feature team, as improved entity‑level audit visibility would significantly help with investigations and compliance.
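
The alerting mitigation described in the post above, written as a KQL query (an added example, not part of the original reply). It flags ENTITIES/ACTION events from callers outside an allowlist and attaches any LAQueryLogs queries the same user ran close in time. Assumptions: the workspace ingests both AzureActivity and LAQueryLogs, `Caller` is a UPN that matches `AADEmail`, and the `expectedCallers` values and the 5-minute window are constructed placeholders.

```kql
// Added example. The allowlist entries and the time windows are placeholders to adjust.
let lookback = 1d;
let correlationWindow = 5m;
// Hypothetical allowlist of analysts expected to work with Sentinel entities.
let expectedCallers = dynamic(["analyst1@contoso.example", "analyst2@contoso.example"]);
// Control-plane events: only who, when, resource and operation name are available.
let entityActions =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ "MICROSOFT.SECURITYINSIGHTS/ENTITIES/ACTION"
    | where Caller !in~ (expectedCallers)
    | project ActionTime = TimeGenerated, Caller = tolower(Caller), CallerIpAddress,
              ActivityStatusValue, _ResourceId, CorrelationId;
// Query audit: covers only interactions that actually executed KQL.
let queries =
    LAQueryLogs
    | where TimeGenerated > ago(lookback + correlationWindow)
    | project QueryTime = TimeGenerated, Caller = tolower(AADEmail), QueryText;
entityActions
| join kind=leftouter queries on Caller
// Flag queries near the action without dropping actions that have no nearby query.
| extend InWindow = isnotnull(QueryTime)
    and QueryTime between ((ActionTime - correlationWindow) .. (ActionTime + correlationWindow))
| summarize NearbyQueries = make_set_if(QueryText, InWindow, 10)
    by ActionTime, Caller, CallerIpAddress, ActivityStatusValue, _ResourceId, CorrelationId
| order by ActionTime desc
```

An empty `NearbyQueries` set means the action had no logged query within the window, which is the case the post describes as not captured by LAQueryLogs.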