Forum Discussion
Missing details in Azure Activity Logs – MICROSOFT.SECURITYINSIGHTS/ENTITIES/ACTION
The Azure Activity Logs are crucial for tracking access and actions within Sentinel. However, I’m encountering a significant lack of documentation and clarity regarding some specific operation types.
Resources consulted:
- https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data
- https://learn.microsoft.com/en-us/rest/api/securityinsights/entities?view=rest-securityinsights-2024-01-01-preview
- https://learn.microsoft.com/en-us/rest/api/securityinsights/operations/list?view=rest-securityinsights-2024-09-01&tabs=HTTP
My issue:
I observed unauthorized activity on our Sentinel workspace. The Azure Activity Logs clearly indicate the user involved, the resource, and the operation type:
"MICROSOFT.SECURITYINSIGHTS/ENTITIES/ACTION"
But that’s it.
No detail about what the action was, what entity it targeted, or how it was triggered. This makes auditing extremely difficult.
It's clear the person was in Sentinel and performed an activity through it, from search, KQL, logs to find an entity from a KQL query. But that's all...
Strangely, this operation is not even listed in the official Sentinel Operations documentation linked above.
My question:
Has anyone encountered this and found a way to interpret this operation type properly?
Any insight into how to retrieve more meaningful details (action context, target entity, etc.) from these events would be greatly appreciated.
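An added query for this situation (not from the original post, and not Microsoft's own guidance): it pulls the raw `Properties` and `Claims` JSON that the Activity Log row carries for this operation, then lines each row up with whatever else the same caller did in Azure shortly before and after. Those neighbouring operations (saved searches, incident updates, workbook loads) are usually what reveal the missing context. The column names are the standard AzureActivity table schema; the 14-day lookback and the 5-minute correlation window are choices made here, not values from the post.

```kusto
// Added example, not part of the original thread.
// Assumes the standard AzureActivity table in the Sentinel workspace.
let lookback = 14d;                      // assumed search window
let windowSeconds = 300;                 // assumed correlation window (5 minutes)
let op = "MICROSOFT.SECURITYINSIGHTS/ENTITIES/ACTION";
// Every row for the undocumented operation, keeping the JSON fields intact
// so whatever detail the platform did record can be inspected directly.
let entityActions =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ op
    | project ActionTime = TimeGenerated, Caller, CallerIpAddress, CorrelationId,
              ActionStatus = ActivityStatusValue, ActionResource = _ResourceId,
              Props = parse_json(Properties),      // raw request/response properties
              ClaimsJson = parse_json(Claims);     // token claims of the caller
// Everything else the same caller did in Azure within the window around each
// entity action; these rows supply the context the ENTITIES/ACTION row lacks.
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue !~ op
| project NeighbourTime = TimeGenerated, Caller, NeighbourOp = OperationNameValue,
          NeighbourResource = _ResourceId, NeighbourStatus = ActivityStatusValue
| join kind=inner entityActions on Caller
| where abs(datetime_diff("second", NeighbourTime, ActionTime)) <= windowSeconds
| project ActionTime, Caller, CallerIpAddress, ActionResource, ActionStatus,
          CorrelationId, NeighbourTime, NeighbourOp, NeighbourResource,
          NeighbourStatus, Props, ClaimsJson
| order by ActionTime desc, NeighbourTime asc
```

If the neighbouring rows show only automated operations (or nothing at all), that supports the idea that the action is generated by the platform rather than by an interactive user; a `CorrelationId` shared with other rows is the strongest link when one exists, so it is worth grouping on it before widening the time window.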
2 Replies
- AndrewBlumhardt
Microsoft
I recommend using Microsoft Copilot or ChatGPT. Both can be very useful when researching obscure or legacy topics. I suspect these entries are because a Sentinel user interacted with an entity profile in some way. You might also try speaking with a listed user and trying to recreate the activity.
- Deleted
Thanks. Unfortunately, I’ve already completed all of these steps, but the data is still strangely missing.
I submitted a suggestion in a pull request to Microsoft about it. One interesting thing is that I can see the same activities, but I’m not able to reproduce them manually. I can see all other types of operations triggered by manual actions—just not these ones. It seems like they might be generated automatically…