@Dean_Gross
Hey Dean, looking at the query under the hood it looks a like this
let data = AuditLogs
| where "{Result:lable}" == "All" or Result in ({Result})
| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != "", tostring(InitiatedBy.user.userPrincipalName), "unknown")
So when a UserPrincipalName is found in the 'InitiatedBy' column you will see it, when it isn't there it comes back as unknown. If you go an look at the AuditLogs table manually for 'Add service principal' and 'Update service principal' activities, for the ones coming back as unknown I would guess that they are being created or updated by other means other than your users actually doing it manually. For instance if you add a managed identity to a virtual machine or a logic app, it will create a service principal for you, but you won't have a UserPrincipalName in the InitiatedBy field. Or if you use something like Terraform to create service principals you will have the same issue.