ausgovcaf-cloudsoe/kql/windows-ipsec-detect-no-ike.kql

//KQL query to detect IPsec SAs without IKE
SecurityEvent 
| where EventID == 5451
| extend ed = parse_xml(EventData).EventData.Data
| mv-apply ed on 
(
    where ed['@Name'] == 'KeyingModuleName'
    | project KeyingModuleName = ed['#text']
)
| where KeyingModuleName !startswith "IKE"
| project TimeGenerated, Computer, Activity, KeyingModuleName