Hub
Cloud

Azure Activity Log

Azure Monitor Activity Log — control plane operations across VMs, storage, networking, and RBAC. Covers all 7 log categories: Administrative, Security, Service Health, Alert, Autoscale, Policy, and Recommendation.

View on GitHub

Quick Start

uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/cloud-azure-activity/generator.yml \
  --id azure-activity \
  --live-mode true

Event Types

Event IDDescriptionFrequencyCategory
admin-writeCreate/update resources (VM, Storage, NSG)~40%configuration
admin-actionActions (start/stop/restart VM, regen keys)~25%configuration
policy-complianceAzure Policy evaluation results~12%configuration
admin-deleteDelete resources~5%configuration
security-alertMicrosoft Defender for Cloud alerts~5%threat
service-healthService incidents, maintenance, advisories~5%configuration
autoscaleAutoscale scale-up/scale-down actions~3%configuration
resource-healthResource availability status changes~3%host
alertAzure Monitor metric/log alert activations~2%configuration

Realism Features

  • All 7 activity log categories with production-accurate distribution weights
  • Error injection (~5%) — Administrative operations produce failures (403, 409, 400, 404)
  • Azure resource ID format — proper /subscriptions/{sub}/resourceGroups/{rg}/providers structure
  • Identity with claims — Azure AD identity block with JWT claims, UPN, object ID, tenant ID
  • Multi-subscription environment — 3 Azure subscriptions (production, staging, development)
  • 12 Azure AD users across 8 departments including service accounts

Sample Output

{
    "@timestamp": "2026-03-04T14:22:31+00:00",
    "cloud": {
        "account": { "id": "a1b2c3d4-...", "name": "contoso-production" },
        "provider": "azure",
        "region": "eastus"
    },
    "event": {
        "action": "Microsoft.Compute/virtualMachines/write",
        "category": ["configuration"],
        "dataset": "azure.activitylogs",
        "outcome": "success",
        "type": ["creation", "change"]
    },
    "user": {
        "name": "john.smith@contoso.com",
        "email": "john.smith@contoso.com"
    },
    "azure": {
        "activitylogs": {
            "category": "Administrative",
            "operation_name": "Microsoft.Compute/virtualMachines/write",
            "result_type": "Success"
        }
    }
}

Parameters

ParameterDefaultDescription
agent_idf1a2b3c4-...Filebeat agent UUID
agent_version8.17.0Elastic Agent version
tenant_idaaaabbbb-0000-cccc-...Azure AD tenant ID
error_rate5Error injection rate (percentage, 0-100)

Related Generators

Cloud

AWS CloudTrail Management Events

AWS CloudTrail audit trail — API calls across EC2, IAM, STS, and S3 from a multi-account organization. Includes console logins, role assumptions, error injection, and 4 identity types.

Cloud

AWS GuardDuty Findings

AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.

Cloud

AWS VPC Flow Logs

AWS VPC Flow Logs (v5) — network traffic records across multiple accounts, VPCs, and subnets. TCP/UDP/ICMP flows with ACCEPT/REJECT actions, NAT gateway traffic, and realistic byte/packet distributions.