Azure Entra ID (Azure AD)
Microsoft Entra ID sign-in and audit logs — interactive and non-interactive authentication, service principal sign-ins, and directory changes. Covers MFA, Conditional Access, AADSTS errors, and role/group management.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
--path generators/cloud-azure-entra-id/generator.yml \
--id entra-id \
--live-mode true
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| signin-interactive-success | Interactive sign-ins (browser, desktop apps) | ~30% | authentication |
| signin-interactive-failure | Failed interactive sign-ins (AADSTS errors) | ~10% | authentication |
| signin-noninteractive-success | Token refresh, SSO, background auth | ~25% | authentication |
| signin-noninteractive-failure | Expired tokens, revoked sessions | ~5% | authentication |
| signin-service-principal | App/service principal authentication | ~15% | authentication |
| audit-directory-change | Directory changes (user/group/role/app mgmt) | ~15% | iam |
Realism Features
- 14 AADSTS error codes — bad password, account locked, Conditional Access block, MFA required, keep-me-signed-in (KMSI) interrupt
- 7 Conditional Access policies with enforced/reportOnly modes and grant controls
- 5 authentication methods — Password, FIDO2, Windows Hello, Authenticator push + passwordless
- Service principal sign-ins with client secrets, certificates, and federated credentials
- 21 audit operations across 6 categories (User, Group, App, Role, Policy, Device)
- 18 users across 9 departments including 2 admins and 2 service accounts
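Because the failure events carry the AADSTS code in `azure.signinlogs.result_type`, the generated stream is a convenient test bed for sign-in detections. The following is an added example (not part of this page or the eventum project): it classifies events by the documented Microsoft codes for the five failure classes listed above (the pack's own 14-code mapping is not shown here), then runs a password-spray check that flags a single source IP failing with bad-password against many distinct accounts inside a time window, and lists accounts that the same IP subsequently signed into successfully. It assumes each event carries ECS `source.ip` (a field not shown in the sample output) and that `result_type` is the code as a string; the events are constructed inline.

```python
"""Triage helpers for Entra ID sign-in events in the ECS azure.signinlogs layout.
Added example, not generator code. Assumptions: every event has source.ip
(ECS field, not in the page's sample) and result_type is the AADSTS code as a string."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Microsoft's documented codes for the five failure classes the content pack names.
# The pack's full 14-code list is not on the page, so this map is deliberately small.
AADSTS = {
    "50126": "bad password",
    "50053": "account locked",
    "53003": "blocked by Conditional Access",
    "50076": "MFA required",
    "50140": "keep-me-signed-in interrupt",
}


def parse_ts(ev):
    return datetime.fromisoformat(ev["@timestamp"])


def error_code(ev):
    return str(ev["azure"]["signinlogs"]["result_type"])


def classify(ev):
    """Human-readable outcome; result_type "0" is a success in Entra ID sign-in logs."""
    code = error_code(ev)
    if code == "0":
        return "success"
    return AADSTS.get(code, f"other ({code})")


def count_by_class(events):
    return dict(Counter(classify(ev) for ev in events))


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Flag source IPs that produced bad-password failures (50126) against at least
    min_users distinct accounts within any `window`. Returns {ip: sorted user names}."""
    by_ip = defaultdict(list)
    for ev in events:
        if error_code(ev) != "50126":
            continue
        by_ip[ev["source"]["ip"]].append((parse_ts(ev), ev["user"]["name"]))

    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        flagged, start = set(), 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged |= users
        if flagged:
            hits[ip] = sorted(flagged)
    return hits


def detect_spray_followed_by_success(events, spray_hits):
    """Accounts a flagged sprayer IP later signed into successfully: the follow-up
    that matters most, since a spray that never succeeds is noise by comparison."""
    compromised = set()
    for ev in events:
        ip = ev["source"]["ip"]
        if ip in spray_hits and error_code(ev) == "0" and ev["user"]["name"] in spray_hits[ip]:
            compromised.add(ev["user"]["name"])
    return sorted(compromised)


def make_event(ts, user, ip, result_type):
    """Constructed event in the sample-output layout (subset of fields)."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "azure.signinlogs",
                  "outcome": "success" if result_type == "0" else "failure"},
        "user": {"name": user, "domain": "contoso.com"},
        "source": {"ip": ip},  # assumed ECS field, not shown in the page's sample
        "azure": {"signinlogs": {"category": "SignInLogs", "result_type": result_type}},
    }


# Constructed sample: one IP sprays six accounts in six minutes and lands on one of them;
# the remaining events are ordinary user noise (an MFA prompt, a lockout).
SAMPLE_EVENTS = [
    make_event("2026-03-04T10:00:00+00:00", "sarah.jones", "203.0.113.7", "50126"),
    make_event("2026-03-04T10:01:10+00:00", "tom.lee", "203.0.113.7", "50126"),
    make_event("2026-03-04T10:02:20+00:00", "amy.chen", "203.0.113.7", "50126"),
    make_event("2026-03-04T10:03:30+00:00", "raj.patel", "203.0.113.7", "50126"),
    make_event("2026-03-04T10:04:40+00:00", "li.wang", "203.0.113.7", "50126"),
    make_event("2026-03-04T10:05:50+00:00", "bob.smith", "203.0.113.7", "50126"),
    make_event("2026-03-04T10:07:00+00:00", "bob.smith", "203.0.113.7", "0"),
    make_event("2026-03-04T10:03:00+00:00", "sarah.jones", "198.51.100.4", "50076"),
    make_event("2026-03-04T10:03:30+00:00", "sarah.jones", "198.51.100.4", "0"),
    make_event("2026-03-04T10:10:00+00:00", "tom.lee", "198.51.100.9", "50053"),
]

if __name__ == "__main__":
    print(count_by_class(SAMPLE_EVENTS))
    hits = detect_password_spray(SAMPLE_EVENTS)
    print("spray sources:", hits)
    print("spray followed by success:", detect_spray_followed_by_success(SAMPLE_EVENTS, hits))
```

The window threshold and `min_users` are knobs to tune against the generator's output: lowering `min_users` catches slower sprays at the cost of flagging help-desk password resets, and the MFA-required and KMSI codes are excluded on purpose because they occur mid-flow for legitimate users and would otherwise inflate the count.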
Sample Output
{
"@timestamp": "2026-03-04T10:15:22+00:00",
"cloud": {
"provider": "azure",
"account": { "id": "aaaabbbb-0000-cccc-1111-dddd2222eeee" }
},
"event": {
"action": "UserLoggedIn",
"category": ["authentication"],
"dataset": "azure.signinlogs",
"outcome": "success",
"type": ["start", "allowed"]
},
"user": {
"domain": "contoso.com",
"email": "sarah.jones@contoso.com",
"full_name": "Sarah Jones",
"name": "sarah.jones"
},
"azure": {
"signinlogs": {
"category": "SignInLogs",
"result_type": "0",
"properties": {
"app_display_name": "Microsoft Graph",
"client_app_used": "Browser",
"conditional_access_status": "success",
"is_interactive": true,
"risk_level_aggregated": "none",
"device_detail": {
"browser": "Chrome 122.0.0",
"operating_system": "Windows 10",
"trust_type": "Hybrid Azure AD joined"
},
"authentication_details": [{
"authentication_method": "Microsoft Authenticator (push notification)",
"succeeded": true
}]
}
}
}
}
Parameters
| Parameter | Default | Description |
|---|---|---|
| agent_id | e3f4a5b6-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Elastic Agent version |
| tenant_id | aaaabbbb-0000-cccc-... | Azure AD / Entra ID tenant ID |
Related Generators
AWS CloudTrail Management Events
AWS CloudTrail audit trail — API calls across EC2, IAM, STS, and S3 from a multi-account organization. Includes console logins, role assumptions, error injection, and 4 identity types.
AWS GuardDuty Findings
AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.
AWS VPC Flow Logs
AWS VPC Flow Logs (v5) — network traffic records across multiple accounts, VPCs, and subnets. TCP/UDP/ICMP flows with ACCEPT/REJECT actions, NAT gateway traffic, and realistic byte/packet distributions.