Microsoft 365 Unified Audit Log
Microsoft 365 Unified Audit Log — Azure AD sign-ins and MFA, Exchange mailbox activity, SharePoint/OneDrive file operations, Teams meetings and messaging, DLP alerts, and admin configuration changes.
Quick Start

```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/cloud-m365-audit/generator.yml \
  --id m365-audit \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| UserLoggedIn | Successful user sign-in | ~20% | authentication |
| MailItemsAccessed | Email message accessed | ~15% | |
| FileAccessed | File opened/viewed | ~15% | file |
| Send | Email message sent | ~8% | |
| FileModified | File content changed | ~5% | file |
| UserLoginFailed | Failed user sign-in | ~5% | authentication |
| MessageSent | Teams chat/channel message | ~5% | web |
| SharingSet | File/folder shared | ~3% | file |
| FileDownloaded | File downloaded | ~3% | file |
| MeetingParticipantJoined | Joined a Teams meeting | ~3% | session |
| Add member to group | Add user to group/role | ~3% | iam |
| FileDeleted | File moved to recycle bin | ~2% | file |
| FileUploaded | File uploaded | ~2% | file |
| MailboxLogin | Mailbox sign-in | ~2% | authentication |
| Change user password | Password change | ~2% | iam |
| MemberAdded | Member added to team | ~2% | iam |
| Admin operations | Admin cmdlets and policies | ~5% | configuration |
Realism Features
- 5 workloads — Azure AD / Entra ID, Exchange Online, SharePoint / OneDrive, Microsoft Teams, and admin operations
- Shared state correlations — UserLoggedIn stores sessions; MailItemsAccessed and FileAccessed reuse same user+IP
- 8 login failure scenarios — AADSTS error codes (InvalidPassword, Locked, Disabled, MFA required, Conditional Access blocked)
- SharePoint site diversity — 8 sites with multiple document libraries and realistic folder paths
- Teams collaboration — 7 teams with 25 channels, weighted by activity
- 15 users across 7 departments + admin and service accounts
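The shared-state correlation above (accesses reuse the user and IP of an earlier UserLoggedIn) is the kind of invariant a detection engineer would test a generated stream against. The following is an added example, not code from the content pack: it runs two checks over constructed events in the ECS shape of the sample output below, flagging MailItemsAccessed/FileAccessed records with no preceding sign-in for that user+IP and counting UserLoginFailed bursts. The `source.ip` field name is an assumption; the sample output on this page does not show it.

```python
import json
from collections import defaultdict

ACCESS_ACTIONS = {"MailItemsAccessed", "FileAccessed"}

# Constructed sample events (not generator output). "source.ip" is an assumed
# ECS field; the page's sample shows only user, file and o365.audit fields.
SAMPLE_EVENTS = [
    {"@timestamp": "2026-03-04T14:20:02+00:00", "event": {"action": "UserLoggedIn", "outcome": "success"},
     "user": {"email": "sarah.jones@contoso.com"}, "source": {"ip": "203.0.113.10"}},
    {"@timestamp": "2026-03-04T14:22:31+00:00", "event": {"action": "FileAccessed", "outcome": "success"},
     "user": {"email": "sarah.jones@contoso.com"}, "source": {"ip": "203.0.113.10"}},
    {"@timestamp": "2026-03-04T14:25:07+00:00", "event": {"action": "MailItemsAccessed", "outcome": "success"},
     "user": {"email": "sarah.jones@contoso.com"}, "source": {"ip": "198.51.100.7"}},
    {"@timestamp": "2026-03-04T14:26:00+00:00", "event": {"action": "UserLoginFailed", "outcome": "failure"},
     "user": {"email": "bob.lee@contoso.com"}, "source": {"ip": "198.51.100.7"}},
    {"@timestamp": "2026-03-04T14:26:05+00:00", "event": {"action": "UserLoginFailed", "outcome": "failure"},
     "user": {"email": "bob.lee@contoso.com"}, "source": {"ip": "198.51.100.7"}},
    {"@timestamp": "2026-03-04T14:26:09+00:00", "event": {"action": "UserLoginFailed", "outcome": "failure"},
     "user": {"email": "bob.lee@contoso.com"}, "source": {"ip": "198.51.100.7"}},
]

def _key(ev):
    """Session key: the user+IP pair that UserLoggedIn is expected to establish."""
    return ev["user"]["email"], ev["source"]["ip"]

def unsessioned_access(events):
    """Return accesses whose user+IP had no earlier successful UserLoggedIn."""
    seen, orphans = set(), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        action = ev["event"]["action"]
        if action == "UserLoggedIn" and ev["event"]["outcome"] == "success":
            seen.add(_key(ev))
        elif action in ACCESS_ACTIONS and _key(ev) not in seen:
            orphans.append((ev["@timestamp"], action, *_key(ev)))
    return orphans

def failed_login_bursts(events, threshold=3):
    """Count UserLoginFailed per user+IP and return pairs at or above threshold."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event"]["action"] == "UserLoginFailed":
            counts[_key(ev)] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(json.dumps(unsessioned_access(SAMPLE_EVENTS), indent=2))
    print(failed_login_bursts(SAMPLE_EVENTS))
```

On a real generator run, an empty result from `unsessioned_access` confirms the shared-state correlation holds; a non-empty one would be exactly the anomaly a SIEM rule keyed on user+IP sessions would raise.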
Sample Output

```json
{
  "@timestamp": "2026-03-04T14:22:31+00:00",
  "event": {
    "action": "FileAccessed",
    "category": ["file"],
    "dataset": "o365.audit",
    "outcome": "success"
  },
  "user": {
    "email": "sarah.jones@contoso.com",
    "name": "sarah.jones"
  },
  "file": {
    "directory": "sites/Engineering/Shared Documents/Architecture",
    "name": "Architecture-Overview.docx"
  },
  "o365": {
    "audit": {
      "operation": "FileAccessed",
      "workload": "SharePoint",
      "record_type": "6"
    }
  }
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| agent_id | f7a1b2c3-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Elastic Agent version |
| error_rate | 5 | Error injection rate (percentage, 0-100) |
Related Generators
AWS CloudTrail Management Events
AWS CloudTrail audit trail — API calls across EC2, IAM, STS, and S3 from a multi-account organization. Includes console logins, role assumptions, error injection, and 4 identity types.
AWS GuardDuty Findings
AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.
AWS VPC Flow Logs
AWS VPC Flow Logs (v5) — network traffic records across multiple accounts, VPCs, and subnets. TCP/UDP/ICMP flows with ACCEPT/REJECT actions, NAT gateway traffic, and realistic byte/packet distributions.