Entra ID Log Analyzer: Turning Raw Logs into Stories
If you’ve ever opened Entra ID logs in the middle of an analysis, you already know the pain. Thousands of JSON lines, timestamps in UTC, user IDs instead of names, and little to no context about what’s actually risky. It’s like trying to read a breach through static.
Why I Built It
The Entra ID Log Analyzer was built to fix that pain. It’s a browser-based analysis tool that parses, enriches, and visualizes authentication telemetry directly from Entra ID logs. There’s no SIEM dependency, no complex setup, and no custom KQL required. Just upload your JSON logs and get immediate visibility into what matters.
It’s designed for security analysts, ITDR engineers, and blue teamers who need fast, accurate insights from sign-in logs without spinning up heavy infrastructure.
How It Works
Once you feed it Entra ID sign-in logs, the tool automatically performs several layers of analysis:
- Authentication Outcome Mapping: Success and failure events are counted, normalized, and visualized as a frequency distribution.
- User-to-IP Correlation: Each event is cross-referenced with geographic and ASN metadata to identify anomalies such as impossible travel or logins from unrecognized networks.
- Application Targeting: The analyzer highlights access attempts against key resources such as the Azure Portal, Microsoft 365 apps, or PowerShell endpoints.
- Threat Distribution by Severity: A heuristic model assigns risk scores based on fields such as resultType, clientAppUsed, and device details.

Real Threat Detection in Action
In one analysis example, the tool processed six authentication events and immediately flagged a failed privileged access attempt targeting the Azure Portal by jane.smith@company.com.
This single event was marked as High Severity, standing out clearly from the noise of successful logins.
The analyzer also displays a risk score, in this case 15 out of 100. This number combines weighted factors, including failure ratios, event frequency, and behavioral anomalies. It is not a verdict but a signal that guides your next move.

Behavior Analytics and Timeline Visualization
The Behavioral Analysis tab provides a per-user breakdown, including event count, IP diversity, and device variance. This data helps analysts identify compromised accounts, session hijacking, or scripted login patterns.
The Hourly Activity Pattern visualization highlights peaks in authentication traffic. A sudden rise in failed logins outside normal activity hours can indicate a brute-force or password-spray attempt.
For example, if an account normally authenticates at 10:00 UTC but suddenly shows repeated failures at midnight, that’s a behavioral outlier worth investigating.
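The analysis layers listed under How It Works and the per-user and hourly breakdown described in this section, as an added JavaScript example that is not the project's own code. It assumes Graph-style camelCase field names for sign-in events (resultType "0" meaning success), and its privileged-app list, legacy-client list, business-hours window and weights are illustrative assumptions, not the analyzer's real scoring model.

```javascript
// Builds one constructed sign-in event (Graph-style camelCase fields assumed; resultType "0" = success).
function ev(createdDateTime, userPrincipalName, ipAddress, appDisplayName, clientAppUsed, os, resultType) {
  return { createdDateTime, userPrincipalName, ipAddress, appDisplayName, clientAppUsed,
           deviceDetail: os ? { operatingSystem: os } : {}, resultType };
}
// Six constructed events, not real telemetry; the fourth mirrors the failed Azure Portal attempt described above.
const SAMPLE_EVENTS = [
  ev("2024-05-01T10:02:11Z", "john.doe@company.com", "203.0.113.10", "Office 365 Exchange Online", "Browser", "Windows10", "0"),
  ev("2024-05-01T10:15:43Z", "john.doe@company.com", "203.0.113.10", "Microsoft Teams", "Mobile Apps and Desktop clients", "iOS", "0"),
  ev("2024-05-01T09:40:05Z", "jane.smith@company.com", "198.51.100.7", "Office 365 SharePoint Online", "Browser", "Windows10", "0"),
  ev("2024-05-02T00:12:30Z", "jane.smith@company.com", "192.0.2.55", "Azure Portal", "Browser", "Windows10", "50126"),
  ev("2024-05-01T11:05:19Z", "bob.lee@company.com", "203.0.113.22", "Office 365 Exchange Online", "Browser", "MacOs", "0"),
  ev("2024-05-01T11:30:52Z", "bob.lee@company.com", "203.0.113.22", "Office 365 Exchange Online", "Exchange ActiveSync", null, "0"),
];
// Illustrative lists and weights (assumptions for this example, not the project's values).
const PRIVILEGED_APPS = new Set(["Azure Portal", "Microsoft Azure PowerShell"]);
const LEGACY_CLIENTS = new Set(["IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"]);
const BUSINESS_HOURS_UTC = [7, 19]; // [start, end) treated as normal activity

// Per-event heuristic from resultType, target app, clientAppUsed and device details.
function scoreEvent(e) {
  const failed = e.resultType !== "0";
  let score = 0;
  if (failed) score += 5;
  if (PRIVILEGED_APPS.has(e.appDisplayName)) score += failed ? 10 : 2;
  if (LEGACY_CLIENTS.has(e.clientAppUsed)) score += 5;
  if (!e.deviceDetail || !e.deviceDetail.operatingSystem) score += 3;
  const severity = score >= 12 ? "High" : score >= 6 ? "Medium" : "Low";
  return { score, severity, failed };
}

// Whole-log pass: outcome counts, High-severity events, per-user behaviour and a 0-100 risk score.
function analyze(events) {
  const perUser = new Map(), flagged = [];
  let failures = 0, offHoursFailures = 0;
  for (const e of events) {
    const { score, severity, failed } = scoreEvent(e);
    const hour = new Date(e.createdDateTime).getUTCHours();
    if (failed) { failures++; if (hour < BUSINESS_HOURS_UTC[0] || hour >= BUSINESS_HOURS_UTC[1]) offHoursFailures++; }
    if (severity === "High") flagged.push({ user: e.userPrincipalName, app: e.appDisplayName, score });
    const u = perUser.get(e.userPrincipalName) || { events: 0, ips: new Set(), devices: new Set() };
    u.events++; u.ips.add(e.ipAddress); u.devices.add(e.deviceDetail?.operatingSystem || "unknown");
    perUser.set(e.userPrincipalName, u);
  }
  const total = events.length, failureRatio = total ? failures / total : 0;
  // Weighted signal, not a verdict: failure ratio, High-severity count, off-hours failures.
  const riskScore = Math.min(100, Math.round(60 * failureRatio + 10 * flagged.length + 5 * offHoursFailures));
  const users = Object.fromEntries([...perUser].map(([upn, u]) =>
    [upn, { events: u.events, ipDiversity: u.ips.size, deviceVariance: u.devices.size }]));
  return { total, failures, failureRatio, offHoursFailures, flagged, riskScore, users };
}
```

Running analyze(SAMPLE_EVENTS) flags only jane.smith's midnight Azure Portal failure as High, while bob.lee's legacy ActiveSync login with no device details lands at Medium.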

Lightweight, Private, and Browser-Only
All analysis is executed locally in your browser. The tool doesn’t transmit or store any sensitive data. This makes it ideal for on-the-fly investigations, internal security workshops, or validating suspicious activity before escalating to a complete incident response.
From an ITDR (Identity Threat Detection and Response) perspective, the Entra ID Log Analyzer serves as a rapid triage lens. It provides analysts with a structured way to interpret identity telemetry and quickly pivot between identity, application, and geographic context.
Integration and Advanced Use
For advanced investigations, the structured output can be exported directly into:
- Microsoft Sentinel for deeper correlation
- Microsoft Defender XDR for incident enrichment
- Jupyter notebooks for behavioral modeling or clustering
This flexibility enables the tool to serve as a bridge between raw log data and full-scale investigation workflows.
Try It Yourself
You can explore the live tool here: https://entra-id-log-analyze–eshlomo1.github.app
The open-source code is available at: https://github.com/eshlomo1/entra-id-log-analyze
It’s a lightweight identity forensics interface built for threat hunters, incident responders, and cloud security researchers who need clarity in the noise of modern authentication systems.
Closing Thoughts
Identity telemetry doesn't lie; it tells stories about users, attackers, and everything in between. The challenge is decoding those stories fast enough to make a difference.
The Entra ID Log Analyzer gives you that lens. Upload your logs, analyze them locally, and extract the truth from the noise. Because sometimes, the difference between visibility and compromise is just one log file away.