GitHub: ruialmeida-cyber/03-endpoint-authentication-behaviour-analysis
# Windows 11 Identity Telemetry Analysis Lab — Endpoint Authentication & Access Behaviour Investigation
📅 5 March 2026
✍️ Rui Almeida da Cunha
📧 rui.almeidadacunha@gmail.com
## Overview
This repository documents an identity-focused security investigation conducted on a Windows 11 endpoint to analyse how authentication, privilege assignment, and session lifecycle events are represented in system-level security audit logs.
The objective is to interpret identity behaviour as observable telemetry, establishing a structured baseline of normal authentication and access patterns before attempting anomaly detection.
This work forms part of a broader progression toward identity-centric cloud security and Microsoft Entra ID analysis.
## Investigation Scope
The analysis focuses on Windows Security Event Logs as a source of identity telemetry, specifically examining how identity activity is recorded at the endpoint level.
The primary goal is to understand how authentication and access events translate into structured security signals that can later be correlated with cloud identity systems such as Microsoft Entra ID.
## Identity Telemetry Model
The following Windows Security Event IDs were used as the core identity signal set (Microsoft's event names in parentheses):
- 4624 → Successful logon ("An account was successfully logged on"); the Logon Type field separates interactive, network, service and RDP logons
- 4625 → Failed logon ("An account failed to log on"); the Status/SubStatus fields encode the failure reason
- 4672 → Special privileges assigned to a new logon, i.e. an admin-equivalent token
- 4688 → Process creation ("A new process has been created"); this requires the Audit Process Creation policy, which is not enabled by default on Windows 11
- 4634 → Logoff ("An account was logged off"); interactive sessions additionally emit 4647 (user-initiated logoff)
Together these cover the lifecycle of a logon session from authentication to closure, with 4688 showing what the session did in between.
## Data Collection Methodology
Identity telemetry was extracted using:
- Windows Event Viewer filtering
- PowerShell-based log querying
- Time-windowed analysis approach
Observation windows:
- 24 hours → short-term behavioural snapshot
- 7 days → operational stability analysis
- 30 days → longer-term identity behaviour trends
A structured PowerShell script was used to extract event counts across each timeframe to ensure repeatability and consistency of analysis.
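The extraction described above can be reproduced with a script like the following. This is an added example written for this page, not the repository's own script: the event IDs and observation windows are the ones listed in the sections above, and it assumes an elevated PowerShell session on the local Windows 11 host, since the Security log requires administrative read access.

```powershell
# Added example (not the repository's own script): count the five identity event IDs per
# observation window and break 4624 down by Logon Type. Assumes a local Windows 11 host and
# an elevated PowerShell session (the Security log needs administrative read access).
$EventIds = 4624, 4625, 4672, 4688, 4634
$Windows  = [ordered]@{ '24h' = 1; '7d' = 7; '30d' = 30 }

function Get-IdentityEventCounts {
    param(
        [int[]]$Ids = $EventIds,
        [System.Collections.IDictionary]$Spans = $Windows
    )
    foreach ($label in $Spans.Keys) {
        $since = (Get-Date).AddDays(-$Spans[$label])
        # -ErrorAction SilentlyContinue: a quiet window otherwise raises "No events were found".
        $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = $Ids; StartTime = $since
        }
        $byId = $events | Group-Object -Property Id -AsHashTable -AsString
        foreach ($id in $Ids) {
            # 4688 stays at 0 unless "Audit Process Creation" is enabled; it is off by default.
            $n = if ($byId -and $byId.ContainsKey("$id")) { $byId["$id"].Count } else { 0 }
            [pscustomobject]@{ Window = $label; EventId = $id; Count = $n }
        }
    }
}

function Get-LogonTypeBreakdown {
    # 4624 is a mixed signal: LogonType 2 = interactive, 3 = network, 5 = service,
    # 7 = unlock, 10 = RemoteInteractive (RDP), 11 = cached credentials.
    param([int]$Days = 1)
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    }
    # The machine's own SYSTEM logons (S-1-5-18) dominate raw 4624 volume, so they are excluded
    # before grouping; the remaining rows are what a user-behaviour baseline should be built on.
    $events | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            LogonType  = $data['LogonType']
            TargetUser = $data['TargetUserName']
            TargetSid  = $data['TargetUserSid']
        }
    } |
        Where-Object { $_.TargetSid -ne 'S-1-5-18' } |
        Group-Object -Property LogonType, TargetUser |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

Get-IdentityEventCounts        | Format-Table -AutoSize
Get-LogonTypeBreakdown -Days 1 | Format-Table -AutoSize
```

Two things the count table alone does not show: a zero for 4688 means the audit policy is off, not that nothing ran, and a large 4624 total on an idle workstation is usually network and service logons by the machine account rather than a person signing in, which is why the breakdown by Logon Type and target account is worth keeping next to the raw counts.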
## Behavioural Analysis Approach
The analysis treats identity not as a static configuration concept, but as a sequence of observable system behaviours.
Authentication events are interpreted as identity validation signals, privilege assignment events as role elevation behaviour, process execution as identity-driven system interaction, and session termination events as lifecycle completion signals.
This model aligns endpoint identity telemetry with cloud identity monitoring concepts used in Azure and Microsoft Entra ID environments.
## Key Observations
Across all observation windows, authentication success events form the dominant signal class.
Authentication failure frequency remains low relative to successful authentication events.
Privileged session assignment consistently follows successful authentication activity.
Process execution events remain stable and do not exhibit burst-based anomalies.
Session lifecycle events indicate a small proportion of session termination (4634) relative to logon volume. On a managed system this is consistent with long-lived or background sessions, but the ratio of totals mixes very different session kinds: many 4624 events are network or service logons whose sessions either close almost immediately or persist for the life of the host. Confirming the observation requires matching each 4634 to its 4624 on the Logon ID rather than comparing counts.
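The two observations above, that privilege assignment follows successful logon and that comparatively few sessions close, are claims about individual sessions, so they are best checked by joining the events on the logon session ID rather than by comparing totals. The following is an added example written for this page, not the repository's own code; it assumes an elevated PowerShell session on the analysed Windows 11 host.

```powershell
# Added example (not the repository's own code): join 4624, 4672 and 4634 on the logon
# session ID so "privilege follows logon" and "few logoffs" can be checked per session.
# Assumes an elevated PowerShell session on the analysed Windows 11 host.
function ConvertTo-EventData {
    # Flatten the EventData <Data Name="..."> elements into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-LogonSessionLifecycle {
    param([int]$Days = 1)
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4672, 4634; StartTime = $since
    }

    # Pass 1: every 4624 opens a session keyed by TargetLogonId. Machine-account (S-1-5-18)
    # logons are skipped so they do not swamp the user sessions under analysis.
    $sessions = @{}
    foreach ($e in ($events | Where-Object Id -eq 4624)) {
        $d = ConvertTo-EventData $e
        if ($d['TargetUserSid'] -eq 'S-1-5-18') { continue }
        $sessions[$d['TargetLogonId']] = [pscustomobject]@{
            LogonId    = $d['TargetLogonId']
            User       = $d['TargetUserName']
            LogonType  = $d['LogonType']
            LogonTime  = $e.TimeCreated
            Privileged = $false
            LogoffTime = $null
        }
    }

    # Pass 2: 4672 carries the session in SubjectLogonId and is frequently written a few
    # milliseconds *before* its 4624, which is why this is not a single time-ordered pass.
    # 4634 carries the session in TargetLogonId (interactive logoffs also emit 4647).
    foreach ($e in ($events | Where-Object Id -ne 4624)) {
        $d = ConvertTo-EventData $e
        switch ($e.Id) {
            4672 { $s = $sessions[$d['SubjectLogonId']]; if ($s) { $s.Privileged = $true } }
            4634 { $s = $sessions[$d['TargetLogonId']];  if ($s) { $s.LogoffTime = $e.TimeCreated } }
        }
    }
    $sessions.Values
}

$life = Get-LogonSessionLifecycle -Days 1

# Baseline view: per logon type, how many sessions were privileged and how many have closed.
$life | Group-Object -Property LogonType, Privileged, { [bool]$_.LogoffTime } |
    Select-Object -Property Count, Name | Format-Table -AutoSize

# Sessions that received admin-equivalent privileges and did not log off within the window.
$life | Where-Object { $_.Privileged -and -not $_.LogoffTime } |
    Format-Table -Property LogonId, User, LogonType, LogonTime -AutoSize
```

The first table is the per-session form of the baseline: a 4672 matched to a 4624 is what "privilege follows logon" actually means, and a session with no 4634 in the window is what "persistent session" means. The second table is the list a reviewer would want to look at by hand, since a privileged RemoteInteractive (type 10) session with no logoff reads very differently from a privileged service (type 5) session that is expected to live for the uptime of the host.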
## Cloud Identity Mapping
This endpoint telemetry model can be conceptually mapped to cloud identity systems such as Microsoft Entra ID and Azure IAM services.
Windows logon events (4624, 4625) correspond to cloud sign-in activity, representing identity verification attempts. Privilege assignment events (4672) reflect an elevated access context; this is loosely analogous to role activation in Entra ID (for example through Privileged Identity Management), although 4672 records privileges the account already holds at logon rather than a just-in-time activation. Process execution (4688) aligns with identity-driven workload interaction, and session termination (4634) reflects identity session lifecycle completion, comparable to sign-in session expiry or revocation.
This mapping enables cross-domain interpretation of identity behaviour between endpoint systems and cloud identity platforms, supporting a unified understanding of authentication and access patterns across hybrid environments.
## SOC & IAM Interpretation
From an identity and access management perspective, the observed telemetry reflects stable authentication behaviour with no evidence of anomalous clustering or abnormal access patterns.
The relationship between authentication success and privilege assignment remains consistent across all time windows, indicating expected identity behaviour in a controlled system environment.
Low failure rates suggest stable credential usage. A brute-force attempt would appear as a burst of 4625 events concentrated on one TargetUserName, and a password spray as a burst spread across many accounts sharing the same failure SubStatus (0xC000006A, wrong password) from a single source; no such clustering was observable within the dataset.
## Technical Competencies Demonstrated
This investigation demonstrates applied capability in identity behaviour analysis, Windows security log interpretation, structured telemetry extraction using PowerShell, and baseline modelling of authentication and access patterns.
It also reflects the ability to map endpoint identity telemetry to cloud identity frameworks such as Microsoft Entra ID and Azure IAM systems.
## Cloud Security Relevance
This work supports foundational development in identity-centric cloud security by reinforcing understanding of how authentication and access behaviour is represented in system logs.
It provides a basis for later-stage correlation with cloud identity systems, including Microsoft Entra ID sign-in analysis and Azure security telemetry interpretation.
## Outcome
This lab establishes a structured baseline of normal identity behaviour on a Windows 11 endpoint using security event logs.
It demonstrates reproducible analysis of authentication, privilege assignment, process execution, and session lifecycle behaviour, forming a foundation for identity-focused security monitoring and cloud IAM progression.
## Portfolio Value Statement
This project demonstrates applied identity telemetry analysis capability using Windows Security Event Logs, with structured interpretation of authentication, privilege assignment, and session lifecycle behaviour.
It reflects foundational readiness for Identity and Access Management (IAM) roles by translating endpoint-level identity signals into cloud-aligned concepts used in Microsoft Entra ID and Azure identity systems.
The work shows structured thinking in identity behaviour interpretation, basic detection of abnormal access patterns, and the ability to map technical telemetry into governance-relevant IAM insights.
This aligns with entry-level IAM and cloud security roles focused on identity monitoring, authentication analysis, and access control interpretation within enterprise environments.