Azure Blob Storage Source

Onboarding Azure Blob Storage as a Data Transport log source in the Panther Console

Overview

Panther supports configuring Azure Blob Storage as a Data Transport to pull log data directly from your Azure container, allowing you to then write detections and perform investigations on this processed data.

Data can be sent compressed (or uncompressed). Learn more about compression specifications in Ingesting compressed data in Panther.

How to set up an Azure Blob Storage log source in Panther

To ingest logs from Azure Blob Storage, you will first verify in Azure that certain resource providers are registered for your subscription. You'll begin setting up the source in Panther, then create necessary Azure infrastructure, either using a provided Terraform template or manually in the Azure Console.

Prerequisite

To create an Azure Blob Storage log source, you must first ensure that within your Azure subscription settings, Microsoft.EventGrid and Microsoft.Storage are registered resource providers. Verify this by following these steps:

In your Azure Console, navigate to Subscriptions.
Select the subscription you will be creating your Azure resources in.
Within the subscription settings, click Resource providers.
In the Filter by name field, search for and locate Microsoft.EventGrid and Microsoft.Storage.
- For each of these providers, ensure the Status column has a value of Registered.

Step 1: Configure Azure Blob Storage in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Click the Custom Log Formats tile.
In the Azure Blob Storage tile on the slide-out panel, click Start.
On the Basic Info page, fill in the following:
- Name: Enter a descriptive name for your log source.
- Log Types: Select one or more log types to associate with this log source.
Click Setup.
On the Log Format page, select the stream type of the incoming logs:
- Auto
- Lines
- JSON
- JSON Array
Click Continue.
- The Configuration page will load.

Step 2: Create required Azure infrastructure

On the Infrastructure & Configuration page, you'll create required Azure infrastructure (either by using a Panther-provided Terraform template, or manually configuring resources in the Azure Console) and provide configuration values to Panther.

Using the Terraform template to create Azure infrastructure

After creating Azure resources using the Terraform template, Panther will ingest all logs written to any container in your created storage account. Ensure that the created Azure application has permission to read from each container.

Click Terraform Template to download the Terraform template.
If you do not already have the Azure CLI installed, install it by following Azure's How to install the Azure CLI documentation.
In a terminal, run az login.
Move the Terraform template to a new directory, and navigate to that directory.
Edit the panther.tfvars file to customize your deployment, e.g., by changing the region the infrastructure will be created in, and providing a custom storage account name.
Run the following Terraform commands to create the Azure resources:
1. terraform init
2. terraform apply -var-file="panther.tfvars"
After Terraform has finished creating the resources, copy the outputted values into the following fields in the Provide Azure configuration section of the Panther Console:
- Tenant ID
- Client ID
- Storage Account Name
- Storage Queue Name
- Client Secret
  - The client secret value will be redacted in your terminal. To view it, run terraform output secret, and copy the value without quotation marks.
    If you're running macOS, execute terraform output -raw secret | pbcopy to copy the value without printing it.
Select whether your Azure Blob storage is in Azure Government Cloud or Public Cloud.
Click Setup, then continue to Step 3: Verify setup in Panther.

Manually creating infrastructure in the Azure Console

Step 1: Create resource group and storage account

In your Azure Console, navigate to Subscriptions.
Select the subscription you will be creating your Azure resources in.
Click Resource groups.
2. Provide values for Name and Region.
  - Copy down or remember the value you provide for Name, as you'll need it later in this process.
3. Click Review and create.
4. Click Create.
Click the name of your newly created resource group.
Click Create.
On the Create a storage account page, in the Instance details section, enter values for Storage account name and Region.
2. Click Create.

Step 2: Add app registration and client secret

In the top search bar, search for "Microsoft Entra ID" and click on Microsoft Entra ID.
1. Enter a Name.
2. Click Register.
3. Securely copy and store the Application (client) ID value, as you'll need it later in this process.
Click on your newly registered app.
Click +New client secret.
1. Provide a Description.
2. Click Add.
3. Securely copy and store the Client Secret value, as you'll need it later in this process.

Step 3: Create queue and add permission

Navigate to your newly created storage account.
In the left-hand navigation bar, select Queues.
2. Enter a Name for the queue.
  - Copy down or remember the value you provide for Name, as you'll need it later in this process.
3. Click Ok.
Click on your newly created queue, then in the left-hand navigation bar, click Access Control (IAM).
1. Click +Add, then Add Role Assignment.
2. Search for "Storage Queue Data Message Processor" and select the matching role that populates.
3. Click on the Members tab.
4. Click +Select Members.
5. Search for the name of your registered app created in Step 2, and click Select.
6. Click Review+Assign.

Step 4: Create system topic and event subscription

In the top search bar, search for "Event Grid System Topics" and click on the matching page that populates.
1. Click +Create.
2. On the Create Event Grid System Topic page, fill in the following fields:
  - Topic Types: Select Storage Accounts (Blob & GPv2).
  - Subscription: Select the subscription you created your resource group in during Step 1.
  - Resource Group: Select the resource group you created in Step 1.
  - Resource: Select the storage account you created in Step 1.
3. Click Review+create.
4. Click Create.
Navigate back to your storage account.
In the left-hand navigation bar, click Events then +Event Subscription.
On the Create Event Subscription page, provide values for the following fields:
1. In the Event Subscription Details section, enter a Name.
2. In the Event Types section, for the Filter to Event Types field, select Blob Created.
3. In the Endpoint Details section, make the following selections:
  - Endpoint Type: Select Storage Queue.
  - Endpoint: Select the queue you created in Step 3.
4. Click Create.

Step 5: Create container and add permission

If you already have a container created, you only need to grant read permissions to the application you created in Step 2. In the instructions set below, start with Step 3.

Note that you will not need to provide information about this container to Panther, as all logs written to any container in your created storage account will be ingested.

Navigate to your newly created storage account.
In the left-hand navigation bar, select Containers.
2. Enter a Name for the container.
  - Copy down or remember the value you provide for Name, as you'll need it later in this process.
3. Click Create.
Click on your newly created container, then in the left-hand navigation bar, click Access Control (IAM).
2. Click Add Role Assignment.
4. Click on the Members tab.
5. Click +Select Members.
6. Search for the name of the registered app you created in Step 2, and click Select.
7. Click Review+Assign.

Step 6: Copy Azure configuration values back into the Panther Console

Return to the Infrastructure & Configuration page in your Panther Console.
In the Provide Azure configuration section, copy in values for the following fields:
- Tenant ID: This value can be found on your Azure Console's Microsoft Entra ID home page.
- Client ID: The application (client) ID generated in Step 2.
- Storage Account Name: The name you gave your storage account in Step 1.
- Storage Queue Name: The name you gave your queue in Step 3.
Select whether your Azure Blob storage is in Azure Government Cloud or Public Cloud.
Click Setup, then continue to Step 3: Verify setup in Panther.

Step 3: Verify setup in Panther

You will be directed to a success screen:

You can optionally enable one or more Detection Packs.
If you have not done so already, click Attach or Infer Schemas to attach one or more schemas to the source.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Viewing ingested logs

After your log source is configured, you can search ingested data using Search or Data Explorer.

PreviousPub/Sub Source NextMonitoring Log Sources

Last updated 2 months ago