Connecting Microsoft Entra ID Audit logs to your Panther Console
Overview
Panther supports ingesting Microsoft Entra ID (previously "Azure Active Directory") Audit logs via common Data Transport options, like Azure Event Hub and Blob Storage.
How to onboard Microsoft Entra ID Audit logs to Panther
You'll first create an Azure Blob Storage or Azure Event Hub source in Panther, then configure Azure to export logs to that location.
Step 1: Create the Microsoft Entra ID source in Panther
In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Microsoft Entra ID Audit” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the Azure Event Hub option. Either leave this selection as-is, or select Azure Blob Storage.
Latency differs for these two options: If you select the Blob Storage option, Panther retrieves Entra ID files every hour. If you select Event Hub, the ingestion is near real-time.
To export Microsoft Defender XDR logs to Event Hubs or a storage account, follow the instructions below:
Sign in to your Azure dashboard.
Navigate to the Microsoft Entra ID service.
In the left-hand panel, click Audit logs.
Near the top of the page, click Export Data Settings.
\
Click Add Diagnostic Setting.
On the Diagnostic setting page, set the following values:
Diagnostic setting name: Enter a descriptive name.
Categories (under Logs): Select the following checkboxes:
AuditLogs
SignInLogs
NonInteractiveUserSignInLogs
ServicePrincipalSignInLogs
ManagedIdentitySignInLogs
Destination details: Select either Archive to a storage account or Stream to an event hub, based the type of log source you created in Panther in Step 1.
If you select Archive to a storage account, in the Storage account field, select your storage account.
If you select Stream to an event hub, in the Event hub namespace field, select your event hub.
In the upper left corner, click Save.
(Blog Storage transport only) Step 3: Assign a role to the container
This step is only applicable if you chose Azure Blob Storage in Step 1. If you used Azure Event Hub, skip this step.
Click on your newly created container, then in the left-hand navigation bar, click Access Control (IAM).
Click +Add.
Click Add Role Assignment.
Search for "Storage Blob Data Reader" and select the matching role that populates.
schema: Azure.Audit
description: Audit logs from Azure Active Directory
referenceURL: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
fields:
- name: Level
description: Severity level or type of the event (e.g., Informational, Error).
type: string
- name: callerIpAddress
description: IP address from which the event was initiated.
type: string
indicators:
- ip
- name: category
description: Category classification for the event (e.g., SignInLogs, AuditLogs).
type: string
- name: correlationId
description: Unique identifier to correlate multiple related events.
type: string
indicators:
- trace_id
- name: durationMs
description: Total time taken to complete the operation, in milliseconds.
type: bigint
- name: identity
description: Identifier for the user, application, or service principal.
type: string
- name: location
description: Geographical location or region where the event occurred.
type: string
- name: locationDetails
type: json
- name: networkLocationDetails
type: json
- name: operationName
required: true
description: Name of the operation or API call performed.
type: string
- name: operationVersion
description: Version number for the operation or API.
type: string
- name: properties
description: Nested object with additional attributes and details for the event.
type: object
fields:
- name: aadTenantId
type: string
- name: activityDateTime
description: Date and time of the activity.
type: timestamp
timeFormats:
- rfc3339
- name: activityDisplayName
description: Friendly display name for the activity.
type: string
- name: additionalDetails
description: Array of key-value pairs with extra context or metadata.
type: array
element:
type: object
fields:
- name: key
type: string
- name: value
type: string
- name: alternateSignInName
description: Alternate user sign-in name, if provided.
type: string
indicators:
- username
- name: appDisplayName
description: Display name of the application involved.
type: string
- name: appliedConditionalAccessPolicies
description: List of applied conditional access policies and their outcomes.
type: json
- name: appliedEventListeners
type: json
- name: appId
description: Application ID associated with the event.
type: string
- name: appServicePrincipalId
type: string
- name: authenticationAppDeviceDetails
type: json
- name: authenticationStrengths
type: json
- name: authenticationAppPolicyEvaluationDetails
type: json
- name: authenticationContextClassReferences
type: json
- name: authenticationDetails
type: json
- name: authenticationMethodsUsed
type: json
- name: authenticationProcessingDetails
type: json
- name: authenticationProtocol
type: string
- name: authenticationRequirement
type: string
- name: authenticationRequirementPolicies
type: json
- name: autonomousSystemNumber
type: string
- name: _billedSize
type: float
- name: category
type: string
- name: clientAppUsed
type: string
- name: clientCredentialType
type: string
- name: conditionalAccessAudiences
type: json
- name: conditionalAccessPolicies
type: json
- name: conditionalAccessStatus
type: string
- name: correlationId
type: string
- name: createdDateTime
type: timestamp
timeFormats:
- rfc3339
- name: crossTenantAccessType
type: string
- name: deviceDetail
type: json
- name: federatedCredentialId
type: string
- name: flaggedForReview
type: boolean
- name: globalSecureAccessIpAddress
type: string
- name: homeTenantId
type: string
- name: homeTenantName
type: string
- name: id
type: string
- name: incomingTokenType
type: string
- name: ipAddress
description: IP address associated with the nested resource.
type: string
indicators:
- ip
- name: ipAddressFromResourceProvider
description: IP address as recorded by the underlying resource provider.
type: string
indicators:
- ip
- name: _isBillable
type: string
- name: isDeleted
description: Whether the entity was deleted.
type: boolean
- name: initiatedBy
description: Actor (user or app) that initiated the event.
type: object
fields:
- name: app
type: object
fields:
- name: displayName
type: string
- name: servicePrincipalId
type: string
- name: appId
description: Application registration/client ID.
type: string
- name: user
description: User who performed the action.
type: object
fields:
- name: id
description: Object ID of the user.
type: string
- name: displayName
description: Name of the user as displayed in Azure AD.
type: string
indicators:
- username
- name: userPrincipalName
description: User Principal Name (UPN) of the user.
type: string
- name: ipAddress
description: IP address from which the user performed the action.
type: string
indicators:
- ip
- name: roles
type: json
- name: isProcessing
description: Whether the event is still being processed.
type: boolean
- name: loggedByService
description: Microsoft service that logged this event (e.g., AzureAD).
type: string
- name: location
description: Geographical or physical location information, represented as a JSON object.
type: json
- name: networkLocationDetails
description: Details about the network locations involved in the event.
type: json
- name: operationType
description: Type of operation performed.
type: string
- name: result
description: Result status for the operation.
type: string
- name: resultReason
description: Additional reason or code for the result of the operation.
type: string
- name: isInteractive
description: Indicates whether the sign-in was interactive.
type: boolean
- name: isRisky
type: boolean
- name: isTenantRestricted
description: Whether tenant restrictions were in effect.
type: boolean
- name: isThroughGlobalSecureAccess
description: Whether the event was routed through Global Secure Access.
type: boolean
- name: originalRequestId
description: Request ID of the original request if this was part of a chain.
type: string
- name: originalTransferMethod
description: Transfer method of the original request.
type: string
- name: privateLinkDetails
type: json
- name: processingTimeInMilliseconds
description: Time taken to process the event.
type: bigint
- name: resource
type: string
- name: resourceDisplayName
description: Display name of the resource.
type: string
- name: resourceGroup
type: string
- name: resourceId
description: Object ID of the resource accessed.
type: string
- name: resourceIdentity
type: string
- name: resourceProvider
type: string
- name: resourceOwnerTenantId
description: Tenant ID of the resource owner.
type: string
- name: resourceServicePrincipalId
description: Object ID of the service principal of the accessed resource.
type: string
- name: resourceTenantId
description: Tenant ID of the resource accessed.
type: string
- name: riskEventTypes
description: List of risk event types detected for this event.
type: json
- name: riskEventTypes_v2
description: Enhanced list of risk event types.
type: json
- name: riskLastUpdatedDateTime
description: Timestamp of the last risk update.
type: timestamp
timeFormats:
- rfc3339
- name: riskDetail
description: Details about the nature of detected risk.
type: string
- name: riskLevel
description: Final risk level after analysis.
type: string
- name: riskLevelAggregated
description: Aggregated risk level assigned to the event.
type: string
- name: riskLevelDuringSignIn
description: Risk level at the time of sign-in.
type: string
- name: riskState
description: State of risk for the user or session.
type: string
- name: rngcStatus
description: Status code for request nonce generation check.
type: string
- name: servicePrincipalId
description: Object ID of the service principal used.
type: string
- name: servicePrincipalCredentialKeyId
description: Key ID of the credential used by a service principal.
type: string
- name: servicePrincipalName
description: Name of the service principal.
type: string
- name: sessionId
description: Session identifier for the operation.
type: string
- name: sessionLifetimePolicies
description: Policies governing session lifetime for this operation.
type: json
- name: signInIdentifier
description: Primary identifier used to authenticate the user.
type: string
- name: signInIdentifierType
type: string
- name: signInTokenProtectionStatus
description: Status of token protection at sign-in.
type: string
- name: sourceSystem
type: json
- name: ssoExtensionVersion
description: Version of SSO browser extension.
type: string
- name: status
description: Status details about the sign-in attempt.
type: json
- name: targetResources
description: Array of resources that were targeted or affected by the operation.
type: array
element:
type: object
fields:
- name: displayName
description: Display name for the resource.
type: string
- name: id
description: Unique object ID of the resource.
type: string
- name: modifiedProperties
description: Properties on the resource that were modified.
type: array
element:
type: object
fields:
- name: oldValue
description: Previous value of the property.
type: string
- name: displayName
description: Name of the property modified.
type: string
- name: newValue
description: New value of the property.
type: string
- name: type
description: Resource type (e.g., User, Group, App).
type: string
- name: administrativeUnits
type: json
- name: groupType
description: Type of the group resource (if applicable).
type: string
- name: userPrincipalName
description: UPN of the user in the resource.
type: string
- name: tenantId
description: Tenant ID for the Azure AD tenant.
type: string
- name: timeGenerated
description: Date and time when this log entry was generated.
type: timestamp
timeFormats:
- rfc3339
- name: tokenIssuerName
description: Name of the authority that issued the token.
type: string
- name: tokenIssuerType
description: Type of issuer for the token.
type: string
- name: tokenProtectionStatusDetails
description: Information about token protection status.
type: json
- name: type
type: string
- name: uniqueTokenIdentifier
description: Unique identifier for the security token.
type: string
- name: userAgent
description: User agent string from the client.
type: string
- name: userDisplayName
description: Display name of the user.
type: string
indicators:
- username
- name: userId
description: Object ID of the user in Azure AD.
type: string
- name: userPrincipalName
description: UPN of the user.
type: string
indicators:
- username
- name: userType
type: string
- name: activity
description: Name or type of activity associated with the event.
type: string
- name: additionalInfo
description: Supplementary information about the event.
type: string
- name: detectedDateTime
description: Date and time when a risk or detection was initially observed.
type: timestamp
timeFormats:
- rfc3339
- name: detectionTimingType
description: Timing context for risk detection (e.g., real-time, offline).
type: string
- name: lastUpdatedDateTime
description: Date and time when this event was last updated.
type: timestamp
timeFormats:
- rfc3339
- name: mitreTechniqueId
description: MITRE ATT&CK technique identifier related to the event, if available.
type: string
- name: riskEventType
description: Type of risk event associated with the activity (e.g., UnfamiliarLocation).
type: string
- name: riskType
description: Classification for the type of risk detected.
type: string
- name: source
description: Originating Microsoft service or component for this log entry.
type: string
- name: identity
description: Identity related to this nested event.
type: string
- name: operationName
description: Name of the operation in the properties context.
type: string
- name: resultDescription
description: More detailed description of the operation result.
type: string
- name: resultType
description: High-level outcome for the operation (success, failure, etc.).
type: string
- name: C_DeviceId
description: Device ID associated with the event.
type: string
- name: C_Sid
description: Security identifier (SID) associated with the event.
type: string
- name: C_Iat
description: Issued At timestamp or ID for the event.
type: string
- name: C_Idtyp
description: Identity type code associated with the event.
type: string
- name: UserPrincipalObjectID
description: Object ID for the user principal.
type: string
- name: __UDI_RequiredFields_EventTime
description: Unix timestamp of when the event occurred.
type: timestamp
timeFormats:
- unix_auto
- name: __UDI_RequiredFields_RegionScope
description: Region scope for the event.
type: string
- name: __UDI_RequiredFields_TenantId
description: Tenant ID required for UDI compliance.
type: string
- name: __UDI_RequiredFields_UniqueId
description: Unique identifier for the event in UDI context.
type: string
- name: apiVersion
description: API version used for the operation.
type: string
- name: atContentH
description: Additional token or context information (header).
type: string
- name: atContentP
description: Additional token or context information (payload).
type: string
- name: clientAuthMethod
description: Client authentication method used (e.g., client secret, certificate).
type: string
- name: clientRequestId
description: Unique identifier for the client request.
type: string
- name: durationMs
description: Duration in milliseconds for the operation within properties.
type: bigint
- name: identityProvider
description: Identity provider involved in the authentication.
type: string
- name: operationId
description: Operation identifier.
type: string
- name: requestMethod
description: HTTP method used for the operation (GET, POST, etc.).
type: string
- name: requestUri
description: URI of the API or resource accessed.
type: string
- name: responseSizeBytes
description: Size of the response in bytes.
type: bigint
- name: responseStatusCode
description: HTTP status code of the response.
type: bigint
- name: roles
description: Roles assigned to the user or application.
type: string
- name: scopes
description: OAuth scopes requested by the operation.
type: string
- name: signInActivityId
description: Unique sign-in activity identifier.
type: string
- name: tokenIssuedAt
description: Time at which the token was issued.
type: timestamp
timeFormats:
- rfc3339
- name: wids
description: Well-known IDs or other identifiers involved.
type: string
- name: requestId
description: Unique request identifier.
type: string
- name: appOwnerTenantId
description: Tenant ID of the application owner.
type: string
- name: servicePrincipalCredentialThumbprint
description: Thumbprint of the credential used by a service principal.
type: string
- name: mfaDetail
description: Details about the multi-factor authentication step.
type: object
fields:
- name: authDetail
description: Details about the authentication process.
type: string
- name: authMethod
description: MFA method used (e.g., phone, app).
type: string
- name: resourceId
required: true
description: Unique identifier for the Azure resource related to the event.
type: string
- name: resultDescription
description: Additional context or explanation for the event result.
type: string
- name: resultSignature
description: Signature or unique identifier for the event result.
type: string
- name: resultType
description: Overall outcome of the event, such as Success, Failure, or Timeout.
type: string
- name: tenantId
description: Tenant ID for the Azure Active Directory tenant where the event occurred.
type: string
- name: time
required: true
description: Timestamp when the event occurred.
type: timestamp
timeFormats:
- rfc3339
- '%m/%d/%Y %I:%M:%S %p'
isEventTime: true
\
