Azure Monitor Logs

Connecting Azure Monitor logs to your Panther Console

Overview

Azure Monitor log ingestion is in open beta starting with Panther version 1.96, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting Azure Monitor logs by sending them to Azure Storage.

It's also possible to ingest Microsoft Defender for Cloud logs using this source by including the Security category during Step 2 of the onboarding process, below.

Panther retrieves Azure Monitor files once per hour.

How to onboard Azure Monitor logs to Panther

You'll first create an Azure Blob Storage source in Panther, then configure Azure to export logs to that location.

Step 1: Create an Azure Monitor source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Search for "Azure Monitor," then click its tile.
Click Start Setup.
Follow Panther's instructions for configuring an Azure Blob Storage Source.
- During Step 2: Create required Azure infrastructure, if you choose to create your Azure resources manually (instead of using Terraform), skip the step to create an Azure container, as one will automatically be created in your storage account in Step 2, below.
- After you have completed these instructions, continue to Step 2, below.

Step 2: Export Azure Monitor logs to Azure Blob storage

To export Azure Monitor logs to a Blob storage container:

In your Azure dashboard, navigate to the Monitor service.
In the left-hand navigation panel, click Activity Log.
Near the top of the page, click Export Activity Logs.
Click Add Diagnostic Setting.
On the Diagnostic setting page, provide values for the following fields:
- Diagnostic setting name: Enter a descriptive name.
- Categories (under Logs): Select each of the log categories you are interested in ingesting:
  - Administrative
  - Service health
  - Resource health
  - Alert
  - Autoscale
  - Security (Microsoft Defender for Cloud)
  - Recommendation
  - Policy
- Destination details: Select the Archive to a storage account checkbox, then select your destination Storage account.
In the upper left corner, click Save.
- Monitor Activity logs will now be saved to a Blob container in your storage account.

Step 3: Add role assignment to container

Click on your newly created container with the name insights-activity-logs, then in the left-hand navigation bar, click Access Control (IAM).
Click +Add.
Click Add Role Assignment.
Search for "Storage Blob Data Reader" and select the matching role that populates.
Click on the Members tab.
Click +Select Members.
Search for the name of the registered app you created during the Create required Azure infrastructure process on Azure Blob Storage Source, and click Select.
Click Review+Assign.
- Remember that because Panther retrieves Azure Monitor files once per hour, there could be a delay of up to one hour before initial data arrives in Panther.

Supported log types

Panther supports Azure Monitor Activity logs which are handled by the Azure.MonitorActivity schema.

Azure.MonitorActivity

fields:
  - name: time
    required: true
    description: The timestamp (UTC) of the event being logged.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: resourceId
    required: true
    description: The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name.
    type: string
  - name: tenantId
    description: The tenant ID of the Active Directory tenant that this event is tied to. This property is used only for tenant-level logs. It does not appear in resource-level logs.
    type: string
  - name: operationName
    required: true
    description: The name of the operation that this event is logging, for example Microsoft.Storage/storageAccounts/blobServices/blobs/Read. The operationName is typically modeled in the form of an Azure Resource Manager operation, Microsoft.<providerName>/<resourceType>/<subtype>/<Write|Read|Delete|Action>, even if it's not a documented Resource Manager operation.
    type: string
  - name: operationVersion
    description: The API version associated with the operation, if operationName was performed through an API (for example, http://myservice.windowsazure.net/object?api-version=2016-06-01). If no API corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future.
    type: string
  - name: category
    description: The log category of the event being logged. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. Typical log categories are Audit, Operational, Execution, and Request.
    type: string
  - name: resultType
    description: The status of the logged event, if applicable. Values include Started, In Progress, Succeeded, Failed, Active, and Resolved.
    type: string
  - name: resultSignature
    description: The substatus of the event. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.
    type: string
  - name: resultDescription
    description: The static text description of this operation; for example, Get storage file.
    type: string
  - name: durationMs
    description: The duration of the operation in milliseconds.
    type: bigint
  - name: callerIpAddress
    description: The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.
    type: string
    indicators:
      - ip
  - name: correlationId
    description: A GUID that's used to group together a set of related events. Typically, if two events have the same operationName value but two different statuses (for example, Started and Succeeded), they share the same correlationID value. This might also represent other relationships between events.
    type: string
    indicators:
      - trace_id
  - name: identity
    description: A JSON blob that describes the identity of the user or application that performed the operation. Typically, this field includes the authorization and claims or JWT token from Active Directory.
    type: json
  - name: level
    description: The severity level of the event. Values include Informational, Warning, Error, and Critical.
    type: string
  - name: location
    description: The region of the resource emitting the event; for example, East US or France South.
    type: string
  - name: properties
    description: Any extended properties related to this category of events. All custom or unique properties must be put inside this 'Part B' of the schema.
    type: json

PreviousAWS WAF NextBitwarden Logs

Last updated 21 days ago