Azure Monitor Logs

Connecting Azure Monitor logs to your Panther Console

Overview

Panther supports ingesting Azure Monitor logs via common Data Transport options, like Azure Event Hub and Blob Storage.

It's also possible to ingest Microsoft Defender for Cloud alerts using this source by including the Security category during Step 2 of the onboarding process, below.

How to onboard Azure Monitor logs to Panther

You'll first create an Azure Blob Storage or Azure Event Hub source in Panther, then configure Azure to export logs to that location.

Step 1: Create an Azure Monitor source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Search for "Azure Monitor," then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the Azure Event Hub option. Either leave this selection as-is, or select Azure Blob Storage.
Click Start Setup.
Follow Panther's instructions for configuring an Azure Event Hub or Azure Blob Storage Source.
- If you choose Azure Blob Storage and during Step 2: Create required Azure infrastructure you choose to create your Azure resources manually (instead of using Terraform), skip the step to create an Azure container, as one will automatically be created in your storage account in Step 2, below.

Latency differs for these two options: If you select the Blob Storage option, Panther retrieves Azure Monitor files every hour. If you select Event Hub, the ingestion is near real-time.

Step 2: Export Azure Monitor logs

To export Azure Monitor logs to Event Hubs or a storage account, follow the instructions below:

In your Azure dashboard, navigate to the Monitor service.
In the left-hand navigation panel, click Activity Log.
Near the top of the page, click Export Activity Logs.
Click Add Diagnostic Setting.
On the Diagnostic setting page, provide values for the following fields:
- Diagnostic setting name: Enter a descriptive name.
- Categories (under Logs): Select each of the log categories you are interested in ingesting:
  - Administrative
  - Service health
  - Resource health
  - Alert
  - Autoscale
  - Security (Microsoft Defender for Cloud)
  - Recommendation
  - Policy
- Destination details: Select either Archive to a storage account or Stream to an event hub Hub, based the Data Transport mechanism you used in Panther in Step 1.
  - If you select Archive to a storage account, in the Storage account field, select your storage account.
  - If you select Stream to an event hub, in the Event hub namespace field, select your event hub.
In the upper-left corner, click Save.

(Blog Storage transport only) Step 3: Assign a role to the container

This step is only applicable if you chose Azure Blob Storage in Step 1. If you used Azure Event Hub, skip this step.

Click on your newly created container with the name insights-activity-logs, then in the left-hand navigation bar, click Access Control (IAM).
Click +Add.
Click Add Role Assignment.
Search for "Storage Blob Data Reader" and select the matching role that populates.
Click on the Members tab.
Click +Select Members.
Search for the name of the registered app you created during the Create required Azure infrastructure process on Azure Blob Storage Source, and click Select.
Click Review+Assign.
- Remember that because Panther retrieves Azure Monitor files once per hour, there could be a delay of up to one hour before initial data arrives in Panther.

Supported log types

Panther supports Azure Monitor Activity logs which are handled by the Azure.MonitorActivity schema.

Azure.MonitorActivity

fields:
  - name: time
    required: true
    description: The timestamp (UTC) of the event being logged.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: resourceId
    required: true
    description: The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name.
    type: string
  - name: tenantId
    description: The tenant ID of the Active Directory tenant that this event is tied to. This property is used only for tenant-level logs. It does not appear in resource-level logs.
    type: string
  - name: operationName
    required: true
    description: The name of the operation that this event is logging, for example Microsoft.Storage/storageAccounts/blobServices/blobs/Read. The operationName is typically modeled in the form of an Azure Resource Manager operation, Microsoft.<providerName>/<resourceType>/<subtype>/<Write|Read|Delete|Action>, even if it's not a documented Resource Manager operation.
    type: string
  - name: operationVersion
    description: The API version associated with the operation, if operationName was performed through an API (for example, http://myservice.windowsazure.net/object?api-version=2016-06-01). If no API corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future.
    type: string
  - name: category
    description: The log category of the event being logged. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. Typical log categories are Audit, Operational, Execution, and Request.
    type: string
  - name: resultType
    description: The status of the logged event, if applicable. Values include Started, In Progress, Succeeded, Failed, Active, and Resolved.
    type: string
  - name: resultSignature
    description: The substatus of the event. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.
    type: string
  - name: resultDescription
    description: The static text description of this operation; for example, Get storage file.
    type: string
  - name: durationMs
    description: The duration of the operation in milliseconds.
    type: bigint
  - name: callerIpAddress
    description: The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.
    type: string
    indicators:
      - ip
  - name: correlationId
    description: A GUID that's used to group together a set of related events. Typically, if two events have the same operationName value but two different statuses (for example, Started and Succeeded), they share the same correlationID value. This might also represent other relationships between events.
    type: string
    indicators:
      - trace_id
  - name: identity
    description: A JSON blob that describes the identity of the user or application that performed the operation. Typically, this field includes the authorization and claims or JWT token from Active Directory.
    type: json
  - name: level
    description: The severity level of the event. Values include Informational, Warning, Error, and Critical.
    type: string
  - name: location
    description: The region of the resource emitting the event; for example, East US or France South.
    type: string
  - name: properties
    description: Any extended properties related to this category of events. All custom or unique properties must be put inside this 'Part B' of the schema.
    type: json

PreviousAxonius Logs (Beta)NextBitwarden Logs

Last updated 1 month ago

Was this helpful?