# Azure Monitor Logs

## Overview

Panther supports ingesting [Azure Monitor logs](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs) via common [Data Transport](https://docs.panther.com/data-onboarding/data-transports) options, like Azure [Event Hub](https://docs.panther.com/data-onboarding/data-transports/azure/event-hub) and [Blob Storage](https://docs.panther.com/data-onboarding/data-transports/azure/blob-storage).

It's also possible to ingest [Microsoft Defender for Cloud](https://azure.microsoft.com/en-us/products/defender-for-cloud/) alerts using this source by including the [Security category](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#security-category) during [Step 2 of the onboarding process](#step-2-export-azure-monitor-logs), below.

## How to onboard Azure Monitor logs to Panther

You'll first create an Azure Blob Storage or Azure Event Hub source in Panther, then configure Azure to export logs to that location.

### Step 1: Create an Azure Monitor source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. In the upper right corner, click **Create New**.
3. Search for "Azure Monitor," then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **Azure Event Hub** option. Either leave this selection as-is, or select **Azure Blob Storage**.
4. Click **Start Setup**.
5. Follow Panther's instructions for configuring an [Azure Event Hub](https://docs.panther.com/data-onboarding/data-transports/azure/event-hub) or [Azure Blob Storage Source](https://docs.panther.com/data-onboarding/data-transports/azure/blob-storage).
   * If you choose Azure Blob Storage and during [Step 2: Create required Azure infrastructure](https://docs.panther.com/data-transports/azure/blob-storage#step-2-create-required-azure-infrastructure) you choose to create your Azure resources manually (instead of using Terraform), skip [the step to create an Azure container](https://docs.panther.com/data-onboarding/data-transports/azure/blob-storage#step-5-create-container-and-add-permission), as one will automatically be created in your storage account in Step 2, below.

{% hint style="info" %}
Latency differs for these two options: If you select the **Blob Storage** option, Panther retrieves Azure Monitor files every hour. If you select **Event Hub**, the ingestion is near real-time.
{% endhint %}

### Step 2: Export Azure Monitor logs

To export Azure Monitor logs to Event Hubs or a storage account, follow the instructions below:

1. In your Azure dashboard, navigate to the **Monitor** service.
2. In the left-hand navigation panel, click **Activity Log**.
3. Near the top of the page, click **Export Activity Logs**.
4. Click **Add Diagnostic Setting**.
5. On the **Diagnostic setting** page, provide values for the following fields:
   * **Diagnostic setting name**: Enter a descriptive name.
   * **Categories** (under **Logs**): Select each of the log categories you are interested in ingesting:
     * [Administrative](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#administrative-category)
     * [Service health](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#service-health-category)
     * [Resource health](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#resource-health-category)
     * [Alert](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#alert-category)
     * [Autoscale](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#autoscale-category)
     * [Security](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#security-category) (Microsoft Defender for Cloud)
     * [Recommendation](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#recommendation-category)
     * [Policy](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#policy-category)
   * **Destination details**: Select either **Archive to a storage account** or **Stream to an event hub**, based on the Data Transport mechanism you chose in Panther in [Step 1](#step-1-create-an-azure-monitor-source-in-panther).
     * If you select **Archive to a storage account**, in the **Storage account** field, select your storage account.
     * If you select **Stream to an event hub**, in the **Event hub namespace** field, select your event hub.
6. In the upper-left corner, click **Save**.

### (Blob Storage transport only) Step 3: Assign a role to the container

{% hint style="warning" %}
This step is only applicable if you chose Azure Blob Storage in Step 1. If you used Azure Event Hub, skip this step.
{% endhint %}

1. Click on your newly created container with the name `insights-activity-logs`, then in the left-hand navigation bar, click **Access Control (IAM)**.
2. Click **+Add**.\
   ![In the panthertestcontainer3 Access Control (IAM) page, an arrow is drawn to the +Add button](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-0cf0e7d954d47ee1ba4917a8630b0a8e0c779dbe%2FIAM.webp?alt=media)
3. Click **Add Role Assignment**.
4. Search for "Storage Blob Data Reader" and select the matching role that populates.\
   ![In the Add role assignment page of the Azure console, "storage blob" has been searched for in the search box. One of the results, Storage Blob Data Reader, is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-50fbb32cdf92d1f99768192395f37a535cc1c844%2Fadd%20role%20assign.webp?alt=media)
5. Click on the **Members** tab.
6. Click **+Select Members**.
7. Search for the name of the registered app you created during the [Create required Azure infrastructure process on Azure Blob Storage Source](https://docs.panther.com/data-transports/azure/blob-storage#step-2-create-required-azure-infrastructure), and click **Select**.
8. Click **Review+Assign**.
   * Remember that because Panther retrieves Azure Monitor files once per hour, there could be a delay of up to one hour before initial data arrives in Panther.

## Supported log types

Panther supports Azure Monitor Activity logs, which are parsed by the Azure.MonitorActivity schema.

### Azure.MonitorActivity

```yaml
fields:
  - name: time
    required: true
    description: The timestamp (UTC) of the event being logged.
    type: timestamp
    timeFormats:
      - rfc3339
      - '%Y-%m-%d %H:%M:%SZ'
      - '%Y-%m-%d %H:%M:%S.%N'
    isEventTime: true
  - name: resourceId
    required: true
    description: The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name.
    type: string
  - name: tenantId
    description: The tenant ID of the Active Directory tenant that this event is tied to. This property is used only for tenant-level logs. It does not appear in resource-level logs.
    type: string
  - name: operationName
    required: true
    description: The name of the operation that this event is logging, for example Microsoft.Storage/storageAccounts/blobServices/blobs/Read. The operationName is typically modeled in the form of an Azure Resource Manager operation, Microsoft.<providerName>/<resourceType>/<subtype>/<Write|Read|Delete|Action>, even if it's not a documented Resource Manager operation.
    type: string
  - name: operationVersion
    description: The API version associated with the operation, if operationName was performed through an API (for example, http://myservice.windowsazure.net/object?api-version=2016-06-01). If no API corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future.
    type: string
  - name: category
    required: true
    description: The log category of the event being logged. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. Typical log categories are Audit, Operational, Execution, and Request.
    type: string
  - name: resultType
    description: The status of the logged event, if applicable. Values include Started, In Progress, Succeeded, Failed, Active, and Resolved.
    type: string
  - name: resultSignature
    description: The substatus of the event. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.
    type: string
  - name: resultDescription
    description: The static text description of this operation; for example, Get storage file.
    type: string
  - name: durationMs
    description: The duration of the operation in milliseconds.
    type: bigint
  - name: callerIpAddress
    description: The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.
    type: string
    indicators:
      - ip
  - name: correlationId
    description: A GUID that's used to group together a set of related events. Typically, if two events have the same operationName value but two different statuses (for example, Started and Succeeded), they share the same correlationID value. This might also represent other relationships between events.
    type: string
    indicators:
      - trace_id
  - name: identity
    description: A JSON blob that describes the identity of the user or application that performed the operation. Typically, this field includes the authorization and claims or JWT token from Active Directory.
    type: json
  - name: level
    description: The severity level of the event. Values include Informational, Warning, Error, and Critical.
    type: string
  - name: location
    description: The region of the resource emitting the event; for example, East US or France South.
    type: string
  - name: properties
    description: Any extended properties related to this category of events. All custom or unique properties must be put inside this 'Part B' of the schema.
    type: json
  - name: roleLocation
    description: The location of the role.
    type: string
  - name: providerGuid
    description: The GUID of the service provider that's emitting the event.
    type: string
  - name: providerName
    description: The name of the service provider that's emitting the event.
    type: string
```
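As an added example (not part of Panther's documentation or code base), the following Panther-style Python rule consumes Azure.MonitorActivity events using the field names from the schema above. It parses the three `timeFormats` the schema lists, flags Defender for Cloud alerts (the Security category) at Error or Critical level, and flags Failed Administrative Delete operations that carry a public `callerIpAddress`; the event is a plain dict so the code runs offline, and the sample records and operation names are constructed for illustration.

```python
from datetime import datetime, timezone

# Severities worth paging on; the values are taken from the schema's `level` field.
HIGH_LEVELS = {"Error", "Critical"}

def parse_event_time(value: str) -> datetime:
    """Parse the schema's three timeFormats into an aware UTC datetime.
    Fractional digits beyond six (the schema's %N) are truncated, since %f stops there."""
    value = value.strip()
    try:  # rfc3339 and '%Y-%m-%d %H:%M:%SZ' (Z mapped to an explicit +00:00 offset)
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:  # '%Y-%m-%d %H:%M:%S.%N' with more digits than fromisoformat accepts
        base, _, frac = value.partition(".")
        ts = datetime.strptime(f"{base}.{frac[:6] or '0'}", "%Y-%m-%d %H:%M:%S.%f")
    return ts if ts.tzinfo is not None else ts.replace(tzinfo=timezone.utc)

def rule(event: dict) -> bool:
    """Fire on Defender for Cloud alerts (Security category) at Error or Critical
    level, and on a Failed Administrative Delete issued from a public caller IP."""
    category = event.get("category")
    if category == "Security":
        return event.get("level") in HIGH_LEVELS
    return (
        category == "Administrative"
        and event.get("operationName", "").endswith("/Delete")
        and event.get("resultType") == "Failed"
        and bool(event.get("callerIpAddress"))  # the schema's `ip` indicator
    )

def title(event: dict) -> str:
    """Alert title built from operationName, resultType and the caller IP."""
    return (
        f"Azure Monitor {event.get('category')}: {event.get('operationName')} "
        f"{event.get('resultType', 'n/a')} from {event.get('callerIpAddress') or 'no public IP'}"
    )

# Constructed sample events (not real Azure data); operation names follow the
# Microsoft.<provider>/<type>/<subtype>/<Write|Read|Delete|Action> form from the schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T12:00:00Z", "resourceId": "/subscriptions/<sub>/resourceGroups/rg1",
     "operationName": "Microsoft.Security/locations/alerts/Action", "category": "Security",
     "level": "Critical", "callerIpAddress": "203.0.113.5"},
    {"time": "2024-05-01 12:00:01.123456789", "resourceId": "/subscriptions/<sub>/resourceGroups/rg1",
     "operationName": "Microsoft.Storage/storageAccounts/Delete", "category": "Administrative",
     "resultType": "Failed", "level": "Error", "callerIpAddress": "203.0.113.5"},
]

def run_samples() -> list:
    """Return (parsed UTC time, rule fired?, title) for each constructed sample."""
    return [(parse_event_time(e["time"]), rule(e), title(e)) for e in SAMPLE_EVENTS]
```

Both sample events trigger the rule; in a real deployment the second branch would be tuned to the Administrative operations your environment cares about, since any Failed Delete from a public address is a broad net.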
