Panther supports ingesting Microsoft Entra ID (previously "Azure Active Directory") Audit logs via common Data Transport options, such as Azure Blob Storage.
How to onboard Microsoft Entra ID Audit logs to Panther
You'll first create an Azure Blob Storage source in Panther, then configure Azure to export logs to that location.
Step 1: Create the Microsoft Entra ID source in Panther
Step 2: Export Microsoft Entra ID Audit logs to Azure Blob storage
Step 3: Add a role assignment to the storage container
Panther-managed detections
Panther supports Microsoft Entra ID audit and sign-in logs, which are handled by the Azure.Audit schema.
The Azure.Audit log schema covers Microsoft Entra ID audit logs and sign-in logs. For more information, see the Microsoft documentation linked as the schema's referenceURL below.
Copy schema: Azure.Audit
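# Panther log schema for Azure.Audit: the Azure Monitor resource-log envelope
# (Level, callerIpAddress, ..., resourceId, time) with the Entra ID audit /
# sign-in payload nested under `properties`. Top-level `time` is the event
# timestamp (isEventTime: true) and accepts two formats, see the bottom.
# Fields tagged with `indicators` (ip / username) are exposed to Panther's
# indicator search, so they are the ones to pivot on during an investigation.
# NOTE(review): the published listing arrived with its indentation stripped;
# the nesting restored here (properties, initiatedBy.app/user, targetResources
# and its modifiedProperties) follows the Azure resource-log layout — confirm
# field paths against the schema as exported from Panther before relying on
# them in detections.
description: Audit logs from Azure Active Directory
referenceURL: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
fields:
  - name: Level
    type: bigint
  # Source IP of the caller at the envelope level; ip indicator.
  - name: callerIpAddress
    type: string
    indicators:
      - ip
  - name: category
    type: string
  - name: correlationId
    type: string
  - name: durationMs
    type: bigint
  - name: identity
    type: string
  - name: location
    type: string
  - name: locationDetails
    type: json
  - name: networkLocationDetails
    type: string
  - name: operationName
    required: true
    type: string
  - name: operationVersion
    type: string
  # Entra ID-specific payload. Audit-log and sign-in-log fields share this
  # object, so any given event populates only a subset of the fields below.
  - name: properties
    type: object
    fields:
      - name: aadTenantId
        type: string
      - name: activityDateTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: activityDisplayName
        type: string
      # Free-form key/value pairs attached to audit events.
      - name: additionalDetails
        type: array
        element:
          type: object
          fields:
            - name: key
              type: string
            - name: value
              type: string
      - name: alternateSignInName
        type: string
      - name: appDisplayName
        type: string
      - name: appliedConditionalAccessPolicies
        type: json
      - name: appliedEventListeners
        type: json
      - name: appId
        type: string
      - name: appServicePrincipalId
        type: string
      - name: authenticationAppDeviceDetails
        type: string
      - name: authenticationAppPolicyEvaluationDetails
        type: string
      - name: authenticationContextClassReferences
        type: string
      - name: authenticationDetails
        type: string
      - name: authenticationMethodsUsed
        type: string
      - name: authenticationProcessingDetails
        type: json
      - name: authenticationProtocol
        type: string
      - name: authenticationRequirement
        type: string
      - name: authenticationRequirementPolicies
        type: string
      - name: autonomousSystemNumber
        type: string
      # Underscore-prefixed columns are export metadata rather than event data;
      # presumably added by the Azure Monitor export pipeline — not security-relevant.
      - name: _billedSize
        type: float
      - name: category
        type: string
      - name: clientAppUsed
        type: string
      - name: clientCredentialType
        type: string
      - name: conditionalAccessAudiences
        type: json
      - name: conditionalAccessPolicies
        type: json
      - name: conditionalAccessStatus
        type: string
      - name: correlationId
        type: string
      - name: createdDateTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: crossTenantAccessType
        type: string
      - name: deviceDetail
        type: json
      - name: federatedCredentialId
        type: string
      - name: flaggedForReview
        type: boolean
      - name: globalSecureAccessIpAddress
        type: string
      - name: homeTenantId
        type: string
      - name: homeTenantName
        type: string
      - name: id
        type: string
      - name: incomingTokenType
        type: string
      # Client IP for sign-in events; ip indicator.
      - name: ipAddress
        type: string
        indicators:
          - ip
      - name: ipAddressFromResourceProvider
        type: string
      - name: _isBillable
        type: string
      - name: isDeleted
        type: boolean
      # Actor of an audit event: either an application (service principal)
      # or a user. Only one of the two sub-objects is expected to be populated.
      - name: initiatedBy
        type: object
        fields:
          - name: app
            type: object
            fields:
              - name: displayName
                type: string
              - name: servicePrincipalId
                type: string
          - name: user
            type: object
            fields:
              - name: id
                type: string
              - name: displayName
                type: string
              # NOTE(review): not tagged as a username indicator, unlike
              # properties.userPrincipalName below — consider aligning so the
              # actor of an audit event is searchable as an indicator too.
              - name: userPrincipalName
                type: string
              - name: ipAddress
                type: string
                indicators:
                  - ip
              - name: roles
                type: json
      - name: isProcessing
        type: boolean
      - name: loggedByService
        type: string
      - name: location
        type: json
      - name: operationType
        type: string
      - name: result
        type: string
      - name: resultReason
        type: string
      - name: isInteractive
        type: boolean
      - name: isRisky
        type: boolean
      - name: isTenantRestricted
        type: boolean
      - name: isThroughGlobalSecureAccess
        type: boolean
      - name: originalRequestId
        type: string
      - name: originalTransferMethod
        type: string
      - name: processingTimeInMilliseconds
        type: bigint
      - name: resource
        type: string
      - name: resourceDisplayName
        type: string
      - name: resourceGroup
        type: string
      - name: resourceId
        type: string
      - name: resourceIdentity
        type: string
      - name: resourceProvider
        type: string
      - name: resourceServicePrincipalId
        type: string
      - name: resourceTenantId
        type: string
      # Identity Protection risk signals for sign-in events.
      - name: riskEventTypes
        type: string
      - name: riskEventTypesV2
        type: string
      - name: riskLastUpdatedDateTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: riskDetail
        type: string
      - name: riskLevel
        type: string
      - name: riskLevelAggregated
        type: string
      - name: riskLevelDuringSignIn
        type: string
      - name: riskState
        type: string
      - name: servicePrincipalId
        type: string
      - name: servicePrincipalCredentialKeyId
        type: string
      - name: servicePrincipalName
        type: string
      - name: sessionId
        type: string
      - name: sessionLifetimePolicies
        type: string
      - name: signInIdentifier
        type: string
      - name: signInIdentifierType
        type: string
      - name: signInTokenProtectionStatus
        type: string
      - name: sourceSystem
        type: string
      - name: status
        type: json
      # Objects changed by an audit event, each with the before/after values
      # of the properties that were modified.
      - name: targetResources
        type: array
        element:
          type: object
          fields:
            - name: displayName
              type: string
            - name: id
              type: string
            - name: modifiedProperties
              type: array
              element:
                type: object
                fields:
                  - name: oldValue
                    type: string
                  - name: displayName
                    type: string
                  - name: newValue
                    type: string
            - name: type
              type: string
            - name: administrativeUnits
              type: json
      - name: timeGenerated
        type: timestamp
        timeFormats:
          - rfc3339
      - name: tokenIssuerName
        type: string
      - name: tokenIssuerType
        type: string
      - name: tokenProtectionStatusDetails
        type: json
      - name: type
        type: string
      - name: uniqueTokenIdentifier
        type: string
      - name: userAgent
        type: string
      - name: userDisplayName
        type: string
        indicators:
          - username
      - name: userId
        type: string
      - name: userPrincipalName
        type: string
        indicators:
          - username
      - name: userType
        type: string
  - name: resourceId
    required: true
    type: string
  - name: resultDescription
    type: string
  - name: resultSignature
    type: string
  - name: resultType
    type: string
  - name: tenantId
    type: string
  # Event timestamp. Two layouts are accepted: RFC 3339, and a 12-hour
  # US-style "MM/DD/YYYY hh:mm:ss AM|PM" string (the second format is quoted
  # because a leading '%' would otherwise be read as a YAML directive).
  - name: time
    required: true
    isEventTime: true
    type: timestamp
    timeFormats:
      - rfc3339
      - '%m/%d/%Y %I:%M:%S %p'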