> For the complete documentation index, see [llms.txt](https://docs.panther.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.panther.com/data-onboarding/supported-logs/entra-id-audit.md).

# Microsoft Entra ID Audit Logs

## Overview

Panther supports ingesting Microsoft Entra ID (previously "Azure Active Directory") Audit logs via common [Data Transport](/data-onboarding/data-transports.md) options, like Azure [Event Hub](/data-onboarding/data-transports/azure/event-hub.md) and [Blob Storage](/data-onboarding/data-transports/azure/blob-storage.md).

## How to onboard Microsoft Entra ID Audit logs to Panther

You'll first create an Azure Blob Storage or Azure Event Hub source in Panther, then configure Azure to export logs to that location.

### Step 1: Create the Microsoft Entra ID source in Panther

1. In the lefthand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Microsoft Entra ID Audit” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **Azure Event Hub** option. Either leave this selection as-is, or select **Azure Blob Storage**.
4. Click **Start Setup**.
5. Follow Panther's instructions for configuring an [Azure Event Hub](/data-onboarding/data-transports/azure/event-hub.md) or [Azure Blob Storage Source](/data-onboarding/data-transports/azure/blob-storage.md).

{% hint style="info" %}
Latency differs for these two options: If you select the **Blob Storage** option, Panther retrieves Entra ID files every hour. If you select **Event Hub**, the ingestion is near real-time.
{% endhint %}

* If you choose Azure Blob Storage and during [Step 2: Create required Azure infrastructure](/data-onboarding/data-transports/azure/blob-storage.md#step-2-create-required-azure-infrastructure) you choose to create your Azure resources manually (instead of using Terraform), skip [the step to create an Azure container](https://docs.panther.com/data-onboarding/data-transports/azure/blob-storage#step-5-create-container-and-add-permission), as one will automatically be created in your storage account in Step 2, below.

### Step 2: Export Microsoft Entra ID Audit logs

To export Microsoft Defender XDR logs to Event Hubs or a storage account, follow the instructions below:

1. Sign in to your Azure dashboard.
2. Navigate to the **Microsoft Entra ID** servic&#x65;**.**
3. In the left-hand panel, click **Audit logs**.
4. Near the top of the page, click **Export Data Settings**.\
   ![The Microsoft Entra ID console is shown. An arrow is drawn from the "Audit logs" option in the navigation bar to a "Export data settings" button](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-494651d6c37ae5ccdbd7290e3daa2a91d525c7c5%252Fmicrosoft_entra_id.png%3Falt%3Dmedia\&width=300\&dpr=4\&quality=100\&sign=9bd4e213\&sv=2)
5. Click **Add Diagnostic Setting**.
6. On the **Diagnostic setting** page, set the following values:
   * **Diagnostic setting name**: Enter a descriptive name.
   * **Categories** (under **Logs**): Select the following checkboxes:
     * **AuditLogs**
     * **SignInLogs**
     * **NonInteractiveUserSignInLogs**
     * **ServicePrincipalSignInLogs**
     * **ManagedIdentitySignInLogs**
   * **Destination details**: Select either **Archive to a storage account** or **Stream to an event hub**, based the type of log source you created in Panther in [Step 1](#step-1-create-the-microsoft-entra-id-source-in-panther).

     * If you select **Archive to a storage account**, in the **Storage account** field, select your storage account.
     * If you select **Stream to an event hub**, in the **Event hub namespace** field, select your event hub.

     <figure><img src="/files/rjmtjfYyTVDCndKJVzSU" alt=""><figcaption></figcaption></figure>
7. In the upper left corner, click **Save**.

### (Blob Storage transport only) Step 3: Assign a role to the container

{% hint style="warning" %}
This step is only applicable if you chose Azure Blob Storage in Step 1. If you used Azure Event Hub, skip this step.
{% endhint %}

1. Click on your newly created container, then in the left-hand navigation bar, click **Access Control (IAM)**.
2. Click **+Add**.\
   ![In the panthertestcontainer3 Access Control (IAM) page, an arrow is drawn to the +Add button](/files/TTynbQbyaqcN8hjKRXtD)
3. Click **Add Role Assignment**.
4. Search for "Storage Blob Data Reader" and select the matching role that populates.\
   ![In the Add role assignment page of the Azure console, "storage blob" has been searched for in the search box. One of the results, Storage Blob Data Reader, is circled.](/files/yBR8sQB5nkdGON6kaXta)
5. Click on the **Members** tab.
6. Click **+Select Members**.
7. Search for the name of the registered app you created during the [Create required Azure infrastructure process on Azure Blob Storage Source](/data-onboarding/data-transports/azure/blob-storage.md#step-2-create-required-azure-infrastructure), and click **Select**.
8. Click **Review+Assign**.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Azure in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules/azure_signin_rules).

## Supported log types

Panther supports Microsoft Entra ID audit and sign-in logs which are handled by the [Azure.Audit](#azure.audit) schema.

### Azure.Audit

The Azure.Audit log schema covers Microsoft Entra ID audit logs and sign-in logs. For more information, see the Microsoft documentation:

* See [this page for general information about audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs), and [this page to view the audit log reference](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities).
* See [this page for general information about sign-in logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins), and [this page to view the sign-in log schema](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs).

```yaml
schema: Azure.Audit
description: Audit logs from Azure Active Directory
referenceURL: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
fields:
    - name: Level
      description: Severity level or type of the event (e.g., Informational, Error).
      type: string
    - name: callerIpAddress
      description: IP address from which the event was initiated.
      type: string
      indicators:
        - ip
    - name: category
      description: Category classification for the event (e.g., SignInLogs, AuditLogs).
      type: string
    - name: correlationId
      description: Unique identifier to correlate multiple related events.
      type: string
      indicators:
        - trace_id
    - name: durationMs
      description: Total time taken to complete the operation, in milliseconds.
      type: float
    - name: identity
      description: Identifier for the user, application, or service principal.
      type: string
    - name: location
      description: Geographical location or region where the event occurred.
      type: string
    - name: locationDetails
      type: json
    - name: networkLocationDetails
      type: json
    - name: operationName
      required: true
      description: Name of the operation or API call performed.
      type: string
    - name: operationVersion
      description: Version number for the operation or API.
      type: string
    - name: time
      description: Timestamp when the event occurred.
      type: timestamp
      timeFormats:
        - rfc3339
        - '%m/%d/%Y %I:%M:%S %p'
      isEventTime: true
    - name: properties
      description: Nested object with additional attributes and details for the event.
      type: object
      fields:
        - name: aadTenantId
          type: string
        - name: activityDateTime
          description: Date and time of the activity.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: activityDisplayName
          description: Friendly display name for the activity.
          type: string
        - name: additionalDetails
          description: Array of key-value pairs with extra context or metadata.
          type: array
          element:
            type: object
            fields:
                - name: key
                  type: string
                - name: value
                  type: string
        - name: alternateSignInName
          description: Alternate user sign-in name, if provided.
          type: string
          indicators:
            - username
        - name: appDisplayName
          description: Display name of the application involved.
          type: string
        - name: appliedConditionalAccessPolicies
          description: List of applied conditional access policies and their outcomes.
          type: json
        - name: appliedEventListeners
          type: json
        - name: appId
          description: Application ID associated with the event.
          type: string
        - name: appServicePrincipalId
          type: string
        - name: authenticationAppDeviceDetails
          type: json
        - name: authenticationStrengths
          type: json
        - name: authenticationAppPolicyEvaluationDetails
          type: json
        - name: authenticationContextClassReferences
          type: json
        - name: authenticationDetails
          type: json
        - name: authenticationMethodsUsed
          type: json
        - name: authenticationProcessingDetails
          type: json
        - name: authenticationProtocol
          type: string
        - name: authenticationRequirement
          type: string
        - name: authenticationRequirementPolicies
          type: json
        - name: autonomousSystemNumber
          type: string
        - name: _billedSize
          type: float
        - name: category
          type: string
        - name: clientAppUsed
          type: string
        - name: clientCredentialType
          type: string
        - name: conditionalAccessAudiences
          type: json
        - name: conditionalAccessPolicies
          type: json
        - name: conditionalAccessStatus
          type: string
        - name: correlationId
          type: string
        - name: createdDateTime
          type: timestamp
          timeFormats:
            - rfc3339
        - name: crossTenantAccessType
          type: string
        - name: deviceDetail
          type: json
        - name: federatedCredentialId
          type: string
        - name: flaggedForReview
          type: boolean
        - name: globalSecureAccessIpAddress
          type: string
        - name: homeTenantId
          type: string
        - name: homeTenantName
          type: string
        - name: id
          type: string
        - name: incomingTokenType
          type: string
        - name: ipAddress
          description: IP address associated with the nested resource.
          type: string
          indicators:
            - ip
        - name: ipAddressFromResourceProvider
          description: IP address as recorded by the underlying resource provider.
          type: string
          indicators:
            - ip
        - name: _isBillable
          type: string
        - name: isDeleted
          description: Whether the entity was deleted.
          type: boolean
        - name: initiatedBy
          description: Actor (user or app) that initiated the event.
          type: object
          fields:
            - name: app
              type: object
              fields:
                - name: displayName
                  type: string
                - name: servicePrincipalId
                  type: string
                - name: appId
                  description: Application registration/client ID.
                  type: string
            - name: user
              description: User who performed the action.
              type: object
              fields:
                - name: id
                  description: Object ID of the user.
                  type: string
                - name: displayName
                  description: Name of the user as displayed in Azure AD.
                  type: string
                  indicators:
                    - username
                - name: userPrincipalName
                  description: User Principal Name (UPN) of the user.
                  type: string
                - name: ipAddress
                  description: IP address from which the user performed the action.
                  type: string
                  indicators:
                    - ip
                - name: roles
                  type: json
        - name: isProcessing
          description: Whether the event is still being processed.
          type: boolean
        - name: loggedByService
          description: Microsoft service that logged this event (e.g., AzureAD).
          type: string
        - name: location
          description: Geographical or physical location information, represented as a JSON object.
          type: json
        - name: networkLocationDetails
          description: Details about the network locations involved in the event.
          type: json
        - name: operationType
          description: Type of operation performed.
          type: string
        - name: result
          description: Result status for the operation.
          type: string
        - name: resultReason
          description: Additional reason or code for the result of the operation.
          type: string
        - name: isInteractive
          description: Indicates whether the sign-in was interactive.
          type: boolean
        - name: isRisky
          type: boolean
        - name: isTenantRestricted
          description: Whether tenant restrictions were in effect.
          type: boolean
        - name: isThroughGlobalSecureAccess
          description: Whether the event was routed through Global Secure Access.
          type: boolean
        - name: originalRequestId
          description: Request ID of the original request if this was part of a chain.
          type: string
        - name: originalTransferMethod
          description: Transfer method of the original request.
          type: string
        - name: privateLinkDetails
          type: json
        - name: processingTimeInMilliseconds
          description: Time taken to process the event.
          type: bigint
        - name: resource
          type: string
        - name: resourceDisplayName
          description: Display name of the resource.
          type: string
        - name: resourceGroup
          type: string
        - name: resourceId
          description: Object ID of the resource accessed.
          type: string
        - name: resourceIdentity
          type: string
        - name: resourceProvider
          type: string
        - name: resourceOwnerTenantId
          description: Tenant ID of the resource owner.
          type: string
        - name: resourceServicePrincipalId
          description: Object ID of the service principal of the accessed resource.
          type: string
        - name: resourceTenantId
          description: Tenant ID of the resource accessed.
          type: string
        - name: riskEventTypes
          description: List of risk event types detected for this event.
          type: json
        - name: riskEventTypes_v2
          description: Enhanced list of risk event types.
          type: json
        - name: riskLastUpdatedDateTime
          description: Timestamp of the last risk update.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: riskDetail
          description: Details about the nature of detected risk.
          type: string
        - name: riskLevel
          description: Final risk level after analysis.
          type: string
        - name: riskLevelAggregated
          description: Aggregated risk level assigned to the event.
          type: string
        - name: riskLevelDuringSignIn
          description: Risk level at the time of sign-in.
          type: string
        - name: riskState
          description: State of risk for the user or session.
          type: string
        - name: rngcStatus
          description: Status code for request nonce generation check.
          type: string
        - name: servicePrincipalId
          description: Object ID of the service principal used.
          type: string
        - name: servicePrincipalCredentialKeyId
          description: Key ID of the credential used by a service principal.
          type: string
        - name: servicePrincipalName
          description: Name of the service principal.
          type: string
        - name: sessionId
          description: Session identifier for the operation.
          type: string
        - name: sessionLifetimePolicies
          description: Policies governing session lifetime for this operation.
          type: json
        - name: signInIdentifier
          description: Primary identifier used to authenticate the user.
          type: string
        - name: signInIdentifierType
          type: string
        - name: signInTokenProtectionStatus
          description: Status of token protection at sign-in.
          type: string
        - name: sourceSystem
          type: json
        - name: ssoExtensionVersion
          description: Version of SSO browser extension.
          type: string
        - name: status
          description: Status details about the sign-in attempt.
          type: json
        - name: targetResources
          description: Array of resources that were targeted or affected by the operation.
          type: array
          element:
            type: object
            fields:
                - name: displayName
                  description: Display name for the resource.
                  type: string
                - name: id
                  description: Unique object ID of the resource.
                  type: string
                - name: modifiedProperties
                  description: Properties on the resource that were modified.
                  type: array
                  element:
                    type: object
                    fields:
                        - name: oldValue
                          description: Previous value of the property.
                          type: string
                        - name: displayName
                          description: Name of the property modified.
                          type: string
                        - name: newValue
                          description: New value of the property.
                          type: string
                - name: type
                  description: Resource type (e.g., User, Group, App).
                  type: string
                - name: administrativeUnits
                  type: json
                - name: groupType
                  description: Type of the group resource (if applicable).
                  type: string
                - name: userPrincipalName
                  description: UPN of the user in the resource.
                  type: string
        - name: tenantId
          description: Tenant ID for the Azure AD tenant.
          type: string
        - name: timeGenerated
          description: Date and time when this log entry was generated.
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: tokenIssuerName
          description: Name of the authority that issued the token.
          type: string
        - name: tokenIssuerType
          description: Type of issuer for the token.
          type: string
        - name: tokenProtectionStatusDetails
          description: Information about token protection status.
          type: json
        - name: type
          type: string
        - name: uniqueTokenIdentifier
          description: Unique identifier for the security token.
          type: string
        - name: userAgent
          description: User agent string from the client.
          type: string
        - name: userDisplayName
          description: Display name of the user.
          type: string
          indicators:
            - username
        - name: userId
          description: Object ID of the user in Azure AD.
          type: string
        - name: userPrincipalName
          description: UPN of the user.
          type: string
          indicators:
            - username
            - email
        - name: userType
          type: string
        - name: activity
          description: Name or type of activity associated with the event.
          type: string
        - name: additionalInfo
          description: Supplementary information about the event.
          type: string
        - name: detectedDateTime
          description: Date and time when a risk or detection was initially observed.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: detectionTimingType
          description: Timing context for risk detection (e.g., real-time, offline).
          type: string
        - name: lastUpdatedDateTime
          description: Date and time when this event was last updated.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: mitreTechniqueId
          description: MITRE ATT&CK technique identifier related to the event, if available.
          type: string
          indicators:
            - mitre_attack_technique
        - name: riskEventType
          description: Type of risk event associated with the activity (e.g., UnfamiliarLocation).
          type: string
        - name: riskType
          description: Classification for the type of risk detected.
          type: string
        - name: source
          description: Originating Microsoft service or component for this log entry.
          type: string
        - name: identity
          description: Identity related to this nested event.
          type: string
        - name: operationName
          description: Name of the operation in the properties context.
          type: string
        - name: resultDescription
          description: More detailed description of the operation result.
          type: string
        - name: resultType
          description: High-level outcome for the operation (success, failure, etc.).
          type: string
        - name: C_DeviceId
          description: Device ID associated with the event.
          type: string
        - name: C_Sid
          description: Security identifier (SID) associated with the event.
          type: string
        - name: C_Iat
          description: Issued At timestamp or ID for the event.
          type: string
        - name: C_Idtyp
          description: Identity type code associated with the event.
          type: string
        - name: UserPrincipalObjectID
          description: Object ID for the user principal.
          type: string
        - name: __UDI_RequiredFields_EventTime
          description: Unix timestamp of when the event occurred.
          type: timestamp
          timeFormats:
            - unix_auto
        - name: __UDI_RequiredFields_RegionScope
          description: Region scope for the event.
          type: string
        - name: __UDI_RequiredFields_TenantId
          description: Tenant ID required for UDI compliance.
          type: string
        - name: __UDI_RequiredFields_UniqueId
          description: Unique identifier for the event in UDI context.
          type: string
        - name: apiVersion
          description: API version used for the operation.
          type: string
        - name: atContentH
          description: Additional token or context information (header).
          type: string
        - name: atContentP
          description: Additional token or context information (payload).
          type: string
        - name: clientAuthMethod
          description: Client authentication method used (e.g., client secret, certificate).
          type: string
        - name: clientRequestId
          description: Unique identifier for the client request.
          type: string
        - name: durationMs
          description: Duration in milliseconds for the operation within properties.
          type: float
        - name: identityProvider
          description: Identity provider involved in the authentication.
          type: string
        - name: operationId
          description: Operation identifier.
          type: string
        - name: requestMethod
          description: HTTP method used for the operation (GET, POST, etc.).
          type: string
        - name: requestUri
          description: URI of the API or resource accessed.
          type: string
        - name: responseSizeBytes
          description: Size of the response in bytes.
          type: bigint
        - name: responseStatusCode
          description: HTTP status code of the response.
          type: bigint
        - name: roles
          description: Roles assigned to the user or application.
          type: string
        - name: scopes
          description: OAuth scopes requested by the operation.
          type: string
        - name: signInActivityId
          description: Unique sign-in activity identifier.
          type: string
        - name: tokenIssuedAt
          description: Time at which the token was issued.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: wids
          description: Well-known IDs or other identifiers involved.
          type: string
        - name: requestId
          description: Unique request identifier.
          type: string
        - name: appOwnerTenantId
          description: Tenant ID of the application owner.
          type: string
        - name: servicePrincipalCredentialThumbprint
          description: Thumbprint of the credential used by a service principal.
          type: string
        - name: mfaDetail
          description: Details about the multi-factor authentication step.
          type: object
          fields:
            - name: authDetail
              description: Details about the authentication process.
              type: string
            - name: authMethod
              description: MFA method used (e.g., phone, app).
              type: string
    - name: resourceId
      description: Unique identifier for the Azure resource related to the event.
      type: string
    - name: resultDescription
      description: Additional context or explanation for the event result.
      type: string
    - name: resultSignature
      description: Signature or unique identifier for the event result.
      type: string
    - name: resultType
      description: Overall outcome of the event, such as Success, Failure, or Timeout.
      type: string
    - name: tenantId
      description: Tenant ID for the Azure Active Directory tenant where the event occurred.
      type: string

```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.panther.com/data-onboarding/supported-logs/entra-id-audit.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
