Microsoft Graph Logs

Panther supports pulling logs directly from Microsoft Graph API


Last updated 4 months ago


Overview

Panther can fetch Microsoft Graph logs by querying the Microsoft Graph Security API to obtain security alerts from the following Microsoft security products:

  • Azure Active Directory Identity Protection

  • Azure Information Protection

  • Microsoft 365 (Default, Cloud App Security, Custom Alerts)

  • Microsoft Defender for Cloud Apps

  • Microsoft Defender for Endpoint

  • Microsoft Defender for Identity

  • Microsoft Sentinel (formerly Azure Sentinel)

How to onboard Microsoft Graph logs to Panther

Prerequisites

  • Microsoft Defender for Endpoint and Identity alerts require additional user configuration prior to streaming alerting events to Panther. See for more information.

  • Microsoft Defender for Endpoint requires user roles in addition to those required by the Microsoft Graph Security API: only users that hold both a Microsoft Defender for Endpoint role and a Microsoft Graph Security API role can access Microsoft Defender for Endpoint data. Application-only authentication is not subject to this restriction, so we recommend using an application-only authentication token.

  • Microsoft Defender for Identity alerts are delivered through the Microsoft Defender for Cloud Apps integration, so you will receive them only if you have joined Unified SecOps and connected Microsoft Defender for Identity to Microsoft Defender for Cloud Apps.

Step 1: Create a Microsoft Entra ID application

  1. Click App Registrations in the left sidebar.

  2. Click New Registration.

  3. Fill in the fields:

    • Enter a descriptive name for your application.

    • For Supported account types, select Accounts in this organizational directory only.

  4. Click Register.

  5. On the left sidebar, click Certificates and Secrets.

  6. Click New Client Secret.

    • Add a description for the secret (e.g., Panther integration).

    • Set the Expires field to 24 Months.

  7. Click Add.

    • The Client Secret value is hidden once you navigate away from this page. Copy the Value field now and store it in a secure location; you will enter it as the Client Secret in Step 2.

  8. On the left sidebar, click API Permissions and then Add a permission.

  9. Find and click the Microsoft Graph APIs.

  10. Click Delegated permissions and select the SecurityEvents.Read.All permission.

  11. Click Application permissions and select the SecurityEvents.Read.All permission.

  12. Click Add permissions at the bottom of the page.

  13. After consent has been granted, click the Overview tab in the left sidebar to view your Application (client) ID and Directory (tenant) ID.

Step 2: Create a new Microsoft Graph Source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Select Microsoft Graph from the list of available log sources.

  4. Click Start Setup.

  5. On the next screen, fill in the fields:

    • Name: Enter a descriptive name for the source (e.g., My Microsoft Graph logs).

    • Tenant ID: Enter your Tenant ID.

    • Log Types: Select at least one log type.

  6. Click Setup.

  7. On the Credentials page, enter your Client ID and Client Secret.

    • The Client Secret is the Value field you saved in Step 1.

  8. Click Setup.

  9. You will be redirected to a success screen in Panther:

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving it enabled so that you are alerted if data stops flowing from the log source for a period of time; the timeframe is configurable and defaults to 24 hours.
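Before pasting the Step 1 credentials into Panther, it is worth confirming that the app registration actually yields an application-only token carrying SecurityEvents.Read.All (Step 10 also adds the delegated variant, which does not help a service integration). The script below is an added example, not Panther's or Microsoft's code; the token endpoint, scope and Graph audience values are Microsoft's documented ones, and the TENANT_ID/CLIENT_ID/CLIENT_SECRET environment variable names and the unsigned demo token are assumptions.

```python
"""Sanity-check the Entra ID app registration from Step 1 before using it in Step 2:
acquire an application-only token and confirm it carries SecurityEvents.Read.All."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Graph tokens carry either the resource URL or Graph's well-known app ID as audience
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
REQUIRED_ROLE = "SecurityEvents.Read.All"  # application permission granted in Step 1


def fetch_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the Microsoft identity platform (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Read the JWT payload. The signature is deliberately not verified: the token
    was just issued to us and is only being inspected, not accepted from a peer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(token: str, now=None) -> list:
    """Return a list of problems with the token; an empty list means it is usable."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"unexpected audience {claims.get('aud')!r}")
    if REQUIRED_ROLE not in (claims.get("roles") or []):
        problems.append(f"missing application permission {REQUIRED_ROLE}")
    if "scp" in claims:
        # scp lists delegated scopes: this is a user token, not an application-only one
        problems.append("token carries delegated scopes (scp), not an application-only token")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned token used only to demonstrate the checks offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Assumed environment variable names; values come from the Step 1 app registration
    token = fetch_app_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    print(check_app_token(token) or "OK: application-only token with SecurityEvents.Read.All")
```

Run it with the three environment variables set; an empty problem list means the Client ID and Client Secret are ready for Step 2.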

Supported log types

MicrosoftGraph.SecurityAlert

Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified.

fields:
    - name: activityGroupName
      description: Name or alias of the activity group (attacker) this alert is attributed to
      type: string
    - name: assignedTo
      description: Name of the analyst the alert is assigned to for triage, investigation, or remediation
      type: string
    - name: azureSubscriptionId
      description: Azure subscription ID, present if this alert is related to an Azure resource
      type: string
    - name: azureTenantId
      required: true
      description: Azure Active Directory tenant ID
      type: string
    - name: category
      description: Category of the alert (for example, credentialTheft, ransomware, etc)
      type: string
    - name: closedDateTime
      description: Time at which the alert was closed (UTC)
      type: timestamp
      timeFormat: rfc3339
    - name: cloudAppStates
      description: Security-related stateful information generated by the provider about the cloud application/s related to this alert
      type: array
      element:
        type: object
        fields:
            - name: destinationServiceIp
              description: Destination IP Address of the connection to the cloud application/service
              type: string
              indicators:
                - ip
            - name: destinationServiceName
              description: Cloud application/service name (for example 'Salesforce', 'DropBox', etc.)
              type: string
            - name: riskScore
              description: Provider-generated/calculated risk score of the Cloud Application/Service. Recommended value range of 0-1, which equates to a percentage
              type: string
    - name: comments
      description: Customer-provided comments on alert (for customer alert management)
      type: array
      element:
        type: string
    - name: confidence
      description: Confidence of the detection logic (percentage between 1-100)
      type: int
    - name: createdDateTime
      required: true
      description: Time at which the alert was created by the alert provider (UTC)
      type: timestamp
      timeFormat: rfc3339
    - name: description
      description: Alert description
      type: string
    - name: detectionIds
      description: Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record)
      type: array
      element:
        type: string
    - name: eventDateTime
      required: true
      description: Time at which the event(s) that served as the trigger(s) to generate the alert occurred (UTC)
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: feedback
      description: 'Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive'
      type: string
    - name: fileStates
      description: Security-related stateful information generated by the provider about the file(s) related to this alert
      type: array
      element:
        type: object
        fields:
            - name: fileHash
              description: Complex type containing file hashes (cryptographic and location-sensitive)
              type: object
              fields:
                - name: hashType
                  description: 'File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256'
                  type: string
                - name: hashValue
                  description: Value of the file hash
                  type: string
                  indicators:
                    - md5
                    - sha1
                    - sha256
            - name: name
              description: File name (without path)
              type: string
            - name: path
              description: Full file path of the file/imageFile
              type: string
            - name: riskScore
              description: Provider generated/calculated risk score of the alert file. Recommended value range of 0-1, which equates to a percentage
              type: string
    - name: hostStates
      description: Security-related stateful information generated by the provider about the host(s) related to this alert
      type: array
      element:
        type: object
        fields:
            - name: fqdn
              description: Host FQDN (Fully Qualified Domain Name) (for example, machine.company.com)
              type: string
              indicators:
                - hostname
            - name: isAzureAdJoined
              description: True if the host is domain joined to Azure Active Directory Domain Services
              type: boolean
            - name: isAzureAdRegistered
              description: True if the host registered with Azure Active Directory Device Registration (BYOD devices - that is, not fully managed by enterprise)
              type: boolean
            - name: isHybridAzureDomainJoined
              description: True if the host is domain joined to an on-premises Active Directory domain
              type: boolean
            - name: netBiosName
              description: The local host name, without the DNS domain name
              type: string
              indicators:
                - hostname
            - name: os
              description: Host Operating System. (For example, Windows10, MacOS, RHEL, etc.)
              type: string
            - name: privateIpAddress
              description: Private (not routable) IPv4 or IPv6 address (see RFC 1918) at the time of the alert
              type: string
              indicators:
                - ip
            - name: publicIpAddress
              description: Publicly routable IPv4 or IPv6 address (see RFC 1918) at time of the alert
              type: string
              indicators:
                - ip
            - name: riskScore
              description: Provider-generated/calculated risk score of the host. Recommended value range of 0-1, which equates to a percentage
              type: string
    - name: id
      required: true
      description: Provider-generated GUID/unique identifier
      type: string
    - name: incidentIds
      description: IDs of incidents related to current alert
      type: array
      element:
        type: string
    - name: lastModifiedDateTime
      description: Time at which the alert entity was last modified (UTC)
      type: timestamp
      timeFormat: rfc3339
    - name: malwareStates
      description: Threat Intelligence pertaining to malware related to this alert
      type: array
      element:
        type: object
        fields:
            - name: category
              description: Provider-generated malware category (for example, trojan, ransomware, etc.)
              type: string
            - name: family
              description: Provider-generated malware family (for example, 'wannacry', 'notpetya', etc.)
              type: string
            - name: name
              description: Provider-generated malware variant name (for example, Trojan:Win32/Powessere.H)
              type: string
            - name: severity
              description: Provider-determined severity of this malware
              type: string
            - name: wasRunning
              description: Indicates whether the detected file (malware/vulnerability) was running at the time of detection or was detected at rest on the disk
              type: boolean
    - name: networkConnections
      description: Security-related stateful information generated by the provider about the network connection(s) related to this alert
      type: array
      element:
        type: object
        fields:
            - name: applicationName
              description: Name of the application managing the network connection (for example, Facebook or SMTP)
              type: string
            - name: destinationAddress
              description: Destination IP address (of the network connection)
              type: string
              indicators:
                - ip
            - name: destinationLocation
              description: Location (by IP address mapping) associated with the destination of a network connection
              type: string
            - name: destinationDomain
              description: Destination domain portion of the destination URL. (for example 'www.contoso.com')
              type: string
              indicators:
                - domain
            - name: destinationPort
              description: Destination port (of the network connection)
              type: string
            - name: destinationUrl
              description: Network connection URL/URI string - excluding parameters. (for example 'www.contoso.com/products/default.html')
              type: string
              indicators:
                - url
            - name: direction
              description: 'Network connection direction. Possible values are: unknown, inbound, outbound'
              type: string
            - name: domainRegisteredDateTime
              description: Date when the destination domain was registered (UTC)
              type: timestamp
              timeFormat: rfc3339
            - name: localDnsName
              description: The local DNS name resolution as it appears in the host's local DNS cache (for example, in case the 'hosts' file was tampered with)
              type: string
            - name: natDestinationAddress
              description: Network Address Translation destination IP address
              type: string
              indicators:
                - ip
            - name: natDestinationPort
              description: Network Address Translation destination port
              type: string
            - name: natSourceAddress
              description: Network Address Translation source IP address
              type: string
              indicators:
                - ip
            - name: natSourcePort
              description: Network Address Translation source port
              type: string
            - name: protocol
              description: 'Network protocol. Possible values are: unknown, ip, icmp, igmp, ggp, ipv4, tcp, pup, udp, idp, ipv6, ipv6RoutingHeader, ipv6FragmentHeader, ipSecEncapsulatingSecurityPayload, ipSecAuthenticationHeader, icmpV6, ipv6NoNextHeader, ipv6DestinationOptions, nd, raw, ipx, spx, spxII'
              type: string
            - name: riskScore
              description: Provider generated/calculated risk score of the network connection. Recommended value range of 0-1, which equates to a percentage
              type: string
            - name: sourceAddress
              description: Source (i.e. origin) IP address (of the network connection)
              type: string
              indicators:
                - ip
            - name: sourceLocation
              description: Location (by IP address mapping) associated with the source of a network connection
              type: string
            - name: sourcePort
              description: Source (i.e. origin) IP port (of the network connection)
              type: string
            - name: status
              description: 'Network connection status. Possible values are: unknown, attempted, succeeded, blocked, failed'
              type: string
            - name: urlParameters
              description: Parameters (suffix) of the destination URL
              type: string
              indicators:
                - url
    - name: processes
      description: Security-related stateful information generated by the provider about the process or processes related to this alert
      type: array
      element:
        type: object
        fields:
            - name: accountName
              description: User account identifier (user account context the process ran under) for example, AccountName, SID, and so on
              type: string
              indicators:
                - username
            - name: commandLine
              description: The full process invocation commandline including all parameters
              type: string
            - name: createdDateTime
              description: Time at which the process was started (UTC)
              type: timestamp
              timeFormat: rfc3339
            - name: fileHash
              description: Complex type containing file hashes (cryptographic and location-sensitive)
              type: object
              fields:
                - name: hashType
                  description: 'File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256'
                  type: string
                - name: hashValue
                  description: Value of the file hash
                  type: string
                  indicators:
                    - md5
                    - sha1
                    - sha256
            - name: integrityLevel
              description: 'The integrity level of the process. Possible values are: unknown, untrusted, low, medium, high, system'
              type: string
            - name: isElevated
              description: True if the process is elevated
              type: boolean
            - name: name
              description: The name of the process' Image file
              type: string
            - name: parentProcessCreatedDateTime
              description: DateTime at which the parent process was started (UTC)
              type: timestamp
              timeFormat: rfc3339
            - name: parentProcessId
              description: The Process ID (PID) of the parent process
              type: bigint
            - name: parentProcessName
              description: The name of the image file of the parent process
              type: string
            - name: path
              description: Full path, including filename
              type: string
            - name: processId
              description: The Process ID (PID) of the process
              type: bigint
    - name: recommendedActions
      description: Vendor/provider recommended action(s) to take as a result of the alert (for example, isolate machine, enforce2FA, reimage host)
      type: array
      element:
        type: string
    - name: registryKeyStates
      description: Security-related stateful information generated by the provider about the registry keys related to this alert
      type: array
      element:
        type: object
        fields:
            - name: hive
              description: 'A Windows registry hive. Possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSecurity, localMachineSoftware, localMachineSystem, usersDefault'
              type: string
            - name: key
              description: Current (i.e. changed) registry key (excludes HIVE)
              type: string
            - name: oldKey
              description: Previous (i.e. before changed) registry key (excludes HIVE)
              type: string
            - name: oldValueData
              description: Previous (i.e. before changed) registry key value data (contents)
              type: string
            - name: oldValueName
              description: Previous (i.e. before changed) registry key value name
              type: string
            - name: operation
              description: 'Operation that changed the registry key name and/or value. Possible values are: unknown, create, modify, delete'
              type: string
            - name: processId
              description: Process ID (PID) of the process that modified the registry key (process details will appear in the alert 'processes' collection)
              type: bigint
            - name: valueData
              description: Current (i.e. changed) registry key value data (contents)
              type: string
            - name: valueName
              description: Current (i.e. changed) registry key value name
              type: string
            - name: valueType
              description: 'Registry key value type. Possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz'
              type: string
    - name: securityResources
      description: Resources related to current alert. For example, for some alerts this can have the Azure Resource value
      type: array
      element:
        type: object
        fields:
            - name: resource
              description: Name of the resource that is related to current alert
              type: string
            - name: resourceType
              description: 'Represents type of security resources related to an alert. Possible values are: attacked, related'
              type: string
    - name: severity
      required: true
      description: 'Alert severity - set by vendor/provider. Possible values are: unknown, informational, low, medium, high'
      type: string
    - name: sourceMaterials
      description: Hyperlinks (URIs) to the source material related to the alert, for example, provider's user interface for alerts or log search, etc
      type: array
      element:
        type: string
        indicators:
            - url
    - name: status
      required: true
      description: 'Alert lifecycle status (stage). Possible values are: unknown, newAlert, inProgress, resolved'
      type: string
    - name: tags
      description: User-definable labels that can be applied to an alert and can serve as filter conditions (for example 'HVA', 'SAW', etc.)
      type: array
      element:
        type: string
    - name: title
      required: true
      description: Alert title
      type: string
    - name: triggers
      description: Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files, ip addresses. This field indicates which properties triggered the alert generation
      type: array
      element:
        type: object
        fields:
            - name: name
              description: Name of the property serving as a detection trigger
              type: string
            - name: type
              description: Type of the property in the key:value pair for interpretation. For example, String, Boolean etc
              type: string
            - name: value
              description: Value of the property serving as a detection trigger
              type: string
    - name: userStates
      description: Security-related stateful information generated by the provider about the user accounts related to this alert
      type: array
      element:
        type: object
        fields:
            - name: aadUserId
              description: AAD User object identifier (GUID) - represents the physical/multi-account user entity
              type: string
              indicators:
                - username
            - name: accountName
              description: Account name of user account (without Active Directory domain or DNS domain) - (also called mailNickName)
              type: string
              indicators:
                - username
            - name: domainName
              description: 'NetBIOS/Active Directory domain of user account (that is, domain\account format)'
              type: string
              indicators:
                - domain
            - name: emailRole
              description: 'For email-related alerts - user account''s email ''role''. Possible values are: unknown, sender, recipient'
              type: string
            - name: isVpn
              description: Indicates whether the user logged on through a VPN
              type: boolean
            - name: logonDateTime
              description: Time at which the sign-in occurred (UTC)
              type: timestamp
              timeFormat: rfc3339
            - name: logonId
              description: User sign-in ID
              type: string
              indicators:
                - username
            - name: logonIp
              description: IP Address the sign-in request originated from
              type: string
              indicators:
                - ip
            - name: logonLocation
              description: Location (by IP address mapping) associated with a user sign-in event by this user
              type: string
            - name: logonType
              description: 'Method of user sign in. Possible values are: unknown, interactive, remoteInteractive, network, batch, service'
              type: string
            - name: onPremisesSecurityIdentifier
              description: Active Directory (on-premises) Security Identifier (SID) of the user
              type: string
              indicators:
                - username
            - name: riskScore
              description: Provider-generated/calculated risk score of the user account. Recommended value range of 0-1, which equates to a percentage
              type: string
            - name: userAccountType
              description: 'User account type (group membership), per Windows definition. Possible values are: unknown, standard, power, administrator'
              type: string
            - name: userPrincipalName
              description: 'User sign-in name - internet format: (user account name)@(user account DNS domain name)'
              type: string
              indicators:
                - username
    - name: vendorInformation
      required: true
      description: Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=Windows Defender ATP; subProvider=AppLocker)
      type: object
      fields:
        - name: provider
          description: Specific provider (product/service - not vendor company); for example, WindowsDefenderATP
          type: string
        - name: providerVersion
          description: Version of the provider or subprovider, if it exists, that generated the alert
          type: string
        - name: subProvider
          description: Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen
          type: string
        - name: vendor
          description: Name of the alert vendor (for example, Microsoft, Dell, FireEye)
          type: string
    - name: vulnerabilityStates
      description: Threat intelligence pertaining to one or more vulnerabilities related to this alert
      type: array
      element:
        type: object
        fields:
            - name: cve
              description: Common Vulnerabilities and Exposures (CVE) for the vulnerability
              type: string
            - name: severity
              description: Base Common Vulnerability Scoring System (CVSS) severity score for this vulnerability
              type: string
            - name: wasRunning
              description: Indicates whether the detected vulnerability (file) was running at the time of detection or was the file detected at rest on the disk
              type: boolean
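
As an added example (not Panther's or Microsoft's code), a Panther-style detection that consumes alerts in the schema above: it fires only on new medium/high alerts that carry elevated-process or machine-hive registry context, and builds its title from `vendorInformation` and `userStates`. It assumes the rule's `event` argument can be read as a plain dict (Panther's event object is dict-like) and uses constructed sample data.

```python
# Added example, not Panther's or Microsoft's code: a Panther-style rule over the
# Microsoft Graph security alert schema. `event` is treated as a plain dict shaped
# like the schema; field names and enum values come from the schema, sample data is constructed.
ACTIONABLE_SEVERITIES = {"medium", "high"}                      # severity enum values worth paging on
MACHINE_HIVES = {"localMachineSoftware", "localMachineSystem"}  # machine-wide hives from the hive enum

def _list(event: dict, key: str) -> list:
    """Return an array field as a list; providers may omit it or send null."""
    value = event.get(key)
    return value if isinstance(value, list) else []

def elevated_processes(event: dict) -> list:
    """Processes the provider marked elevated or running at high/system integrity."""
    return [
        p for p in _list(event, "processes")
        if p.get("isElevated") is True or p.get("integrityLevel") in ("high", "system")
    ]

def machine_registry_changes(event: dict) -> list:
    """create/modify operations on machine-wide hives (changes that outlive the user session)."""
    return [
        r for r in _list(event, "registryKeyStates")
        if r.get("hive") in MACHINE_HIVES and r.get("operation") in ("create", "modify")
    ]

def rule(event: dict) -> bool:
    """Fire on new medium/high alerts with elevated-process or machine-hive registry context."""
    if event.get("status") != "newAlert" or event.get("severity") not in ACTIONABLE_SEVERITIES:
        return False
    return bool(elevated_processes(event) or machine_registry_changes(event))

def title(event: dict) -> str:
    """Alert title built from vendorInformation, severity and the userStates involved."""
    provider = (event.get("vendorInformation") or {}).get("provider", "unknown")
    users = [u.get("userPrincipalName") or u.get("accountName") for u in _list(event, "userStates")]
    who = ", ".join(u for u in users if u) or "unknown user"
    return f"[{provider}] {event.get('severity')} alert '{event.get('title')}' for {who}"

# Constructed sample alert (not a real event), shaped like the schema.
SAMPLE_ALERT = {
    "title": "Suspicious registry persistence", "severity": "high", "status": "newAlert",
    "vendorInformation": {"vendor": "Microsoft", "provider": "WindowsDefenderATP"},
    "processes": [{"name": "installer.exe", "processId": 4242, "isElevated": True, "integrityLevel": "high"}],
    "registryKeyStates": [{"hive": "localMachineSoftware", "operation": "create",
                           "key": r"Software\ExampleVendor\Autostart", "valueName": "Updater"}],
    "userStates": [{"accountName": "jdoe", "userPrincipalName": "jdoe@example.com", "riskScore": "0.8"}],
}
```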

Log in to your Azure portal and navigate to the Microsoft Entra ID service.

Click Grant admin consent on the API permissions page.

You will need to provide these to Panther in the next steps.

You can optionally enable one or more Detection Packs.

Reference: Microsoft Documentation on Security Alerts.
