Panther supports pulling logs directly from Microsoft Graph API
Overview
Panther has the ability to fetch Microsoft Graph logs by querying the Microsoft Graph API to obtain security alerts from the following Microsoft security products:
Azure Active Directory Identity Protection
Azure Information Protection
Microsoft 365 (Default, Cloud App Security, Custom Alerts)
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Sentinel (formerly Azure Sentinel)
How to onboard Microsoft Graph logs to Panther
Prerequisites
Microsoft Defender for Endpoint and Identity alerts require additional user configuration prior to streaming alerting events to Panther. See Microsoft's documentation for more information.
Microsoft Defender for Endpoint requires additional user roles to those required by the Microsoft Graph Security API. Only the users in both Microsoft Defender for Endpoint and Microsoft Graph Security API roles can have access to the Microsoft Defender for Endpoint data. Because application-only authentication is not limited by this, we recommend that you use an application-only authentication token.
Microsoft Defender for Identity alerts are available via the Microsoft Defender for Cloud Apps integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Defender for Cloud Apps.
Step 1: Create a Microsoft Entra ID application
Click App Registrations in the left sidebar.
Click New Registration.
Fill in the fields:
Enter a descriptive name for your application.
For Supported account types, select Accounts in this organizational directory only.
Click Register.
On the left sidebar, click Certificates and Secrets.
Click New Client Secret.
Add a description for the secret (e.g., Panther integration).
Set the Expires field to 24 Months.
Click Add.
The Client Secret is hidden after you navigate away from this page; copy down the Value fieldand store it in a secure location - you will use this as your Client Secret value in Step 4.
On the left sidebar, click API Permissions and then Add a permission.
Find and click the Microsoft Graph APIs.
Click Delegated permissions and select the SecurityEvents.Read.All permission.
Click Application permissions and select the SecurityEvents.Read.All permission.
Click Add permissions at the bottom of the page.
After consent has been granted, click the Overview tab in the left sidebar to view your Application (client) ID and Directory (tenant) ID.
Keep this browser window open as you work through the next steps.
Step 2: Create a new Microsoft Graph Source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Select Microsoft Graph from the list of available log sources.
Click Start Source Setup.
On the next screen, fill in the fields:
Name: Enter a descriptive name for the source e.g., My Microsoft Graph logs.
Tenant ID: Enter your Tenant ID.
Log Types: Select at least one log type.
Click Setup.
On the "Set Credentials" page, copy the Redirect URL and store it in a secure place.
You will need it in the next step.
Keep this browser window open as you work through the next steps.
Step 3: Configure the Redirect URL
Navigate back to the Microsoft Entra ID application.
On the left sidebar, click Authentication.
Click Add a platform.
Click the Web.
Enter your Redirect URL.
Click Configure.
Step 4: Finalize the onboarding in Panther
Navigate back to the Panther Console.
On the "Set Credentials"page, enter your Client IDand Client Secret (the Client Secret is the Value field you saved in the earlier steps of this documentation).
Click Setup.
On the "Verify Setup" screen, click Grant Access.
You will be redirected to a Microsoft page to authorize your app.
You will be redirected to a success screen in Panther:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
MicrosoftGraph.SecurityAlert
Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified.
fields: - name:activityGroupNamedescription:Name or alias of the activity group (attacker) this alert is attributed totype:string - name:assignedTodescription:Name or alias of the activity group (attacker) this alert is attributed totype:string - name:azureSubscriptionIddescription:Azure subscription ID, present if this alert is related to an Azure resourcetype:string - name:azureTenantIdrequired:truedescription:Azure Active Directory tenant IDtype:string - name:categorydescription:Category of the alert (for example, credentialTheft, ransomware, etc)type:string - name:closedDateTimedescription:Time at which the alert was closed (UTC)type:timestamptimeFormat:rfc3339 - name:cloudAppStates description: Security-related stateful information generated by the provider about the cloud application/s related to this alert
type:arrayelement:type:objectfields: - name:destinationServiceIpdescription:Destination IP Address of the connection to the cloud application/servicetype:stringindicators: - ip - name:destinationServiceNamedescription:Cloud application/service name (for example 'Salesforce', 'DropBox', etc.)type:string - name:riskScore description: Provider-generated/calculated risk score of the Cloud Application/Service. Recommended value range of 0-1, which equates to a percentage
type:string - name:commentsdescription:Customer-provided comments on alert (for customer alert management)type:arrayelement:type:string - name:confidencedescription:Confidence of the detection logic (percentage between 1-100)type:int - name:createdDateTimerequired:truedescription:Time at which the alert was created by the alert provider (UTC)type:timestamptimeFormat:rfc3339 - name:descriptiondescription:Alert descriptiontype:string - name:detectionIdsdescription:Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record)type:arrayelement:type:string - name:eventDateTimerequired:truedescription:Time at which the event(s) that served as the trigger(s) to generate the alert occurred (UTC)type:timestamptimeFormat:rfc3339isEventTime:true - name:feedback description: 'Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive'
type:string - name:fileStates description: Security-related stateful information generated by the provider about the file(s) related to this alert
type:arrayelement:type:objectfields: - name:fileHashdescription:Complex type containing file hashes (cryptographic and location-sensitive)type:objectfields: - name:hashType description: 'File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256'
type:string - name:hashValuedescription:Value of the file hashtype:stringindicators: - md5 - sha1 - sha256 - name:namedescription:File name (without path)type:string - name:pathdescription:Full file path of the file/imageFiletype:string - name:riskScore description: Provider generated/calculated risk score of the alert file. Recommended value range of 0-1, which equates to a percentage
type:string - name:hostStates description: Security-related stateful information generated by the provider about the host(s) related to this alert
type:arrayelement:type:objectfields: - name:fqdndescription:Host FQDN (Fully Qualified Domain Name) (for example, machine.company.com)type:stringindicators: - hostname - name:isAzureAdJoineddescription:True if the host is domain joined to Azure Active Directory Domain Servicestype:boolean - name:isAzureAdRegistered description: True if the host registered with Azure Active Directory Device Registration (BYOD devices - that is, not fully managed by enterprise)
type:boolean - name:isHybridAzureDomainJoineddescription:True if the host is domain joined to an on-premises Active Directory domaintype:boolean - name:netBiosNamedescription:The local host name, without the DNS domain nametype:stringindicators: - hostname - name:osdescription:Host Operating System. (For example, Windows10, MacOS, RHEL, etc.)type:string - name:privateIpAddressdescription:Private (not routable) IPv4 or IPv6 address (see RFC 1918) at the time of the alerttype:stringindicators: - ip - name:publicIpAddressdescription:Publicly routable IPv4 or IPv6 address (see RFC 1918) at time of the alerttype:stringindicators: - ip - name:riskScore description: Provider-generated/calculated risk score of the host. Recommended value range of 0-1, which equates to a percentage
type:string - name:idrequired:truedescription:Provider-generated GUID/unique identifiertype:string - name:incidentIdsdescription:IDs of incidents related to current alerttype:arrayelement:type:string - name:lastModifiedDateTimedescription:Time at which the alert entity was last modified (UTC)type:timestamptimeFormat:rfc3339 - name:malwareStatesdescription:Threat Intelligence pertaining to malware related to this alerttype:arrayelement:type:objectfields: - name:categorydescription:Provider-generated malware category (for example, trojan, ransomware, etc.)type:string - name:familydescription:Provider-generated malware family (for example, 'wannacry', 'notpetya', etc.)type:string - name:namedescription:Provider-generated malware variant name (for example, Trojan:Win32/Powessere.H)type:string - name:severitydescription:Provider-determined severity of this malwaretype:string - name:wasRunning description: Indicates whether the detected file (malware/vulnerability) was running at the time of detection or was detected at rest on the disk
type:boolean - name:networkConnections description: Security-related stateful information generated by the provider about the network connection(s) related to this alert
type:arrayelement:type:objectfields: - name:applicationNamedescription:Name of the application managing the network connection (for example, Facebook or SMTP)type:string - name:destinationAddressdescription:Destination IP address (of the network connection)type:stringindicators: - ip - name:destinationLocationdescription:Location (by IP address mapping) associated with the destination of a network connectiontype:string - name:destinationDomaindescription:Destination domain portion of the destination URL. (for example 'www.contoso.com')type:stringindicators: - domain - name:destinationPortdescription:Destination port (of the network connection)type:string - name:destinationUrl description: Network connection URL/URI string - excluding parameters. (for example 'www.contoso.com/products/default.html')
type:stringindicators: - url - name:directiondescription:'Network connection direction. Possible values are: unknown, inbound, outbound'type:string - name:domainRegisteredDateTimedescription:Date when the destination domain was registered (UTC)type:timestamptimeFormat:rfc3339 - name:localDnsName description: The local DNS name resolution as it appears in the host's local DNS cache (for example, in case the 'hosts' file was tampered with)
type:string - name:natDestinationAddressdescription:Network Address Translation destination IP addresstype:stringindicators: - ip - name:natDestinationPortdescription:Network Address Translation destination porttype:string - name:natSourceAddressdescription:Network Address Translation source IP addresstype:stringindicators: - ip - name:natSourcePortdescription:Network Address Translation source porttype:string - name:protocol description: 'Network protocol. Possible values are: unknown, ip, icmp, igmp, ggp, ipv4, tcp, pup, udp, idp, ipv6, ipv6RoutingHeader, ipv6FragmentHeader, ipSecEncapsulatingSecurityPayload, ipSecAuthenticationHeader, icmpV6, ipv6NoNextHeader, ipv6DestinationOptions, nd, raw, ipx, spx, spxII'
type:string - name:riskScore description: Provider generated/calculated risk score of the network connection. Recommended value range of 0-1, which equates to a percentage
type:string - name:sourceAddressdescription:Source (i.e. origin) IP address (of the network connection)type:stringindicators: - ip - name:sourceLocationdescription:Location (by IP address mapping) associated with the source of a network connectiontype:string - name:sourcePortdescription:Source (i.e. origin) IP port (of the network connection)type:string - name:status description: 'Network connection status. Possible values are: unknown, attempted, succeeded, blocked, failed'
type:string - name:urlParametersdescription:Parameters (suffix) of the destination URLtype:stringindicators: - url - name:processes description: Security-related stateful information generated by the provider about the process or processes related to this alert
type:arrayelement:type:objectfields: - name:accountName description: User account identifier (user account context the process ran under) for example, AccountName, SID, and so on
type:stringindicators: - username - name:commandLinedescription:The full process invocation commandline including all parameterstype:string - name:createdDateTimedescription:Time at which the process was started (UTC)type:timestamptimeFormat:rfc3339 - name:fileHashdescription:Complex type containing file hashes (cryptographic and location-sensitive)type:objectfields: - name:hashType description: 'File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256'
type:string - name:hashValuedescription:Value of the file hashtype:stringindicators: - md5 - sha1 - sha256 - name:integrityLevel description: 'The integrity level of the process. Possible values are: unknown, untrusted, low, medium, high, system'
type:string - name:isElevateddescription:True if the process is elevatedtype:boolean - name:namedescription:The name of the process' Image filetype:string - name:parentProcessCreatedDateTimedescription:DateTime at which the parent process was started (UTC)type:timestamptimeFormat:rfc3339 - name:parentProcessIddescription:The Process ID (PID) of the parent processtype:bigint - name:parentProcessNamedescription:The name of the image file of the parent processtype:string - name:pathdescription:Full path, including filenametype:string - name:processIddescription:The Process ID (PID) of the processtype:bigint - name:recommendedActions description: Vendor/provider recommended action(s) to take as a result of the alert (for example, isolate machine, enforce2FA, reimage host)
type:arrayelement:type:string - name:registryKeyStates description: Security-related stateful information generated by the provider about the registry keys related to this alert
type:arrayelement:type:objectfields: - name:hive description: 'A Windows registry hive. Possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSecurity, localMachineSoftware, localMachineSystem, usersDefault'
type:string - name:keydescription:Current (i.e. changed) registry key (excludes HIVE)type:string - name:oldKeydescription:Previous (i.e. before changed) registry key (excludes HIVE)type:string - name:oldValueDatadescription:Previous (i.e. before changed) registry key value data (contents)type:string - name:oldValueNamedescription:Previous (i.e. before changed) registry key value nametype:string - name:operation description: 'Operation that changed the registry key name and/or value. Possible values are: unknown, create, modify, delete'
type:string - name:processId description: Process ID (PID) of the process that modified the registry key (process details will appear in the alert 'processes' collection)
type:bigint - name:valueDatadescription:Current (i.e. changed) registry key value data (contents)type:string - name:valueNamedescription:Current (i.e. changed) registry key value nametype:string - name:valueType description: 'Registry key value type. Possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz'
type:string - name:securityResources description: Resources related to current alert. For example, for some alerts this can have the Azure Resource value
type:arrayelement:type:objectfields: - name:resourcedescription:Name of the resource that is related to current alerttype:string - name:resourceType description: 'Represents type of security resources related to an alert. Possible values are: attacked, related'
type:string - name:severityrequired:true description: 'Alert severity - set by vendor/provider. Possible values are: unknown, informational, low, medium, high'
type:string - name:sourceMaterials description: Hyperlinks (URIs) to the source material related to the alert, for example, provider's user interface for alerts or log search, etc
type:arrayelement:type:stringindicators: - url - name:statusrequired:truedescription:'Alert lifecycle status (stage). Possible values are: unknown, newAlert, inProgress, resolved'type:string - name:tags description: User-definable labels that can be applied to an alert and can serve as filter conditions (for example 'HVA', 'SAW', etc.)
type:arrayelement:type:string - name:titlerequired:truedescription:Alert titletype:string - name:triggers description: Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files, ip addresses. This field indicates which properties triggered the alert generation
type:arrayelement:type:objectfields: - name:namedescription:Name of the property serving as a detection triggertype:string - name:type description: Type of the property in the key:value pair for interpretation. For example, String, Boolean etc
type:string - name:valuedescription:Value of the property serving as a detection triggertype:string - name:userStates description: Security-related stateful information generated by the provider about the user accounts related to this alert
type:arrayelement:type:objectfields: - name:aadUserIddescription:AAD User object identifier (GUID) - represents the physical/multi-account user entitytype:stringindicators: - username - name:accountName description: Account name of user account (without Active Directory domain or DNS domain) - (also called mailNickName)
type:stringindicators: - username - name:domainNamedescription:"NetBIOS/Active Directory domain of user account (that is, domain\account format)"type:stringindicators: - domain - name:emailRole description: 'For email-related alerts - user account''s email ''role''. Possible values are: unknown, sender, recipient'
type:string - name:isVpndescription:Indicates whether the user logged on through a VPNtype:boolean - name:logonDateTimedescription:Time at which the sign-in occurred (UTC)type:timestamptimeFormat:rfc3339 - name:logonIddescription:User sign-in IDtype:stringindicators: - username - name:logonIpdescription:IP Address the sign-in request originated fromtype:stringindicators: - ip - name:logonLocationdescription:Location (by IP address mapping) associated with a user sign-in event by this usertype:string - name:logonType description: 'Method of user sign in. Possible values are: unknown, interactive, remoteInteractive, network, batch, service'
type:string - name:onPremisesSecurityIdentifierdescription:Active Directory (on-premises) Security Identifier (SID) of the usertype:stringindicators: - username - name:riskScore description: Provider-generated/calculated risk score of the user account. Recommended value range of 0-1, which equates to a percentage
type:string - name:userAccountType description: 'User account type (group membership), per Windows definition. Possible values are: unknown, standard, power, administrator'
type:string - name:userPrincipalNamedescription:'User sign-in name - internet format: (user account name)@(user account DNS domain name)'type:stringindicators: - username - name:vendorInformationrequired:true description: Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=Windows Defender ATP; subProvider=AppLocker)
type:objectfields: - name:providerdescription:Specific provider (product/service - not vendor company); for example, WindowsDefenderATPtype:string - name:providerVersiondescription:Version of the provider or subprovider, if it exists, that generated the alerttype:string - name:subProviderdescription:Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreentype:string - name:vendordescription:Name of the alert vendor (for example, Microsoft, Dell, FireEye)type:string - name:vulnerabilityStatesdescription:Threat intelligence pertaining to one or more vulnerabilities related to this alerttype:arrayelement:type:objectfields: - name:cvedescription:Common Vulnerabilities and Exposures (CVE) for the vulnerabilitytype:string - name:severitydescription:Base Common Vulnerability Scoring System (CVSS) severity score for this vulnerabilitytype:string - name:wasRunning description: Indicates whether the detected vulnerability (file) was running at the time of detection or was the file detected at rest on the disk
type:boolean
