Azure Monitor Logs
Connecting Azure Monitor logs to your Panther Console
Overview
Panther supports ingesting Azure Monitor logs by sending them to Azure Storage.
It's also possible to ingest Microsoft Defender for Cloud logs using this source by including the Security category during Step 2 of the onboarding process, below.
How to onboard Azure Monitor logs to Panther
You'll first create an Azure Blob Storage source in Panther, then configure Azure to export logs to that location.
Step 1: Create an Azure Monitor source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Search for "Azure Monitor," then click its tile.
Click Start Setup.
Follow Panther's instructions for configuring an Azure Blob Storage Source.
During Step 2: Create required Azure infrastructure, if you choose to create your Azure resources manually (instead of using Terraform), skip the step to create an Azure container, as one will automatically be created in your storage account in Step 2, below.
After you have completed these instructions, continue to Step 2, below.
Step 2: Export Azure Monitor logs to Azure Blob storage
To export Azure Monitor logs to a Blob storage container:
In your Azure dashboard, navigate to the Monitor service.
In the left-hand navigation panel, click Activity Log.
Near the top of the page, click Export Activity Logs.
Click Add Diagnostic Setting.
On the Diagnostic setting page, provide values for the following fields:
Diagnostic setting name: Enter a descriptive name.
Categories (under Logs): Select each of the log categories you are interested in ingesting:
Security (Microsoft Defender for Cloud)
Destination details: Select the Archive to a storage account checkbox, then select your destination Storage account.
In the upper left corner, click Save.
Monitor Activity logs will now be saved to a Blob container in your storage account.
Step 3: Add role assignment to container
Click on your newly created container with the name
insights-activity-logs
, then in the left-hand navigation bar, click Access Control (IAM).Click +Add.
Click Add Role Assignment.
Search for "Storage Blob Data Reader" and select the matching role that populates.
Click on the Members tab.
Click +Select Members.
Search for the name of the registered app you created during the Create required Azure infrastructure process on Azure Blob Storage Source, and click Select.
Click Review+Assign.
Remember that because Panther retrieves Azure Monitor files once per hour, there could be a delay of up to one hour before initial data arrives in Panther.
Supported log types
Panther supports Azure Monitor Activity logs which are handled by the Azure.MonitorActivity schema.
Azure.MonitorActivity
fields:
- name: time
required: true
description: The timestamp (UTC) of the event being logged.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: resourceId
required: true
description: The resource ID of the resource that emitted the event. For tenant services, this is of the form /tenants/tenant-id/providers/provider-name.
type: string
- name: tenantId
description: The tenant ID of the Active Directory tenant that this event is tied to. This property is used only for tenant-level logs. It does not appear in resource-level logs.
type: string
- name: operationName
required: true
description: The name of the operation that this event is logging, for example Microsoft.Storage/storageAccounts/blobServices/blobs/Read. The operationName is typically modeled in the form of an Azure Resource Manager operation, Microsoft.<providerName>/<resourceType>/<subtype>/<Write|Read|Delete|Action>, even if it's not a documented Resource Manager operation.
type: string
- name: operationVersion
description: The API version associated with the operation, if operationName was performed through an API (for example, http://myservice.windowsazure.net/object?api-version=2016-06-01). If no API corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future.
type: string
- name: category
description: The log category of the event being logged. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. Typical log categories are Audit, Operational, Execution, and Request.
type: string
- name: resultType
description: The status of the logged event, if applicable. Values include Started, In Progress, Succeeded, Failed, Active, and Resolved.
type: string
- name: resultSignature
description: The substatus of the event. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.
type: string
- name: resultDescription
description: The static text description of this operation; for example, Get storage file.
type: string
- name: durationMs
description: The duration of the operation in milliseconds.
type: bigint
- name: callerIpAddress
description: The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.
type: string
indicators:
- ip
- name: correlationId
description: A GUID that's used to group together a set of related events. Typically, if two events have the same operationName value but two different statuses (for example, Started and Succeeded), they share the same correlationID value. This might also represent other relationships between events.
type: string
indicators:
- trace_id
- name: identity
description: A JSON blob that describes the identity of the user or application that performed the operation. Typically, this field includes the authorization and claims or JWT token from Active Directory.
type: json
- name: level
description: The severity level of the event. Values include Informational, Warning, Error, and Critical.
type: string
- name: location
description: The region of the resource emitting the event; for example, East US or France South.
type: string
- name: properties
description: Any extended properties related to this category of events. All custom or unique properties must be put inside this 'Part B' of the schema.
type: json
Last updated
Was this helpful?