Microsoft Entra ID Audit Logs
Connecting Microsoft Entra ID Audit logs to your Panther Console
Overview
Panther supports ingesting Microsoft Entra ID (previously "Azure Active Directory") Audit logs via common Data Transport options, like Azure Blob storage.
How to onboard Microsoft Entra ID Audit logs to Panther
You'll first create an Azure Blob Storage source in Panther, then configure Azure to export logs to that location.
Step 1: Create the Microsoft Entra ID source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Search for “Microsoft Entra ID Audit” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the Azure Blob Storage option.
Step 2: Export Microsoft Entra ID Audit logs to Azure Blob storage
To export Microsoft Entra ID Audit logs to a Blob storage container:
Sign in to your Azure dashboard.
Navigate to the Microsoft Entra ID service.
In the left-hand panel, click Audit logs.
Click Add Diagnostic Setting.
On the Diagnostic setting page, set the following values:
Diagnostic setting name: Enter a descriptive name.
Categories (under Logs): Select the following checkboxes:
NonInteractiveUserSignInLogs
ServicePrincipalSignInLogs
ManagedIdentitySignInLogs
Destination details: Select the Archive to a storage account checkbox, then select your destination Storage account.
In the upper left corner, click Save.
Audit and sign-in logs will now be saved to a Blob container in your storage account.
Step 3: Add role assignment to container
Click on your newly created container, then in the left-hand navigation bar, click Access Control (IAM).
Click Add Role Assignment.
Click on the Members tab.
Panther-managed detections
See Panther-managed rules for Azure in the panther-analysis GitHub repository.
Supported log types
Panther supports Microsoft Entra ID audit and sign-in logs, which are handled by the Azure.Audit schema.
Azure.Audit
The Azure.Audit log schema covers Microsoft Entra ID audit logs and sign-in logs. For more information, see the Microsoft documentation linked in the schema's referenceURL.
```yaml
description: Audit logs from Azure Active Directory
referenceURL: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
fields:
  - name: Level
    type: bigint
  - name: callerIpAddress
    type: string
    indicators:
      - ip
  - name: category
    type: string
  - name: correlationId
    type: string
  - name: durationMs
    type: bigint
  - name: identity
    type: string
  - name: location
    type: string
  - name: locationDetails
    type: json
  - name: networkLocationDetails
    type: string
  - name: operationName
    required: true
    type: string
  - name: operationVersion
    type: string
  - name: properties
    type: object
    fields:
      - name: aadTenantId
        type: string
      - name: activityDateTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: activityDisplayName
        type: string
      - name: additionalDetails
        type: array
        element:
          type: object
          fields:
            - name: key
              type: string
            - name: value
              type: string
      - name: alternateSignInName
        type: string
      - name: appDisplayName
        type: string
      - name: appliedConditionalAccessPolicies
        type: json
      - name: appliedEventListeners
        type: json
      - name: appId
        type: string
      - name: appServicePrincipalId
        type: string
      - name: authenticationAppDeviceDetails
        type: string
      - name: authenticationAppPolicyEvaluationDetails
        type: string
      - name: authenticationContextClassReferences
        type: string
      - name: authenticationDetails
        type: string
      - name: authenticationMethodsUsed
        type: string
      - name: authenticationProcessingDetails
        type: json
      - name: authenticationProtocol
        type: string
      - name: authenticationRequirement
        type: string
      - name: authenticationRequirementPolicies
        type: string
      - name: autonomousSystemNumber
        type: string
      - name: _billedSize
        type: float
      - name: category
        type: string
      - name: clientAppUsed
        type: string
      - name: clientCredentialType
        type: string
      - name: conditionalAccessAudiences
        type: json
      - name: conditionalAccessPolicies
        type: json
      - name: conditionalAccessStatus
        type: string
      - name: correlationId
        type: string
      - name: createdDateTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: crossTenantAccessType
        type: string
      - name: deviceDetail
        type: json
      - name: federatedCredentialId
        type: string
      - name: flaggedForReview
        type: boolean
      - name: globalSecureAccessIpAddress
        type: string
      - name: homeTenantId
        type: string
      - name: homeTenantName
        type: string
      - name: id
        type: string
      - name: incomingTokenType
        type: string
      - name: ipAddress
        type: string
        indicators: [ip]
      - name: ipAddressFromResourceProvider
        type: string
      - name: _isBillable
        type: string
      - name: isDeleted
        type: boolean
      - name: initiatedBy
        type: object
        fields:
          - name: app
            type: object
            fields:
              - name: displayName
                type: string
              - name: servicePrincipalId
                type: string
          - name: user
            type: object
            fields:
              - name: id
                type: string
              - name: displayName
                type: string
              - name: userPrincipalName
                type: string
              - name: ipAddress
                type: string
                indicators: [ip]
              - name: roles
                type: json
      - name: isProcessing
        type: boolean
      - name: loggedByService
        type: string
      - name: location
        type: json
      - name: operationType
        type: string
      - name: result
        type: string
      - name: resultReason
        type: string
      - name: isInteractive
        type: boolean
      - name: isRisky
        type: boolean
      - name: isTenantRestricted
        type: boolean
      - name: isThroughGlobalSecureAccess
        type: boolean
      - name: originalRequestId
        type: string
      - name: originalTransferMethod
        type: string
      - name: processingTimeInMilliseconds
        type: bigint
      - name: resource
        type: string
      - name: resourceDisplayName
        type: string
      - name: resourceGroup
        type: string
      - name: resourceId
        type: string
      - name: resourceIdentity
        type: string
      - name: resourceProvider
        type: string
      - name: resourceServicePrincipalId
        type: string
      - name: resourceTenantId
        type: string
      - name: riskEventTypes
        type: string
      - name: riskEventTypesV2
        type: string
      - name: riskLastUpdatedDateTime
        type: timestamp
        timeFormats:
          - rfc3339
      - name: riskDetail
        type: string
      - name: riskLevel
        type: string
      - name: riskLevelAggregated
        type: string
      - name: riskLevelDuringSignIn
        type: string
      - name: riskState
        type: string
      - name: servicePrincipalId
        type: string
      - name: servicePrincipalCredentialKeyId
        type: string
      - name: servicePrincipalName
        type: string
      - name: sessionId
        type: string
      - name: sessionLifetimePolicies
        type: string
      - name: signInIdentifier
        type: string
      - name: signInIdentifierType
        type: string
      - name: signInTokenProtectionStatus
        type: string
      - name: sourceSystem
        type: string
      - name: status
        type: json
      - name: targetResources
        type: array
        element:
          type: object
          fields:
            - name: displayName
              type: string
            - name: id
              type: string
            - name: modifiedProperties
              type: array
              element:
                type: object
                fields:
                  - name: oldValue
                    type: string
                  - name: displayName
                    type: string
                  - name: newValue
                    type: string
            - name: type
              type: string
            - name: administrativeUnits
              type: json
      - name: timeGenerated
        type: timestamp
        timeFormats:
          - rfc3339
      - name: tokenIssuerName
        type: string
      - name: tokenIssuerType
        type: string
      - name: tokenProtectionStatusDetails
        type: json
      - name: type
        type: string
      - name: uniqueTokenIdentifier
        type: string
      - name: userAgent
        type: string
      - name: userDisplayName
        type: string
        indicators:
          - username
      - name: userId
        type: string
      - name: userPrincipalName
        type: string
        indicators:
          - username
      - name: userType
        type: string
  - name: resourceId
    required: true
    type: string
  - name: resultDescription
    type: string
  - name: resultSignature
    type: string
  - name: resultType
    type: string
  - name: tenantId
    type: string
  - name: time
    required: true
    isEventTime: true
    type: timestamp
    timeFormats:
      - rfc3339
      - '%m/%d/%Y %I:%M:%S %p'
```
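As an added example (not code from Panther or from the panther-analysis repository), here is a Panther-style rule that consumes the Azure.Audit fields above to flag a member being added to a privileged directory role, walking the nested properties.targetResources[].modifiedProperties[] structure. The sample event, the PRIVILEGED_ROLES list and the deep_get stand-in are constructed here, and the rule assumes modifiedProperties values arrive as JSON-encoded strings (falling back to the raw value if they do not).

```python
"""Panther-style rule over Azure.Audit events (added example, not a
panther-analysis rule): flags successful additions of a member to a
privileged Entra ID role via properties.targetResources[].modifiedProperties[]."""
import json

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}  # illustrative

def deep_get(obj, *keys, default=None):
    """Stand-in for Panther's deep_get helper: tolerant nested lookup."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj

def decode_value(raw):
    """Assumes modifiedProperties values are JSON-encoded strings in the
    export (e.g. '"Global Administrator"'); falls back to the raw value."""
    try:
        return json.loads(raw) if isinstance(raw, str) else raw
    except ValueError:
        return raw

def assigned_roles(event):
    """Role display names found in any modifiedProperties entry."""
    roles = set()
    for target in deep_get(event, "properties", "targetResources", default=[]):
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                roles.add(str(decode_value(prop.get("newValue"))))
    return roles

def rule(event):
    """Alert only on a successful 'Add member to role' into a watched role."""
    if event.get("operationName") != "Add member to role":
        return False
    if deep_get(event, "properties", "result") != "success":
        return False
    return bool(assigned_roles(event) & PRIVILEGED_ROLES)

# Constructed sample event in the Azure.Audit shape (not real tenant data).
SAMPLE_EVENT = {
    "operationName": "Add member to role", "time": "2024-05-01T10:15:00Z",
    "resourceId": "/tenants/PLACEHOLDER-TENANT-ID/providers/Microsoft.aadiam",
    "properties": {"category": "RoleManagement", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{"type": "User", "displayName": "jdoe@example.test",
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                "oldValue": None, "newValue": "\"Global Administrator\""}]}]}}
```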