# Azure Logs

## Overview

Panther supports ingesting Azure audit and sign-in logs via common [Data Transport](/~/changes/Dd8nx2iqd1Pp2OzWJaWk/data-onboarding/data-transports.md) options, like Azure Blob storage.

## How to onboard Azure logs to Panther

You'll first create an Azure Blob Storage source in Panther, then configure Azure to export logs to that location.

### Step 1: Create the Azure source in Panther

1. In the lefthand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Azure,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **Azure Blob Storage** option.
4. Click **Start Setup**.
5. Follow Panther's instructions for configuring an [Azure Blob Storage Source](/~/changes/Dd8nx2iqd1Pp2OzWJaWk/data-onboarding/data-transports/azure-blob-storage.md).
   * If during [Step 2: Create required Azure infrastructure](/~/changes/Dd8nx2iqd1Pp2OzWJaWk/data-onboarding/data-transports/azure-blob-storage.md#step-2-create-required-azure-infrastructure) you choose to create your Azure resources manually (instead of using Terraform), skip [the step to create an Azure container](/~/changes/Dd8nx2iqd1Pp2OzWJaWk/data-onboarding/data-transports/azure-blob-storage.md#step-5-create-container-and-add-permission), as one will automatically be created in your storage account in Step 2, below.

### Step 2: Export Azure logs to Azure Blob storage

To export Azure audit and sign-in logs to a Blob storage container:

1. Sign in to your Azure dashboard.
2. In the left-hand panel of the **Azure Active Directory**, click **Audit logs**.
3. Near the top of the page, click **Export Data Settings**.<br>

   <figure><img src="/files/WTWVo8PYq5JkETm4J3If" alt="In the Azure Console, the title of the page reads &#x22;Default Directory | Audit logs&#x22;. There&#x27;s an arrow pointing from &#x22;Audit logs&#x22; in the left-hand bar, to &#x22;Export Data Settings,&#x22; near the top." width="563"><figcaption></figcaption></figure>
4. Click **Add Diagnostic Setting**.
5. On the **Diagnostic setting** page, set the following values:
   * **Diagnostic setting name**: Enter a descriptive name.
   * **Categories** (under **Logs**): Select the following checkboxes:
     * **AuditLogs**
     * **SignInLogs**
     * **NonInteractiveUserSignInLogs**
     * **ServicePrincipalSignInLogs**
     * **ManagedIdentitySignInLogs**
   * **Destination details**: Select the **Archive to a storage account** checkbox, then select your destination **Storage account**.

     <figure><img src="/files/jh8ZPdZldASRvdvk8tuS" alt="The Diagnostic setting page of the Azure console has four fields circled: Diagnostic setting name (a textfield), AuditLogs, SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, and ManagedIdentitySignInLogs (checkboxes), Archive to a storage account (a checkbox), and Storage account (a dropdown selector)." width="563"><figcaption></figcaption></figure>
6. In the upper left corner, click **Save**.
   * Audit and sign-in logs will now be saved to a Blob container in your storage account.

### Step 3: Add role assignment to container

1. Click on your newly created container, then in the left-hand navigation bar, click **Access Control (IAM)**.
2. Click **+Add**.\
   ![In the panthertestcontainer3 Access Control (IAM) page, an arrow is drawn to the +Add button](/files/TTynbQbyaqcN8hjKRXtD)
3. Click **Add Role Assignment**.
4. Search for "Storage Blob Data Reader" and select the matching role that populates.\
   ![In the Add role assignment page of the Azure console, "storage blob" has been searched for in the search box. One of the results, Storage Blob Data Reader, is circled.](/files/yBR8sQB5nkdGON6kaXta)
5. Click on the **Members** tab.
6. Click **+Select Members**.
7. Search for the name of the registered app you created during the [Create required Azure infrastructure process on Azure Blob Storage Source](/~/changes/Dd8nx2iqd1Pp2OzWJaWk/data-onboarding/data-transports/azure-blob-storage.md#step-2-create-required-azure-infrastructure), and click **Select**.
8. Click **Review+Assign**.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Azure in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules/azure_signin_rules).

## Supported log types

Panther supports Azure `audit` and `signin` logs, both of which are handled by the [Azure.Audit](#azure.audit) schema.

### Azure.Audit

These are audit logs in the Azure Active Directory. For more information, see [Microsoft's documentation on audit logs](https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs).

```yaml
schema: Azure.Audit
description: Audit logs from Azure Active Directory
referenceURL: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
fields:
  - name: Level
    required: true
    type: bigint
  - name: callerIpAddress
    required: true
    type: string
    indicators:
      - ip
  - name: category
    required: true
    type: string
  - name: correlationId
    required: true
    type: string
  - name: durationMs
    required: true
    type: bigint
  - name: identity
    required: true
    type: string
  - name: operationName
    required: true
    type: string
  - name: operationVersion
    required: true
    type: float
  - name: properties
    required: true
    type: object
    fields:
      - name: activityDateTime
        required: true
        type: timestamp
        timeFormats:
          - rfc3339
      - name: activityDisplayName
        required: true
        type: string
      - name: additionalDetails
        required: true
        type: array
        element:
          type: object
          fields:
            - name: key
              required: true
              type: string
            - name: value
              required: true
              type: string
      - name: category
        required: true
        type: string
      - name: correlationId
        required: true
        type: string
      - name: id
        required: true
        type: string
      - name: initiatedBy
        required: true
        type: object
        fields:
          - name: app
            required: true
            type: object
            fields:
              - name: displayName
                required: true
                type: string
              - name: servicePrincipalId
                required: true
                type: string
      - name: loggedByService
        required: true
        type: string
      - name: operationType
        required: true
        type: string
      - name: result
        required: true
        type: string
      - name: resultReason
        required: true
        type: string
      - name: targetResources
        required: true
        type: array
        element:
          type: object
          fields:
            - name: displayName
              required: true
              type: string
            - name: id
              required: true
              type: string
            - name: modifiedProperties
              required: true
              type: array
              element:
                type: object
                fields:
                  - name: oldValue
                    type: string
                  - name: displayName
                    required: true
                    type: string
                  - name: newValue
                    required: true
                    type: string
            - name: type
              required: true
              type: string
  - name: resourceId
    required: true
    type: string
  - name: resultSignature
    required: true
    type: string
  - name: tenantId
    required: true
    type: string
  - name: time
    required: true
    type: timestamp
    timeFormats:
      - rfc3339
```
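As an added example (not Panther's own code and not a Panther-managed rule), here is a Panther-style rule over events in the `Azure.Audit` schema above: it fires on successful role-management operations and builds an alert title from `targetResources[].modifiedProperties`, treating the optional `oldValue` as absent rather than failing on it. The `deep_get` helper is a local stand-in for Panther's helper of the same name, and the sample event is constructed.

```python
from typing import Any

# Constructed sample event shaped like the Azure.Audit schema above; every value is made up.
SAMPLE_EVENT: dict[str, Any] = {
    "operationName": "Add member to role",
    "callerIpAddress": "203.0.113.10",
    "properties": {
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": {"app": {"displayName": "example-automation", "servicePrincipalId": "sp-0000"}},
        "targetResources": [{
            "displayName": "alice@example.com",
            "modifiedProperties": [
                # oldValue is optional in the schema: a newly granted role has no prior value
                {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""},
                {"displayName": "Role.TemplateId", "oldValue": "\"\"", "newValue": "\"tmpl-2222\""},
            ],
        }],
    },
}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; a local stand-in for Panther's deep_get helper."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event: dict) -> bool:
    """Fire only on successful role-management operations."""
    return (deep_get(event, "properties", "category") == "RoleManagement"
            and deep_get(event, "properties", "result") == "success")


def changed_properties(event: dict) -> list[tuple[str, str, Any, str]]:
    """(target, property, oldValue or None, newValue) per modified property; values stay JSON-encoded as Azure emits them."""
    changes = []
    for target in deep_get(event, "properties", "targetResources", default=[]):
        for prop in target.get("modifiedProperties", []):
            changes.append((target.get("displayName", "<unknown>"), prop["displayName"],
                            prop.get("oldValue"), prop["newValue"]))
    return changes


def title(event: dict) -> str:
    """Alert title naming the actor, source IP, operation and each old -> new change."""
    actor = deep_get(event, "properties", "initiatedBy", "app", "displayName", default="<unknown>")
    summary = "; ".join(f"{tgt}: {name} {old if old is not None else '<none>'} -> {new}"
                        for tgt, name, old, new in changed_properties(event))
    return f"[Azure] {actor} ({event.get('callerIpAddress', '?')}) {event.get('operationName', '?')}: {summary}"
```

In a real Panther rule, `event` is a Panther event object rather than a plain dict, so the dict accesses above map onto `event.get` and `event.deep_get`.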

### Azure.SignIn

The `Azure.SignIn` schema is **deprecated**. Please use `Azure.Audit`.
