Azure Log Monitoring

Integration Overview

Microsoft Azure is a cloud computing platform that offers more than 200 products and cloud services, including offerings for compute, networking, analytics, containers, databases, security, and more. Panther provides native support for Azure’s audit and sign-in logs, empowering you to continuously monitor your Azure account for suspicious activity. After ingesting Azure logs into Panther, your normalized data is then retained to power future security investigations in a serverless data lake powered by Snowflake.

Use Cases for Azure Logs

Panther offers native support for Azure.Audit and Azure.SignIn logs. Audit logs capture events like changes to applications, groups, users, and licenses, while Sign-in logs capture information about sign-in activity, user access, and sign-in errors. Common SIEM use cases for these log types include monitoring for:

  • Changes to your Azure system
  • Actions and their statuses performed in Azure
  • Activities within Azure containers

Onboarding Azure Logs in Panther

Panther’s integration for Azure is easy to configure, allowing you to onboard your log data in just a few minutes. We recommend using Azure Blob storage to stream your logs into Panther, though other data transport mechanisms are also available.

For more detailed steps on onboarding Azure logs or for supported schema for audit and sign-in logs, you can view our Azure documentation here.

Normalizing & Analyzing Azure Logs

As Panther ingests Azure logs, they are parsed, normalized, and stored in a Snowflake security data lake. This empowers security teams to craft detections, identify anomalies, and conduct investigations on your data in the context of days, weeks, or months.

Panther’s managed schema will apply normalization fields to your Azure logs, which standardize names for attributes and empower users to correlate and investigate data across all log types. For more on searching log data in Panther, check out our documentation on Investigations & Search.

Detection as Code

With Panther, your team won’t be confined to restrictive detection rules or domain-specific query languages as seen in many SIEM platforms. Panther is built with detection-as-code principles, giving you the ability to use Python to write expressive detections, and to integrate external systems like version control and CI/CD pipelines into your detection engineering workflows. This results in powerful, flexible, and reusable scripting of detections for your security team.

A number of pre-built detections for Azure are available in Panther, offering you the ability to immediately monitor for common IoCs and threats. You can explore our built-in detection coverage for Azure logs here.

Configuring Alerts

Panther fires alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of any Azure alerts. Alerts can also be forwarded to alert context or SOAR platforms for more remediation options.

Alerts are categorized in five different severity levels: Info, Low, Medium, High, and Critical. Security teams have the options to dynamically assign severity based on specific log event attributes.

Customer Support

If you have any questions about configuring or monitoring Azure logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.

You can check out our documentation on configuring and monitoring Azure logs here, or customers can sign up for the Panther Community to share best practices or custom detections for monitoring Azure.

The Ideal SIEM Integration for Azure

With Panther, security teams don’t have to struggle with restrictive detection logic, waste time and resources on operational overhead, or pay skyrocketing costs to keep up with the growth of cloud data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.

Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM solution for Azure, request a demo today.

Escape Cloud Noise. Detect Security Signal.
Request a Demo