Microsoft Graph Log Monitoring

Integration Overview

The Microsoft Graph API offers a single endpoint to provide access to data and insights across Microsoft cloud services. Panther can collect, normalize, and monitor Microsoft Graph logs to enable security alerts from Microsoft products, services, and partners. Your normalized log data is then retained to power future security investigations in a data lake powered by the cloud-native data platform, Snowflake.

Use Cases for Microsoft Graph Logs

Panther fetches Microsoft Graph security alert logs by polling the Microsoft Graph Security API, which aggregates alerts raised by Microsoft's security products behind one endpoint. Some common SIEM use cases for Microsoft Graph logs include monitoring for:

  • Security alerts and incidents detected by Microsoft Defender for Cloud
  • Risk policies triggered by Azure Active Directory Identity Protection
  • Alerts triggered by Microsoft Defender for Cloud Apps, Identity, and Endpoint
  • Alerts triggered by Azure Information Protection and Sentinel

Onboarding Microsoft Graph Logs in Panther

Panther’s integration for Microsoft Graph is fast and easy to configure, allowing you to onboard Microsoft Graph logs in just a few minutes. Select Microsoft Graph from the list of log sources in the Panther console, register a new application in Azure Active Directory, and enter that application's credentials in the Panther setup menu.
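The onboarding steps above amount to app-only (client-credentials) access to the Graph Security API, which is also how the alert fetching described under the use cases works. The following is an added example, not Panther's collector code, that shows what such a poller does: the OAuth 2.0 client-credentials token exchange against Azure AD, then an incremental, paged pull from /v1.0/security/alerts that follows @odata.nextLink. It assumes the Azure AD application has been granted the SecurityEvents.Read.All application permission with admin consent; the tenant ID, client ID, secret, timestamps and the two alert pages served by the fake transport are constructed so the example runs offline.

```python
"""Pull new alerts from the Microsoft Graph Security API with app-only auth.

Added example (not Panther's collector). Assumes an Azure AD app registration
granted the SecurityEvents.Read.All application permission with admin consent.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def urllib_transport(method, url, headers=None, body=None):
    """Real HTTP transport: one request, JSON reply. Replaced by a fake below."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_token(tenant_id, client_id, client_secret, transport=urllib_transport):
    """OAuth 2.0 client-credentials grant. The .default scope requests every
    application permission consented to the app; no user is involved."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }).encode("ascii")
    reply = transport("POST", f"{LOGIN}/{tenant_id}/oauth2/v2.0/token",
                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return reply["access_token"]


def fetch_alerts(token, since_iso, transport=urllib_transport, page_size=100):
    """Return alerts created after since_iso, following @odata.nextLink until the
    last page (which carries no nextLink). The $filter keeps each poll incremental
    instead of re-reading the whole alert history."""
    query = urllib.parse.urlencode({
        "$filter": f"createdDateTime gt {since_iso}",
        "$orderby": "createdDateTime asc",
        "$top": str(page_size),
    })
    url = f"{GRAPH}/security/alerts?{query}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    alerts = []
    while url:
        page = transport("GET", url, headers)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def next_checkpoint(alerts, previous_iso):
    """Newest createdDateTime seen; the poller persists it as the next since_iso."""
    return max([a["createdDateTime"] for a in alerts] + [previous_iso])


# --- constructed, offline stand-in for Azure AD and Graph ---------------------
_PAGE2_URL = f"{GRAPH}/security/alerts?$skiptoken=constructed"
_ALERTS = [  # constructed alert objects, shaped like the Graph alert resource
    {"id": "a-1", "title": "Suspicious PowerShell command line", "severity": "high",
     "status": "newAlert", "createdDateTime": "2024-05-01T10:00:00Z"},
    {"id": "a-2", "title": "Atypical travel", "severity": "medium",
     "status": "newAlert", "createdDateTime": "2024-05-01T10:05:00Z"},
]


def fake_transport(method, url, headers=None, body=None):
    """Answers the token request, then serves the alerts as two pages."""
    if url.endswith("/oauth2/v2.0/token"):
        assert method == "POST" and b"grant_type=client_credentials" in body
        return {"token_type": "Bearer", "access_token": "constructed-token"}
    assert headers["Authorization"] == "Bearer constructed-token"
    if url == _PAGE2_URL:
        return {"value": _ALERTS[1:]}  # last page: no @odata.nextLink
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    assert params["$filter"] == ["createdDateTime gt 2024-05-01T00:00:00Z"]
    return {"value": _ALERTS[:1], "@odata.nextLink": _PAGE2_URL}


def poll_once(since_iso="2024-05-01T00:00:00Z", transport=fake_transport):
    """One poller iteration: authenticate, pull new alerts, advance the checkpoint."""
    token = get_token("constructed-tenant", "constructed-client-id", "constructed-secret", transport)
    alerts = fetch_alerts(token, since_iso, transport)
    return alerts, next_checkpoint(alerts, since_iso)


if __name__ == "__main__":
    found, checkpoint = poll_once()
    print(f"{len(found)} new alert(s); next poll starts at {checkpoint}")
```

Pass urllib_transport (the default) instead of fake_transport to run against a real tenant. The filter-plus-checkpoint pattern is what keeps a collector from replaying alerts; storing the client secret and rotating it, rather than baking it into the poller, is the other thing a production version would do differently.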

For more details on onboarding Microsoft Graph logs or for supported log schema, you can view our Microsoft Graph documentation here.

Parsing, Normalizing, & Analyzing Logs

As Panther ingests your log data, it is parsed, normalized, and stored in a Snowflake security data lake. This allows you to build detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.

Panther then applies normalization fields to your logs, which standardizes names for attributes and empowers you to correlate data across all log sources. Panther’s various search tools - such as Query Builder, Data Explorer, and Indicator Search - allow you to investigate your normalized logs for suspicious activity or vulnerabilities. For more information on searching logs, check out our documentation on Investigations & Search.

Built-in and Easily Customizable Detections

Pre-built detections for Microsoft Graph are available by default in Panther, offering users the ability to immediately monitor common IoCs and threats. You can explore our built-in detection coverage for Microsoft Graph logs here.

With Panther, you aren’t confined to rigid detections or proprietary languages as seen in many SIEM solutions. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your security team.

Configuring Alerts

Panther generates alerts when your detection rules or policies for Microsoft Graph are triggered, and integrates with a variety of alert destinations to allow for intuitive management of any alerts. Alerts can also be routed to SOAR platforms for more remediation options.

Alerts are categorized by five severity levels: Info, Low, Medium, High, and Critical. Your security team can assign severity dynamically, based on attributes of the event that triggered the rule.
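As a concrete instance of the detection-as-code model described above and of severity derived from event attributes, the following is an added example, not one of Panther's built-in Microsoft Graph rules: a rule module in the shape Panther loads, with rule(), severity(), title() and alert_context() functions, run over a few constructed alert events. The event field names come from the Microsoft Graph alert resource; that Panther's parsed schema exposes them as top-level keys, the provider strings, and the privileged-account list are assumptions made for the example.

```python
"""A Panther-style Python rule over Microsoft Graph security alerts.

Added example, not one of Panther's built-in detections. Event fields follow the
Microsoft Graph `alert` resource (severity, status, category, title,
vendorInformation.provider, userStates[].userPrincipalName); treating them as
top-level keys of the Panther event is an assumption about the parsed schema.
"""

# Graph alertSeverity values mapped onto Panther's five levels. "DEFAULT" tells
# Panther to fall back to the severity configured on the rule itself.
GRAPH_TO_PANTHER = {"informational": "INFO", "low": "LOW", "medium": "MEDIUM", "high": "HIGH"}

# Hypothetical identities whose alerts are always escalated, whatever the vendor says.
PRIVILEGED_UPNS = {"breakglass@example.com", "globaladmin@example.com"}


def affected_users(event):
    """UPNs named in the alert's userStates, lower-cased for comparison."""
    return {u.get("userPrincipalName", "").lower() for u in event.get("userStates") or []}


def rule(event):
    """Panther calls this once per event; True means the event raises an alert.
    Fire on unhandled (newAlert) alerts at medium or above, and on any unhandled
    alert that names a privileged identity regardless of vendor severity."""
    if event.get("status") != "newAlert":
        return False
    if affected_users(event) & PRIVILEGED_UPNS:
        return True
    return (event.get("severity") or "").lower() in ("medium", "high")


def severity(event):
    """Dynamic severity from event attributes instead of a fixed rule setting."""
    if affected_users(event) & PRIVILEGED_UPNS:
        return "CRITICAL"
    return GRAPH_TO_PANTHER.get((event.get("severity") or "").lower(), "DEFAULT")


def title(event):
    """Alert title shown at the destination."""
    provider = (event.get("vendorInformation") or {}).get("provider") or "Microsoft"
    users = ", ".join(sorted(affected_users(event))) or "no user"
    return f"[{provider}] {event.get('title', 'Security alert')} ({users})"


def alert_context(event):
    """Fields attached to the alert so responders can pivot without the raw log."""
    return {
        "alert_id": event.get("id"),
        "category": event.get("category"),
        "users": sorted(affected_users(event)),
        "hosts": [h.get("fqdn") for h in event.get("hostStates") or []],
    }


# Constructed sample events shaped like Graph alert objects (provider names are illustrative).
SAMPLE_EVENTS = [
    {"id": "1", "title": "Suspicious process injection", "severity": "high", "status": "newAlert",
     "category": "Execution", "vendorInformation": {"provider": "Defender for Endpoint", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "alice@example.com"}],
     "hostStates": [{"fqdn": "wks-07.example.com"}]},
    {"id": "2", "title": "Anonymous IP sign-in", "severity": "low", "status": "newAlert",
     "category": "InitialAccess", "vendorInformation": {"provider": "Identity Protection", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "BreakGlass@example.com"}]},
    {"id": "3", "title": "Malware detected", "severity": "high", "status": "resolved",
     "category": "Malware", "vendorInformation": {"provider": "Defender for Endpoint", "vendor": "Microsoft"}},
    {"id": "4", "title": "Unfamiliar sign-in properties", "severity": "low", "status": "newAlert",
     "category": "InitialAccess", "vendorInformation": {"provider": "Identity Protection", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "bob@example.com"}]},
]


def evaluate(events):
    """Apply the rule to a batch and return (id, severity, title) for each hit."""
    return [(e["id"], severity(e), title(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Of the four constructed events, only the new high-severity alert and the low-severity alert on the break-glass account fire; the resolved alert and the low-severity alert on an ordinary user are dropped. Keeping the status check first is deliberate: re-ingesting an already-resolved alert should not page anyone. Because the module is plain Python, the same file can be exercised with unit tests in CI before it is deployed, which is the point of detection-as-code.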

Customer Support

If you have any questions about configuring or monitoring Microsoft Graph logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.

You can view our documentation on configuring and monitoring Microsoft Graph logs here, or customers can sign up for the Panther Community to share best practices or custom detections for Microsoft Graph logs.

The Ideal SIEM for Microsoft Graph

With Panther, your team doesn’t have to waste time and resources on operational overhead, pay excessive costs to keep up with the growth of cloud app data, or struggle with restrictive detection logic. Panther was founded by a team of security engineers who struggled with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to solve those problems.

Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts. If you’re searching for a seamless SIEM platform for Microsoft Graph, request a demo today.
