Microsoft Defender XDR Log Monitoring

Integration Overview

Microsoft Defender XDR is Microsoft's extended detection and response platform, unifying signals across endpoints, identities, email, and cloud applications. Panther integrates with Microsoft Defender XDR to ingest Advanced Hunting events via Azure Event Hub or Azure Blob Storage, giving security teams a centralized view of Defender telemetry alongside the rest of their security data. Normalized events are stored in Panther's Snowflake-powered security data lake for detection, investigation, and cross-source correlation.

Use Cases for Microsoft Defender XDR Logs

Common SIEM use cases for Microsoft Defender XDR logs include:

• Correlating Defender XDR alerts and hunting events with identity, network, and cloud logs for end-to-end investigation

• Writing detection-as-code rules against Advanced Hunting event data to catch threats across your Microsoft environment

• Centralizing Microsoft security telemetry in a unified data lake alongside non-Microsoft sources

Onboarding Microsoft Defender XDR Logs in Panther

Panther's integration for Microsoft Defender XDR is easy to configure, allowing you to onboard your log data in just a few minutes. Defender XDR logs are exported via Microsoft's Streaming API to either an Azure Event Hub or Azure Blob Storage, then ingested into Panther using Panther's Azure data transports. An Azure subscription with Owner or Contributor access is required.

For more detailed steps on onboarding Microsoft Defender XDR or for supported log schema, you can view our Microsoft Defender XDR documentation here.