Application

Microsoft Entra ID Audit Log Monitoring

Monitor identity activity and authentication events across your Azure environment.

Integration Overview

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity platform, managing authentication and access for users, applications, and services across your organization. Entra ID audit and sign-in logs capture a comprehensive record of identity activity including user sign-ins, service principal authentication, managed identity activity, and administrative changes. Panther ingests these logs via Azure Event Hub or Blob Storage, normalizing and storing them in a Snowflake-powered security data lake for detection and investigation.

Use Cases for Microsoft Entra ID Audit Logs

Common SIEM use cases for Microsoft Entra ID audit logs include:

  • Detecting suspicious sign-in activity including anomalous locations, failed authentications, and non-interactive sign-ins

  • Monitoring service principal and managed identity authentication for unauthorized access patterns

  • Correlating identity events with endpoint, network, and application logs for end-to-end investigation

Onboarding Microsoft Entra ID Audit Logs in Panther

Panther's integration for Microsoft Entra ID is easy to configure, allowing you to onboard your log data in just a few minutes. Entra ID audit and sign-in logs are exported via Azure Diagnostic Settings to either an Azure Event Hub (near real-time) or Blob Storage (hourly), then ingested into Panther using Panther's Azure data transports.

For detailed onboarding steps and the supported log schema, see Panther's Microsoft Entra ID documentation.
