Panther can fetch Microsoft Graph logs by querying the Microsoft Graph Security API for security alerts raised by Microsoft Security products. The integration is a direct API integration: a Client ID and Secret ID are shared with the Panther Console. Once logs are flowing, detections can be applied to analyze the data as it is ingested into Panther.
Common security use cases for monitoring Microsoft Graph with Panther include:
- Alert on potential brute force attacks on Azure AD logins and MFA
- Correlate data across all log types including Azure
- Enrich Azure alerts with threat intelligence to further investigate potential threats
How it Works
Panther’s Microsoft Graph integration is simple and fast:
- Generate a Client ID and Secret ID value in Azure
- Put the values into Panther Console’s “Log Sources” page
- Logs automatically start pulling from the following sources
- Ingested logs are parsed and normalized into p_fields so common IoCs can be correlated across all log types
- Detections from Panther Packs can be applied to logs pulled in from the Graph API
- If an alert fires, investigation tools such as Indicator Search and Data Explorer can be used to dig into historical data
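As an added illustration of the detection step above (example code written for this page, not a rule from Panther Packs or code from Microsoft), the block below shows what a Panther-style detection over an ingested Graph Security API alert can look like. It assumes the Panther rule contract of a rule(event) function returning a boolean plus optional title(event) and severity(event) functions, and it assumes the field names of the Microsoft Graph Security API v1 alert resource (severity, status, category, vendorInformation, userStates); the sample alert itself is constructed. It skips alerts whose status is already resolved, so that status updates on an old alert do not re-fire, and it pulls out the user and IP indicators that the p_fields normalization is meant to make correlatable.

```python
"""Panther-style detection over a Microsoft Graph Security API alert.

Added example for this page. Assumed: the Panther rule contract
(rule/title/severity functions taking the event dict) and the Graph
Security API v1 alert field names. The sample event is constructed.
"""

# Constructed sample in the shape of a Graph Security API v1 alert resource.
SAMPLE_ALERT = {
    "id": "constructed-alert-0001",
    "title": "Multiple failed user log on attempts to an application",
    "category": "CredentialAccess",
    "severity": "medium",
    "status": "newAlert",
    "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
    "userStates": [
        {"userPrincipalName": "alice@example.com", "logonIp": "203.0.113.5"}
    ],
}

# Only act on alerts that are still open; "resolved"/"dismissed" updates are noise.
ACTIONABLE_STATUSES = {"newAlert", "inProgress"}
# Alert categories this rule cares about (brute force / initial access style activity).
WATCHED_CATEGORIES = {"CredentialAccess", "InitialAccess"}
# Graph severity values mapped onto Panther's severity labels.
SEVERITY_MAP = {"high": "HIGH", "medium": "MEDIUM", "low": "LOW", "informational": "INFO"}


def rule(event):
    """Fire when an open, medium-or-higher Graph alert falls in a watched category."""
    if event.get("status") not in ACTIONABLE_STATUSES:
        return False
    if str(event.get("severity", "")).lower() not in {"high", "medium"}:
        return False
    return event.get("category") in WATCHED_CATEGORIES


def user_principal_names(event):
    """Collect the user principal names the alert is about (may be empty)."""
    return [s["userPrincipalName"] for s in event.get("userStates", []) if s.get("userPrincipalName")]


def logon_ips(event):
    """Collect the logon IPs attached to the alert; these are the IoCs worth correlating."""
    return [s["logonIp"] for s in event.get("userStates", []) if s.get("logonIp")]


def title(event):
    """Alert title shown in Panther: provider, Graph title, and affected users."""
    provider = event.get("vendorInformation", {}).get("provider", "unknown provider")
    users = ", ".join(user_principal_names(event)) or "unknown user"
    return f"[{provider}] {event.get('title', 'Microsoft Graph alert')} for {users}"


def severity(event):
    """Translate the Graph severity onto Panther's scale, defaulting to MEDIUM."""
    return SEVERITY_MAP.get(str(event.get("severity", "")).lower(), "MEDIUM")


if __name__ == "__main__":
    if rule(SAMPLE_ALERT):
        print(severity(SAMPLE_ALERT), title(SAMPLE_ALERT), logon_ips(SAMPLE_ALERT))
```

In a real deployment the same functions would live in a Panther rule file attached to the Microsoft Graph log type; the IPs and user principal names extracted here are the values Indicator Search would be used to pivot on across the other log sources.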
You can learn more about Panther's supported log schema for Microsoft Graph here.
With the wide variety of Azure services exposed through the Microsoft Graph API, security teams can correlate Microsoft security alerts with the other security products in their environment in minutes. Learn how to protect Azure along with the rest of your security environment in our blog.