Issue

When Azure Activity Audit Logs are ingested from Azure Monitor using the out-of-the-box schema `Azure.MonitorActivity`, the data is not classified because the payload body arrives Base64-encoded.

Resolution

To resolve this issue, use the supported method to send Azure Activity logs to Azure Blob Storage. Follow the steps outlined in the Microsoft Azure documentation for sending Activity logs to Azure Storage.

Cause

This issue occurs when the Azure Activity Audit Logs are not sent to Azure Blob Storage in the format expected by Panther. When logs are ingested directly from Azure Monitor or through unsupported methods, the payload may be Base64 encoded, which prevents Panther from properly classifying and parsing the data.
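
To confirm which form a log source is delivering, the following Python check (an added example, not Panther's or Microsoft's code) classifies each line of a downloaded sample as plain JSON, Base64-wrapped JSON, or unrecognised. The key names in `EXPECTED_KEYS`, the function names and the sample record are assumptions constructed for illustration; they are not Panther's classification logic.

```python
import base64
import binascii
import json

# Assumption: keys commonly present in Azure Activity log records. Used only as
# a heuristic to recognise a record, not as Panther's classification logic.
EXPECTED_KEYS = {"operationName", "resourceId"}


def _as_activity_record(text):
    """Return the parsed dict if text is a JSON object carrying the expected keys."""
    try:
        obj = json.loads(text)
    except (ValueError, TypeError):
        return None
    if isinstance(obj, dict) and EXPECTED_KEYS.issubset(obj):
        return obj
    return None


def inspect_line(line):
    """Classify one log line as 'json', 'base64_json' or 'unknown'."""
    line = line.strip()
    if _as_activity_record(line) is not None:
        return "json"
    try:
        # validate=True rejects anything outside the Base64 alphabet.
        decoded = base64.b64decode(line, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return "unknown"
    return "base64_json" if _as_activity_record(decoded) is not None else "unknown"


def summarize(lines):
    """Count each classification across the non-empty lines of a sample."""
    counts = {"json": 0, "base64_json": 0, "unknown": 0}
    for line in lines:
        if line.strip():
            counts[inspect_line(line)] += 1
    return counts


# Constructed sample record (not real tenant data).
_RECORD = {"time": "2024-01-01T00:00:00Z", "category": "Administrative",
           "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
           "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"}
_RAW = json.dumps(_RECORD)
SAMPLE = [_RAW, base64.b64encode(_RAW.encode()).decode(), "not a log line"]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero `base64_json` count on a sample from the log source indicates the delivery path described above rather than the supported Blob Storage export.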

Additional Information

If you continue to experience issues after following the recommended steps: