When ingesting Azure Activity Audit Logs from Azure Monitor using the out-of-the-box schema `Azure.MonitorActivity`, the data is not classified because the payload body arrives Base64-encoded.
To resolve this issue, use the supported method to send Azure Activity logs to Azure Blob Storage. Follow the steps outlined in the Microsoft Azure documentation for sending Activity logs to Azure Storage.
This issue occurs when the Azure Activity Audit Logs are not sent to Azure Blob Storage in the format expected by Panther. When logs are ingested directly from Azure Monitor or through unsupported methods, the payload may be Base64 encoded, which prevents Panther from properly classifying and parsing the data.
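
To confirm this cause on a raw event body before changing the export path, the following check reports whether the body is plain JSON or Base64-wrapped JSON. It is an added example, not Panther or Microsoft code; the function names and the sample record are constructed for illustration.

```python
import base64
import binascii
import json

def _is_json_object(text: str) -> bool:
    """True when text parses as a JSON object (the shape of one activity record)."""
    try:
        return isinstance(json.loads(text), dict)
    except json.JSONDecodeError:
        return False

def classify_payload(raw: str) -> str:
    """Return 'json', 'base64-json', 'base64-other' or 'unknown' for one event body."""
    text = raw.strip()
    if not text:
        return "unknown"
    # Plain JSON is what a schema-based parser can match directly.
    if _is_json_object(text):
        return "json"
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of
        # silently dropping them, so ordinary text is not mistaken for Base64.
        decoded = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    try:
        inner = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return "base64-other"
    return "base64-json" if _is_json_object(inner) else "base64-other"

# Constructed sample record; the field values are placeholders, not real log data.
SAMPLE_RECORD = {
    "time": "2024-01-01T00:00:00Z",
    "category": "Administrative",
    "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000",
}
PLAIN = json.dumps(SAMPLE_RECORD)
WRAPPED = base64.b64encode(PLAIN.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for label, body in (("plain", PLAIN), ("wrapped", WRAPPED)):
        print(label, "->", classify_payload(body))
```

A result of `base64-json` matches the condition described above: the record itself is intact, but it is wrapped in an encoding the parser does not unwrap.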
If you continue to experience issues after following the recommended steps:

1. Query the classification failures in Panther using the following SQL query (replace `'Your log source name'` with your actual log source name):

   ```sql
   select * from panther_monitor.public.classification_failures
   where p_occurs_since('48 hours')
   and p_source_label = 'Your log source name'
   order by p_parse_time desc
   limit 10
   ```

2. Contact Panther support and share the results of the query.