Set Up HTTPS Log Forwarding to Microsoft Sentinel
Where Can I Use This? / What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
If you need to fulfill your organization's legal compliance requirements, you can easily forward firewall logs stored in Strata Logging Service to external destinations through Prisma Access. For example, you can forward logs using syslog to a SIEM for long-term storage, SOC use, or internal audit obligations.
Forward HTTPS logs from Strata Logging Service to Microsoft Sentinel by completing the following steps.
  1. Log in to your Microsoft Azure account, and create a Log Analytics workspace for your Microsoft Sentinel instance.
  2. Create and deploy an agent web app to decompress data from Strata Logging Service.
    1. Install Visual Studio Code version 1.64.1 or a later version.
    2. Install the Azure Tools and Azure App Service extensions in Visual Studio Code.
    3. Obtain the agent web application's code from GitHub.
      git clone https://github.com/PaloAltoNetworks/cdl-decompress-proxy-sentinel-ingest.git
      This is sample application code and is not maintained by Palo Alto Networks. Don't use the code as-is; instead, develop your own agent or customize this base version to align with your specific needs and requirements.
    4. Open the cdl-decompress-proxy-sentinel-ingest folder in Visual Studio Code.
      If you downloaded and extracted the ZIP folder in 2.c, make sure you navigate to the final folder in the extract, called cdl-decompress-proxy-sentinel-ingest-master, when you open the folder in Visual Studio Code.
    5. Click the Azure icon and sign in to Azure.
    6. Go to Resources > your subscription > App Services.
    7. Right click and select Create New Web App….
      Select the advanced option if you want to make use of previously created Azure resources.
    8. Enter a name.
    9. Choose the Python 3.9 runtime stack.
    10. Select an appropriate pricing tier.
      If you chose the advanced option, select the appropriate Azure resources when prompted.
      The agent web app takes a few minutes to be created.
    11. Right click the new agent web app and choose Deploy to Web App….
    12. Select the correct folder.
      The correct folder, which is the final one in your ZIP extract or Git clone, should already be listed.
    13. Deploy when prompted.
      Visual Studio Code takes a few minutes to deploy the web app.
  3. Connect the web app to the Log Analytics workspace.
    1. In Azure, navigate to the desired Log Analytics workspace, and select Agents management > Linux servers.
    2. Copy the Workspace ID and Primary Key values.
  4. (Optional) Enable an Azure Key Vault to store the workspace ID and primary key values as secrets in the key vault.
    1. In Azure, navigate to the agent web app.
    2. Select Settings > Identity > System assigned, and change Status to On.
    3. Save and acknowledge any further prompts.
      Refer to Microsoft's documentation if you want to create a key vault.
  5. Copy the URL from your web app.
    1. In Azure, navigate to the agent web app.
    2. Copy the URL.
  6. From Prisma Access, open the Strata Logging Service app associated with your tenant.
    Go to Prisma Access > Tenants and Services > Strata Logging Service.
  7. Select Log Forwarding.
  8. Add an HTTPS Profile.
  9. Configure HTTPS Forwarding Profile.
    1. Enter the required values and information.
    2. Enter the URL that you copied in 5.
    3. Select Sentinel Authorization as the Client Authorization Type.
    4. Enter the workspace ID and primary key that you copied in 3.b.
    5. Test Connection.
      If you are using secrets stored in a key vault, this may show an authentication error at first. Wait a few minutes and try again. If you receive any other error messages, log out of Strata Logging Service, log back in, and set up the HTTPS Profile again.
  10. Click Next, and add appropriate filters for the log types that you forward to Microsoft Sentinel.
  11. Save the changes.
    The status of the HTTPS profile takes some time to change from Provisioning to Running.
  12. (Optional) Verify if the logs are forwarded to Microsoft Sentinel.
    1. Log in to Microsoft Sentinel.
    2. Go to Logs and run an appropriate query.
      The forwarded logs appear.
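As an added illustration (not the sample repository's code, and not Palo Alto Networks' or Microsoft's), here is a minimal Python 3.9 model of what the agent web app in step 2 has to do with the workspace ID and primary key copied in step 3: decompress a forwarded payload and sign the ingestion request. It assumes Strata Logging Service sends gzip-compressed JSON and that the agent ingests through the Log Analytics HTTP Data Collector API, whose SharedKey scheme uses exactly that ID/key pair; the sample records, placeholder key and Log-Type name are constructed.

```python
import base64
import datetime
import gzip
import hashlib
import hmac
import json

# Constructed placeholders; the real pair is copied from Agents management in Azure (step 3).
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
PRIMARY_KEY = base64.b64encode(b"constructed-primary-key-placeholder").decode()
LOG_TYPE = "StrataLoggingService"  # assumed custom table name; Log Analytics appends _CL
API_RESOURCE = "/api/logs"


def decompress_payload(body: bytes) -> list:
    """Gunzip a forwarded body (assumed gzip JSON) into a list of records; plain JSON passes through."""
    raw = gzip.decompress(body) if body[:2] == b"\x1f\x8b" else body
    records = json.loads(raw)
    return records if isinstance(records, list) else [records]


def build_signature(workspace_id: str, primary_key: str, date_rfc1123: str,
                    content_length: int) -> str:
    """SharedKey scheme: HMAC-SHA256 over the canonical request string, keyed with the
    base64-decoded primary key, so the key itself is never sent on the wire."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{date_rfc1123}\n{API_RESOURCE}")
    digest = hmac.new(base64.b64decode(primary_key), string_to_sign.encode(),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def prepare_ingest_request(records: list, workspace_id: str = WORKSPACE_ID,
                           primary_key: str = PRIMARY_KEY) -> dict:
    """Return the URL, headers and body the agent would POST to the Data Collector API."""
    date_rfc1123 = datetime.datetime.now(datetime.timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode()
    headers = {"Content-Type": "application/json", "Log-Type": LOG_TYPE,
               "x-ms-date": date_rfc1123,  # must match the date inside the signature
               "Authorization": build_signature(workspace_id, primary_key, date_rfc1123, len(body))}
    url = f"https://{workspace_id}.ods.opinsights.azure.com{API_RESOURCE}?api-version=2016-04-01"
    return {"url": url, "headers": headers, "body": body}


# Constructed sample: two traffic-style records, gzip-compressed as the forwarder is assumed to send them.
SAMPLE_BODY = gzip.compress(json.dumps([
    {"log_type": "traffic", "src": "10.0.0.5", "dst": "10.0.1.9", "action": "allow"},
    {"log_type": "traffic", "src": "10.0.0.7", "dst": "10.0.1.9", "action": "deny"},
]).encode())
```

Because the primary key only ever feeds the HMAC, the Key Vault secret from step 4, read at startup, is the value to pass as primary_key rather than a literal in app settings or source.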