Learn how to enable activity logging on your Cloud NGFW for Azure
resource.
Where Can I Use This? | What Do I Need?
- Cloud NGFW subscription
- Palo Alto Networks Customer Support Portal account
- Azure Marketplace subscription
Track administrator activity on Cloud NGFW for Azure to achieve
real-time reporting of activity across your deployment. If you have reason to
believe that an administrator account is compromised, the activity log provides you
with a full history of where an administrator navigated throughout the Cloud NGFW
tenant and what configuration changes they made so you can analyze in detail and
respond to all actions taken by the compromised account.
A log is an automatically generated, time-stamped file that provides an audit trail
for system events on the firewall or network traffic events that the firewall
monitors. Log entries contain artifacts, which are properties, activities, or
behaviors associated with the logged event, such as the application type or the IP
address of an attacker. Each log type records information for a separate event type.
For example, the firewall generates a Threat log to record traffic that matches a
spyware, vulnerability, or malware signature or a DoS attack that matches the
thresholds configured for a port scan or host sweep activity on the firewall.
The Cloud NGFW can send traffic, threat, and decryption logs to an Azure Log
Analytics Workspace that you create in the Azure portal. The Log Analytics
Workspace is associated with a workspace ID, a primary key, and a secondary key,
which the control plane retrieves through the logging API.
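The same workspace setup done from the Azure CLI instead of the portal, as an added example that is not Palo Alto Networks' or Microsoft's own code: it creates the Log Analytics Workspace and reads back the workspace ID and shared keys that Cloud NGFW is configured with. It assumes the `az` CLI is installed and logged in; the resource group, workspace name and region are placeholders, and the `CLOUD_NGFW_LAW_RUN` variable and the helper names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloud NGFW docs. Assumes `az` is installed and
# `az login` has been run with rights to create resources in the subscription.
set -eu

# Returns 0 if $1 looks like a Log Analytics workspace ID (a GUID), else 1.
is_workspace_id() {
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints the first 4 characters of a key followed by ****, so a key can be
# confirmed in a log without recording the credential itself.
redact_key() {
  printf '%s****\n' "$(printf '%s' "$1" | cut -c1-4)"
}

# Creates the resource group and the workspace ($1=group, $2=workspace, $3=region).
create_workspace() {
  az group create --name "$1" --location "$3" --output none
  az monitor log-analytics workspace create --resource-group "$1" \
    --workspace-name "$2" --location "$3" --output none
}

# Prints the workspace ID (customerId), the value Cloud NGFW logs are keyed to.
workspace_id() {
  az monitor log-analytics workspace show --resource-group "$1" \
    --workspace-name "$2" --query customerId --output tsv
}

# Prints one shared key ($3 is primarySharedKey or secondarySharedKey). The key
# grants write access to the workspace: store it in Key Vault, never in scripts.
shared_key() {
  az monitor log-analytics workspace get-shared-keys --resource-group "$1" \
    --workspace-name "$2" --query "$3" --output tsv
}

main() {
  rg="cngfw-logging-rg"; ws="cngfw-law"; region="eastus"   # placeholders
  create_workspace "$rg" "$ws" "$region"
  id="$(workspace_id "$rg" "$ws")"
  is_workspace_id "$id" || { echo "unexpected workspace ID: $id" >&2; exit 1; }
  echo "workspace ID: $id"
  primary="$(shared_key "$rg" "$ws" primarySharedKey)"
  echo "primary key:  $(redact_key "$primary")"   # redacted on purpose
}

# Only talk to Azure when explicitly asked, so the helpers can be sourced safely.
if [ "${CLOUD_NGFW_LAW_RUN:-0}" = "1" ]; then main; fi
```

Run with `CLOUD_NGFW_LAW_RUN=1 ./create-law.sh`; the secondary key is fetched the same way with `secondarySharedKey`.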