If you need to fulfill your organization's legal compliance requirements, you can forward firewall logs stored in Strata Logging Service to external destinations through Prisma Access. For example, you can forward logs using syslog to a SIEM for long-term storage, SOC, or internal audit obligations.

Forward HTTPS logs from Strata Logging Service to Microsoft Sentinel by completing the following steps.

1. Log in to your Microsoft Azure account, and create a Log Analytics workspace in your Sentinel.

2. Create and deploy an agent web app to decompress data from Strata Logging Service.
   a. Install Visual Studio Code version 1.64.1 or a later version.
   b. Install the Azure Tools and Azure App Service extensions in Visual Studio Code.
   c. Obtain the agent web application's code from GitHub.
      This is sample application code and is not maintained by Palo Alto Networks. Don't use the code as-is; we recommend that you develop your own agent or customize this base version to align with your specific needs and requirements.
   d. Open the cdl-decompress-proxy-sentinel-ingest folder in Visual Studio Code.
      If you downloaded and extracted the ZIP folder in 2.c, make sure that you navigate to the final folder in the extract, called cdl-decompress-proxy-sentinel-ingest-master, when you open the folder in Visual Studio Code.
   e. Click the Azure icon and sign in to Azure.
   f. Go to Resources > your subscription > App Services.
   g. Right-click and select Create New Web App….
      Select the advanced option if you want to make use of previously created Azure resources.
   h. Enter a name.
   i. Choose the Python 3.9 runtime stack.
   j. Select an appropriate pricing tier.
      If you chose the advanced option, select the appropriate Azure resources when prompted. The agent web app takes a few minutes to be created.
   k. Right-click the new agent web app and choose Deploy to Web App….
   l. Select the correct folder.
      The correct folder, which is the final one in your ZIP extract or Git clone, should already be listed.
   m. Deploy when prompted.
      Visual Studio Code takes a few minutes to deploy the web app.

3. Connect the web app to the Log Analytics workspace.
   a. In Azure, navigate to the desired Log Analytics workspace, and select Agents management > Linux servers.
   b. Copy the Workspace ID and Primary Key values.
   c. (Optional) Enable an Azure Key Vault to store the workspace ID and primary key values as secrets in the key vault.
      i. In Azure, navigate to the agent web app.
      ii. Select Settings > Identity > System assigned, and change Status to On.
      iii. Save and acknowledge any further prompts.
      Refer to Microsoft's documentation if you want to create a key vault.

4. Copy the URL from your web app.
   a. In Azure, navigate to the agent web app.
   b. Copy the URL.

5. From Prisma Access, open the Strata Logging Service app associated with your tenant.
   Go to Prisma Access > Tenants and Services > Strata Logging Service.

6. Select Sentinel Authorization as the Client Authorization Type.

7. Enter the workspace ID and primary key that you copied in 3.b.

8. Test Connection.
   If you are using secrets stored in a key vault, this may show an authentication error at first. Wait a few minutes and try again. If you receive any other error messages, log out and log back in to Strata Logging Service, and set up the HTTPS Profile again.

9. Click Next, and add appropriate filters for the log types that you forward to Microsoft Sentinel.

10. Save the changes.
    The status of the HTTPS profile takes some time to change from Provisioning to Running.

11. (Optional) Verify that the logs are forwarded to Microsoft Sentinel.
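The two jobs the agent web app performs, as an added Python example that is not the GitHub sample code and not Palo Alto Networks code: inflate the gzip-compressed batch that Strata Logging Service posts over HTTPS, and sign the upload to the workspace's Log Analytics HTTP Data Collector API with the Workspace ID and Primary Key copied in 3.b. The SharedKey signing scheme and endpoint are Microsoft's documented ones; the workspace ID, key value, record layout and log type name are constructed placeholders.

```python
import base64
import gzip
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholders (not real tenant values): an all-zero Workspace ID and a
# base64-encoded all-zero Primary Key with the same shape as the one copied in 3.b.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"\x00" * 32).decode("ascii")
# Constructed sample of a record batch as the agent would receive it.
SAMPLE_RECORDS = [{"log_type": "traffic", "action": "allow", "src_ip": "10.0.0.5"}]


def make_sample_payload() -> bytes:
    """Gzip the sample batch the way the HTTPS forwarder compresses it."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode("utf-8"))


def decompress_payload(body: bytes) -> list:
    """Inflate a gzip-compressed batch from Strata Logging Service into JSON records."""
    return json.loads(gzip.decompress(body).decode("utf-8"))


def build_signature(workspace_id: str, shared_key: str, rfc1123_date: str,
                    content_length: int) -> str:
    """Data Collector API 'SharedKey' header: base64(HMAC-SHA256(key, string_to_sign)),
    where key is the base64-decoded Primary Key and string_to_sign covers the method,
    body length, content type, x-ms-date and the /api/logs resource."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n/api/logs")
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_ingest_request(workspace_id: str, shared_key: str, records: list,
                         log_type: str, rfc1123_date=None):
    """Return (url, headers, body) for one POST to the workspace's Data Collector endpoint."""
    body = json.dumps(records).encode("utf-8")
    if rfc1123_date is None:  # the date in the header must match the one that was signed
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Content-Length": str(len(body)),
        "Log-Type": log_type,  # becomes the <log_type>_CL custom table in the workspace
        "x-ms-date": rfc1123_date,
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body
```

The request is only built, not sent, so the block runs offline; in a deployed agent the key should be read from the Key Vault secret created in 3.c rather than held in code.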