If you need to fulfill your organization's legal compliance
requirements, you can easily forward firewall logs stored in Cortex Data Lake to
external destinations through Prisma Access. For example, you can forward logs using
syslog to a SIEM for long term storage, SOC, or internal audit obligations.
Forward HTTPS logs from Cortex Data Lake to Microsoft Sentinel by completing the following
steps.
Log in to your Microsoft Azure account, and create
a log analytics workspace in your Sentinel.
Create and deploy an agent web app to decompress data
from Cortex Data Lake.
Install Visual Studio Code version 1.64.1
or a later version.
Install the Azure Tools and Azure App Service extensions
in Visual Studio Code.
Obtain
the agent web application’s code from GitHub.
Enter the workspace ID and primary key that you copied
in 3.b.
Test Connection
.
If you are using secrets stored in a key vault, this
may show an authentication error at first. Wait for few minutes
and try again. If you receive any other error messages, log out
and re-log in to Cortex Data Lake, and setup the HTTPS Profile again.
Click
Next
, and add appropriate
filters for the log types that you forward to Microsoft Sentinel.
Save
the changes.
The status of the HTTPS profile takes some time to change
from
Provisioning
to
Running
.
(
Optional
) Verify if the logs are forwarded
to Microsoft Sentinel.
cdl-decompress-proxy-sentinel-ingest-masterwhen you open the folder in Visual Studio Code.
If you chose the advanced option, select the appropriate Azure resources when prompted.The agent web app takes few minutes to be created.
The correct folder, which is the final one in your ZIP extract or Git clone, should already be listed.
Visual Studio Code takes few minutes to deploy the web app.
