Set Up HTTPS Log Forwarding to Microsoft Sentinel
Forward HTTPS logs from Cortex Data Lake to Microsoft Sentinel.
1. Log in to your Microsoft Azure account, and create a Log Analytics workspace for your Sentinel instance.
2. Create and deploy an agent web app to decompress data from Cortex Data Lake.
   a. Install Visual Studio Code version 1.64.1 or later.
   b. Install the Azure Tools and Azure App Service extensions in Visual Studio Code.
   c. Obtain the agent web application's code from GitHub:
      git clone https://github.com/PaloAltoNetworks/cdl-decompress-proxy-sentinel-ingest.git
      If you did not install Git, download and extract the ZIP folder instead: https://github.com/PaloAltoNetworks/cdl-decompress-proxy-sentinel-ingest/archive/refs/heads/master.zip
   d. Open the cdl-decompress-proxy-sentinel-ingest folder in Visual Studio Code.
      If you downloaded and extracted the ZIP folder in 2.c, make sure you navigate to the final folder in the extract, called cdl-decompress-proxy-sentinel-ingest-master, when you open the folder in Visual Studio Code.
   e. Click the Azure icon and sign in to Azure.
   f. Go to Resources > your subscription > App Services.
   g. Right-click and select Create New Web App…. Select the advanced option if you want to make use of previously created Azure resources.
   h. Enter a name.
   i. Choose the Python 3.9 runtime stack.
   j. Select an appropriate pricing tier. If you chose the advanced option, select the appropriate Azure resources when prompted. The agent web app takes a few minutes to be created.
   k. Right-click the new agent web app and choose Deploy to Web App….
   l. Select the correct folder. The correct folder, which is the final one in your ZIP extract or Git clone, should already be listed.
   m. Click Deploy when prompted. Visual Studio Code takes a few minutes to deploy the web app.
3. Connect the web app to the Log Analytics workspace.
   a. In Azure, navigate to the desired Log Analytics workspace, and select Agents management > Linux servers.
   b. Copy the Workspace ID and Primary Key values.
4. (Optional) Enable an Azure Key Vault to store the workspace ID and primary key values as secrets in the key vault.
   a. In Azure, navigate to the agent web app.
   b. Select Settings > Identity > System assigned, and change Status to On.
   c. Save and acknowledge any further prompts. Refer to Microsoft's documentation if you want to create a key vault.
5. Copy the URL from your web app.
   a. In Azure, navigate to the agent web app.
   b. Copy the URL.
6. From Prisma Access, open the Cortex Data Lake app associated with your tenant: go to Prisma Access > Tenants and Services > Cortex Data Lake.
   a. Select Log Forwarding.
   b. Add an HTTPS Profile.
   c. Configure the HTTPS Forwarding Profile by entering the required values and information:
      - Enter the URL that you copied in 5.
      - Select Sentinel Authorization as the Client Authorization Type.
      - Enter the workspace ID and primary key that you copied in 3.b.
   d. Test Connection. If you are using secrets stored in a key vault, this may show an authentication error at first. Wait a few minutes and try again. If you receive any other error messages, log out and log back in to Cortex Data Lake, and set up the HTTPS Profile again.
   e. Click Next, and add appropriate filters for the log types that you forward to Microsoft Sentinel.
   f. Save the changes. The status of the HTTPS profile takes some time to change from Provisioning to Running.
7. (Optional) Verify that the logs are forwarded to Microsoft Sentinel.
   a. Log in to Microsoft Sentinel.
   b. Go to Logs and run an appropriate query. The forwarded logs appear.
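The workspace ID and primary key entered in the HTTPS profile are the credentials of the Log Analytics HTTP Data Collector API, which authenticates each POST with an HMAC-SHA256 signature computed from the primary key. The following Python is an added example, not code from the cdl-decompress-proxy-sentinel-ingest project: it builds that signed request with constructed sample credentials and checks it the way the receiving side would. That the agent web app signs its posts in exactly this way is an assumption.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample credentials (not real): a workspace ID and a base64 primary key.
WORKSPACE_ID = "00000000-1111-2222-3333-444444444444"
PRIMARY_KEY = base64.b64encode(b"constructed-sample-primary-key-not-real").decode()

def ingest_url(workspace_id):
    """Data Collector API endpoint for a workspace."""
    return f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"

def shared_key_signature(workspace_id, primary_key, rfc1123_date, content_length):
    """Authorization value: HMAC-SHA256 over method, body length, content type, date and path."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n/api/logs")
    mac = hmac.new(base64.b64decode(primary_key), string_to_sign.encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"

def build_headers(workspace_id, primary_key, body, log_type, rfc1123_date=None):
    """Headers for one batch of decompressed log records (body is JSON bytes)."""
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return {
        "Content-Type": "application/json",
        "Log-Type": log_type,  # custom table name; Log Analytics appends _CL
        "x-ms-date": rfc1123_date,
        "Authorization": shared_key_signature(workspace_id, primary_key,
                                              rfc1123_date, len(body)),
    }

def verify_headers(headers, body, workspace_id, primary_key):
    """Receiver-side check: recompute the signature and compare in constant time.
    A wrong key, altered date or changed body length fails. Note the scheme signs
    only the body length, so the content itself is protected by TLS alone, which
    is why the forwarding URL must be HTTPS."""
    expected = shared_key_signature(workspace_id, primary_key,
                                    headers.get("x-ms-date", ""), len(body))
    return hmac.compare_digest(expected, headers.get("Authorization", ""))

if __name__ == "__main__":
    # Constructed sample record, as the agent would post after decompression.
    body = b'[{"source_ip":"10.0.0.5","action":"allow"}]'
    hdrs = build_headers(WORKSPACE_ID, PRIMARY_KEY, body, "CDLSample")
    print(ingest_url(WORKSPACE_ID))
    print(hdrs["Authorization"], verify_headers(hdrs, body, WORKSPACE_ID, PRIMARY_KEY))
```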