Set Up HTTPS Log Forwarding to Microsoft Sentinel

Forward HTTPS logs from Cortex Data Lake to Microsoft Sentinel.
  1. Log in to your Microsoft Azure account, and create a Log Analytics workspace for Microsoft Sentinel.
  2. Create and deploy an agent web app to decompress data from Cortex Data Lake.
    1. Install Visual Studio Code version 1.64.1 or a later version.
    2. Install the Azure Tools and Azure App Service extensions in Visual Studio Code.
    3. Obtain the agent web application’s code from GitHub.
      git clone
      Download and extract the ZIP folder if you did not install Git.
    4. Open the
      folder in Visual Studio Code.
      If you downloaded and extracted the ZIP folder in 2.c, make sure you navigate to the final folder in the extract, called
      when you open the folder in Visual Studio Code.
    5. Click the Azure icon and sign in to Azure.
    6. Go to
      your subscription
      App Services
    7. Right-click and select
      Create New Web App…
      Select the advanced option if you want to make use of previously created Azure resources.
    8. Enter a name.
    9. Choose the
      Python 3.9
      runtime stack.
    10. Select an appropriate pricing tier.
      If you chose the advanced option, select the appropriate Azure resources when prompted.
      The agent web app takes a few minutes to be created.
    11. Right-click the new agent web app and choose
      Deploy to Web App…
    12. Select the correct folder.
      The correct folder, which is the final one in your ZIP extract or Git clone, should already be listed.
    13. Deploy
      when prompted.
      Visual Studio Code takes a few minutes to deploy the web app.
  3. Connect the web app to the Log Analytics workspace.
    1. In Azure, navigate to the desired Log Analytics workspace, and select
      Agents management
      Linux servers
    2. Copy the Workspace ID and Primary Key values.
  4. (
    ) Enable an Azure Key Vault to store the workspace ID and primary key as secrets, so that they are not kept in the web app's configuration.
    1. In Azure, navigate to the agent web app.
    2. Select
      System assigned
      , change
    3. Save
      and acknowledge any further prompts.
      Refer to Microsoft’s documentation if you need to create a key vault.
  5. Copy the URL from your web app.
    1. In Azure, navigate to the agent web app.
    2. Copy the URL.
  6. From Prisma Access, open the Cortex Data Lake app associated with your tenant.
    Go to
    Prisma Access
    Tenants and Services
    Cortex Data Lake
  7. Select
    Log Forwarding
  8. Add an HTTPS Profile.
  9. Configure HTTPS Forwarding Profile.
    1. Enter the required values and information.
    2. Enter the URL that you copied in 5.
    3. Select
      Sentinel Authorization
      as the
      Client Authorization Type
    4. Enter the workspace ID and primary key that you copied in 3.b.
    5. Test Connection
      If you are using secrets stored in a key vault, this may show an authentication error at first. Wait a few minutes and try again. If you receive any other error message, log out of Cortex Data Lake, log in again, and set up the HTTPS profile again.
  10. Click
    , and add appropriate filters for the log types that you forward to Microsoft Sentinel.
  11. Save
    the changes.
    The status of the HTTPS profile takes some time to change from
  12. (
    ) Verify that the logs are forwarded to Microsoft Sentinel.
    1. Log in to Microsoft Sentinel.
    2. Go to
      and run an appropriate query.
      The forwarded logs appear.
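The workspace ID and primary key copied in step 3 are what the HTTPS profile's Sentinel Authorization uses to sign every request sent to the workspace, which is why the key belongs in Key Vault rather than in app settings. The following added example (not code from this documentation page or from the agent web app repository) shows how that signing works. It assumes the agent writes to the Log Analytics HTTP Data Collector API, whose Authorization header is "SharedKey <workspace id>:<base64 HMAC-SHA256>" over the request line; the workspace ID, key, log type and record below are constructed demo values.

```python
"""Build and verify the Log Analytics Data Collector API 'SharedKey' header.

Added example; assumes the agent uses the HTTP Data Collector API. The
workspace ID and primary key below are constructed placeholders: real values
come from Agents management > Linux servers and should live in Key Vault.
"""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed demo values, not real credentials.
DEMO_WORKSPACE_ID = "00000000-1111-2222-3333-444444444444"
DEMO_PRIMARY_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret-0").decode()
RESOURCE = "/api/logs"  # fixed path used by the Data Collector API
FIXED_DATE = "Mon, 01 Jan 2024 00:00:00 GMT"  # used so the demo is deterministic


def rfc1123_now():
    """Current UTC time in the RFC 1123 form the x-ms-date header requires."""
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def valid_log_type(log_type):
    """Custom log names may contain only letters, digits and underscores."""
    return re.fullmatch(r"[A-Za-z0-9_]+", log_type) is not None


def build_signature(workspace_id, primary_key, date, content_length,
                    method="POST", content_type="application/json"):
    """Return the Authorization header value for one request.

    The string to sign binds the method, body length, content type, date and
    resource path, so a captured header cannot be replayed with another body
    or at another time. The primary key is base64; decode it before use.
    """
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{date}\n{RESOURCE}")
    key = base64.b64decode(primary_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_headers(workspace_id, primary_key, body, log_type, date=None):
    """Assemble the headers for posting `body` (bytes) as custom log `log_type`."""
    if not valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    date = date or rfc1123_now()
    return {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, primary_key, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
    }


def verify_signature(header, workspace_id, primary_key, date, content_length):
    """Recompute the header and compare in constant time (what the receiver does)."""
    expected = build_signature(workspace_id, primary_key, date, content_length)
    return hmac.compare_digest(header, expected)


def demo():
    """Sign one constructed record and confirm it verifies."""
    record = [{"source": "cortex-data-lake", "event": "constructed sample record"}]
    body = json.dumps(record).encode("utf-8")
    headers = build_headers(DEMO_WORKSPACE_ID, DEMO_PRIMARY_KEY, body,
                            "CortexDataLake_CL", date=FIXED_DATE)
    ok = verify_signature(headers["Authorization"], DEMO_WORKSPACE_ID,
                          DEMO_PRIMARY_KEY, FIXED_DATE, len(body))
    return headers, ok


if __name__ == "__main__":
    hdrs, ok = demo()
    print(hdrs["Authorization"], "verified:", ok)
```

Because the body length and date are part of the signed string, a forwarded record that is modified in transit, or a header reused for a different payload, fails verification at the workspace; rotating the primary key in the workspace (and updating the Key Vault secret) invalidates every header signed with the old key.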