Focus

Prisma Access

Set Up Syslog Forwarding to Microsoft Sentinel

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Set Up HTTPS Log Forwarding to Microsoft Sentinel

Integrate Prisma Access with Microsoft Defender for Cloud Apps

Set Up Syslog Forwarding to Microsoft Sentinel

Where Can I Use This?	What Do I Need?
`Prisma Access (Cloud Management)`	`Prisma Access` license

If you need to fulfill your organization's legal compliance requirements, you can easily forward firewall logs stored in Cortex Data Lake to external destinations through Prisma Access. For example, you can forward logs using syslog to a SIEM for long term storage, SOC, or internal audit obligations.

You can forward logs to Microsoft Sentinel. Before you begin, ensure to set up a Sentinel log analytics workspace. Create a self-signed certificate or use a public certificate for the Syslog receiver.

Create and deploy a data connector for Cortex Data Lake.

Search for Sentinel in your Azure account.

Select

Microsoft Sentinel

(your workspace)

Content hub

Search and select

Palo Alto Networks Cortex Data Lake

and install it.

Go to

Data connectors

and refresh the section to view the

Palo Alto Networks Cortex Data Lake

data connector.

Configure Linux Syslog agent according to the instructions you see in Microsoft Sentinel.

Select the Cortex Data Lake data connector.

Select

Open connector page

Configure the Linux agent according to the instructions.

It takes some time to view if the connection is successful. You can view the number of data connectors deployed in Sentinel, which is 1 in this scenario.

From Prisma Access, open the Cortex Data Lake app associated with your tenant.

Go to

Prisma Access

Tenants and Services

Cortex Data Lake

Select

Log Forwarding

Add a Syslog forwarding profile.

Configure the Syslog forwarding Profile.

Enter the required values and information.

Enter the Syslog server IPv4 address or FQDN.

Ensure that the value entered here matches the Subject Alternative Name (SAN) of the certificate installed on your syslog server.

Enter the port on which the syslog server is receiving and the facility.

Upload a self-signed certificate or a publicly signed certificate.

Test Connection

to ensure that Cortex Data Lake can communicate with the receiver.

Click

, and select the

CEF

format to forward logs.

Select only the

CEF

format.

Select the logs you want to forward, by adding appropriate filters.

Save

the changes.

The status of the Syslog profile takes some time to change from

Provisioning

Running

(Optional) Verify if the logs are forwarded to Microsoft Sentinel.

Go to

Logs

and run an appropriate query.

The forwarded logs appear.

(Optional) Add a workbook in your workspace to visualize and monitor the data.

Go to

Workbooks

Templates

Search for the

Palo Alto Networks Cortex Data Lake

workbook with

Content hub

as the content source.

View template

to view the populated data.

(Optional)

Save

the template to edit it.

Set Up HTTPS Log Forwarding to Microsoft Sentinel

Integrate Prisma Access with Microsoft Defender for Cloud Apps

Prisma Access Docs

Set Up Syslog Forwarding to Microsoft Sentinel

Prisma Access Docs

Set Up Syslog Forwarding to Microsoft Sentinel

Recommended For You

Activation & Onboarding

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner