Micah-NENZ
Oct 06, 2021, Copper Contributor
Palo Alto Syslogs to Sentinel
Hi,
We are ingesting Palo Alto firewall logs into Sentinel, which seems to be mostly working; however, the fields are not populating correctly.
There is an additional field called 'AdditionalExtensions' that contains most of the pertinent information within the log in one big text string, such as destip, srcip, user, etc.
Has anyone had this issue before? Would this issue be caused by configuration on the Firewall itself, the proxy forwarder, or is there something I can do within Sentinel itself?
Many thanks for any assistance
- CliveWatson
Microsoft
There is an ASIM parser for Palo
Main docs:
https://docs.microsoft.com/en-us/azure/sentinel/normalization
Parsers page:
Azure-Sentinel/Parsers/ASimNetworkSession at master · Azure/Azure-Sentinel - https://github.com/
and the parser itself, where that field is normalized:
Azure-Sentinel/ASimNetworkSessionPaloAltoCEF.yaml at master · Azure/Azure-Sentinel - https://github.com/
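To see what "normalizing that field" involves, here is an added example (my own code, not the ASIM parser and not code from Microsoft or Palo Alto) that splits a CEF `AdditionalExtensions` blob like the one the original poster describes into discrete fields and promotes the well-known CEF keys to ASIM-style names. It assumes the CommonSecurityLog convention that unmapped extensions are stored as `key=value;key=value` (raw CEF puts a space between pairs), that values use CEF escaping (`\=`, `\\`, `\n`, `\r`), and that the target names in `CEF_TO_ASIM` match the ASIM NetworkSession schema; the sample row and its key names are constructed for illustration.

```python
"""Split a CEF 'AdditionalExtensions' blob into fields and map them to
normalized names.

Added example for this thread; it is not the ASIM parser and not code from
Microsoft or Palo Alto.  Assumptions: Sentinel's CommonSecurityLog stores
unmapped CEF extensions in AdditionalExtensions as 'key=value;key=value'
(raw CEF separates pairs with a space), values use CEF escaping
(\\= \\\\ \\n \\r), and the target names below follow ASIM NetworkSession.
"""
import re
from typing import Dict

# CEF extension keys are alphanumeric plus a little punctuation; a key is
# recognised only when it is followed directly by '='.
_KEY = r"[A-Za-z0-9_.\-]+"

# Assumed mapping from standard CEF extension keys to ASIM field names.
CEF_TO_ASIM = {
    "src": "SrcIpAddr",
    "dst": "DstIpAddr",
    "spt": "SrcPortNumber",
    "dpt": "DstPortNumber",
    "suser": "SrcUsername",
    "proto": "NetworkProtocol",
    "act": "DvcAction",
}

# Constructed sample row shaped like the poster's description: the
# interesting fields sit unparsed inside AdditionalExtensions.
SAMPLE_ROW = {
    "DeviceVendor": "Palo Alto Networks",
    "DeviceProduct": "PAN-OS",
    "AdditionalExtensions": (
        "src=10.1.2.3;dst=203.0.113.10;spt=51234;dpt=443;proto=TCP;"
        "suser=CORP\\\\jdoe;act=allow;"
        "msg=Session end reason\\=tcp-fin"
    ),
}


def _unescape(value: str) -> str:
    """Undo CEF value escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extensions(blob: str, separator: str = ";") -> Dict[str, str]:
    """Tokenise 'key=value<sep>key=value...' into a dict.

    A value may itself contain the separator (e.g. spaces in a message), so
    a pair ends only where the next '<sep>key=' begins.  A value that happens
    to contain text shaped like '<sep>word=' is inherently ambiguous in CEF;
    this parser, like most, will split there.
    """
    sep = re.escape(separator)
    pattern = re.compile(
        rf"(?:^|{sep})({_KEY})=(.*?)(?=(?:{sep}{_KEY}=)|$)", re.DOTALL)
    return {m.group(1): _unescape(m.group(2)) for m in pattern.finditer(blob)}


def normalize_row(row: Dict[str, str]) -> Dict[str, object]:
    """Return a copy of `row` with ASIM fields filled from AdditionalExtensions.

    Columns already present on the row win; only missing ones are promoted.
    Keys without a mapping are kept under their CEF name so nothing is lost,
    and port fields are converted to integers as the ASIM schema expects.
    """
    out: Dict[str, object] = dict(row)
    for cef_key, value in parse_extensions(row.get("AdditionalExtensions", "")).items():
        target = CEF_TO_ASIM.get(cef_key, cef_key)
        promoted: object = int(value) if target.endswith("PortNumber") and value.isdigit() else value
        out.setdefault(target, promoted)
    return out


if __name__ == "__main__":
    for key, val in normalize_row(SAMPLE_ROW).items():
        print(f"{key:22} {val!r}")
```

Running it prints the sample row with `SrcIpAddr`, `DstIpAddr`, `SrcUsername` and the ports as separate fields; the same logic is what a KQL parser (ASIM or a custom one) has to do at query time, which is why an unparsed `AdditionalExtensions` column is a parser concern in Sentinel rather than a problem with the firewall or the forwarder as long as the raw CEF arrives intact.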