Azure Sentinel with Palo Alto Network

Highlighted
New Contributor

Hi all,

My goal is push all logs from Palo Alto Network (PAN) firewall into Azure Sentinel then can monitor in dashboard like activities and threats. Following the guide of MS was:

  1. Configured PAN device forward logs under CEF format to syslog server 
  2. Created a Palo Alto Network connector from Azure Sentinel. Azure Sentinel status connected and got logs from syslog server

So when i click on Palo Alto overview workbook. The workbook displayed information like traffic...

But in Palo Alto Network Threat workbook -> There nothing displayed in here. Although in PAN Threat - LogCentralizedLogs i saw information

 

So in wonder that i was mistake when defined CEF logs from PAN ? Following this guide 

AS_PAN Workbook.pngAS_PAN Threat Logs.pngAS_Sastus.png

3 Replies
Highlighted

@tutrieu : the threat types in the second workbook are not typical threat types sent as THREAT by Palo Alto. Did you make sure to configure sending THREAT logs as desribed in Palo Alto Configure Syslog Monitoring steps 2, 3? Those steps need to be done in addition to the CEF configuration guide.

Highlighted

Thank you @Ofer_Shezaf yes i did follow MS and Palo Alto guide. And you mean i need handle CEF threat logs like define the threat before forward it to Azure Sentinel ?

Thank you

Highlighted

@tutrieu : generating logs on Palo Alto is arather long and complex process. For example, you need the relevant policies and your policies should actually log. Do you know if you get the relevant logs on a Palo Alto console, for example Panorama? In any case, I suggest starting with a support call to Palo Alto making sure you create the correct logs of type THREAT, and if so, a support call to our support to complete the loop.