Uploading Palo Alto firewall logs to MCAS and Sentinel


Hi,

I'm investigating the best way to get our Palo Alto firewall logs into MCAS and Sentinel. My present understanding is two different log collector methods would be required in parallel.

- MCAS - Log collector running in Docker

- Sentinel - Syslog server with the OMA agent installed

As the documentation indicates MCAS processing is every 24 hours, I'm assuming the PA firewall logs cannot be passed over to Sentinel on the MCAS connector.

Is it possible to run the docker log collector and the syslog via OMA on the same host if it has a high enough specification to take the load?
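One practical check before putting both collectors on one host, as an added example that is not part of the original post: both the Docker log collector and a syslog daemon feeding the agent want to listen on syslog ports, so the first thing that breaks on a shared box is a port clash rather than CPU or RAM. The script below parses `ss -lntup`-style output and reports which of the ports the two collectors would claim are already bound. The port numbers (514 for the Docker collector's syslog receiver, 514 for rsyslog, 25224/udp and 25226/tcp for the Log Analytics agent's local listeners) are assumptions based on common defaults, not values from this thread; substitute whatever your deployment actually configures. The sample listing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post or from Microsoft.
# Port numbers below are assumed defaults; adjust to your configuration.

# listening_ports: reduce an "ss -lntup"-style listing to "proto port" lines.
# $1 is the listing text. The header row is skipped because its first field is
# neither "udp" nor "tcp"; the local port is the last ":"-separated element of
# the Local Address:Port column, which also handles IPv6 forms like "[::]:514".
listening_ports() {
  printf '%s\n' "$1" | awk '($1=="udp" || $1=="tcp") {n=split($5,a,":"); print $1, a[n]}'
}

# conflicts: print each wanted "proto port" pair that is already in use.
# $1 is the listing text; remaining arguments are pairs such as "udp 514".
conflicts() {
  listing="$1"; shift
  inuse=$(listening_ports "$listing")
  for want in "$@"; do
    printf '%s\n' "$inuse" | grep -qx "$want" && printf '%s\n' "$want"
  done
  return 0
}

# Constructed sample in the shape of `ss -lntup` output (not from a real host):
# a Docker-published syslog receiver on 514 and a local agent listener on 25226.
SAMPLE_LISTING='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0           0.0.0.0:514        0.0.0.0:*    users:(("docker-proxy",pid=1234,fd=4))
tcp   LISTEN 0      128         0.0.0.0:514        0.0.0.0:*    users:(("docker-proxy",pid=1235,fd=4))
tcp   LISTEN 0      128       127.0.0.1:25226      0.0.0.0:*    users:(("ruby",pid=2001,fd=10))'

# report: check the assumed ports both collectors would need against the sample.
report() {
  conflicts "$SAMPLE_LISTING" "udp 514" "tcp 514" "udp 25224" "tcp 25226"
}

# Stand-alone run prints the clashes found in the constructed sample.
report
```

On a live host, replace the sample with the real listing, for example `conflicts "$(ss -lntup)" "udp 514" "tcp 514"`; an empty result means the ports are free, and any line printed is a listener that must be moved (the Docker collector's syslog port is configurable) before the second collector will start.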

1 Reply
According to the article below, the MDCA (MCAS) integration with Sentinel includes the ability to forward discovery logs (from your firewalls that are already sending to MDCA) to Sentinel. You should not need to send them to Sentinel separately if you use this integration.

https://docs.microsoft.com/en-us/defender-cloud-apps/siem-sentinel#integrating-with-microsoft-sentin...