Oct 17 2022 12:16 PM
I'm trying to get data from Palo Alto firewalls into Sentinel. After fighting through some major issues with documentation and incorrect automatic configuration, we have the data getting into the CommonSecurityLog table. The problem is that most of the fields needed for the solution components are not parsed. They're just stuck in the AdditionalExtensions column.
The end result is that the resources like playbooks included with the connector are useless. They expect and rely on fields like ReceiptTime, LogSeverity, DeviceAction, DeviceCustomString2, DestinationPort, DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL. But none of them are parsed out. These all match appropriate CommonSecurityLog fields or the CEF name mapping table at https://learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping.
In https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Data%20Connectors/read... referred to in the connector page, I noted text that implies the agent can only parse seven CEF fields, but it's in broken English, so it's not clear if this is a continuation of the poor documentation or an actual limitation (that I haven't seen referred to anywhere else).
Is the seven-field limitation present in the agent? If it is, why were resources like workbooks built out to depend on more fields? If it isn't a limitation, how do I get the other fields parsed?
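The situation the post describes, as an added worked example that is not code from the original post or from the Azure-Sentinel repository: the leftover CEF extensions in AdditionalExtensions are split back into key/value pairs and mapped onto the CommonSecurityLog column names the playbooks expect, using the key-to-column pairs from the Sentinel CEF name mapping page. It is written in Python rather than KQL so it runs offline; in Sentinel the same logic would live in a KQL parser function. Assumptions (not stated on the page): AdditionalExtensions stores the unparsed extensions as "key=value;key=value", values use CEF escaping (backslash-equals and double backslash), and ';' never appears inside a value. The sample record is constructed, not a real firewall log.

```python
"""Recover CEF extension fields left unparsed in CommonSecurityLog.AdditionalExtensions.

Added example, not code from the original post or from the Azure-Sentinel
repository. Assumptions: AdditionalExtensions holds the leftover extensions as
"key=value;key=value", values use CEF escaping ('\\=' and '\\\\'), and ';'
never occurs inside a value.
"""
from __future__ import annotations

from typing import Dict, List

# CEF extension key -> CommonSecurityLog column, as listed on the Sentinel CEF
# name mapping page. LogSeverity is deliberately absent: it comes from the CEF
# header (the severity field), not from an extension key.
CEF_TO_CSL: Dict[str, str] = {
    "rt": "ReceiptTime",
    "act": "DeviceAction",
    "cs2": "DeviceCustomString2",
    "dpt": "DestinationPort",
    "dst": "DestinationIP",
    "msg": "Message",
    "spt": "SourcePort",
    "src": "SourceIP",
    "duid": "DestinationUserID",
    "request": "RequestURL",
}

# Columns the playbooks in the post rely on.
REQUIRED_COLUMNS: List[str] = [
    "ReceiptTime", "LogSeverity", "DeviceAction", "DeviceCustomString2",
    "DestinationPort", "DestinationIP", "Message", "SourcePort", "SourceIP",
    "DestinationUserID", "RequestURL",
]

INT_COLUMNS = {"DestinationPort", "SourcePort"}


def _unescape(value: str) -> str:
    """Undo CEF extension-value escaping: '\\=' -> '=' and '\\\\' -> '\\'."""
    out: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "=\\":
            out.append(value[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_additional_extensions(blob: str) -> Dict[str, str]:
    """Split the ';'-joined blob into {cef_key: value}.

    partition() on the first '=' is safe because CEF keys never contain '=';
    any '=' inside a value arrives escaped. Fragments without a key or without
    an '=' are malformed and skipped rather than raising.
    """
    parsed: Dict[str, str] = {}
    for fragment in blob.split(";"):
        key, sep, raw = fragment.partition("=")
        key = key.strip()
        if not sep or not key:
            continue
        parsed[key] = _unescape(raw)
    return parsed


def to_columns(blob: str) -> Dict[str, object]:
    """Map parsed CEF keys onto CommonSecurityLog column names, typing ports as int."""
    columns: Dict[str, object] = {}
    for key, value in parse_additional_extensions(blob).items():
        column = CEF_TO_CSL.get(key)
        if column is None:
            continue  # keep only the keys the solution components depend on
        if column in INT_COLUMNS:
            try:
                columns[column] = int(value)
            except ValueError:
                continue  # a non-numeric port is left unset instead of breaking a playbook
        else:
            columns[column] = value
    return columns


def missing_columns(columns: Dict[str, object], required: List[str]) -> List[str]:
    """Report which required columns a record still lacks after parsing."""
    return [c for c in required if c not in columns]


# Constructed sample of the unparsed blob; not a real Palo Alto record.
SAMPLE_BLOB = (
    "rt=Oct 17 2022 12:16:00;act=alert;cs2=vulnerability;dpt=443;dst=10.0.0.5;"
    "msg=Test event;spt=51234;src=192.0.2.10;duid=jdoe;"
    "request=https://example.test/a?b\\=c"
)

if __name__ == "__main__":
    cols = to_columns(SAMPLE_BLOB)
    for name, value in cols.items():
        print(f"{name:22} {value!r}")
    print("still missing:", missing_columns(cols, REQUIRED_COLUMNS))
```

The missing-columns check is the useful part for the problem in the post: run it over a batch of records and it tells you which of the fields the workbooks and playbooks need are recoverable from AdditionalExtensions at all, and which (here LogSeverity) have to come from somewhere else.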
Oct 18 2022 05:24 AM
Oct 18 2022 06:02 AM