Hey everyone! We've recently brought on a new client to our Security Operations Center and they're using Palo Alto and FortiGate firewalls. We're looking to get their firewall logs into Microsoft Sentinel effectively.
For those who have experience with this:
1. What's the most reliable method you've found for sending Palo Alto and FortiGate logs into Sentinel?
2. How do you manage to keep the alert volume reasonable so we don't end up overwhelmed with low-value alerts once everything is set up?
3. Do you have any tips for filtering, parsing, or tuning the logs to improve performance and alert accuracy?
I'd really appreciate any advice, shared experiences, or examples of what you did to avoid alert overflow. Thanks!
4 Answers
Just a heads up, make sure your client understands the potential costs involved with log ingestion into Sentinel.
You might also want to look into the Azure Syslog Gateway as an option for log ingestion.
Yes, using a syslog server is a must. For managing alerts, filter logs at the syslog server level using the syntax specific to your implementation. We used rsyslog to filter out a significant amount of logs before they even hit Sentinel, helping us save money. You can also set some filters directly on the Palo Alto/Panorama side, but there’s a query limit there. I personally recommend doing most of the filtering on the syslog server.
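For a concrete picture of the syslog-server filtering this answer describes, here is an added example of an rsyslog drop-in file; it is not configuration posted by the answer's author or by either vendor. The filename, the two sender addresses (192.0.2.10 and 192.0.2.20 are constructed test addresses) and the decision of what to drop are assumptions. The match strings rely on the PAN-OS CSV layout (type and subtype are the 4th and 5th comma-separated fields) and on FortiOS's key=value format, so check them against a sample message from the client's devices before relying on them.

```rsyslog
# /etc/rsyslog.d/05-firewall-filter.conf
# Added example, not configuration from the thread. Filename, sender addresses
# and the drop policy are assumptions; tune them to the client's detection needs.
#
# rsyslog includes /etc/rsyslog.d/*.conf in lexical order and "stop" ends all
# further processing of a message. This file must therefore sort BEFORE the
# forwarder file the Azure Monitor Agent installs (10-azuremonitoragent-omfwd.conf
# on current agent versions; confirm the name in /etc/rsyslog.d on the host),
# otherwise the message is forwarded before these rules run.
# The UDP/TCP 514 listeners are assumed to be defined elsewhere; this file only
# decides which messages continue on toward the agent.

# ---- Palo Alto (PAN-OS CSV syslog), sent from 192.0.2.10 (constructed) ----
# Layout: FUTURE_USE,receive time,serial,TYPE,SUBTYPE,...  so the type/subtype
# pair appears near the front as ",TRAFFIC,start," / ",TRAFFIC,end," / ",TRAFFIC,deny,".
# A session-start record is a near duplicate of the session-end record and has
# no verdict the end record lacks; dropping it is usually the largest single
# reduction. (Unchecking "Log at Session Start" on the rule does the same upstream.)
if ($fromhost-ip == "192.0.2.10") then {
    if ($msg contains ",TRAFFIC,start,") then stop
}

# ---- FortiGate (key=value syslog), sent from 192.0.2.20 (constructed) ----
# Local-in traffic (the firewall's own DNS/NTP/update sessions) is high volume
# and rarely detection-relevant. Drop it, but keep subtype="forward" traffic,
# utm and event logs, which carry the verdicts and admin activity a SOC needs.
if ($fromhost-ip == "192.0.2.20") then {
    if ($msg contains 'type="traffic"') and ($msg contains 'subtype="local"') then stop
}

# Everything else falls through to the later .conf files (the agent forwarder).
```

Test a rule before deploying it by pointing it at a file action instead of `stop` for a day and comparing line counts, and keep the dropped categories documented for the client, since "we never saw that log" is an awkward answer during an incident.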
The simplest method is to set up a virtual machine as a syslog server, then install the Azure Monitor Agent on it. You’d create a data collection rule to route your logs to your Sentinel log space. It’s pretty straightforward!
Definitely! If you're dealing with high log volumes, make sure to have a skilled Linux admin fine-tune the server. The default settings aren’t great for managing that kind of load.
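As an added example of the kind of tuning this reply refers to (not configuration posted in the thread), the following rsyslog drop-in sizes the listeners and the main queue for a high-rate forwarder. The thread counts and queue sizes are assumptions for a small VM and should be set from the rates that impstats reports; the sysctl values mentioned in the comments are a separate OS-level change.

```rsyslog
# /etc/rsyslog.d/00-firewall-listeners.conf
# Added example of listener and queue tuning; not from the thread. All sizes
# and thread counts are assumptions for a small (4 vCPU) forwarder.

# Expose rsyslog's own counters (queue depth, discards, per-input message rates)
# every 10 minutes so tuning is driven by measured numbers.
module(load="impstats" interval="600" severity="7" log.syslog="off"
       log.file="/var/log/rsyslog-stats.log")

# UDP: several receiver threads and batched dequeue. UDP is dropped silently
# when the socket buffer overflows, so also raise net.core.rmem_max and
# net.core.rmem_default with sysctl on the host.
module(load="imudp" threads="2" batchSize="256" timeRequery="8")
input(type="imudp" port="514" address="0.0.0.0")

# TCP: prefer it where the firewall supports it (PAN-OS and FortiOS both do);
# backpressure replaces silent loss.
module(load="imtcp" maxSessions="500")
input(type="imtcp" port="514")

# Main queue: the default in-memory queue is far too small for bursty firewall
# traffic. LinkedList grows on demand; workerThreads parallelise the filter stage.
main_queue(
    queue.type="LinkedList"
    queue.size="500000"
    queue.dequeueBatchSize="2048"
    queue.workerThreads="4"
    queue.workerThreadMinimumMessages="50000"
)

# Leave the agent-managed forwarder file (the omfwd action to the local agent)
# untouched; it is replaced on agent upgrades. Tune the main queue here instead.
```

After a restart, watch /var/log/rsyslog-stats.log for rising `discarded` or `full` counters on the main queue and for `imudp` receive errors; those, not CPU load, are the first sign the box is undersized.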

That’s exactly what we’re doing for our Cisco ASA devices too! We have an on-premises log forwarder configured with Azure Arc, the Azure Monitor Agent, and a data collection rule.