I've recently onboarded a new customer to our SOC services and need to integrate their Palo Alto and FortiGate firewalls into our Microsoft-based stack, specifically for log ingestion into Microsoft Sentinel. I'm looking for insights from anyone who's successfully done this in a production environment. What are the best and most reliable methods to send these logs to Sentinel? Additionally, how can we manage the signal-to-noise ratio to avoid overwhelming ourselves with low-value alerts once the ingestion is live? Any useful filtering, parsing, or tuning tips you've found helpful would be greatly appreciated. Thanks for your help!
4 Answers
A straightforward approach is to set up a virtual machine that runs a syslog server. You can use the Azure Monitor agent on that VM and then create a data collection rule to direct the logs to your Sentinel workspace. It's a solid setup for getting those logs flowing!
Right, and don’t forget to get a competent Linux admin involved to optimize the server settings. The default configurations often aren't designed for handling high log volumes efficiently.
Also, keep an eye out for the Azure Syslog Gateway. It can be very useful in simplifying the log ingestion process!
Make sure to inform the customer about potential costs associated with this ingestion process. It’s crucial they have a budget in mind before diving in.
Definitely follow the syslog server route. For managing alerts, you can implement filters directly on the syslog server using the syntax specific to your setup. We used rsyslog and filtered out a lot of unnecessary logs before they hit Sentinel, which saves on costs. You could also set up some filtering on the Palo's Panorama beforehand, but I'd recommend doing most of it on the syslog server to keep the process streamlined.
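Added example (not code from any of the answerers): a small pre-ingestion filter that parses constructed Palo Alto (comma-separated) and FortiGate (key=value) syslog lines and applies the noise policy the answer above describes, dropping allowed-traffic session records while keeping denies, threat/UTM events and anything it cannot classify. The field positions, the `devname=`/`type=` detection heuristic and the keep/drop policy are assumptions to be checked against the vendors' log field references and the customer's detection requirements.

```python
"""Pre-ingestion noise filter for Palo Alto and FortiGate syslog (illustrative).

Assumptions (not from the thread): Palo Alto lines carry the log type as the
fourth comma-separated field with the subtype right after it; FortiGate lines
are key=value pairs containing devname= and type=. Adjust for your environment.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines: not real device output, shapes are approximations.
SAMPLE_LINES = [
    '<14>Mar 10 12:00:01 pa-fw01 1,2024/03/10 12:00:01,001234567890,TRAFFIC,end,2561,2024/03/10 12:00:01,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,Allow-Web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Log-Profile,2024/03/10 12:00:01,12345,1,51234,443,0,0,0x0,tcp,allow',
    '<14>Mar 10 12:00:02 pa-fw01 1,2024/03/10 12:00:02,001234567890,TRAFFIC,deny,2561,2024/03/10 12:00:02,10.0.0.6,198.51.100.9,0.0.0.0,0.0.0.0,Block-Out,,,unknown-tcp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Log-Profile,2024/03/10 12:00:02,12346,1,51235,4444,0,0,0x0,tcp,deny',
    '<14>Mar 10 12:00:03 pa-fw01 1,2024/03/10 12:00:03,001234567890,THREAT,vulnerability,2561,2024/03/10 12:00:03,203.0.113.7,10.0.0.20,0.0.0.0,0.0.0.0,Inbound-Web,,,web-browsing,vsys1,untrust,dmz,ethernet1/1,ethernet1/3,Log-Profile,2024/03/10 12:00:03,12347,1,40000,443,0,0,0x0,tcp,alert,"/login",Example Signature(99999),any,high,client-to-server',
    '<14>Mar 10 12:00:04 pa-fw01 1,2024/03/10 12:00:04,001234567890,TRAFFIC,start,2561,2024/03/10 12:00:04,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,Allow-Web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Log-Profile,2024/03/10 12:00:04,12348,1,51236,443,0,0,0x0,tcp,allow',
    '<189>date=2024-03-10 time=12:00:05 devname="fgt-01" devid="FGVMEXAMPLE0001" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.7 dstip=93.184.216.34 dstport=443 action="accept" policyid=12',
    '<189>date=2024-03-10 time=12:00:06 devname="fgt-01" devid="FGVMEXAMPLE0001" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.8 dstip=198.51.100.9 dstport=4444 action="deny" policyid=0',
    '<189>date=2024-03-10 time=12:00:07 devname="fgt-01" devid="FGVMEXAMPLE0001" logid="0419016384" type="utm" subtype="ips" level="alert" srcip=203.0.113.7 dstip=10.0.0.20 action="detected" attack="Example.Signature"',
    '<13>Mar 10 12:00:08 switch01 sshd[1234]: Accepted publickey for ops from 10.0.0.9',
]

PAN_TYPES = {"TRAFFIC", "THREAT", "SYSTEM", "CONFIG"}
FORTI_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Verdict:
    vendor: str
    keep: bool
    reason: str


def parse_forti(line: str) -> dict:
    """Split a FortiGate key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FORTI_KV.findall(line)}


def parse_pan(line: str):
    """Locate the PAN-OS log type token and return type/subtype, or None."""
    fields = line.split(",")
    for i, field in enumerate(fields):
        # Assumption: type is the 4th CSV field (syslog header shares field 0).
        if field in PAN_TYPES and i >= 3:
            subtype = fields[i + 1] if len(fields) > i + 1 else ""
            return {"type": field, "subtype": subtype}
    return None


def classify(line: str) -> Verdict:
    """Decide whether a line is worth forwarding to Sentinel (assumed policy)."""
    if "devname=" in line and "type=" in line:
        kv = parse_forti(line)
        log_type, subtype, action = kv.get("type"), kv.get("subtype"), kv.get("action")
        if log_type == "traffic" and action == "accept":
            return Verdict("fortigate", False, "allowed traffic")
        return Verdict("fortigate", True, f"{log_type}/{subtype}")
    pan = parse_pan(line)
    if pan:
        if pan["type"] == "TRAFFIC" and pan["subtype"] in ("start", "end"):
            return Verdict("paloalto", False, "allowed session start/end")
        return Verdict("paloalto", True, f"{pan['type']}/{pan['subtype']}")
    # Unrecognised format: fail open so nothing is silently lost.
    return Verdict("unknown", True, "unrecognised format; kept for review")


def filter_lines(lines):
    """Return the lines to forward plus per-(vendor, kept) counts for tuning."""
    kept, stats = [], Counter()
    for line in lines:
        verdict = classify(line)
        stats[(verdict.vendor, verdict.keep)] += 1
        if verdict.keep:
            kept.append(line)
    return kept, stats


if __name__ == "__main__":
    forwarded, counts = filter_lines(SAMPLE_LINES)
    for (vendor, keep), n in sorted(counts.items()):
        print(f"{vendor:10} {'keep' if keep else 'drop':4} {n}")
    print(f"{len(forwarded)}/{len(SAMPLE_LINES)} lines forwarded")
```

The per-vendor counters are the useful part in production: run the policy in report-only mode first and compare the drop volume against the billed ingestion before enforcing it. The same predicates can be expressed in rsyslog's RainerScript in front of the agent forwarder, for example `if $msg contains ",TRAFFIC,end," then stop`, which is where the answer above suggests doing the bulk of the filtering.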

Absolutely! We're also in the early stages of configuring this for our Cisco ASA devices, utilizing an on-premise log forwarder along with Azure Arc and the Azure Monitor Agent. It’s coming together nicely!