We at Inspira work as a Microsoft Security Provider for our MSSP customers. Recently one of our customers opted for the Palo Alto Cortex XDR solution; we set up the XDR solution for them and later were required to integrate everything with the SIEM to get a single pane of glass (SPOG) for seamless operations.
What it does
This solution gives you the ability to get your audit logs and incidents from the Cortex portal directly into Microsoft Sentinel using a custom data connector, and lets you create additional queries that you want to run against the incoming log set. The solution also provides SOAR capabilities that you can perform using Cortex API calls, and gives you a live report with the help of Azure Workbooks.
How we built it
We built a custom data connector using a syslog ingestion method, along with some custom Logic Apps to help your operational team members with automated incident response and data enrichment.
Challenges we ran into
The data connector was first meant to be designed using the Logic App HTTP Data Collector method, but the API calls kept returning a 302 redirect error, and there were also licensing issues on the Cortex platform that prevented using certain API calling methods. We had to find a workaround and use syslog ingestion instead. Log ingestion is then also limited to receiving the data over a UDP port, while it was supposed to be encrypted in transit, decrypted at the syslog server and then forwarded to the Log Analytics workspace, which was challenging. When we came to create use cases in Sentinel, the logs were not rich enough to come up with high-quality KQL rules. We could not configure the workbook to be as good as it could have been due to log scarcity. And finally, SOAR is never easy to build in a single go; we were able to accomplish it after quite a few attempts.
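As an added example (not code from the project described here, nor Palo Alto's or Microsoft's), the following Python parses one syslog line in the CEF format that a Cortex XDR forwarder can emit, assuming the forwarder is configured for CEF; the sample line and its field set are constructed. It handles the backslash escaping that a naive split on `|` and `=` gets wrong, and resolves CEF custom-field labels, so the fields land in a custom table in a shape that KQL rules can query directly.

```python
import re

# Constructed sample in the CEF shape a Cortex XDR syslog forwarder can emit;
# the values are illustrative and the exact field set is an assumption.
SAMPLE = (
    "<14>Jan 12 10:15:03 xdr-fwd CEF:0|Palo Alto Networks|Cortex XDR|3.0|"
    "Incident Update|Incident updated|7|cs1=INC-1001 cs1Label=incidentId "
    "dhost=web01 act=detected msg=Suspicious process tree on host\\=web01"
)

HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # an unescaped key= in the extension

def split_header(text, maxsplit=7):
    # Split on unescaped '|' at most maxsplit times (CEF escapes '|' and '\' with a
    # backslash); the remainder, i.e. the extension, is returned raw for parse_extension.
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < maxsplit:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped char: keep it literally
            cur.append(text[i + 1]); i += 2; continue
        if ch == "|":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(text[i:] if len(parts) == maxsplit else "".join(cur))
    return parts

def parse_extension(ext):
    # 'k=v k2=v with spaces' -> dict, unescaping '\=' and '\\'; then apply CEF
    # custom-field labels, e.g. cs1Label=incidentId renames cs1 to incidentId.
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)
    for label in [k for k in out if k.endswith("Label") and k[:-5] in out]:
        out[out.pop(label)] = out.pop(label[:-5])
    return out

def parse_cef(line):
    # Parse one syslog/CEF line into a flat record for a Log Analytics custom table.
    start = line.find("CEF:")
    if start < 0: raise ValueError("not a CEF message")
    parts = split_header(line[start:])
    if len(parts) != 8: raise ValueError("malformed CEF header: %d fields" % (len(parts) - 1))
    rec = dict(zip(HEADER_KEYS, parts[:7]))
    rec["cef_version"] = rec["cef_version"].split(":", 1)[1]
    rec["fields"] = parse_extension(parts[7])
    return rec
```

The returned record can be posted as JSON to a Log Analytics custom table, with the `fields` dict flattened into columns if your connector prefers a flat schema.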
Accomplishments that we're proud of
Completing the end-to-end structure on a unique product, and getting it done between two big products in the security field, to achieve the SPOG and simplify some of the daily efforts of security analysts.
What we learned
Building a new custom data connector and uploading it to the portal, setting up a syslog server, and configuring Logic Apps efficiently together with automation rules.
What's next for PaloAlto - Cortex XDR integration with Microsoft Sentinel
I think we can get more devices onboarded, increase the volume of ingested logs, and build more rules, workbooks and Logic Apps for the product.