topic Re: prophaze waf Log Ingestion in Cortex XDR Management Console in Cortex XDR Discussions

prophaze waf Log Ingestion in Cortex XDR Management Console

RajeshPremSingh — Thu, 18 Apr 2024 18:37:18 GMT

I kindly request how to ingest prophaze waf Logs in the cortex console. If possible, could you guide how to proceed with this integration? Additionally, please share any related documents or resources that could be helpful in this process.

Re: prophaze waf Log Ingestion in Cortex XDR Management Console

jmazzeo — Tue, 05 Mar 2024 13:25:56 GMT

Hi @RajeshPremSingh, thanks for reaching us using the Live Community.

To ingest third party logs in the Cortex XDR tenant you need the Cortex XDR Pro Per-GB license.

If the Prophaze Waf supports sending logs to a syslog server, the procedure is the following:

Install a Broker VM instance in your environment.
Enable the Syslog applet in the Broker VM. Configure the vendor and product for the upcoming raw logs.
Create a custom parsing rule to convert the raw data into readable fields by the XDR console that can be used to stitch logs to alerts. This also requires Pro Per-GB license.

Please let me know if this helps.

If this post answers your question, please mark it as the solution.

Re: prophaze waf Log Ingestion in Cortex XDR Management Console

RajeshPremSingh — Tue, 05 Mar 2024 16:11:01 GMT

@jmazzeo possible to do API?

Re: prophaze waf Log Ingestion in Cortex XDR Management Console

jmazzeo — Tue, 05 Mar 2024 17:35:16 GMT

@RajeshPremSingh, not posible to ingest using API, only for the third party supported vendors.

Re: prophaze waf Log Ingestion in Cortex XDR Management Console

PoojalaSreenadh — Wed, 06 Mar 2024 05:37:58 GMT

Hi Jmazzeo,

I am Sreenadh, team member of Rajesh. could you please help with Create a custom parsing rule to convert the raw data into readable fields by the XDR console.

Re: prophaze waf Log Ingestion in Cortex XDR Management Console

jmazzeo — Wed, 06 Mar 2024 12:35:36 GMT

Hi @PoojalaSreenadh, I'll recommend you to watch this Webinar Series about Parsing rules and correlation.

This is the first one with the Parsing basics and how they work: https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-customer-success-webinar-series-part-1-getting-started/ta-p/575388

Also we have a full Youtube playlist about custom logs parsing from scratch: https://youtube.com/playlist?list=PLD6FJ8WNiIqXct0oWOxUfr0gDGOQLECGS&feature=shared

Re: prophaze waf Log Ingestion in Cortex XDR Management Console

PoojalaSreenadh — Wed, 06 Mar 2024 20:15:40 GMT

@jmazzeo ,

Thanks for the valuable information, we will go through the following videos and if additional information is required we connect with you.

Re: prophaze waf Log Ingestion in Cortex XDR Management Console

PoojalaSreenadh — Fri, 08 Mar 2024 05:12:03 GMT

Hi @jmazzeo ,

is there any possible way to ingest logs or alerts from prophase WAF through HTTP log collector to receive logs?

Re: prophaze waf Log Ingestion in Cortex XDR Management Console

jmazzeo — Fri, 08 Mar 2024 13:10:17 GMT

Hi @PoojalaSreenadh, yes, you can setup a HTTP collector to ingest logs in Raw, JSON, CEF, or LEEF formats.

Here is the official doc: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Set-up-an-HTTP-Log-Collector-to-Receive-Logs

And at the top of that doc you can see all the supported additional log ingestion methods: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Additional-Log-Ingestion-Methods

Re: prophaze waf Log Ingestion in Cortex XDR Management Console

PoojalaSreenadh — Fri, 08 Mar 2024 13:19:56 GMT

Hi@jmazzeo,

Thanks for the quick reply. we can go through it and let you know if any queries.