Firewalls Integration with Sentinel


Hello,


We have integrated F5 (WAF firewall) and Palo Alto firewall with Microsoft Sentinel using the CEF collector. The logs received on the CEF collector server have all the values of the events, as we see when using tcpdump to capture those logs, but when trying to see those logs in the CommonSecurityLog table, there are some fields missing, like the ExternalId of the event linked with the firewall, which is important for referencing the event in Sentinel with the event in the firewall.


Is there any method to fetch these missing fields? I'm thinking the out-of-box connector using Logic Apps can implement this, but I want to ask if there is another method for that.


Thank you

2 Replies
Have you checked the AdditionalExtensions column? Some data is often in there for you to parse.
The value in this column is "microservice=N/A".
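A quick way to settle where a field is being lost is to parse the raw CEF line captured on the collector the same way the connector does: standard extension keys land in named CommonSecurityLog columns, everything else is packed into AdditionalExtensions as key=value pairs. The script below is an added example, not code from this thread or from Microsoft; the sample line is constructed and the key-to-column table is an assumed subset of the documented mapping.

```python
import re

# Constructed sample of a syslog-wrapped CEF record, modelled on what tcpdump on the
# collector would show for a Palo Alto threat event. All values are made up.
SAMPLE = (
    "<14>Jun 01 12:00:00 pa-fw CEF:0|Palo Alto Networks|PAN-OS|10.1|threat|THREAT|5|"
    "rt=Jun 01 2024 12:00:00 src=10.0.0.5 dst=203.0.113.7 spt=51234 dpt=443 "
    "act=alert app=ssl externalId=7000123456 microservice=N/A cs1Label=Rule cs1=allow-web"
)

# Standard CEF extension keys that the Sentinel CEF connector maps to named
# CommonSecurityLog columns (assumed subset of the documented mapping).
CEF_TO_COLUMN = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
    "dpt": "DestinationPort", "act": "DeviceAction", "app": "ApplicationProtocol",
    "externalId": "ExternalID", "rt": "ReceiptTime",
    "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
}

HEADER_FIELDS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Activity", "LogSeverity"]


def parse_cef(line: str) -> dict:
    """Split a CEF record into the columns Sentinel would populate; keys without a
    named column are joined into AdditionalExtensions as 'k=v;k=v'."""
    cef = line[line.index("CEF:"):]
    # Header fields are '|'-separated; a literal '|' in a header value is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[1:7])))
    # Extension values may contain spaces, so a value runs until the next ' key=' token.
    extras = []
    for key, val in re.findall(r"(\w+)=((?:(?!\s\w+=).)*)", parts[7]):
        val = val.replace("\\=", "=")
        col = CEF_TO_COLUMN.get(key)
        if col:
            record[col] = val
        else:
            extras.append(f"{key}={val}")
    record["AdditionalExtensions"] = ";".join(extras)
    return record


if __name__ == "__main__":
    for col, val in parse_cef(SAMPLE).items():
        print(f"{col:28} {val}")
```

If externalId is present in the capture but ExternalID is empty in the table, the loss is on the connector side; if the capture itself lacks it, the firewall's log-forwarding profile is where to look.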