Has anyone tried correlating Prisma threat logs with Microsoft Events before?

Vince Ian Cruz 0 Reputation points
2025-01-16T04:16:31.1666667+00:00

We are trying to correlate our threat logs with any Microsoft events that could be related to it. It would help us enrich the alerts. Has anyone done it before? Does Microsoft have templates on it?

Our current setup is that we have custom threat logs from Palo Alto Prisma connected via REST API. Our prediction is to do it via Sentinel Fusion rules to correlate those Prisma logs with Microsoft logs, but it would be a very hard thing to do as we need to look at all the Prisma threat signatures and throw those into a KQL. I'm not sure about the process of the latter. Does someone here have an idea or maybe a ready-made template from Microsoft that you could share? It is much appreciated.


1 answer

  1. Andrew Blumhardt 9,866 Reputation points Microsoft Employee
    2025-01-21T13:21:56.6866667+00:00

    Sentinel Fusion is based on a specific set of alerts. It is not a strong or global form of correlation. There is a URL in the fusion (multi-stage attack) rule description to see the full list.

    Sentinel now integrates with the Defender XDR portal (security.microsoft.com) where broad correlation is applied. This is based on entity mapping. This requires Sentinel alert rules with proper entity mapping. Verify by looking at the alerts in the XDR portal; you should see the entities listed. For Prisma I assume that is IP and URL or domain mapping. Correlation will then be automatic.
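As an added illustration of the entity-mapped scheduled rule the answer describes (example written here, not code from the answer author or from Microsoft), the following is a Sentinel analytics rule in the Azure-Sentinel repository YAML format. The custom table name `PrismaThreat_CL` and its column names (`severity_s`, `action_s`, `src_ip_s`, `dst_ip_s`, `url_s`, `threat_name_s`) are assumptions about how the REST API ingestion named the Prisma fields; substitute the real names from your workspace.

```yaml
# Added example: scheduled rule that maps Prisma threat fields to IP, URL and DNS
# entities so Defender XDR can correlate them with Microsoft alerts on the same
# entities. Table and column names below are assumed, not taken from the thread.
id: 00000000-0000-0000-0000-000000000000   # placeholder; generate a new GUID
name: Prisma high-severity threat (entity mapped)
description: |
  Surfaces high/critical Prisma threat events that were not blocked, with
  source IP, destination IP, URL and destination domain mapped as entities.
severity: High
requiredDataConnectors: []                 # custom REST API ingestion, no connector
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CommandAndControl
query: |
  PrismaThreat_CL
  | where severity_s in~ ("critical", "high")
  | where action_s !in~ ("block", "drop", "reset-both")   // only threats that got through
  | extend DestinationDomain = tostring(parse_url(url_s).Host)
  | project TimeGenerated,
            ThreatName = threat_name_s,
            SourceIP = src_ip_s,
            DestinationIP = dst_ip_s,
            Url = url_s,
            DestinationDomain,
            Action = action_s
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DestinationIP
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: DestinationDomain
version: 1.0.0
kind: Scheduled
```

After the rule fires, open one of its alerts in the Defender XDR portal and confirm the IP, URL and domain entities appear on the alert; that is the check the answer recommends before expecting automatic correlation.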

