Describe the bug
By updating the requirements.txt file, I am able to re-deploy with Web App, and events are flowing from CDL into Sentinel via HTTPS. However, this function is creating distinct _CL files for each filter in CDL. I now have url_CL, userID_CL, and others, instead of flowing to the common event log that the official Palo Alto solution is parsing (and to which the older AMA/syslog solutions were sending events).
Is this Web App compatible with the official PaloAltoCDL solution, or will I need to create my own workbooks, analytics, etc.? https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAltoCDL