Microsoft Defender for Cloud Apps Integration Guide

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes, such as log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your Microsoft and third-party cloud services.

This document describes the steps to integrate Microsoft Defender for Cloud Apps with your WatchGuard Firebox.

Contents

• Microsoft Defender for Cloud Apps Integration Guide
  • Contents
  • Platform and Software
  • Test Topology
  • Set Up Microsoft Defender for Cloud Apps
  • Set Up Firebox
    • Add a Syslog Server
    • Add a proxy policies
  • Test the Integration

Platform and Software

Test Topology

Set Up Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender, which correlates singles from across the Microsoft Defender suite and provides incident-level detection, investigation, and powerful response capability. It is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.

1. Log in to the Microsoft 365 Defender portal.
2. Select Settings > Cloud Apps.
3. Under Cloud Discovery, select Automatic log upload > Data Sources.
4. Click Add data source....
   

5. In the Name text box, type the data source name.
6. From the Source drop-down list, select WatchGuard XTM.
7. Click View sample of expected log file > Download sample log. Make sure that the downloaded sample log matches your log files.
8. From the Receiver type drop-down list, select Syslog - UDP.

9. Click Add.
10. Select the Log collectors tab.
11. Click Add log collector....
12. In the Name text box, type the log collector name.
13. In the Host IP address or FQDN text box, type the log collector server IP address.
14. In the Data source(s) text box, select the data source you added.

15. Click Create.
16. Follow the guide to deploy the log collector server.

17. Click Close.

Set Up Firebox

Complete the steps in this section to set up your Firebox.

Add a Syslog Server

1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
2. Select System > Logging.
   The Logging page opens.
3. Select the Syslog Server tab.
4. Select the Send log messages to these syslog servers check box.
5. Click Add.
   The Syslog Server dialog box opens.
6. In the IP Address text box, type the IP address of your log collector server.
7. In the Port text box, type 514.
8. From the Log Format drop-down list, select IBM LEEF.
9. Do not change the default values for the other Syslog Server settings.

10. Click OK.
11. Click Save.

Add a proxy policies

When you add a proxy policy to your Firebox configuration file, you specify types of content that the Firebox must find as it examines network traffic. If the content matches (or does not match) the criteria you set in the proxy definition, the traffic is either allowed or denied, based on the criteria and settings you specify. In this example, we add a HTTPS-Proxy Policy with HTTPS-Client.Standard action.

• In the default firewall state, with no proxy policies and no traffic through the Firebox, you might see the message "Failed, Log format does not match the expected format for WATCHGUARD_XTM_SYSLOG" in the governance log. You can ignore this message.
• Verify your log format to make sure that it is formatted properly based on the sample log downloaded from Microsoft Defender for Cloud Apps.

• Make sure you select Send a log message when you want the Firebox to generate a log for an event.

Test the Integration

1. Log in to Microsoft 365 Defender portal.
2. Select Cloud apps > Governance log.
3. Confirm the status for the Parse Cloud Discovery log is Successful.
   

4. Select Cloud apps > Cloud Discovery.
5. Confirm the integration was successful.