Microsoft Azure Sentinel Integration Guide

Microsoft Azure Sentinel is a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise and provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

This document describes the steps to integrate Microsoft Azure Sentinel with your WatchGuard Firebox.

The Microsoft Azure Sentinel integration does not currently support WatchGuard Fireboxes deployed in Azure Government Community Cloud.

Contents

• Microsoft Azure Sentinel Integration Guide
• • Contents
  • • Platform and Software
    • Test Topology
  • Before You Begin
  • Set Up Azure Sentinel
  • Set Up the Firebox
  • Test the Integration
  • • Filter Logs
    • Parser Definition

Platform and Software

Test Topology

Before You Begin

Before you begin these procedures, make sure that:

• You have the workspace and resource group configured in Azure Sentinel.
• You have installed and configured rsyslog server.
• Your rsyslog server can receive WatchGuard Firebox logs.

Set Up Azure Sentinel

1. Log in to Microsoft Azure.
2. Enter Microsoft Sentinel.
3. Click your created workspace.

4. Click Content hub under Content management.

5. Search for the WatchGuard Firebox connector.
6. Click Install on the connector page.

7. Click Data connectors under Configuration.
8. Select the installed WatchGuard Firebox connector.
9. Click the Open connector page.

10. Under the Configuration, Click Download & install agent for non-Azure Linux machines, then follow the steps to install the Azure Sentinel Agent.

11. After the Azure Sentinel Agent installation completes, select Open your workspace agents configuration.

12. On the Syslog tab, add the facilities you need (for example, local0 to local7，kern and syslog).

13. Click Apply.
14. Go back to the WatchGuard Firebox connector page, and click Go to log analytics.

15. Click Functions > Workspace functions. Verify the WatchGuardFirebox function exists, and Sentinel can analyze the function.

Set Up the Firebox

1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
2. Select System > Logging.
   The Logging page opens.
3. Select the Syslog Server tab.
4. Select the Send log messages to these syslog servers check box.
5. Click Add.
   The Syslog Server dialogue box opens.
6. In the IP Address text box, type the IP address of your Azure Sentinel Agent.
7. In the Port text box, type 514.
8. From the Log Format drop-down list, select Syslog.
9. Select the syslog facility you need (for example, default settings).

10. Click OK.
11. Click Save.

You can configure logging in many areas in the Firebox configuration, such as policies and proxies. Make sure you select Send a log message when you want the Firebox to generate a log message for an event.

Test the Integration

1. After the Firebox starts to send log to Azure Sentinel Agent, in the WatchGuard Firebox connector page, select Go to log analytics.

2. Open a new query, and run the following command, Information about the query appears.

Filter Logs

Information from sources other than the Firebox can sometimes appear in Syslog data. For example, in the query results shown in the Test the Integration section of this document, localhost events are not related to the Firebox. To run a query that returns events from only the Firebox, you can filter the query by host name or computer.

Example query that excludes events from the host name localhost:

Example query that only includes events from the hostname M400:

Parser Definition

Users are able to check which Parsers are supported by WatchGuardFirebox connector.

1. In the WatchGuard Firebox connector log analysis page, select Functions > Workspace functions > WatchGuardFirebox.
2. Click Load the function code.

3. All support parsers displayed.