Microsoft Azure Sentinel Integration Guide

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise and provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

This document describes the steps to integrate Microsoft Azure Sentinel with your WatchGuard Firebox.

The Microsoft Azure Sentinel integration does not currently support WatchGuard Fireboxes deployed in Azure Government Community Cloud.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Microsoft Azure Sentinel Cloud
  • Microsoft Azure Sentinel Agent
  • Rsyslog Server
    • Version 8.24.0-57.el7_9.3
  • WatchGuard Firebox
    • Fireware v12.10

Test Topology

Before You Begin

Before you begin these procedures, make sure that:

  • You have a workspace and resource group configured in Azure Sentinel.
  • You have installed and configured an rsyslog server.
  • Your rsyslog server can receive WatchGuard Firebox logs.

Set Up Azure Sentinel

  1. Log in to Microsoft Azure.
  2. Open Microsoft Sentinel.
  3. Click the workspace you created.

Screen shot of the workspace

  4. Under Content management, click Content hub.

Screen shot of the workspace

  5. Search for the WatchGuard Firebox connector.
  6. On the connector page, click Install.

Screen shot of the data connectors

  7. Under Configuration, click Data connectors.
  8. Select the installed WatchGuard Firebox connector.
  9. Click Open connector page.

Screen shot of the Watchguard Firebox connector

  10. Under Configuration, click Download & install agent for non-Azure Linux machines, then follow the steps to install the Azure Sentinel Agent.

Screen shot of the agent installation

  11. After the Azure Sentinel Agent installation completes, select Open your workspace agents configuration.

Screen shot of the Instructions tab

  12. On the Syslog tab, add the facilities you need (for example, local0 to local7, kern, and syslog).

Screen shot of the Agents configuration

  13. Click Apply.
  14. Go back to the WatchGuard Firebox connector page and click Go to log analytics.

Screen shot of the Watchguard Firebox connector

  15. Click Functions > Workspace functions. Verify that the WatchGuardFirebox function exists and that Sentinel can use the function.

Screen shot of the function setup

Set Up the Firebox

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select System > Logging.
    The Logging page opens.
  3. Select the Syslog Server tab.
  4. Select the Send log messages to these syslog servers check box.
  5. Click Add.
    The Syslog Server dialog box opens.
  6. In the IP Address text box, type the IP address of your Azure Sentinel Agent.
  7. In the Port text box, type 514.
  8. From the Log Format drop-down list, select Syslog.
  9. Select the syslog facility you need (for example, the default settings).

Screen shot of the Syslog Server configuration

  10. Click OK.
  11. Click Save.

You can configure logging in many areas in the Firebox configuration, such as policies and proxies. Make sure you select Send a log message when you want the Firebox to generate a log message for an event.

Screen shot of the Logging dialog box

Test the Integration

  1. After the Firebox starts to send logs to the Azure Sentinel Agent, on the WatchGuard Firebox connector page, select Go to log analytics.

Screen shot of the Watchguard Firebox connector

  2. Open a new query and run the following query. Information about the query results appears.

Screen shot of the query

Filter Logs

Information from sources other than the Firebox can sometimes appear in Syslog data. For example, in the query results shown in the Test the Integration section of this document, the localhost events are not related to the Firebox. To run a query that returns events from only the Firebox, filter the query by host name or computer.

Example query that excludes events from the host name localhost:

Screen shot of the query

Example query that only includes events from the host name M400:

Screen shot of the query
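The two queries above are shown only as screen shots. The KQL below is an added example, not from the WatchGuard guide, that does the same host-name filtering against the Log Analytics Syslog table (the HostName, Computer, Facility, SeverityLevel, and SyslogMessage columns are standard Syslog table columns). M400 is the Firebox host name used in this guide's screen shots; the one-hour time window is an assumption, so adjust both to match your environment.

```kql
// Added example for this guide (not from WatchGuard or Microsoft).
// Run each query separately in Log Analytics by placing the cursor in it.

// 1. Find out which hosts are writing to the Syslog table. Run this first
//    to confirm the Firebox host name and to spot unrelated sources
//    (for example, localhost entries written by the agent host itself).
Syslog
| where TimeGenerated > ago(1h)   // assumed window; widen if the Firebox logs rarely
| summarize Events = count(), LastSeen = max(TimeGenerated) by HostName, Computer
| order by Events desc

// 2. Exclude events from the host name localhost.
Syslog
| where TimeGenerated > ago(1h)
| where HostName != "localhost"
| project TimeGenerated, HostName, Computer, Facility, SeverityLevel, SyslogMessage

// 3. Include only events from the Firebox. =~ is a case-insensitive compare,
//    and matching on either column covers agents that populate Computer
//    rather than HostName for forwarded syslog.
Syslog
| where TimeGenerated > ago(1h)
| where HostName =~ "M400" or Computer =~ "M400"
| project TimeGenerated, HostName, Computer, Facility, SeverityLevel, SyslogMessage
| order by TimeGenerated desc
```

Query 1 is the useful first check: if the Firebox does not appear in its results after the Set Up the Firebox steps, the problem is on the sending side (Firebox syslog settings or the rsyslog server), not in the query filters. Once the host name is confirmed, query 3 is the one to base further analytics on, because an exclusion list like query 2 silently admits any new unrelated source that starts logging to the same workspace.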

Parser Definition

You can check which parsers the WatchGuardFirebox connector supports.

  1. On the WatchGuard Firebox connector log analytics page, select Functions > Workspace functions > WatchGuardFirebox.
  2. Click Load the function code.

Screen shot of the query

  3. All supported parsers are displayed.

Screen shot of the query