Microsoft Sentinel with WatchGuard Firebox Integration Guide

This document describes the integration of Microsoft Sentinel with your WatchGuard Firebox.

Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise and provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

The Microsoft Sentinel integration does not currently support Fireboxes deployed in Azure Government Community Cloud.

Integration Summary

The hardware and software used in this guide include:

  • Microsoft Sentinel Cloud
  • Microsoft Monitoring Agent
  • rsyslog server, version 8.24.0-57.el7_9.3
  • Firebox or FireboxV with Fireware v12.10 or higher

Topology

Test Topology

Before You Begin

Before you begin these procedures, make sure that:

  • You have configured the workspace and resource group in Microsoft Sentinel.
  • You have installed and configured your rsyslog server.
  • Your rsyslog server can receive Firebox logs.

To configure Microsoft Sentinel with your Firebox, complete these steps:

  1. Register the Syslog Server with Azure
  2. Configure Microsoft Sentinel
  3. Configure the Firebox

Register the Syslog Server with Azure

To register the syslog server with Azure:

  1. Log in to Microsoft Azure with an administrator account.
  2. In the Search Resources, Services, and Docs search box, search for and select Azure Arc.
    The Azure Arc configuration page opens.
  3. From the left navigation menu, select All Azure resources > Infrastructure > Machines.
    The Machines page opens.
  4. From the Onboard/Create drop-down list, select Onboard existing machines.
    The Onboard Existing Machines with Azure Arc page opens.
  5. From the Basics tab:
    • In the Project details section:
      1. From the Subscription drop-down list, select your subscription.
      2. From the Resource group drop-down list, select the resource group in which you want to register your syslog server.
    • In the Server details section:
      1. From the Region drop-down list, select the region in which you want to register your syslog server.
      2. From the Operating system drop-down list, select Linux.
    • In the Authentication method section:
      • Select Authenticate machines manually.
    • Keep the default values for the other settings, then click Next.
  6. From the Tags tab, click Next.
  7. From the Download and run script tab:
    1. Click Download to download the registration script.
    2. Click Close.
  8. Run the registration script on the host you want to register with the Azure platform.
    After a short time, a URL and a verification code appear.
  9. Disable Uncomplicated Firewall (UFW) on your host; otherwise, registration might fail.
  10. Go to https://microsoft.com/devicelogin (external link) and type the verification code.
  11. After registration is complete, view the host in Azure.
  12. Click the name of the device.
    The Machine Overview page opens.
  13. From the left navigation, select Settings > Extensions.
  14. Click Add.
    The Install Extension page opens.
  15. Select Azure Monitor Agent for Linux.
  16. Click Next.
  17. Click Review + create.
  18. Click Create.
    It might take some time for the Azure Monitor Agent to deploy.
  19. Log in to the Microsoft Azure portal.
  20. In the Search Resources, Services, and Docs search box, search for and select Microsoft Sentinel.
    The Microsoft Sentinel page opens with the list of workspaces that have Microsoft Sentinel installed.
  21. From the list, select your workspace.
    The Microsoft Sentinel Overview page for the selected workspace opens.
  22. On the Overview page, from the navigation menu, in the Content Management section, select Content Hub.
    The Content Hub page opens.
  23. On the Content Hub page, search for and select the Syslog via AMA connector.
  24. Click Open connector page at the bottom right of the page.
    The Syslog via AMA configuration page opens.
  25. In the Configuration section, click +Create data collection rule.
    The Create Data Collection Rule configuration page opens.
  26. From the Basic tab:
    1. In the Rule name text box, type a descriptive name for the rule.
    2. From the Subscription and Resource group drop-down lists, select the subscription and resource group your syslog server is registered to.
    3. Click Next: Resources.
  27. From the Resources tab:
    1. Select the machine that you registered with Azure.
    2. Click Next: Collect.
  28. From the Collect tab:
    1. Select Collect messages without PRI header (facility and severity).
    2. Select Minimum as the log level for each Facility.
    3. Click Next: Review + create.
  29. From the Review + create tab, click Create.
  30. Copy the command from the lower area of the page, and run the command from a command window on your computer.

Configure Microsoft Sentinel

To configure Microsoft Sentinel:

  1. Log in to the Microsoft Azure portal.
  2. In the Search Resources, Services, and Docs search box, search for and select Microsoft Sentinel.
    The Microsoft Sentinel page opens with the list of workspaces that have Microsoft Sentinel installed.
  3. From the list of workspaces, select your workspace.
    The Microsoft Sentinel Overview page for your selected workspace opens.
  4. On the Overview page, from the navigation menu, in the Content Management section, select Content Hub.
    The Content Hub page opens.
  5. On the Content Hub page, search for and select the WatchGuard Firebox connector.
  6. Click Install.
    The WatchGuard Firebox connector installs.
  7. From the navigation menu, in the Configuration section, select Data Connectors.
  8. Select the WatchGuard Firebox connector.
  9. Click Go to Log Analytics.
    The Logs page opens.
  10. From the navigation menu, select Functions > Workspace Functions.
  11. Verify that the WatchGuardFirebox function exists and that Microsoft Sentinel can analyze the function.

Configure the Firebox

To configure your Firebox:

  1. Log in to Fireware Web UI at https://<your Firebox IP address>:8080.
  2. Select System > Logging.
    The Logging page opens.
  3. Select the Syslog Server tab.
  4. Select the Send Log Messages to These Syslog Servers check box.
  5. Click Add.
    The Syslog Server dialog box opens.
  6. In the IP Address text box, type the IP address of your Microsoft Monitoring Agent.
  7. In the Port text box, type 514.
  8. From the Log Format drop-down list, select IBM LEEF.
  9. For each type of device log message, from the drop-down list, select the syslog facility.
  10. Click OK.
  11. Click Save.

You can configure logging in many areas of the Firebox configuration, such as policies and proxies. For any event that you want the Firebox to generate a log message for, make sure Send a Log Message is selected.

Test the Integration

To test the integration of Microsoft Sentinel with your Firebox, after the Firebox starts to send logs to the Microsoft Monitoring Agent:

  1. Log in to the Microsoft Azure portal.
  2. From the search box, search for and select Microsoft Sentinel.
  3. Select the workspace you created.
  4. From the navigation menu, in the Configuration section, select Data Connectors.
  5. Select the WatchGuard Firebox connector.
  6. Select Go to Log Analytics.
    The Logs page opens.
  7. Run queries to get the information you want.

You can use the queries to:

  • Filter Logs
  • View the Parser Definitions

Filter Logs

Information from sources other than the Firebox can sometimes appear in Syslog data. To run a query that returns events from only the Firebox, you can filter the query by host name or computer.

Example 1

Query that excludes events from the host name localhost:

Example 2

Query that includes events from only the hostname FireboxV-lab-Smart:

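The two filters described in Example 1 and Example 2, written out as an added KQL example for this guide (these are not queries from the original page). They use the standard Log Analytics Syslog table columns Computer, HostName, Facility, SeverityLevel and SyslogMessage; the hostname FireboxV-lab-Smart is the one from Example 2, and the header parse assumes the standard LEEF 1.0 header layout (LEEF:Version|Vendor|Product|Version|EventID|attributes).

```kql
// Example 1: exclude events reported by the host name localhost.
// HostName is the originating host from the syslog header; Computer is the
// Azure Monitor Agent machine (the rsyslog server), so either can be filtered.
Syslog
| where HostName != "localhost" and Computer != "localhost"
| project TimeGenerated, Computer, HostName, Facility, SeverityLevel, SyslogMessage
| take 50

// Example 2: include events from only the Firebox FireboxV-lab-Smart, then
// split the LEEF 1.0 header so results can be summarized per Firebox event ID.
// Assumption: the Firebox sends IBM LEEF as configured in "Configure the Firebox".
Syslog
| where HostName == "FireboxV-lab-Smart"
| where SyslogMessage contains "LEEF:"
| parse SyslogMessage with * "LEEF:" LeefVersion "|" Vendor "|" Product "|" FwVersion "|" EventId "|" Attributes
| summarize Events = count() by EventId, SeverityLevel
| order by Events desc
```

On the Logs page, run the two queries one at a time: place the cursor in the query you want and click Run, since the page executes only the query block under the cursor.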

Parser Definition

Users can verify which parsers are supported by the WatchGuard Firebox connector.

To view the supported parsers:

  • On the WatchGuard Firebox connector Logs page, from the navigation menu, select Functions > Workspace Functions > WatchGuardFirebox.