Microsoft Sentinel with WatchGuard Firebox Integration Guide
This document describes the integration of Microsoft Sentinel with your WatchGuard Firebox.
Microsoft Sentinel is a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise and provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.
The Microsoft Sentinel integration does not currently support Fireboxes deployed in Azure Government Community Cloud.
Integration Summary
The hardware and software used in this guide include:
- Microsoft Sentinel Cloud
- Microsoft Monitoring Agent
- Rsyslog server v8.24.0-57.el7_9.3
- Firebox with Fireware v12.10
Topology
Before You Begin
Before you begin these procedures, make sure that:
- You have configured the workspace and resource group in Microsoft Sentinel.
- You have installed and configured your rsyslog server.
- Your rsyslog server can receive Firebox logs.
To configure Microsoft Sentinel with your Firebox, complete these steps:
Configure Microsoft Sentinel
To configure Microsoft Sentinel:
- Log in to the Microsoft Azure portal.
- In the Search Resources, Services, and Docs search box, search for and select Microsoft Sentinel.
The Microsoft Sentinel page opens with the list of workspaces that have Microsoft Sentinel installed.
- From the list, select your workspace.
The Microsoft Sentinel Overview page for your selected workspace opens.
- On the Overview page, from the navigation menu, in the Content Management section, select Content Hub.
The Content Hub page opens.
- On the Content Hub page, search for and select the WatchGuard Firebox connector.
- Click Install.
The WatchGuard Firebox connector installs.
- From the navigation menu, in the Configuration section, select Data Connectors.
The Data Connectors page opens.
- From the list of installed connectors, select WatchGuard Firebox.
- Click Open Connector Page.
The WatchGuard Firebox connector page opens.
- In the Configuration section, select Install Agent on a Non-Azure Linux Machine, then click Download & Install Agent for Non-Azure Linux Machines, and follow the steps to install the Microsoft Monitoring Agent.
- After you install the Microsoft Monitoring Agent and configure it with your workspace ID and key, return to the WatchGuard Firebox connector page and click Open Your Workspace Agents Configuration.
The Legacy Agents Management page opens.
- On the Syslog page, click Add Facility, then add each facility you want to collect data from. For example, local0 to local7, kern, and syslog.
- Click Apply.
The agent configuration saves.
- Return to the WatchGuard Firebox connector page.
- Click Go to Log Analytics.
The Logs page opens.
- From the navigation menu, select Functions > Workspace Functions.
- Verify that the WatchGuardFirebox function exists and that Microsoft Sentinel can analyze the function.
Configure the Firebox
To configure your Firebox:
- Log in to Fireware Web UI at https://<your firebox IP address>:8080.
- Select System > Logging.
The Logging page opens.
- Select the Syslog Server tab.
- Select the Send Log Messages to These Syslog Servers check box.
- Click Add.
The Syslog Server dialog box opens.
- In the IP Address text box, type the IP address of the server where the Microsoft Monitoring Agent is installed.
- In the Port text box, type 514.
- From the Log Format drop-down list, select Syslog.
- For each type of device log message, from the drop-down list, select the syslog facility.
- Click OK.
- Click Save.
You can configure logging in many areas in the Firebox configuration, such as policies and proxies. Make sure you select Send a Log Message when you want the Firebox to generate a log message for an event.
Test the Integration
To test the integration of Microsoft Sentinel with your Firebox, after the Firebox starts to send logs to Microsoft Monitoring Agent:
- Log in to the Microsoft Azure portal.
- From the search box, search for and select Microsoft Sentinel.
- Select the workspace you created.
- From the navigation menu, in the Configuration section, select Data Connectors.
- Select the WatchGuard Firebox connector.
- Select Go to Log Analytics.
The Logs page opens.
- Run queries to get the information you want.
You can use the queries to:
- Filter Logs
- View the parser definitions
Filter Logs
Information from sources other than the Firebox can sometimes appear in Syslog data. To run a query that returns events from only the Firebox, you can filter the query by host name or computer.
Example 1
Query that excludes events from the host name localhost:
Example 2
Query that includes events from only the host name M400:
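As an added illustration of the two filters described above (these are not the guide's own queries), the following Log Analytics queries assume that the Firebox events arrive in the standard Syslog table and that Computer and HostName are the columns that identify the reporting device; the time window and row limit are arbitrary choices for interactive use.

```kusto
// Example 1 (added): exclude events reported by the host name "localhost",
// checking both the agent's Computer column and the syslog HostName column
Syslog
| where TimeGenerated > ago(1h)
| where Computer != "localhost" and HostName != "localhost"
| project TimeGenerated, Computer, HostName, Facility, SeverityLevel, SyslogMessage
| order by TimeGenerated desc
| take 50

// Example 2 (added): include only events from the Firebox whose host name is "M400"
Syslog
| where TimeGenerated > ago(1h)
| where HostName == "M400"
| project TimeGenerated, HostName, Facility, SeverityLevel, SyslogMessage
| order by TimeGenerated desc
| take 50
```

In the Logs editor, place the cursor inside one query before you click Run; if Example 2 returns no rows, check that the host name in the Firebox log messages matches the value you filter on, since a mismatch in the device name silently drops every event.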
Parser Definition
You can verify which parsers the WatchGuard Firebox connector supports.
To view the supported parsers:
- On the WatchGuard Firebox connector Logs page, from the navigation menu, select Functions > Workspace Functions > WatchGuardFirebox.
- Click Load the Function Code.
All the supported parsers are displayed.