Microsoft Azure Sentinel Integration Guide
Microsoft Azure Sentinel is a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise and provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.
This document describes the steps to integrate Microsoft Azure Sentinel with your WatchGuard Firebox.
Platform and Software
The hardware and software used to complete the steps outlined in this document include:
- Microsoft Azure Sentinel Cloud
- Microsoft Azure Sentinel Agent
- Rsyslog Server
- WatchGuard Firebox
- Fireware v12.7
Before You Begin
Before you begin these procedures, make sure that:
- You have the workspace and resource group configured in Azure Sentinel.
- You have installed and configured rsyslog server.
- Your rsyslog server can receive WatchGuard Firebox logs.
Set Up Azure Sentinel
- Log in to Microsoft Azure Sentinel.
- Enter Azure Sentinel.
- Select your workspace.
- Select Data connectors.
- Search for the WatchGuard Firebox connector.
- Click Open connector page.
- On the Instructions tab, select Download & install agent for non-Azure Linux machines, then follow the steps to install the Azure Sentinel Agent.
- After the Azure Sentinel Agent installation completes, select Open your workspace agents configuration.
- On the Syslog tab, add the facilities you need (for example, local0 to local7，kern and syslog).
- Click Apply.
- Go back to the WatchGuard Firebox connector page, then below Configuration, click the Follow these steps link.
- To set up the function, follow the WatchGuard syslog Parser file description.
Sentinel is able to analyze the function.
Set Up the Firebox
- Log in to Fireware Web UI (https://<your firebox IP address>:8080).
- Select System > Logging.
The Logging page opens.
- Select the Syslog Server tab.
- Select the Send log messages to these syslog servers check box.
- Click Add.
The Syslog Server dialogue box opens.
- In the IP Address text box, type the IP address of your Azure Sentinel Agent.
- In the Port text box, type 514.
- From the Log Format drop-down list, select Syslog.
- Select syslog facility you need (for example, default settings).
- Click OK.
- Click Save.
You can configure logging in many locations in the Firebox configuration, such as policies and proxies. Make sure you select Send a log message when you want the Firebox to generate a log message for an event.
Test the Integration
- After the Firebox starts to send log to Azure Sentinel Agent, in the WatchGuard Firebox connector page, select Next steps.
- Select the first query sample, then click Run.
Information about the query appears.
Information from sources other than the Firebox can sometimes appear in Syslog data. For example, in the query results shown in the Test the Integration section of this document, localhost events are not related to the Firebox. To run a query that returns events from only the Firebox, you can filter the query by host name or computer.
Example query that excludes events from the host name localhost:
Example query that only includes events from the host name Member1: