Microsoft Azure Sentinel Integration Guide

Microsoft Azure Sentinel is a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise and provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

This document describes the steps to integrate Microsoft Azure Sentinel with your WatchGuard Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Microsoft Azure Sentinel Cloud
  • Microsoft Azure Sentinel Agent
  • Rsyslog Server
    • v8.24.0
  • WatchGuard Firebox
    • Fireware v12.7

Test Topology

Test Topology

Before You Begin

Before you begin these procedures, make sure that:

  • You have the workspace and resource group configured in Azure Sentinel.
  • You have installed and configured rsyslog server.
  • Your rsyslog server can receive WatchGuard Firebox logs.

Set Up Azure Sentinel

  1. Log in to Microsoft Azure Sentinel.
  2. Enter Azure Sentinel.

Screen shot of the workspace

  1. Select your workspace.

Screen shot of the workspace

  1. Select Data connectors.
  2. Search for the WatchGuard Firebox connector.

Screen shot of the data connectors

  1. Click Open connector page.

Screen shot of the Watchguard Firebox connector

  1. On the Instructions tab, select Download & install agent for non-Azure Linux machines, then follow the steps to install the Azure Sentinel Agent.

Screen shot of the agent installation

  1. After the Azure Sentinel Agent installation completes, select Open your workspace agents configuration.

Screen shot of the Instructions tab

  1. On the Syslog tab, add the facilities you need (for example, local0 to local7kern and syslog).

Screen shot of the Agents configuration

  1. Click Apply.
  2. Go back to the WatchGuard Firebox connector page, then below Configuration, click the Follow these steps link.

Screen shot of the Watchguard Firebox connector

  1. To set up the function, follow the WatchGuard syslog Parser file description.

Screen shot of the function setup

Screen shot of the function setup

Sentinel is able to analyze the function.

Screen shot of the function setup

Set Up the Firebox

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select System > Logging.
    The Logging page opens.
  3. Select the Syslog Server tab.
  4. Select the Send log messages to these syslog servers check box.
  5. Click Add.
    The Syslog Server dialogue box opens.
  6. In the IP Address text box, type the IP address of your Azure Sentinel Agent.
  7. In the Port text box, type 514.
  8. From the Log Format drop-down list, select Syslog.
  9. Select syslog facility you need (for example, default settings).

Screen shot of the Syslog Server configuration

  1. Click OK.
  2. Click Save.

You can configure logging in many locations in the Firebox configuration, such as policies and proxies. Make sure you select Send a log message when you want the Firebox to generate a log message for an event.

Screen shot of the Logging dialog box

Test the Integration

  1. After the Firebox starts to send log to Azure Sentinel Agent, in the WatchGuard Firebox connector page, select Next steps.

Screen shot of the Watchguard Firebox connector

  1. Select the first query sample, then click Run.

Screen shot of the Query sample

Information about the query appears.

Screen shot of the query

Filter Logs

Information from sources other than the Firebox can sometimes appear in Syslog data. For example, in the query results shown in the Test the Integration section of this document, localhost events are not related to the Firebox. To run a query that returns events from only the Firebox, you can filter the query by host name or computer.

Example query that excludes events from the host name localhost:

Screen shot of the query

Example query that only includes events from the host name Member1:

Screen shot of the query