Microsoft Sentinel with WatchGuard Firebox Integration Guide

This document describes the integration of Microsoft Sentinel with your WatchGuard Firebox.

Microsoft Sentinel is a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise and provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

The Microsoft Sentinel integration does not currently support Fireboxes deployed in Azure Government Community Cloud.

Contents

Integration Summary

The hardware and software used in this guide include:

  • Microsoft Sentinel Cloud
  • Microsoft Monitoring Agent
  • Rsyslog Server with v8.24.0-57.el7_9.3
  • Firebox with Fireware v12.10

Topology

Test Topology

Before You Begin

Before you begin these procedures, make sure that:

  • You have configured the workspace and resource group in Microsoft Sentinel.
  • You have installed and configured your rsyslog server.
  • Your rsyslog server can receive Firebox logs.

To configure Microsoft Sentinel with your Firebox, complete these steps:

  1. Configure Microsoft Sentinel
  2. Configure the Firebox

Configure Microsoft Sentinel

To configure Microsoft Sentinel:

  1. Log in to the Microsoft Azure portal.
  2. In the Search Resources, Services, and Docs search box, search for and select Microsoft Sentinel.
    The Microsoft Sentinel page opens with the list of workspaces that have Microsoft Sentinel installed.

    3. Screen shot of the workspace list

  3. From the list, select your workspace.
    The Microsoft Sentinel Overview page for your selected workspace opens.

    4. Screen shot of the workspace

  4. On the Overview page, from the navigation menu, in the Content Management section, select Content Hub.
    The Content Hub page opens.

    5. Screen shot of the data connectors

  5. On the Content Hub page, search for and select the WatchGuard Firebox connector.
  6. Click Install.
    The WatchGuard Firebox connector installs.
  7. From the navigation menu, in the Configuration section, select Data Connectors.
    The Data Connectors page opens.

    8. Screen shot of the WatchGuard Firebox connector

  8. From the list of installed connectors, select WatchGuard Firebox.
  9. Click Open Connector Page.
    The WatchGuard Firebox connector page opens.

    10. Screen shot of the agent installation

  10. In the Configuration section, select Install Agent on a Non-Azure Linux Machine, then click Download & Install Agent for Non-Azure Linux Machines, and follow the steps to install the Microsoft Monitoring Agent.

    11. Screen shot of the Instructions tab

  11. After you install the Microsoft Monitoring Agent and configure it with the keys for your workspace ID, return to the WatchGuard Firebox connector page and click Open Your Workspace Agents Configuration .
    The Legacy Agents Management page opens.

    12. Screen shot of the Agents configuration

  12. To add the facilities you want to collect data from, on the Syslog page, click Add Facility, then add the facilities you need. For example, local0 to local7, kern and syslog.
  13. Click Apply.
    The agent configuration saves.
  14. Return to the WatchGuard Firebox connector page.

    15. Screen shot of the WatchGuard Firebox connector

  15. Click Go to Log Analytics.
    The Logs page opens.

    16. Screen shot of the function setup

  16. From the navigation menu, select Functions > Workspace Functions.
  17. Verify that the WatchGuardFirebox function exists and that Microsoft Sentinel can analyze the function.

Configure the Firebox

To configure your Firebox:

  1. Log in to Fireware Web UI at https://<your firebox IP address>:8080.
  2. Select System > Logging.
    The Logging page opens.
  3. Select the Syslog Server tab.
  4. Select the Send Log Messages to These Syslog Servers check box.
  5. Click Add.
    The Syslog Server dialog box opens.

    6. Screen shot of the Syslog Server configuration

  6. In the IP Address text box, type the IP address of your Microsoft Monitoring Agent.
  7. In the Port text box, type 514.
  8. From the Log Format drop-down list, select Syslog.
  9. For each type of device log message, from the drop-down list, select the syslog facility.
  10. Click OK.
  11. Click Save.

You can configure logging in many areas in the Firebox configuration, such as policies and proxies. Make sure you select Send a Log Message when you want the Firebox to generate a log message for an event.

Screen shot of the Logging dialog box

Test the Integration

To test the integration of Microsoft Sentinel with your Firebox, after the Firebox starts to send logs to Microsoft Monitoring Agent:

  1. Log in to the Microsoft Azure portal.
  2. From the search box, search for and select Microsoft Sentinel.
  3. Selected the workspace you created.
  4. From the navigation menu, in the Configuration section, select Data Connectors.
  5. Select the WatchGuard Firebox connector.

    6. Screen shot of the WatchGuard Firebox connector

  6. Select Go to Log Analytics.
    The Logs page opens.

    7. Screen shot of the query

  7. Run queries to get the information you want.

You can use the queries to:

  • Filter Logs
  • View the Parse Definitions

Filter Logs

Information from sources other than the Firebox can sometimes appear in Syslog data. To run a query that returns events from only the Firebox, you can filter the query by host name or computer.

Example 1

Query that excludes events from the host name localhost:

Screen shot of the query

Example 2

Query that includes events from only the hostname M400:

Screen shot of the query

Parser Definition

Users can verify which parsers are supported by the WatchGuard Firebox connector.

To view the supported parsers:

  1. On the WatchGuard Firebox connector Logs page, from the navigation menu, select Functions > Workspace Functions > WatchGuardFirebox.

    2. Screen shot of the query

  2. Click Load the Function Code.
    All the supported parsers are displayed.

    3. Screen shot of the query