Microsoft Cloud App Security Integration Guide

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that supports various deployment modes, such as log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

This document describes the steps to integrate Microsoft Cloud App Security with your WatchGuard Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Microsoft Cloud App Security Cloud
  • WatchGuard Firebox
    • Fireware v12.5.7

Test Topology

Test Topology

Set Up Microsoft Cloud App Security

  1. Log in to Microsoft Cloud App Security.
  2. Select Settings > Log collectors.

Screen shot of the log collector Settings

  3. On the Data sources tab, click Add data source.

Screen shot of the log collector Settings

  4. In the Name text box, type the data source name.
  5. From the Source drop-down list, select WatchGuard XTM.
  6. From the Receiver type drop-down list, select Syslog - UDP.

Screen shot of the Add data source

  7. Click Add.
  8. Select the Log collectors tab.

Screen shot of the Add data source

  9. Click Add log collector.
  10. In the Name text box, type the log collector name.
  11. In the Host IP address or FQDN text box, type the log collector server IP address.
  12. In the Data source(s) text box, select the data source you added.

Screen shot of the Create log collector

  13. Click Create.
  14. Follow the guide to deploy the log collector server.

Screen shot of the Create log collector

  15. Click Close.

Set Up Firebox

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select System > Logging.
    The Logging page opens.
  3. Select the Syslog Server tab.
  4. Select the Send log messages to these syslog servers check box.
  5. Click Add.
    The Syslog Server dialog box opens.
  6. In the IP Address text box, type the IP address of your log collector server.
  7. In the Port text box, type 514.
  8. From the Log Format drop-down list, select IBM LEEF.
  9. Do not change the default values for the other Syslog Server settings.

Screen shot of the configure syslog server

  10. Click OK.
  11. Click Save.

You can configure logging in many locations in the Firebox configuration, such as policies and proxies. Make sure you select Send a log message when you want the Firebox to generate a log message for an event.

Screen shot of the Logging

Test the Integration

  1. Log in to Microsoft Cloud App Security.
  2. Select Settings > Governance log.
  3. Confirm that the status for Parse Cloud Discovery log is Successful.

Screen shot of the Governance log

  4. Select Discover > Cloud Discovery.
  5. Confirm that integration was successful.

Screen shot of the Cloud Discovery

In the default firewall configuration state, with no proxy policies and no traffic through the Firebox, you might see the message "Failed, Log format does not match the expected format for WATCHGUARD_XTM_SYSLOG" in the governance log. You can safely ignore this message.
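
To check on the log collector server that the syslog datagrams from the Firebox carry LEEF records, as selected in the Log Format step, you can parse the LEEF 1.0 header and its tab-separated attributes from captured payloads. This is an added example, not part of the WatchGuard or Microsoft documentation; the function names are hypothetical, and the sample datagrams are constructed, with illustrative vendor, product, event, and attribute values rather than captured Firebox output.

```python
import re

# Optional syslog priority, e.g. "<140>", at the start of a datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>")
HEADER_FIELDS = ("vendor", "product", "version", "event_id")

# Constructed sample payloads (not captured from a Firebox).
SAMPLES = [
    b"<140>Jan 10 12:00:01 Firebox LEEF:1.0|WatchGuard|XTM|12.5.7|example-event|"
    b"src=10.0.1.2\tdst=203.0.113.10\tdstPort=443\tproto=tcp",
    b"<140>Jan 10 12:00:02 Firebox firewall: Allow 10.0.1.2 203.0.113.10",
    b"<140>Jan 10 12:00:03 Firebox LEEF:1.0|WatchGuard|XTM",
]


def parse_leef(datagram: bytes) -> dict:
    """Parse one syslog datagram that should carry a LEEF 1.0 record.

    Raises ValueError if the payload is not a well-formed LEEF 1.0 line.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    pri = PRI_RE.match(text)
    start = text.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    # Header: LEEF:1.0|vendor|product|version|event_id|<attributes>
    parts = text[start:].split("|", 5)
    if len(parts) != 6 or not all(parts[1:5]):
        raise ValueError("incomplete LEEF header")
    if parts[0] != "LEEF:1.0":
        raise ValueError(f"unsupported LEEF version: {parts[0]!r}")
    record = dict(zip(HEADER_FIELDS, parts[1:5]))
    record["priority"] = int(pri.group(1)) if pri else None
    record["attrs"] = {}
    for pair in filter(None, parts[5].split("\t")):  # tab-separated key=value
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute: {pair!r}")
        record["attrs"][key] = value
    return record


def check(datagrams):
    """Return (number of valid records, [(index, error message), ...])."""
    ok, errors = 0, []
    for i, dgram in enumerate(datagrams):
        try:
            parse_leef(dgram)
            ok += 1
        except ValueError as exc:
            errors.append((i, str(exc)))
    return ok, errors
```

Feed check() the UDP payloads captured on port 514 of the log collector server; entries in the error list point to messages that are not in LEEF format.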