Azure Sentinel /SIEM Integration (CEF or other connector)

Most SMBs that need a Firebox are eventually going to need a SIEM. Current SIEM capabilities to look at everything through syslog are a pain, and not something most SMBs are going to want to deal with. Azure Sentinel will be the default SIEM for nearly all SMBs that use Office 365, since ingestion of O365 data is free.

So, for the SMB base, we should really get some good SIEM integration. I mean, the price of a Firebox is small compared to making the syslog stuff work cleanly, and many (including us) will only be using appliances that are fully integrated into SIEMs, like Sentinel. We will be making our decision Q2 next year, as dictated by our POAM required by our contracts.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Raven

    At this time, WatchGuard has started the process of looking into it and determining if/how it'd fit into our products.

    There's a previous discussion that you might want to look at here:
    https://community.watchguard.com/watchguard-community/discussion/comment/4882

    -James Carson
    WatchGuard Customer Support

  • Thanks, I had commented there also... just thought it worthwhile to post something about it in the "Product Enhancements" forum instead of the general forum :)

  • @James_Carson Any updates or thoughts on this? We're heading into our next quarterly cybersecurity review, and have to update status on this item. Last quarter it popped up as a discussion point, and we'll likely need to assign a plan-of-action this quarter. Without any update here, I can't see any other plan of action other than shifting over to Palo Alto or FortiGate to get the integration with our SIEM that we need. Just trying to be upfront about our needs and plans here.

    Thanks!

  • james.carson Moderator, WatchGuard Representative

    Hi @Raven

    It looks like the development team is currently working through getting a connector built in order for this to work and is currently testing it. I don't have an ETA as to when this will be finished yet. I do not expect it to be done this quarter.

    If you'd like updates on this, I'd suggest opening a support case and mentioning somewhere that you'd like to track feature request FBX-14281 -- that'll provide you the most direct access to updates on it.

    -James Carson
    WatchGuard Customer Support

  • edited February 2021

    @James_Carson I have the same concern as @Raven. Logging is an essential element in the security requirements we are required to complete. The ability to forward the WG logs to our Sentinel instance allows us to review the content from one central SIEM. What progress has been made in creating a connector to accommodate this feature? I am certain this feature will be an essential element when considering the purchase of a WG versus another vendor's product which does have this capability. This concern has been brought up in several blogs that I participate in, and I'd like to report back with the current status. Thank you for your assistance.

  • james.carson Moderator, WatchGuard Representative

    Hi @KThomas
    There aren't any updates on this in the two months since the last comment. If you'd like updates on the status of that feature request, please open a support case and mention FBX-14281. The support rep that is assigned the case can set it up to notify you of updates on that request.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Nick WatchGuard Representative

    Hello,

    I'm happy to let you all know that this integration is now supported and documented below:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/Microsoft Azure Sentinel.html

    -NjM

  • edited June 2021

    Great, glad I came across this (Sentinel may prove central to some of the services we offer) - thanks @NickMedlock. Are you releasing any workbooks and rule templates to go along with the connector (it's no good just getting data in there)?

    All Fireboxes (T-Series, M-Series, FireboxV, Firebox Cloud etc.); EPDR, Advanced EPDR/Cytomic, Orion (Threat Hunting); WiFi, AuthPoint. WSC/Cloud. Management of a few hundred Fireboxes, and a few thousand EPDR endpoints. Platinum Partner. Views my own (if any!).
