SonicWall Firewall Log integration with Microsoft Sentinel

04/02/2024 5 People found this article helpful 468,633 Views

Description

What is Azure Sentinel

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel is your birds-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.
Data Source of Sentinel

To on-board Azure Sentinel, you first need to connect to your security sources. Azure Sentinel comes with several connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft Threat Protection solutions, and Microsoft 365 sources, including Office 365, Azure AD, Azure ATP, and Microsoft Cloud App Security, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use common event format, Syslog or REST-API to connect your data sources with Azure Sentinel as well.

For SonicWall devices, we will use the standard syslog as data source, the format of syslog is CEF (aka Arcsight). We will need to run a forwarder on a Linux machine. The Linux can be a VM on Azure or a physical machine on the premise. In this article, we will use a VM on Azure.
Security Policy for the VM

Assume you already have a Linux based VM on Azure. If not, please create a VM first. The Linux forward agent need to get syslog packet from SonicWall Firewall, so you need to open UDP port 514 on this VM. This can be done by using below rule:
Running syslog forwarder on Azure
On the Azure Sentinel Page, click the "Data Connectors" under Configuration and choose the "SonicWall Firewall" as following:

Click the "Open connector page" as above.

You can now login into your Linux VM with SSH and following the instructions on the screen as shown below:

Once you have done the step 1 to 3, you successfully have setup the forwarder agent on Linux machine. Please write down the IP address of this Linux machine, you need to set this IP on the SonicWall Firewall side.

TIP: Refer to CEF Connector section in Azure Sentinel help link here for more details on this.
Configure syslog on SonicOS

Configure a syslog server using syslog format as ArcSight as following:

You can also configure what type of event will be sent out by syslog:
Integration with Azure Sentinel

Once you have done the above steps, you shall receive SonicOS generated CEF message in Sentinel Console

The syslog messages sent by SonicWall is categorized as "CommonSecurityLog". There are about 1Million events received from SonicWall device in the above example.

You may do further data analysis inside the Azure Sentinel workspace.

Reference:
Azure Sentinel Overview: https://docs.microsoft.com/en-us/azure/sentinel/overview
Microsoft Syslog forwarder: https://docs.microsoft.com/en-us/azure/sentinel/overview
Azure Sentinel data source: https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources