Recently I led a team that introduced new infrastructure on Microsoft Azure to serve tens of thousands of citizens as part of the Coronavirus response.
This meant that the infrastructure would be scaled up and out significantly to meet the demand.
As with all platforms, it’s essential to have appropriate monitoring and assessment of performance, health and security. Given the scale to which this platform would be provisioned, a central resource which would collect and provide analysis of all activity would be essential.
One area in particular where this insight would be essential is the Web Application Firewalls (WAFs). In this case, the appliance was one I have used on previous occasions, the Barracuda CloudGen WAF, deployed in a Virtual Machine Scale Set (VMSS). The cool thing about this WAF being provisioned in a VMSS is that it can be easily scaled to meet demand via intelligent automation.
In this particular case, the WAF remained scaled in the double-figures to service an intense workload. That’s right… double figures!
Whilst scaling such an appliance can be a relatively straightforward task, monitoring and managing it can be a little more cumbersome. Think of having to sift through Web Access logs, Syslogs and Web Firewall logs across any number of different instances.
In order to make the monitoring of this element of the environment that little bit more straightforward, I opted for Azure Sentinel – all logs, in one place.
In this article, I’d like to share how I set up the WAFs to send logs and telemetry to Azure Sentinel for collection and assessment.
Firstly, what is Azure Sentinel?
If you’ve ever been part of a Security Operations team, or at least worked with one, you’ll appreciate the immense number of events which are ingested and need to be examined in order to determine legitimate issues, vulnerabilities or threats. The larger the estate, the more logs there are to be sifted through and assessed, all in an effort to ensure legitimate threats don’t go unnoticed.
It’s for this reason that Microsoft produced their own Security Information and Event Management (SIEM) solution, native to the cloud, known as Azure Sentinel. It uses Artificial Intelligence to perform intelligent security analytics so that you are able to identify real threats quickly, and it avoids the typical burden of setting up, maintaining and scaling infrastructure that comes with traditional SIEMs. It provides tools which enable you to hunt and investigate suspicious activities, with the ability to automate responses to common tasks and threats.
Exporting the Logs to Azure Sentinel
Once one or more OMS (Log Analytics) Workspaces have been added to Azure Sentinel, you will need the OMS Workspace ID and OMS Primary Key of the workspace that is to receive events from your WAF instances.
You can obtain these details from the Data Connectors page in Azure Sentinel.
There are a number of connectors which can be added; in this case, Barracuda CloudGen WAF. Upon selection, open the connector page.
Instructions will open, including the workspace details which will be needed to connect the WAF instances.
On the Barracuda CloudGen WAF, navigate to the Advanced tab, open Export Logs, choose Add Export Log Server, and enter the details of your OMS Workspace.
The next step is to configure the format of the logs which are to be sent. The Syslog Header should be set to ArcSight Log Header, with the rest set to Microsoft Azure OMS.
You may decide to tailor specific modules for sending. Here’s an example with a tailored Log Level.
In the Azure Sentinel Data Connectors page, you’ll observe the Data types being received from the WAF instances.
In Log Analytics, you can search both the CommonSecurityLog (Barracuda) and barracuda_CL logs being sent by your WAF instances.
Here are a few queries you can run:
CommonSecurityLog | where DeviceVendor == "Barracuda" | sort by TimeGenerated
CommonSecurityLog | where DeviceVendor == "Barracuda" | summarize count() by ApplicationProtocol, DestinationIP | sort by count_ desc
barracuda_CL | where Vendor_s == "Barracuda" and Product_s == "WAF" | sort by TimeGenerated
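To make the ArcSight Log Header setting and the CommonSecurityLog queries above concrete, here is an added example (not code from this article, from Barracuda or from Microsoft) that parses CEF-formatted syslog lines into CommonSecurityLog-style records and runs the equivalent of the summarize query offline. The sample lines are constructed; the extension keys used (src, dst, app, requestMethod, request, dvchost, msg) are standard CEF keys and their mapping to CommonSecurityLog columns is the conventional one, so the exact keys a real Barracuda appliance emits are an assumption here.

```python
"""Added example: parse ArcSight (CEF) formatted WAF syslog lines into
CommonSecurityLog-style records and run the article's queries offline."""
import re
from collections import Counter

# Constructed sample lines: RFC 3164-style syslog prefix followed by a CEF
# payload.  Vendor/Product match the article's queries; everything else is
# made up for this example.
SAMPLE_LINES = [
    "<134>Apr 20 10:15:01 waf-01 CEF:0|Barracuda|WAF|1.0|WF|Web Firewall Log|5|"
    "src=203.0.113.10 dst=10.0.0.4 app=HTTPS requestMethod=GET request=/login dvchost=waf-01",
    "<134>Apr 20 10:15:02 waf-02 CEF:0|Barracuda|WAF|1.0|WF|Web Firewall Log|5|"
    "src=203.0.113.11 dst=10.0.0.4 app=HTTPS requestMethod=POST request=/login dvchost=waf-02",
    "<134>Apr 20 10:15:03 waf-01 CEF:0|Barracuda|WAF|1.0|TR|Access Log|3|"
    "src=203.0.113.12 dst=10.0.0.5 app=HTTP requestMethod=GET request=/health?x\\=1 dvchost=waf-01",
    "<134>Apr 20 10:15:04 waf-02 CEF:0|Barracuda|WAF|1.0|SYS|Config \\| Change|1|"
    "dvchost=waf-02 msg=policy reloaded",
    "<134>Apr 20 10:15:05 fw-01 CEF:0|ExampleVendor|Firewall|2.0|100|Allowed|1|"
    "src=198.51.100.7 dst=10.0.0.4 app=HTTPS dvchost=fw-01",
]

# The seven CEF header fields in order (after "CEF:version"), named as the
# CommonSecurityLog columns they feed.
HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]
# Standard CEF extension keys -> CommonSecurityLog columns (assumed mapping;
# keys not listed here are kept under AdditionalExtensions).
EXTENSION_COLUMNS = {
    "src": "SourceIP", "dst": "DestinationIP", "app": "ApplicationProtocol",
    "requestMethod": "RequestMethod", "request": "RequestURL",
    "dvchost": "DeviceName", "msg": "Message",
}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")   # a pipe that is not escaped
_EXT_SPLIT = re.compile(r"\s+(?=\w+=)")    # whitespace right before the next key=
_ESCAPE = re.compile(r"\\(.)")             # a CEF backslash escape


def _unescape(value: str) -> str:
    """Undo CEF escaping: backslash-pipe, -equals and -backslash become the
    literal character; backslash-n and backslash-r become line breaks."""
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF payload into a flat record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header (expected 7 pipe-separated fields)")
    record = {"CefVersion": parts[0][len("CEF:"):]}
    for column, raw in zip(HEADER_COLUMNS, parts[1:7]):
        record[column] = _unescape(raw)
    extras = {}
    extension = parts[7].strip()
    for pair in (_EXT_SPLIT.split(extension) if extension else []):
        key, _, raw = pair.partition("=")
        column = EXTENSION_COLUMNS.get(key)
        if column is None:
            extras[key] = _unescape(raw)
        else:
            record[column] = _unescape(raw)
    record["AdditionalExtensions"] = extras
    return record


def parse_lines(lines):
    """Parse every line; lines without a usable CEF payload are skipped."""
    records = []
    for line in lines:
        try:
            records.append(parse_cef(line))
        except ValueError:
            continue
    return records


def where_vendor(records, vendor="Barracuda"):
    """Equivalent of: CommonSecurityLog | where DeviceVendor == "Barracuda"."""
    return [r for r in records if r.get("DeviceVendor") == vendor]


def summarize_by_protocol_and_destination(records):
    """Equivalent of: summarize count() by ApplicationProtocol, DestinationIP
    | sort by count_ desc.  Missing columns count as empty strings, as in KQL."""
    counts = Counter((r.get("ApplicationProtocol", ""), r.get("DestinationIP", ""))
                     for r in records)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def count_by_device(records):
    """Events per reporting WAF.  Two appliances sharing a hostname would be
    merged here, which is why each WAF needs a unique hostname."""
    return Counter(r.get("DeviceName", "") for r in records)


if __name__ == "__main__":
    barracuda = where_vendor(parse_lines(SAMPLE_LINES))
    for (protocol, destination), n in summarize_by_protocol_and_destination(barracuda):
        print(f"{protocol or '-':6} {destination or '-':12} {n}")
    print(dict(count_by_device(barracuda)))
```

The parser splits the header on unescaped pipes only and the extension on whitespace that precedes a key=, so values containing escaped pipes or equals signs (the Config \| Change activity and the /health?x\=1 request above) survive intact; the non-Barracuda line is parsed but dropped by where_vendor, mirroring the where clause in the queries.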
One of the neat features of Azure Sentinel is the ability to query a Livestream of logs as they are ingested, in this case from the WAFs.
One thing to note:
If you have two or more Barracuda Web Application Firewalls sending logs to a single OMS workspace, the hostname of each Barracuda Web Application Firewall must be unique for the OMS graphs to work correctly. You can configure the hostname under Domain Configuration in the BASIC > IP Configuration page.
(An excerpt from barracuda.com)
Other Resources – Azure Sentinel
Quick Start – On-Board: https://docs.microsoft.com/en-gb/azure/sentinel/quickstart-onboard
Use built-in analytics to detect threats: https://docs.microsoft.com/en-gb/azure/sentinel/tutorial-detect-threats-built-in