Recently I led a team that introduced new infrastructure on Microsoft Azure to serve tens of thousands of citizens as part of the Coronavirus response.

This meant that the infrastructure would be scaled up and out significantly to meet the demand.

As with all platforms, it’s essential to have appropriate monitoring and assessment of performance, health and security. Given the scale to which this platform would be provisioned, a central resource that collects and analyses all activity would be essential.

One area in particular where this insight would be essential is the Web Application Firewalls (WAF). In this case, the appliance was one I have used on occasion before, the Barracuda CloudGen WAF, deployed in a Virtual Machine Scale Set (VMSS). The cool thing about provisioning this WAF in a VMSS is that it can be easily scaled to meet demand via intelligent automation.

In this particular case, the WAF remained scaled in the double-figures to service an intense workload. That’s right… double figures!

Whilst scaling such an appliance can be a relatively straightforward task, monitoring and managing it can be a little more cumbersome. Think of having to sift through Web Access logs, Syslogs and Web Firewall logs across x number of different instances.

In order to make the monitoring of this element of the environment that little bit more straightforward, I opted for Azure Sentinel – all logs, in one place.

In this article, I’d like to share how I set up the WAFs to send logs and telemetry to Azure Sentinel for collection and assessment.

Firstly, what is Azure Sentinel?

If you’ve ever been part of a Security Operations team, or at least worked with one, you’ll appreciate the immense number of events which are ingested and need to be examined in order to determine legitimate issues, vulnerabilities or threats. The larger the estate, the more logs there are to be sifted through and assessed, all in an effort to ensure legitimate threats don’t go unnoticed.

It’s for this reason that Microsoft produced their own cloud-native Security Information and Event Management (SIEM) solution, known as Azure Sentinel. It uses artificial intelligence to perform security analytics so that you can identify real threats quickly, and it avoids the typical burden of setting up, maintaining and scaling infrastructure that comes with traditional SIEMs. It provides tools to hunt and investigate suspicious activity, with the ability to automate responses to common tasks and threats.

Exporting the Logs to Azure Sentinel

Assuming one or more OMS Workspaces are already added to Azure Sentinel, you will need the OMS Workspace ID and OMS Primary Key of the workspace that is to receive events from your WAF instances.

You can obtain these details from the Data Connectors page in Azure Sentinel.

There are a number of connectors which can be added; in this case, choose Barracuda CloudGen WAF. Upon selection, open the connector page.

Instructions will open, including the workspace details which will be needed to connect the WAF instances.

On the Barracuda CloudGen WAF, navigate to the Advanced tab, open Export Logs, and choose Add Export Log Server.

… and enter the details of your OMS Workspace.

The next step is to configure the format of the logs to be sent. The Syslog Header should be set to ArcSight Log Header, with the remaining log formats set to Microsoft Azure OMS.

You may decide to tailor which modules are sent. Here’s an example with a tailored Log Level.

In the Azure Sentinel Data Connectors page, you’ll observe the data types being received from the WAF instances.

In Log Analytics, you can search both the CommonSecurityLog table (where the Barracuda CEF events land) and the Barracuda_CL table being sent by your WAF instances.

Here are a few queries you can run. The first lists all Barracuda events in time order:

CommonSecurityLog
| where DeviceVendor == "Barracuda"
| sort by TimeGenerated

The second counts events per application protocol and destination. Note that after a summarize the TimeGenerated column no longer exists, so the result is sorted by the count instead:

CommonSecurityLog
| where DeviceVendor == "Barracuda"
| summarize count() by ApplicationProtocol, DestinationIP
| sort by count_ desc

The third queries the custom Barracuda_CL table (table names in Log Analytics are case-sensitive):

Barracuda_CL
| where Vendor_s == "Barracuda" and Product_s == "WAF"
| sort by TimeGenerated
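To show what the ArcSight Log Header setting actually puts on the wire, and how the queries above relate to it, here is an added example (not code from the article or from Barracuda) that parses CEF-formatted syslog lines, maps the header and extension fields onto the CommonSecurityLog column names used in the queries, and runs the same summarize/sort logic locally over a handful of constructed events. The column mapping (src to SourceIP, dst to DestinationIP, act to DeviceAction and so on) follows the CommonSecurityLog schema; the Barracuda event class ID, severities, hostnames, IPs and paths in the sample are constructed for illustration and were not captured from a real appliance.

```python
"""Parse CEF (ArcSight-style) syslog lines and summarize them the way the
article's KQL queries do. Added example; all sample data is constructed."""
import re
from collections import Counter

# Constructed sample: four syslog+CEF lines from two hypothetical WAF hosts.
# Note that each appliance carries its own hostname (waf-01, waf-02).
SAMPLE_LOG = """\
<134>Apr 20 10:15:01 waf-01 CEF:0|Barracuda|WAF|10.1|WF|Web Firewall Log|4|src=203.0.113.7 dst=10.0.0.5 dpt=443 app=HTTPS requestMethod=GET request=/login act=ALLOW
<134>Apr 20 10:15:02 waf-01 CEF:0|Barracuda|WAF|10.1|WF|Web Firewall Log|8|src=198.51.100.9 dst=10.0.0.5 dpt=443 app=HTTPS requestMethod=POST request=/admin act=DENY
<134>Apr 20 10:15:03 waf-02 CEF:0|Barracuda|WAF|10.1|WF|Web Firewall Log|8|src=198.51.100.9 dst=10.0.0.5 dpt=443 app=HTTPS requestMethod=GET request=/search?q=a\\=b act=DENY
<134>Apr 20 10:15:04 waf-02 CEF:0|Barracuda|WAF|10.1|WF|Web Firewall Log|8|src=198.51.100.9 dst=10.0.0.6 dpt=80 app=HTTP requestMethod=GET request=/ act=DENY
"""

# CEF header order after the "CEF:0" version field, with the
# CommonSecurityLog column each field lands in.
HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]

# Common CEF extension keys and their CommonSecurityLog columns.
EXTENSION_COLUMNS = {
    "src": "SourceIP", "dst": "DestinationIP", "dpt": "DestinationPort",
    "app": "ApplicationProtocol", "requestMethod": "RequestMethod",
    "request": "RequestURL", "act": "DeviceAction",
}

# A key is a run of key characters followed by '=', at the start of the
# extension or after whitespace; an escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value):
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' -> newline."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def split_header(cef):
    """Split the seven '|'-delimited header fields, honouring '\\|' escapes.
    Returns (fields, extension_text)."""
    fields, current, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            current.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(current)); current = []; i += 1
        else:
            current.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, cef[i:]


def parse_extension(ext):
    """Parse 'key=value key2=value' pairs; values may contain spaces."""
    matches = list(_KEY_RE.finditer(ext))
    pairs = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end].strip())
    return pairs


def parse_line(line):
    """Turn one syslog+CEF line into a dict keyed by CommonSecurityLog columns."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    prefix_tokens = line[:idx].split()          # syslog PRI, timestamp, host
    fields, ext = split_header(line[idx:])
    record = {"DeviceName": prefix_tokens[-1] if prefix_tokens else ""}
    record.update(zip(HEADER_COLUMNS, fields[1:]))   # skip the "CEF:0" field
    for key, value in parse_extension(ext).items():
        record[EXTENSION_COLUMNS.get(key, key)] = value
    return record


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize_count(records, *columns):
    """Local equivalent of KQL 'summarize count() by <columns> | sort by count_ desc'."""
    counts = Counter(tuple(r.get(c) for c in columns) for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def denied_sources(records, threshold=3):
    """Source IPs with at least `threshold` DENY decisions across all WAF hosts."""
    denies = Counter(r["SourceIP"] for r in records if r.get("DeviceAction") == "DENY")
    return {ip: n for ip, n in denies.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize_count(recs, "ApplicationProtocol", "DestinationIP"))
    print(denied_sources(recs))
```

The `denied_sources` pass is the local counterpart of a `summarize count() by SourceIP` over `DeviceAction == "DENY"` events, which is a natural first hunting query once the WAF data is flowing; because the events from every scale-set instance share one table, a source that is being blocked across several appliances shows up in a single count.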

One of the neat features of Azure Sentinel is the ability to query a Livestream of logs as they are ingested, in this case from the WAFs.

Example Reference

One thing to note

If you have two or more Barracuda Web Application Firewalls sending logs to a single OMS workspace, the hostname of each Barracuda Web Application Firewall must be unique for the OMS graphs to work correctly. You can configure the hostname under Domain Configuration in the BASIC > IP Configuration page.

An excerpt from barracuda.com.

Other Resources – Azure Sentinel

Quick Start – On-Board: https://docs.microsoft.com/en-gb/azure/sentinel/quickstart-onboard

Use built-in analytics to detect threats: https://docs.microsoft.com/en-gb/azure/sentinel/tutorial-detect-threats-built-in