F5 Advanced WAF Integration via Syslog/CEF for Microsoft Sentinel

F5, Inc.

F5 Advanced WAF Integration via Syslog/CEF for Microsoft Sentinel

F5, Inc.

Send real-time attack events and logs from F5’s Advanced WAF to your Microsoft Sentinel workspace

F5’s industry-leading BIG-IP Advanced Web Application Firewall (WAF) provides comprehensive application protection against threats and can be integrated with Microsoft Sentinel to analyze attack events and data in real-time.

BIG-IP Advanced WAF leverages behavioral analytics, automated learning capabilities, and risk-based policies to secure your website, mobile apps, and APIs—whether in a native or hybrid Azure environment. Core capabilities of BIG-IP Advanced WAF include:

  • Proactive bot defense protects against automated malicious bots while maintaining access for the good bots that help your business.
  • L7 DoS mitigation to thwart app-layer denial of service attacks
  • OWASP Top 10 compliance dashboard to monitor prevention of OWASP Top 10 threats.
  • API protocol security to secure REST/JSON, XML & GWT APIs
  • Behavioral analytics and machine learning provide highly accurate application-layer DoS detection and mitigation
  • In-Browser data encryption protects against data-extracting malware and keyloggers.
  • Virtual patching to mitigate code-level and common vulnerabilities
  • Real-time reporting and telemetry streaming capabilities allow for fast analysis of attacks and exportation of data to 3 party analytics and visualization tools such as Microsoft Sentinel

Integrating BIG-IP Advanced WAF with Microsoft Sentinel allows attack events and logs to be sent, visualized and analyzed in real-time within your Microsoft Sentinel workspace. Information can be transferred to Microsoft Sentinel in two different ways; either through use of F5’s Telemetry Streaming extension or by sending information in Common Event Format (CEF). The information below pertains to using the CEF method – if you would like to use F5’s Telemetry Streaming extension then please review this listing.

Within BIG-IP Advanced WAF, security logging profiles can be configured to send attack events and data to Microsoft Sentinel in CEF format over Syslog, using F5’s technology partner Arcsight. In order to enable this capability BIG-IP must be running v11.6.x or later. The resources below detail how to set up security logging profiles with CEF to begin sending data to Microsoft Sentinel, and a variety of options for deploying BIG-IP Advanced WAF on Azure from the Marketplace.

Additional Resources

· BIG-IP Advanced WAF Event Logging: Operations Guide | AskF5

· Configuring Application Security Event Logging | AskF5

· Deploy BIG-IP Advanced WAF Virtual Edition (PAYG) from the Azure Marketplace

· Deploy BIG-IP Best Virtual Edition (PAYG) from the Azure Marketplace

· Deploy BIG-IP Advanced WAF (BYOL) from the Azure Marketplace