FortiGate Azure Technical Learning
YaseAraf
Staff

A guide to sending your logs from FortiWeb to Microsoft Sentinel using the Azure Monitor Agent (AMA).


Introduction

 

Some clients may require forwarding logs to one or more centralized log solutions, such as Microsoft Sentinel. This supports advanced analytics, diverse compliance requirements, and various operational needs.

This guide provides a comprehensive walkthrough for integrating FortiWeb VM with Microsoft Sentinel via Azure Monitor Agent (AMA).

 

Data Flow

To ingest CEF logs from FortiWeb into Microsoft Sentinel, a dedicated Linux machine is configured as a proxy (log forwarder) that collects the logs and forwards them to the Microsoft Sentinel workspace.

The Linux machine is structured with two key components:

  • Syslog Daemon (Log Collector): using rsyslog, this daemon performs two functions:

    • It listens for log messages in CEF format sent by FortiWeb over UDP/TCP port 514.
    • It forwards the received logs to the Azure Monitor Agent (AMA) on localhost over TCP port 28330.
  • Azure Monitor Agent (AMA): the agent parses the logs and sends them to your Microsoft Sentinel (Log Analytics) workspace over HTTPS (port 443).

[Screenshot: fwbvm-dataflow.png]

For more details, please review this link.

 

Deployment and Setup

Prerequisites:

  • Log Analytics Workspace (link).
  • Microsoft Sentinel onboarded with the Log Analytics Workspace (link).
  • Dedicated Linux VM (link).

To establish the integration between Microsoft Sentinel and FortiWeb, follow these steps:

  • Install Fortinet FortiWeb Cloud WAF-as-a-Service connector
  • Install Common Event Format Data Connector
  • Create Data Collection Rule (DCR) (if you don't have one)
  • Install CEF Collector on Linux VM
  • Configure FortiWeb

Install Fortinet FortiWeb Cloud WAF-as-a-Service connector

  • Navigate to Microsoft Sentinel workspace ---> Content management ---> Content hub.
  • Search for "Fortinet FortiWeb Cloud WAF-as-a-Service connector" and install it.

[Screenshot: fortiweb-connector.png]

This also installs some hunting queries, playbooks and a workbook:

  • Fortiweb - identify owasp10 vulnerabilities: query that searches threat events and helps identify threats matching the OWASP Top 10 vulnerability categories.
  • Fortiweb - Unexpected countries: query that groups requests by country and helps identify requests coming from unexpected countries.
  • FortiWeb Parser
  • FortiWeb-enrichment: playbook that adds or updates threat intel and essential details in the comments section of the triggered incident, so that SOC analysts can directly take corrective measures to stop the attack.
  • Fortiweb - WAF Allowed threat: detects a WAF "Allowed" action on threat events.
  • FortiWeb Workbook: depends on the FortiWeb parser (a Kusto function deployed with the solution) to work as expected.
  • FortiWeb-BlockIP-URL: playbook that automates blocking of a suspicious/malicious IP or URL on FortiWeb Cloud WAF.

 

[Screenshot: fwb-dataconnector.png]

Install Common Event Format Data Connector

  • Navigate to Microsoft Sentinel workspace ---> Content management ---> Content hub.
  • Search for "Common Event Format (CEF)" and install it. This deploys the "Common Event Format (CEF) via AMA" data connector for you.

[Screenshot: CEF-DataConnector.png]

  • Open the connector page for Common Event Format (CEF) via AMA.

[Screenshot: CEF-via-AMA-page.png]

 

Create Data Collection Rule (DCR) (if you don't have one)

  • Use the same location as your Log Analytics workspace.
  • Add the Linux machine as a resource.
  • Collect facility log_local7 and set the minimum log level to be collected.

 

[Screenshot: fwb-create-dcr1.png]

[Screenshot: create-dcr2.png]

[Screenshot: create-dcr3.png]

 

Below is an ARM template example for the DCR configuration (the facility and log levels in the first syslog data source are what the FortiWeb syslog settings must match):

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "dataCollectionRules_WAF_a_a_S_name": {
            "defaultValue": "WAF-a-a-S",
            "type": "String"
        },
        "workspaces_ya_ama_externalid": {
            "defaultValue": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/ya-faz-sentinel-ama/providers/Microsoft.OperationalInsights/workspaces/ya-ama",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Insights/dataCollectionRules",
            "apiVersion": "2023-03-11",
            "name": "[parameters('dataCollectionRules_WAF_a_a_S_name')]",
            "location": "westeurope",
            "tags": {
                "createdBy": "Sentinel"
            },
            "kind": "Linux",
            "properties": {
                "dataSources": {
                    "syslog": [
                        {
                            "streams": [
                                "Microsoft-CommonSecurityLog"
                            ],
                            "facilityNames": [
                                "local7"
                            ],
                            "logLevels": [
                                "Notice",
                                "Warning",
                                "Error",
                                "Critical",
                                "Alert",
                                "Emergency"
                            ],
                            "name": "sysLogsDataSource-1039681479"
                        },
                        {
                            "streams": [
                                "Microsoft-CommonSecurityLog"
                            ],
                            "facilityNames": [
                                "nopri"
                            ],
                            "logLevels": [
                                "Emergency"
                            ],
                            "name": "sysLogsDataSource-1697966155"
                        }
                    ]
                },
                "destinations": {
                    "logAnalytics": [
                        {
                            "workspaceResourceId": "[parameters('workspaces_ya_ama_externalid')]",
                            "name": "DataCollectionEvent"
                        }
                    ]
                },
                "dataFlows": [
                    {
                        "streams": [
                            "Microsoft-CommonSecurityLog"
                        ],
                        "destinations": [
                            "DataCollectionEvent"
                        ]
                    }
                ]
            }
        }
    ]
}
 

Install CEF Collector on Linux VM

Install the Common Event Format (CEF) collector on the Linux machine by downloading and running the installer script with the following command:

sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py && sudo python3 Forwarder_AMA_installer.py

 

Configure FortiWeb

  • Configure a Syslog Policy with the log forwarder IP address, TCP port 514 and CEF format.

[Screenshot: fwbvm-syslog-policy.png]

 

  • Navigate to Log and Report -> Log Config -> Global Log Settings -> Syslog.
  • Set the Syslog Policy, the required log level and the facility; the facility must match the facility configured in your DCR.

[Screenshot: fwbvm-logsettings.png]

 

Validation and Connectivity Check

  • The following command shows the rsyslog status:
sudo systemctl status rsyslog
 
  • Start rsyslog:
sudo systemctl start rsyslog
 
  • Restart rsyslog:
sudo systemctl restart rsyslog
 
  • Validate that the syslog daemon is listening on the TCP port and that the AMA is listening on localhost by reviewing the configuration file /etc/rsyslog.conf. After that verification, use the following command to confirm the listening ports:
sudo netstat -tuln

[Screenshot: port-validation-ama.png]

 

  • Run the following command in the background to capture messages sent from a logger or a connected device:
sudo tcpdump -i any port 514 -A -vv &
 

After you complete the validation, we recommend that you stop tcpdump: type fg and then press Ctrl+C.

  • Verify the correct installation of the connector by running the troubleshooting script with the following command:
sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py && sudo python3 Sentinel_AMA_troubleshoot.py --cef

[Screenshot: troubleshooting-ama.png]
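As an added example (not part of the original guide), the following shell functions automate the two checks above: they confirm that rsyslog is listening on port 514 and the AMA on localhost port 28330 by parsing netstat -tuln output, and send one constructed CEF line (not a real FortiWeb event) through the local collector with logger(1) so it can be seen in the tcpdump capture. The netstat column layout and the util-linux logger options are assumed.

```shell
#!/usr/bin/env bash
# Added example: validate the collector's listeners and inject a test CEF line.

# Return 0 if the given listener table (output of `netstat -tuln`) shows a
# socket bound to port $2 over protocol $1 (tcp or udp, IPv6 variants included).
port_listening() {
    proto="$1"; port="$2"; table="$3"
    printf '%s\n' "$table" | awk -v proto="$proto" -v port=":$port" \
        '$1 ~ "^"proto && $4 ~ port"$" { found = 1 } END { exit found ? 0 : 1 }'
}

# Check both hops of the data flow: FortiWeb -> rsyslog (514), rsyslog -> AMA (28330).
check_collector() {
    table=$(netstat -tuln 2>/dev/null) || return 2
    port_listening tcp 514 "$table"   || { echo "rsyslog is not listening on tcp/514"; return 1; }
    port_listening tcp 28330 "$table" || { echo "AMA is not listening on tcp/28330"; return 1; }
    echo "collector listeners present"
}

# Send one constructed CEF line to the local collector over tcp/514, tagged
# local7.warning so that a DCR collecting local7 at Notice or higher keeps it.
send_test_cef() {
    logger -n 127.0.0.1 -P 514 -T -p local7.warning \
        'CEF:0|Fortinet|FortiWeb|x|x|constructed test event|5|src=10.0.0.5'
}
```

Run check_collector first; then call send_test_cef while the tcpdump capture from the step above is running to see the message arrive on port 514.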

 

 

  • Monitor the log ingestion per minute for the DCR from Monitoring --> Metrics.

[Screenshot: fwb-dcr-metrics.png]

  • Check the data connector page and verify that the DCR is correctly assigned and that logs are being ingested into the CommonSecurityLog table.

[Screenshot: fwb-dataconnector-validation.png]

[Screenshot: fwbvm-commonsecuritylog.png]

 

You can review this link for more technical details about CEF integration with AMA.

 

Log Filtering

Log forwarding to Microsoft Sentinel can lead to significant costs, making it essential to implement an efficient filtering mechanism.

In the Data Collection Rules (DCR) tab, under the Collect section, you can define the minimum log level for each facility. When a log level is selected, Microsoft Sentinel collects logs at the chosen level and at all levels of higher severity. For instance, if you select LOG_ERR, Microsoft Sentinel captures logs at LOG_ERR, LOG_CRIT, LOG_ALERT and LOG_EMERG.
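As an added example (not part of the original guide), the following Python script reproduces the minimum-level rule in code: it builds the DCR syslog data source block for a facility and minimum level (as in the ARM template above), decodes the <PRI> header of incoming syslog lines into facility and severity, and shows which lines that DCR would collect. The sample lines are constructed, not real FortiWeb output; LOG_ERR in the portal's naming corresponds to "Error" in the DCR JSON.

```python
import re

# RFC 5424 severity names; list index == numeric value (0 = most severe).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]
# Facility names; list index == numeric value (local0..local7 are 16..23).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]


def dcr_log_levels(min_level):
    """Levels a DCR collects when min_level is the chosen minimum: that level
    plus every more severe one, in the order the portal writes them."""
    n = SEVERITIES.index(min_level)
    return SEVERITIES[:n + 1][::-1]


def syslog_datasource(facility, min_level, name="sysLogsDataSource-fortiweb"):
    """Build the DCR 'syslog' data source entry for one facility (name is a placeholder)."""
    return {"streams": ["Microsoft-CommonSecurityLog"],
            "facilityNames": [facility],
            "logLevels": dcr_log_levels(min_level),
            "name": name}


def parse_pri(line):
    """Decode the <PRI> prefix of a syslog line: PRI = facility * 8 + severity."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("no syslog PRI header")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def is_collected(line, datasource):
    """True if the DCR data source would forward this message to Sentinel."""
    facility, severity = parse_pri(line)
    return (facility in datasource["facilityNames"]
            and severity in datasource["logLevels"])


# Constructed sample lines (not real FortiWeb output): local7.warning (PRI 188),
# local7.info (PRI 190) and local4.warning (PRI 164).
SAMPLE = [
    "<188>CEF:0|Fortinet|FortiWeb|x|x|constructed event|5|src=10.0.0.5",
    "<190>CEF:0|Fortinet|FortiWeb|x|x|constructed event|1|src=10.0.0.6",
    "<164>CEF:0|Fortinet|FortiWeb|x|x|constructed event|5|src=10.0.0.7",
]
```

With a DCR collecting local7 at Notice or higher, only the first sample line is forwarded: the second is below the minimum level and the third arrives on a facility the DCR does not collect.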

 

You can also configure the desired log type and log severity level directly through the log server options, ensuring precise control over which logs are forwarded to Microsoft Sentinel.