F5 Advanced WAF Integration via Telemetry Streaming for Microsoft Sentinel
by F5, Inc.
Send real-time attack events and logs from F5’s BIG-IP Advanced WAF to your Sentinel workspace
F5’s industry-leading BIG-IP Advanced Web Application Firewall (WAF) provides comprehensive application protection against threats and can be integrated with Microsoft Sentinel to analyze attack events and data in real-time.
BIG-IP Advanced WAF leverages behavioral analytics, automated learning capabilities, and risk-based policies to secure your website, mobile apps, and APIs—whether in a native or hybrid Azure environment. Core capabilities of BIG-IP Advanced WAF include:
- Proactive bot defense protects against automated malicious bots while maintaining access for the good bots that help your business.
- L7 DoS mitigation thwarts application-layer denial-of-service attacks.
- OWASP Top 10 compliance dashboard monitors prevention of OWASP Top 10 threats.
- API protocol security secures REST/JSON, XML and GWT APIs.
- Behavioral analytics and machine learning provide highly accurate application-layer DoS detection and mitigation.
- In-browser data encryption protects against data-extracting malware and keyloggers.
- Virtual patching mitigates code-level and common vulnerabilities.
- Real-time reporting and telemetry streaming capabilities allow fast analysis of attacks and export of data to 3rd-party analytics and visualization tools such as Azure Sentinel.
Integrating BIG-IP Advanced WAF with Microsoft Sentinel allows attack events and logs to be sent, visualized and analyzed in real time within your Microsoft Sentinel workspace. Information can be transferred to Sentinel in two different ways: either through F5’s Telemetry Streaming extension or by sending information in Common Event Format (CEF). The information below pertains to the F5 Telemetry Streaming method; if you would like to use the CEF approach, please review this listing.
F5’s Telemetry Streaming (TS) extension, a component of F5’s completely free Automation Toolchain, is used to aggregate and send data from BIG-IP Advanced WAF instances deployed on Azure, on-premises, or in any other environment to 3rd-party visualization or analytics tools. F5 Telemetry Streaming is compatible with BIG-IP versions 13.1 and later, so running BIG-IP 13.1 or later is a prerequisite for this integration. The resources below detail how to configure BIG-IP instances with Telemetry Streaming to permit data transfer to Azure Sentinel.
Additional Resources
· Getting started with BIG-IP Advanced WAF and Microsoft Sentinel
· F5 Telemetry Streaming Extension
· Deploy BIG-IP Advanced WAF Virtual Edition (PAYG) from the Azure Marketplace
· Deploy BIG-IP Best Virtual Edition (PAYG) from the Azure Marketplace
· Deploy BIG-IP Advanced WAF (BYOL) from the Azure Marketplace