Centralizing BIG-IP Advanced WAF Threat Visualization, Alerting, and Reporting With Azure Sentinel

Tom Atkins
Published November 22, 2022

Demand for business and consumer applications shows no sign of slowing and has resulted in the rapid proliferation of workloads across distributed, multi-cloud architectures. At the same time, cyberthreats have become increasingly prevalent and sophisticated, giving security teams little choice but to invest heavily in the latest and greatest technologies to protect their application portfolios and data. For many, this leads to deploying a medley of disparate solutions—generally from a multitude of vendors—to achieve a robust security posture against a wide range of threats. It follows that each solution likely offers unique event alerting capabilities and dashboards that are siloed from one another, making the task of compiling a comprehensive threat view across solutions tedious, time-consuming, and highly ineffective. This scenario could be depicted at a high level by Figure 1 below.

Figure 1: Example of multi-cloud architectures introducing security visibility and alerting complexity

Given that most organizations’ security teams are responsible for protecting complex architectures that consist of many more security devices and environments than shown in Figure 1, this operating model is clearly not scalable and could put apps and data under increased risk. For this reason, many have turned to Security Information & Event Management (SIEM) offerings to help aggregate, analyze, and visualize data across multiple security systems. Unsurprisingly, a 2022 Cybersecurity Insiders SIEM survey found that 80% of organizations have either already implemented a SIEM solution or plan to do so in the near future, with the primary motives being to achieve faster event detection and more efficient security operations. The same report noted that from 2021 to 2022 the SIEM market echoed the broader market's shift to cloud and SaaS-based offerings, with fewer electing to deploy hardware- or software-based SIEM solutions on-premises and more migrating to cloud-based SaaS solutions such as Azure Sentinel and Sumo Logic. Provided that security vendors offer integrations with SIEM solutions, the example architecture from Figure 1 can be heavily simplified, with all threat events compiled within a centralized SIEM tool, as shown in Figure 2.

Figure 2: Simplifying multi-cloud security alerting and visibility via the introduction of SIEM tools

Having observed this increase in SIEM adoption by customers in recent years, F5 has made validating SIEM integration with its suite of products a key focus. Whether that’s BIG-IP, NGINX, or F5 Distributed Cloud Services, each solution is compatible with a wide range of leading SIEM platforms including the likes of Splunk, Exabeam, and Microsoft Azure Sentinel.

Homing in on the latter, F5’s BIG-IP Advanced WAF has offered an integration with Azure Sentinel for several years now and is leveraged by a significant number of Azure customers. Regardless of where BIG-IP Advanced WAF instances are deployed—on-premises, in a colocation facility, on Azure or any other cloud environment—this integration allows Sentinel to collect real-time data from each and provide a consolidated threat view across an organization’s entire application portfolio. This scenario is reflected below in our third and final diagram.

Figure 3: Aggregating distributed BIG-IP Advanced WAF data and alerts within Azure Sentinel

Currently there are two methods for connecting BIG-IP Advanced WAF instances with Azure Sentinel—both of which are encouraged and entirely free. The first leverages F5 Telemetry Streaming which, as the name suggests, is an extension for BIG-IP that enables data to be streamed to third-party analytics solutions. The only requirement for this approach is that each instance must be running software version 13.1 or later. Alternatively, if you’re familiar with the more standard industry techniques which utilize either Syslog or CEF (Common Event Format), both of these are also supported.
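To make the Telemetry Streaming path concrete, the declaration below is an added illustration (not from this post or from F5's documentation) of what a minimal Telemetry Streaming configuration that forwards BIG-IP Advanced WAF events to a Log Analytics workspace backing Sentinel looks like. It assumes the declarative schema published with Telemetry Streaming (the `Telemetry_Listener` and `Telemetry_Consumer` classes and the `Azure_Log_Analytics` consumer type); the workspace ID, shared key, and object names are placeholders.

```json
{
    "class": "Telemetry",
    "schemaVersion": "1.0.0",

    "// note": "Added example declaration; object names and credential values are placeholders.",

    "WAF_Event_Listener": {
        "class": "Telemetry_Listener",
        "// note": "Receives Advanced WAF security events that the BIG-IP logging profile sends to this local port.",
        "port": 6514
    },

    "Sentinel_Workspace": {
        "class": "Telemetry_Consumer",
        "type": "Azure_Log_Analytics",
        "// note": "Log Analytics workspace that Azure Sentinel reads from; replace both values before deploying.",
        "workspaceId": "<WORKSPACE-ID-PLACEHOLDER>",
        "passphrase": {
            "// note": "Workspace shared key; stored by BIG-IP in encrypted form after the declaration is posted.",
            "cipherText": "<WORKSPACE-SHARED-KEY-PLACEHOLDER>"
        }
    }
}
```

The declaration only opens the listener and defines the destination; the Advanced WAF security logging profile on each BIG-IP still has to be pointed at the listener's port for events to reach the workspace.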

If you are interested in learning more about connecting your BIG-IP Advanced WAF instances with Azure Sentinel, additional information for each integration method can be found at the Azure Marketplace listings below: