Demand for business and consumer applications shows no sign of slowing and has resulted in the rapid proliferation of workloads across distributed, multi-cloud architectures. At the same time, cyberthreats have become increasingly prevalent and sophisticated, giving security teams little choice but to invest heavily in the latest and greatest technologies to protect their application portfolios and data. For many, this leads to deploying a medley of disparate solutions—generally from a multitude of vendors—to achieve a robust security posture against a wide range of threats. It follows that each solution likely offers unique event alerting capabilities and dashboards that are siloed from one another, making the task of compiling a comprehensive threat view across solutions tedious, time-consuming, and highly ineffective. This scenario could be depicted at a high level by Figure 1 below.

Given that most organizations’ security teams are responsible for protecting complex architectures that consist of many more security devices and environments than shown in Figure 1, this operating model is clearly not scalable and could put apps and data at increased risk. For this reason, many have turned to Security Information & Event Management (SIEM) offerings to help aggregate, analyze, and visualize data across multiple security systems. Unsurprisingly, a 2022 Cybersecurity Insiders SIEM survey found that 80% of organizations have either already implemented a SIEM solution or plan to do so in the near future, with the primary motives being faster event detection and more efficient security operations. The same report noted that from 2021 to 2022 the SIEM market echoed the broader market's shift to cloud and SaaS-based offerings, with fewer organizations electing to deploy hardware- or software-based SIEM solutions on-premises and more migrating to cloud-based SaaS solutions such as Azure Sentinel and Sumo Logic. Provided that security vendors offer integrations with SIEM solutions, the example architecture from Figure 1 can be greatly simplified, with all threat events compiled within a centralized SIEM tool, as shown in Figure 2.

Having observed this increase in SIEM adoption by customers in recent years, F5 has made validating SIEM integration with its suite of products a key focus. Whether that’s BIG-IP, NGINX, or F5 Distributed Cloud Services, each solution is compatible with a wide range of leading SIEM platforms including the likes of Splunk, Exabeam, and Microsoft Azure Sentinel.
Homing in on the latter, F5’s BIG-IP Advanced WAF has offered an integration with Azure Sentinel for several years now and is leveraged by a significant number of Azure customers. Regardless of where BIG-IP Advanced WAF instances are deployed—on-premises, in a colocation facility, on Azure or any other cloud environment—this integration allows Sentinel to collect real-time data from each and provide a consolidated threat view across an organization’s entire application portfolio. This scenario is reflected below in our third and final diagram.

Currently there are two methods for connecting BIG-IP Advanced WAF instances with Azure Sentinel, both of which are encouraged and entirely free. The first leverages F5 Telemetry Streaming which, as the name suggests, is an extension for BIG-IP that streams data to third-party analytics solutions. The only requirement for this approach is that each instance must be running BIG-IP software version 13.1 or later. Alternatively, if you are more familiar with the standard industry techniques of forwarding events over Syslog or in CEF (Common Event Format), both of these are also supported. Whichever path you choose, confirm at the Sentinel end that events from every instance are arriving and are being parsed into the expected fields before relying on the consolidated view: a forwarder that is silently dropping or mangling records looks exactly like a quiet WAF.
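Because the CEF/Syslog path depends on the receiving side parsing the event text correctly, it is worth knowing what that parsing involves. The following is an added example written for this post, not code from F5, Microsoft, or the Azure Marketplace listings: a small, generic CEF parser that honours the format's escaping rules (`\|` and `\\` in header fields, `\=`, `\\`, `\n` and `\r` in extension values) and a helper that tallies blocked requests per source IP, the kind of check you would run while validating the feed. The sample log lines are constructed; the vendor and product strings, signature names and extension keys are assumptions made to look like WAF output and are not a statement of what BIG-IP Advanced WAF actually emits.

```python
"""Minimal parser for CEF (Common Event Format) WAF events carried over syslog.
Added illustration for this post, not F5 or Microsoft code. The sample lines are
CONSTRUCTED to resemble CEF a WAF might emit; vendor/product strings and
extension keys are assumptions, not what BIG-IP Advanced WAF actually sends."""
import re
from collections import Counter
from typing import Dict, Iterable, List

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# A key is a token at the start of the extension or after whitespace, followed
# by an unescaped '='. '=' inside values must be written '\=', so every
# unescaped '=' starts a new key, which is what lets values contain spaces.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")


def _unescape(value: str) -> str:
    r"""Undo extension escaping: '\\' -> '\', '\=' -> '=', plus '\n' and '\r'."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(body: str):
    r"""Split the seven pipe-delimited header fields; '\|' and '\\' are escapes."""
    fields: List[str] = []
    cur: List[str] = []
    i, n = 0, len(body)
    while i < n and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < n:        # escaped '|' or '\' inside a field
            cur.append(body[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) == 6 and i >= n:        # no extension and no trailing '|'
        fields.append("".join(cur))
    if len(fields) != 7:
        raise ValueError("malformed CEF header: %r" % body)
    return fields, body[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return out


def parse_cef(line: str) -> Dict[str, Dict[str, str]]:
    """Parse one line carrying a CEF message; any syslog prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[start + 4:])
    return {"header": dict(zip(HEADER_FIELDS, fields)),
            "extension": _parse_extension(ext.strip())}


def blocked_by_source(lines: Iterable[str]) -> Counter:
    """Count events the WAF reports as blocked ('act=blocked'), keyed by source IP."""
    counts: Counter = Counter()
    for line in lines:
        ext = parse_cef(line)["extension"]
        if ext.get("act", "").lower() == "blocked":
            counts[ext.get("src", "unknown")] += 1
    return counts


# Constructed sample lines (not real WAF output). The '\=' in 'request', the
# '\|' in the second signature name and the '\\' in 'msg' exercise the escapes.
SAMPLE_LINES = [
    "<134>Mar  3 10:15:02 bigip1 ASM: CEF:0|F5|ASM|16.1.0|XSS detected|Cross Site Scripting (XSS)|7|"
    "rt=Mar 03 2023 10:15:02 act=blocked src=203.0.113.7 spt=51234 dst=198.51.100.10 dpt=443 "
    "requestMethod=GET request=/search?q\\=<script>alert(1)</script> cs1Label=policy_name cs1=prod_policy",
    "<134>Mar  3 10:15:03 bigip1 ASM: CEF:0|F5|ASM|16.1.0|SQLi detected|SQL-Injection \\| union select|7|"
    "rt=Mar 03 2023 10:15:03 act=blocked src=203.0.113.7 spt=51240 dst=198.51.100.10 dpt=443 "
    "requestMethod=POST request=/login msg=payload contained \\\\x27 OR 1\\=1",
    "<134>Mar  3 10:15:04 bigip1 ASM: CEF:0|F5|ASM|16.1.0|Illegal file type|Illegal file type|3|"
    "rt=Mar 03 2023 10:15:04 act=alerted src=192.0.2.55 spt=40001 dst=198.51.100.10 dpt=443 "
    "requestMethod=GET request=/backup.bak",
]

if __name__ == "__main__":
    for ev in map(parse_cef, SAMPLE_LINES):
        print(ev["header"]["name"], "|", ev["extension"].get("act"), ev["extension"].get("request"))
    print(dict(blocked_by_source(SAMPLE_LINES)))
```

The two places a naive split-on-space or split-on-pipe parser goes wrong are exactly the ones exercised above: an attack payload containing `=` or `|` (very common in XSS and SQL injection requests) would either shift every subsequent header field or be truncated in the extension. If the feed is healthy, the same event fields should be visible on the Sentinel side in the `CommonSecurityLog` table that the CEF connector writes to, so a per-source count like `blocked_by_source` is a quick way to check that what arrived matches what the WAF sent.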
If you are interested in learning more about connecting your BIG-IP Advanced WAF instances with Azure Sentinel, additional information for each integration method can be found at the Azure Marketplace listings below:
- BIG-IP Advanced WAF & Azure Sentinel Integration via F5 Telemetry Streaming
- BIG-IP Advanced WAF & Azure Sentinel Integration via CEF/Syslog