WatchGuard Firebox integration

You can integrate WatchGuard Firebox with Sophos Central so that it sends data to Sophos.

This page gives you an overview of the integration.

WatchGuard Firebox product overview

WatchGuard provides a range of easy-to-deploy and manage firewalls tailored for businesses of every size. Their solutions focus on advanced threat detection and response, empowered by rapid visibility into network activity and backed by threat intelligence.

Sophos documents

Integrate WatchGuard Firebox

What we ingest

Sample alerts seen by Sophos:

blocked sites (reason IP scan attack)
ProxyDeny: DNS invalid number of questions
Authentication of ACCOUNT_TYPE user [USERNAME] from IP_ADDRESS was rejected, received an Access-Reject response from the (IP_ADDRESS) server
blocked sites (TOR blocking source)
SSL VPN user NAME from IP_ADDRESS logged in assigned virtual IP is IP_ADDRESS
Rogue Access Point detected at MAC, broadcasting SSID NAME
Authentication error. no matching session found for USERNAME.
Device already has the latest TYPE signature version VERSION
ProxyDrop: HTTP Virus found
ProxyStrip: HTTP header malformed
Cannot start the signature update for 'TOR'
Certificate (CERTIFICATE) is not valid.
ProxyDeny: SMTP To address
Wireless country specification from LiveSecurity Service was not received: error can't get country spec response from LiveSecurity Service, (retry_countN)
Manual MICROSOFT365 update started
'LIVESECURITY' feature expired (DATE) prior to package release date (DATE)
sendalarm: failed to send alarm message
blocked sites (ThreatSync destination)
WEB Microsoft IIS HTTP.sys Remote Code Execution Vulnerability (CVE-2015-1635)
WEB Apache HTTPD mod_proxy_ajp Denial Of Service (CVE-2011-3348)
Shutdown requested by system
VIRUS Eicar test string N
DDOS from client IP_ADDRESS detected.
WEB PHPUnit CVE-2017-9841 Arbitrary Code Execution Vulnerability
SSH Brute Force Login N

Filtering

We filter messages as follows:

Agent Filter

We ALLOW all logs.
We DROP various high-volume and low-value specified messages.

Platform Filter

We ALLOW Valid LEEF.
We DROP various reviewed and non-security related messages and logs.
We DROP various high-volume and low-value specified messages.

Sample threat mappings

We use one of these fields to determine the alert type, depending on the alert classification and the fields it includes.

fields.msg
fields.IPS_rule
leef.eventID

"value": "=> !isEmpty(fields.msg) ? is(fields.msg, 'IPS detected') ? searchRegexList(fields.IPS_rule, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ?  searchRegexList(fields.IPS_rule, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) :  fields.IPS_rule : searchRegexList(fields.msg, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(fields.msg, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : fields.msg : getNestedValue(_.referenceValues.code_translation, 'alert_translation', leef.eventId) ? getNestedValue(_.referenceValues.code_translation, 'alert_translation', leef.eventId) :  getNestedValue(_.globalReferenceValues.code_translation, 'alert_translation', leef.eventId) ? getNestedValue(_.globalReferenceValues.code_translation, 'alert_translation', leef.eventId) : leef.eventId"

Sample mappings:

{"alertType": "ProxyAllow: HTTP Range header", "threatId": "T1498", "threatName": "Network Denial of Service"}
{"alertType": "Scheduled GAV update started", "threatId": "TA0005", "threatName": "Defense Evasion"}
{"alertType": "IPS detected", "threatId": "T1562.001", "threatName": "Disable or Modify Tools"}