
Microsoft Sentinel Blog

Integrating Radware WAF Logs with Microsoft Sentinel Using Logic Apps

KaushikReddy
Mar 31, 2025


If you're using Radware Web Application Firewall (WAF) within your organization for security monitoring, integrating it with Microsoft Sentinel provides enhanced visibility and analytics. While Radware does not have a built-in connector for Microsoft Sentinel, we can leverage Azure Logic Apps to ingest logs via API calls, process the data, and send it to Microsoft Sentinel. 

This guide walks you through the steps required to integrate Radware WAF logs with Microsoft Sentinel using Logic Apps. 

Prerequisites

Before beginning the integration process, ensure you have the following:

  • An active Azure subscription with Microsoft Sentinel enabled.
  • A Radware WAF API key with the permissions needed to retrieve logs.
  • An Azure Log Analytics Workspace connected to Microsoft Sentinel.
  • Familiarity with Azure Logic Apps (basic understanding).
  • The API endpoint and authentication details for Radware WAF.

High-Level Architecture

The integration follows these steps:

  1. Azure Logic App triggers every 10 minutes to fetch Radware WAF logs.
  2. API Call to Radware WAF retrieves logs in paginated format (200 logs per request).
  3. Loop through pages until all logs (up to 10,000 per query) are fetched.
  4. Parse the response to JSON format for each log entry.
  5. Send logs individually to Microsoft Sentinel using the "Send Data" action in Logic Apps.


Step 1: Setting Up the Logic App Workflow

  1. Create a new Logic App in Azure:
    • Navigate to the Azure Portal -> Logic Apps -> Create.
    • Choose Consumption Plan and select your preferred region.
    • Click Review + Create, then Create.
  2. Add a Recurrence Trigger:
    • Select Recurrence as the trigger.
    • Configure it to run every 10 minutes.
  3. Configure the HTTP Action to Fetch Logs from Radware API:
    • Use the HTTP action in Logic Apps.
    • Set the method to POST.
    • Enter the Radware API URL.
    • Add the required headers (API key, content type, etc.).
    • Define the body payload to request logs for the past 10 minutes.
    • Example JSON body for the API request (the time window is supplied by Logic Apps expressions, which the designer wraps as @{...}):

          {
            "startTime": "@{addMinutes(utcNow(), -10)}",
            "endTime": "@{utcNow()}",
            "limit": 200
          }

  4. Implement Pagination to Retrieve All Logs:
    • Add a "Do Until" loop that keeps fetching pages until the number of retrieved logs reaches the totalHits value in the response.
    • Extract the next page token from the response and append results.
  5. Parse the JSON Response:
    • Use the "Parse JSON" action to structure the response.
    • Define the schema using a sample response from Radware WAF.
  6. Send Logs to Microsoft Sentinel:
    • Use the "Azure Log Analytics - Send Data" action.
    • Map the Radware WAF log fields to the Log Analytics schema.
    • Select the appropriate Custom Table in Log Analytics or use CommonSecurityLog.
    • JSON request body for the Send Data action (shown in the screenshot below).
    • The completed Logic App will look like this:
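As an added example (not code from the original post or from Radware), the following Python reproduces what steps 3 to 6 do in the designer: build the 10-minute query body, run the Do Until pagination until totalHits or the 10,000 cap is reached, and compute the SharedKey signature that the Send Data action applies when posting to the Log Analytics Data Collector API. The response field names data and nextPageToken, the request field pageToken, and the fake endpoint are assumptions; only totalHits, the 200-per-page size and the 10,000 cap come from the post.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

PAGE_SIZE = 200     # logs per request (from the post)
MAX_LOGS = 10_000   # per-query ceiling (from the post)
WINDOW_MIN = 10     # recurrence interval in minutes (from the post)

def build_query(now: datetime, page_token: Optional[str] = None) -> Dict:
    """Body of the HTTP action: the last 10 minutes, 200 logs per page."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    body = {"startTime": (now - timedelta(minutes=WINDOW_MIN)).strftime(fmt),
            "endTime": now.strftime(fmt), "limit": PAGE_SIZE}
    if page_token:
        body["pageToken"] = page_token  # assumed field name, not from Radware docs
    return body

def fetch_all_logs(fetch_page: Callable[[Dict], Dict], now: datetime) -> List[Dict]:
    """The 'Do Until' loop: page until totalHits (or the 10,000 cap) is reached; fetch_page is injected."""
    logs: List[Dict] = []
    token = None
    while True:
        resp = fetch_page(build_query(now, token))
        logs.extend(resp.get("data", []))  # 'data' and 'nextPageToken' are assumed names
        total = min(int(resp.get("totalHits", 0)), MAX_LOGS)
        token = resp.get("nextPageToken")
        if len(logs) >= total or not token:  # the Do Until stop condition
            break
    return logs[:MAX_LOGS]

def string_to_sign(body: bytes, rfc1123_date: str) -> str:
    """Canonical string the legacy Data Collector API (behind 'Send Data') signs."""
    return f"POST\n{len(body)}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"

def log_analytics_signature(workspace_id: str, shared_key_b64: str, body: bytes, rfc1123_date: str) -> str:
    """Authorization header value: SharedKey <workspaceId>:<base64(HMAC-SHA256 over string_to_sign)>."""
    mac = hmac.new(base64.b64decode(shared_key_b64), string_to_sign(body, rfc1123_date).encode(),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"

def fake_radware_api(total_hits: int) -> Callable[[Dict], Dict]:
    """Constructed stand-in for the Radware endpoint: total_hits synthetic events, 200 per page."""
    calls: List[Dict] = []
    def fetch(body: Dict) -> Dict:
        calls.append(body)
        start = (len(calls) - 1) * PAGE_SIZE
        n = max(0, min(PAGE_SIZE, total_hits - start))
        nxt = f"page-{len(calls)}" if start + n < total_hits else None
        return {"data": [{"eventId": start + i} for i in range(n)], "totalHits": total_hits, "nextPageToken": nxt}
    fetch.calls = calls  # lets a caller count the requests made
    return fetch
```

At 200 logs per page the 10,000 cap means at most 50 iterations, which fits inside the Until action's default count limit of 60; raise that limit if you increase the cap.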

Step 2: Testing and Validation

  1. Run a test execution of the Logic App.
  2. Check the Logic Apps run history to ensure successful API calls and data ingestion.
  3. Verify logs in Sentinel:
    • Navigate to Microsoft Sentinel -> Logs.
    • Run a KQL query:

          RadwareEvents_CL | where TimeGenerated > ago(10m)

Summary

Integrating Radware WAF logs with Microsoft Sentinel using Logic Apps provides a scalable and automated solution for security event monitoring. By following this guide, you can set up a seamless integration that enhances your organization's ability to detect and respond to threats in real time. 

Updated Mar 28, 2025
Version 1.0