Better Together: Integrating Microsoft Sentinel with SonicWall Firewalls

Let’s demystify some questions surrounding the integration of Microsoft Sentinel and SonicWall Firewalls. Discover how these two powerful products can work together to enhance your organization’s security posture.


Getting Started

As cyber threats continue to evolve, organizations need robust security solutions to detect, respond to and prevent incidents. Microsoft Sentinel, a cloud-native Security Information and Event Management (SIEM) solution, provides intelligent security analytics and threat intelligence across the enterprise. SonicWall Next-Generation Firewalls (NGFWs), on the other hand, are a trusted network security solution that protects your network from external threats. Integrating these two products can significantly enhance your security operations.

Understanding Microsoft Sentinel and SonicWall Firewalls:

Microsoft Sentinel
Microsoft Sentinel is a scalable, cloud-native SIEM and Security Orchestration Automated Response (SOAR) solution. Uncover sophisticated threats and respond decisively with an intelligent, comprehensive security information and event management (SIEM) solution for proactive threat detection and hunting, threat investigation, and response. Microsoft Sentinel provides a consolidated way to acquire content like data connectors, workbooks, analytics and automations.

SonicWall Firewalls
SonicWall NGFWs provide the security, control and visibility to maintain an effective cybersecurity posture. SonicWall firewalls are designed to meet your specific security and usability needs, all at a cost that will protect your budget while securing your network infrastructure.

Features like stateful high availability and power supply redundancy deliver ‘always-on’ continuity, while superior UX and simpler, single-pane-of-glass management ease complexity. And with SD-WAN and DPI-SSL included, they offer an industry-leading TCO.

Features and Functionality

The integration of SonicWall NGFWs with Microsoft Sentinel can help organizations achieve a higher level of holistic visibility, security, real-time threat detection and response automation for their security infrastructure. These integration capabilities will enable our partners and customers to forward the firewall logs to the Microsoft Sentinel cloud platform, parse the logs, create custom workflows and automate the responses.

Configuration Steps

Integration can be configured in these simple steps:

1. Deploying a Microsoft Sentinel Workspace

  • Create a new resource using a custom template that builds the resources needed for Microsoft Sentinel.

2. Installing the SonicWall Solution for Microsoft Sentinel

  • Install the pre-defined “SonicWall Network Security” solution from the Microsoft Sentinel Content hub.
  • Configure the Common Event Format (CEF) via AMA data connector’s data collection rule to set the event filter types (Syslog facilities) to collect.
  • Configure the collection rules:
    • LOG_LOCAL* (0-7) to LOG_DEBUG

3. Installing the Operations Management Suite (OMS) or Log Analytics Agent

  • The OMS/Log Analytics Agent provides a Syslog relay. This agent should be installed on a host within the network and configure SonicOS to send ArcSight-formatted Syslog data to the agent. The Agent establishes a secure connection with Azure, so the log data is not sent to the cloud in plaintext.

4. Configuring a Syslog Server on a SonicWall Firewall

  • Configure a syslog server on your SonicWall NGFW and select Syslog Format as ArcSight (CEF) from the dropdown.
  • Specify the IP address/name of your Linux VM as the Syslog server, and Syslog Facility should be Local use 4.
    Note: Refer to this Knowledge Base Article for more information.
  • Validate that the OMS/Log Analytics Agent is receiving CEF messages and can connect to Azure.

5. Microsoft Sentinel Workbooks for SonicWall Firewalls

  • The “SonicWall Network Security” data connector includes workbooks containing a variety of queries for our various security services, as well as other traffic and security insights. You can configure the analytics rule, hunting query and workbooks as per your requirements.

Benefits of Integration

The integration of Microsoft Sentinel and SonicWall NGFWs offers several benefits for enhancing your organization’s security posture.

  • Holistic View: Microsoft Sentinel provides a bird’s-eye view across your infrastructure, reducing the stress of handling sophisticated attacks and numerous alerts.
  • Real-time Threat Detection: By ingesting SonicWall logs, you enhance your threat detection capabilities and gain visibility into network traffic, user behavior, and potential security incidents.
  • Threat Visibility and Proactive Hunting: Azure Sentinel provides intelligent security analytics, threat intelligence, and proactive hunting capabilities. It allows you to detect threats across your environment and respond promptly.
  • Automated Response: Combine Microsoft Sentinel’s SOAR capabilities with SonicWall’s real-time data to automate incident response. You can create/use playbooks to execute predefined actions based on specific events. This combination provides robust protection against evolving threats.


The SonicWall Firewalls and Microsoft Sentinel cloud platform integration is now available to all of our partners/customers.

For more detailed instructions, please refer to the SonicWall Firewall-Sentinel Integration Guide. Here is the data connector instructions article.

Better Together

Integrating the Microsoft Sentinel cloud platform with SonicWall Firewalls is a strategic move for organizations seeking comprehensive security. By leveraging the power of both platforms, you can proactively defend against threats, streamline incident responses, and stay ahead in the ever-evolving cybersecurity landscape.

Remember, security is a continuous journey, and this integration is a significant step toward a safer digital environment. Happy securing! 🔒🌐

We appreciate your continuous support, and please don’t hesitate to contact us if you have any queries or require more information. 😊

Chandan Kumar Singh
Product Manager | SonicWall
Chandan Singh is a Product Manager at SonicWall. He’s primarily responsible for third-party integrations with SonicWall products. With nearly a decade of cybersecurity experience, Singh has held various roles, from information security engineer in a SOC, to solution architect, where he helped customers find the best solution for them and design their security infrastructure.