Configuring Microsoft Azure Event Hubs to communicate with QRadar

The Microsoft Azure Event Hubs protocol collects events that are inside an Event Hub. This protocol collects events regardless of their source, provided that they are inside the Event Hub. However, these events might not be parsable by an existing DSM.

Before you begin

To retrieve events in QRadar®, you need to create a Microsoft Azure Storage Account and an Event Hub entity under the Azure Event Hub Namespace. For every Namespace, port 5671 must be open. For every Storage Account, port 443 must be open.

The Namespace hostname is usually [Namespace Name].servicebus.windows.net and the Storage Account hostname is usually [Storage_Account_Name].blob.core.windows.net. The Event Hub must have at least one Shared Access Signature that is created with Listen Policy and at least one Consumer Group.

Procedure

  1. Obtain a Microsoft Azure storage account connection string by using one of the following methods.
    • If you want a log source that has full access to all permissions, obtain an access key. See step 2.
    • If you want a log source with specific permissions for access, create a shared access signature (SAS). See step 3.
    Important: To connect to a Microsoft Azure Event Hub, you must be able to create a block blob on the Azure Storage Account you select. Page and append blob types are not compatible with the Microsoft Azure Event Hubs Protocol.

    For more information, see Introduction to Azure Blob storage (https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction) and Understanding Block Blobs, Append Blobs, and Page Blobs (https://docs.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs). For further help, see Microsoft Support (https://azure.microsoft.com/en-us/support/options).

  2. Obtain a Microsoft Azure Storage Account Connection String and access key.
    Use this method to obtain values that give the log source full access to the storage account.

    The Storage Account Connection String contains authentication for the Storage Account Name and the Storage Account Key that is used to access the data in the Azure Storage account.

    1. Log in to the Azure Portal (https://portal.azure.com).
    2. From the dashboard, in the All resources section, select a Storage account.
    3. From the All types list, disable Select All. In the filter items search box, type Storage Accounts, and then select Storage Accounts from the list.
    4. From the Storage account menu, select Access keys.
    5. Record the value for the Storage account name. Use this value for the Storage Account Name parameter value when you configure a log source in IBM® QRadar.
    6. From the key 1 or key 2 section, record the following values.
      • Key - Use this value for the Storage Account Key parameter value when you configure a log source in QRadar.
      • Connection string - Use this value for the Storage Account Connection String parameter value when you configure a log source in QRadar.
        Example:
        DefaultEndpointsProtocol=https;AccountName=[Storage Account Name];AccountKey=[Storage Account Key];EndpointSuffix=core.windows.net

        Most storage accounts use core.windows.net for the endpoint suffix, but this value can change depending on the account's location. For example, a government-related storage account might have a different endpoint suffix value. You can use the Storage Account Name and Storage Account Key values, or you can use the Storage Account Connection String value to connect to the Storage Account. You can use key 1 or key 2.

      QRadar creates a container that is named qradar in the provided storage blob.
      Tip: Through the Azure Event Hubs SDK, QRadar uses a container in the configured storage account blob to track event consumption from the Event Hub. A container that is named qradar is automatically created to store the tracking data, or you can manually create the container.
  3. Generate a shared access signature (SAS).
    Use this method to obtain values to give the log source specific permissions for accessing the storage account.
    1. Log in to the Azure Portal (https://portal.azure.com).
    2. From the dashboard, in the All resources section, select a Storage account.
    3. From the All types list, disable Select All. In the filter items search box, type Storage Accounts, and then select Storage Accounts from the list.
    4. From the Storage account menu, select Shared access signature.
    5. Configure a SAS with the following permissions:
      Important: These permissions are the minimum amount that you must give to your SAS, so QRadar can access Microsoft Azure. You can give the SAS more permissions.
      Permission              Value
      Allowed services        Blob
      Allowed resource types  Container, Object
      Allowed permissions     Read, Write, Delete, List

    6. Click Generate SAS and connection string.
    7. Record the following value:
      Shared access signature - Use this value for the Storage Account Connection String parameter value when you configure a log source in QRadar.
      Example:
      BlobEndpoint=[BlobEndpoint];QueueEndpoint=[QueueEndpoint];FileEndpoint=[FileEndpoint];TableEndpoint=[TableEndpoint];SharedAccessSignature=[Access Signature]
  4. Obtain a Microsoft Azure Event Hub Connection String.

    The Event Hub Connection String contains the Namespace Name, the path to the Event Hub within the namespace and the Shared Access Signature (SAS) authentication information.

    1. Log in to the Azure Portal (https://portal.azure.com).
    2. From the dashboard, in the All resources section, select an Event Hub. Record this value to use as the Namespace Name parameter value when you configure a log source in QRadar.
    3. In the Entities section, select Event Hubs. Record this value to use for the Event Hub Name parameter value when you configure a log source in QRadar.
    4. From the All types list, disable Select All. In the filter items search box, type event hub, and then select Event Hubs Namespace from the list.
    5. In the Event Hub section, select the event hub that you want to use from the list. Record this value to use for the Event Hub Name parameter value when you configure a log source in QRadar.
    6. In the Settings section, select Shared access policies.
      Important: In the Entities section, ensure that the Consumer Groups option is listed. If Event Hubs is listed instead, return to substep 3 (In the Entities section, select Event Hubs).
      1. Select a POLICY whose CLAIMS include Listen. Record this value to use for the SAS Key Name parameter value when you configure a log source in QRadar.
      2. Record the values for the following parameters:
        Primary key or Secondary key
        Use the value for the SAS Key parameter value when you configure a log source in QRadar. The Primary key and Secondary key are functionally the same.
        Connection string-primary key or Connection string-secondary key
        Use this value for the Event Hub Connection String parameter value when you configure a log source in QRadar. The Connection string-primary key and Connection string-secondary key are functionally the same.
        Example:
        Endpoint=sb://[Namespace Name].servicebus.windows.net/;SharedAccessKeyName=[SAS Key Name];SharedAccessKey=[SAS Key];EntityPath=[Event Hub Name]
        You can use the Namespace Name, Event Hub Name, SAS Key Name and SAS Key values, or you can use the Event Hub Connection String value to connect to the Event Hub.
  5. In the Entities section, select Consumer groups. Record the value to use for the Consumer Group parameter value when you configure a log source in QRadar.
    Important: Do not use the $Default consumer group that is automatically created. Use an existing consumer group that is not in use or create a new consumer group. Each consumer group must be used by only one device, such as QRadar.
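The following is an added example, not part of the IBM documentation or the QRadar protocol code. It derives the log-source parameters named in steps 2 to 4 from the three connection-string formats shown above and checks a storage SAS against the step 3 minimum grants; the sample strings, account names and keys are constructed placeholders, and the ss/srt/sp fields are the standard account-SAS query parameters Azure emits.

```python
"""Derive the QRadar log-source parameters from the Azure connection strings in
steps 2 to 4, and check a storage SAS against the step 3 minimum grants."""
from urllib.parse import parse_qs

# Constructed samples in the formats the page's examples show; not real credentials.
SAMPLE_EVENT_HUB = ("Endpoint=sb://qradar-ns.servicebus.windows.net/;"
                    "SharedAccessKeyName=qradar-listen;SharedAccessKey=Q09OU1Q=;"
                    "EntityPath=security-events")
SAMPLE_SAS = ("BlobEndpoint=https://qradarstore.blob.core.windows.net/;"
              "SharedAccessSignature=sv=2022-11-02&ss=b&srt=co&sp=rwdl&sig=Q09OU1Q%3D")

# Account-SAS query fields and the step 3 minimum: ss = services (Blob),
# srt = resource types (Container, Object), sp = permissions (Read, Write, Delete, List).
MINIMUM_SAS = {"ss": "b", "srt": "co", "sp": "rwdl"}


def parse_connection_string(conn: str) -> dict:
    """'Key=Value;Key=Value' to dict; keys and SAS tokens contain '=', so split once."""
    parts = {}
    for item in conn.strip().strip(";").split(";"):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip()] = value.strip()
    return parts


def storage_parameters(conn: str) -> dict:
    """Step 2: name, key and the blob host (port 443); suffix is read, not assumed."""
    p = parse_connection_string(conn)
    suffix = p.get("EndpointSuffix", "core.windows.net")
    return {"Storage Account Name": p["AccountName"],
            "Storage Account Key": p["AccountKey"],
            "Blob Host": f"{p['AccountName']}.blob.{suffix}"}


def event_hub_parameters(conn: str) -> dict:
    """Step 4: Namespace Name, Event Hub Name, SAS Key Name and SAS Key (port 5671 host)."""
    p = parse_connection_string(conn)
    host = p["Endpoint"].split("://", 1)[-1].rstrip("/")
    return {"Namespace Name": host.split(".")[0], "Namespace Host": host,
            "Event Hub Name": p["EntityPath"],
            "SAS Key Name": p["SharedAccessKeyName"], "SAS Key": p["SharedAccessKey"]}


def storage_sas_missing(conn: str) -> list:
    """Step 3: 'field=flag' entries for each minimum grant the SAS token lacks."""
    sas = parse_connection_string(conn)["SharedAccessSignature"].lstrip("?")
    q = {k: v[0] for k, v in parse_qs(sas).items()}
    return [f"{field}={flag}" for field, need in MINIMUM_SAS.items()
            for flag in need if flag not in q.get(field, "")]
```

An empty list from storage_sas_missing means the token carries at least the grants in the step 3 table; any entry names the service, resource type or permission still to add.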