QRadar Network Insights installations on Microsoft Azure

You can send your Microsoft Azure network traffic to IBM QRadar Network Insights for content inspection and monitoring.
To deploy QRadar Network Insights on Microsoft Azure, follow this procedure:
  1. Review the minimum system requirements.

    Ensure that the instance size that you plan to use can sustain the flow inspection level that you want to achieve.

  2. Install the QRadar components by using the IBM QRadar SIEM image on Microsoft Azure Marketplace.

    You must install a QRadar Console and a QRadar Network Insights managed host. Other managed hosts, such as flow processors, are optional. For information about how to install QRadar components on Microsoft Azure, see Configuring a Console on Microsoft Azure.

  3. Add the QRadar Network Insights managed host to the QRadar Console.
  4. Configure the flow sources.
  5. Configure a traffic mirroring session.
  6. Verify that the deployment is receiving flow data.

Deployment architecture

The following image shows the traffic flow in a deployment that includes two QRadar Network Insights mirror targets. One QRadar Network Insights instance is used as a flow source for a Flow Processor, while the other instance sends network traffic directly to the QRadar Console.
Figure 1. Example of a QRadar Network Insights deployment
Graphic that shows the mirrored traffic flow in a deployment that has a QRadar Console with one Flow Processor and two QRadar Network Insights hosts attached.

System requirements for QRadar Network Insights on Microsoft Azure installations

To prepare for the IBM QRadar Network Insights installation, ensure that your virtual appliance meets the minimum system requirements.
The QRadar Network Insights instance must meet the following requirements:
Requirement   Value

Processor
    16 cores (minimum) on a single NUMA node.

    Do not use virtual CPUs for QRadar Network Insights processing.

Memory
    64 GB (minimum)

Storage
    QRadar Network Insights requires two SSD-backed Azure managed disks:
      • 1 x 98 GiB (OS and software)
      • 1 x 250 GiB (data)

    The 98 GiB OS and software disk is configured automatically by the QRadar image. You must create and attach the additional 250 GiB data disk yourself.

    Warning: It is not possible to increase storage after installation, so size the data disk before you install.

Networking
    QRadar Network Insights requires a minimum of two network interfaces:
      • One management interface
      • One monitoring interface
        • The Maximum Transmission Unit (MTU) of the monitoring interface must be set to 9001. Mirrored frames arrive with VXLAN encapsulation added, so the monitoring interface must accept frames that are larger than the source's own MTU.
        • For best results, enable accelerated networking on the interface.
        • On larger compute-optimized instance types, you can add more monitoring interfaces.

Network security groups
    The management interface must have a network security group (NSG) that allows SSH, NetFlow, and QRadar messaging connections between the QRadar Network Insights host and the QRadar Console, and between the host and any Flow Collectors or Flow Processors in the deployment.

    The monitoring interface must have an NSG that allows inbound VXLAN traffic (UDP port 4789) from the mirror source. Azure evaluates the NSG on the subnet as well as the NSG on the interface, so if the monitoring interface's subnet also has an NSG, it must allow the same VXLAN traffic.

To view the system requirements for other IBM QRadar virtual appliances, see System requirements for virtual appliances in the IBM QRadar Installation Guide.

Traffic mirroring

Traffic mirroring uses a virtual network TAP to continuously stream network traffic from a Microsoft Azure virtual machine (source) to an IBM QRadar Network Insights instance (target) for content inspection and monitoring. The TAP delivers the mirrored frames VXLAN-encapsulated to the monitoring interface.

Before you configure traffic mirroring, you must have a QRadar Network Insights instance with an attached monitoring interface.

If you are using a third-party packet broker, it must support VXLAN encapsulated traffic exports to the QRadar Network Insights monitoring port.

For more information about setting up a virtual network TAP, see the Microsoft Azure website (https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview).
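The mirror target sees each mirrored frame wrapped in outer Ethernet, IPv4, UDP (destination port 4789) and VXLAN headers, 50 bytes in total, which is why the monitoring interface needs a larger MTU than the source. The following added example (not IBM or Microsoft code) builds such a frame from constructed sample bytes with placeholder addresses, decapsulates it the way a capture tool would, and shows whether a full-size mirrored frame fits a given monitoring MTU. The VNI, MACs and IP addresses are assumptions chosen for the example.

```python
"""Decapsulate a VXLAN-encapsulated mirrored frame, as a mirror target such as a
QRadar Network Insights monitoring interface receives it. Added example for this
page, not IBM or Microsoft code; the frame is constructed inline with placeholder
addresses, so it runs without a capture."""
import socket
import struct

VXLAN_PORT = 4789
ETH_LEN, IPV4_LEN, UDP_LEN, VXLAN_LEN = 14, 20, 8, 8
VXLAN_OVERHEAD = ETH_LEN + IPV4_LEN + UDP_LEN + VXLAN_LEN  # 50 bytes added to every mirrored frame


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header with DF set and a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_LEN + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def sample_inner_frame(payload_len: int = 0) -> bytes:
    """Constructed sample: a TCP SYN to port 443 between two example VMs in the mirrored VNet."""
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = ipv4_header("10.0.0.4", "10.0.0.5", 6, len(tcp) + payload_len)
    eth = b"\x00\x0d\x3a\x00\x00\x05" + b"\x00\x0d\x3a\x00\x00\x04" + struct.pack("!H", 0x0800)
    return eth + ip + tcp + b"\x00" * payload_len


def build_vxlan_frame(inner: bytes, vni: int, tap_src: str = "10.0.1.10", tap_dst: str = "10.0.2.4") -> bytes:
    """Wrap an inner Ethernet frame the way a VXLAN TAP or packet broker sends it to the monitoring NIC."""
    vxlan = struct.pack("!II", 0x08 << 24, (vni & 0xFFFFFF) << 8)  # I flag set, 24-bit VNI
    udp_len = UDP_LEN + VXLAN_LEN + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)  # zero checksum is permitted for UDP over IPv4
    ip = ipv4_header(tap_src, tap_dst, 17, udp_len)
    eth = b"\x00\x0d\x3a\x00\x00\x02" + b"\x00\x0d\x3a\x00\x00\x01" + struct.pack("!H", 0x0800)
    return eth + ip + udp + vxlan + inner


def decap_vxlan(frame: bytes) -> dict:
    """Validate the outer headers and return the VNI, the inner frame's addresses and the overhead.
    Raises ValueError for anything that is not complete VXLAN on UDP/4789, which is also what a
    truncated capture (snaplen or MTU too small for the encapsulated frame) looks like."""
    if len(frame) < VXLAN_OVERHEAD + ETH_LEN:
        raise ValueError("frame too short to hold VXLAN encapsulation and an inner Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    if frame[ETH_LEN + 9] != 17:
        raise ValueError("outer packet is not UDP")
    if ETH_LEN + total_len > len(frame):
        raise ValueError(f"truncated: IP total length {total_len} exceeds {len(frame) - ETH_LEN} captured bytes")
    udp_off = ETH_LEN + ihl
    _src_port, dst_port = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    if dst_port != VXLAN_PORT:
        raise ValueError(f"UDP destination port {dst_port}, expected {VXLAN_PORT}")
    vx_off = udp_off + UDP_LEN
    flags, vni_word = struct.unpack("!II", frame[vx_off:vx_off + VXLAN_LEN])
    if not (flags >> 24) & 0x08:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    inner = frame[vx_off + VXLAN_LEN:ETH_LEN + total_len]
    info = {"outer_src": socket.inet_ntoa(frame[ETH_LEN + 12:ETH_LEN + 16]),
            "outer_dst": socket.inet_ntoa(frame[ETH_LEN + 16:ETH_LEN + 20]),
            "vni": vni_word >> 8, "inner_len": len(inner), "overhead": len(frame) - len(inner)}
    if struct.unpack("!H", inner[12:14])[0] == 0x0800:  # decode inner IPv4 addresses for the operator
        info.update(inner_src=socket.inet_ntoa(inner[26:30]), inner_dst=socket.inet_ntoa(inner[30:34]),
                    inner_proto=inner[23])
    return info


def fits_mtu(inner_frame_len: int, monitoring_mtu: int) -> bool:
    """True if a mirrored frame of inner_frame_len bytes (its Ethernet header included) fits the
    monitoring interface's MTU once the outer IPv4, UDP and VXLAN headers are added."""
    return inner_frame_len + IPV4_LEN + UDP_LEN + VXLAN_LEN <= monitoring_mtu


if __name__ == "__main__":
    frame = build_vxlan_frame(sample_inner_frame(), vni=1234)
    print(decap_vxlan(frame))
    # A full-size 1500-byte IP packet from the source is a 1514-byte frame; encapsulated it no longer fits a 1500 MTU.
    for mtu in (1500, 9001):
        print(f"MTU {mtu}: full-size mirrored frame fits = {fits_mtu(1514, mtu)}")
```

Feed `decap_vxlan` the bytes of a frame captured with `tcpdump -w` on the monitoring interface to confirm the VNI and inner addresses your mirror session should produce; a `ValueError` about truncation on frames near 1550 bytes is the symptom of a monitoring interface whose MTU was left at the default.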

Verifying that the QRadar Network Insights host is receiving flow data

After the traffic mirror session is configured, you can verify that the IBM QRadar Network Insights managed host is receiving flow data.

Before you begin

You must configure a QRadar Console and a QRadar Network Insights managed host in your Microsoft Azure environment.

You must configure a traffic mirroring session to forward traffic to the monitoring interface.

Procedure

  1. Use SSH to log in to the target QRadar Network Insights instance.
  2. To verify that mirrored traffic is reaching the QRadar Network Insights instance, capture on the monitoring interface and filter for VXLAN:
    tcpdump -nn -i <eth1> -c 20 udp port 4789

    where <eth1> is the interface name of the mirror target. The -nn option disables name resolution and -c 20 stops the capture after 20 packets. If nothing is captured, check the NSG rules on the monitoring interface and its subnet, and the traffic mirroring session configuration.

  3. Alternatively, you can enable a network security group (NSG) flow log on the NSG that is attached to the monitoring interface.
    NSG flow logs are a feature of Microsoft Azure Network Watcher that records information about the IP traffic that flows through an NSG. The flow log data is useful when you want to verify that QRadar Network Insights is receiving mirrored traffic: look for inbound UDP flows to port 4789 on the monitoring interface's address with decision A (allowed). Flows with decision D (denied) indicate that the NSG rule for VXLAN is missing or wrong.
    For more information, see the following pages in the Microsoft Azure documentation portal.
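The following added example (not IBM or Microsoft code) shows how to read NSG flow log records offline and answer the question this step asks: are VXLAN flows from the mirror source being allowed to the monitoring interface, or denied? The flow log document embedded below is constructed to follow the Network Watcher flow log schema (version 2 tuples, with empty counters for "begin" state flows); the subscription, NSG name, MACs, rule names and addresses are placeholders.

```python
"""Check Azure NSG flow log records for VXLAN flows reaching a QRadar Network Insights
monitoring interface. Added example for this page, not IBM or Microsoft code. The
records are constructed to look like Network Watcher output; all identifiers are placeholders."""
import json
from collections import Counter

VXLAN_PORT = 4789

# Field order of a flow tuple, per the Network Watcher NSG flow log schema. Version 1 has the
# first 8 fields; version 2 appends the flow state and four counters, which are empty for
# state B ("begin") because nothing has been counted yet.
V1_FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction", "decision")
V2_FIELDS = V1_FIELDS + ("state", "pkts_fwd", "bytes_fwd", "pkts_rev", "bytes_rev")


def parse_tuple(tuple_str: str, version: int) -> dict:
    """Split one comma-separated flow tuple into typed fields; empty counters become 0."""
    parts = tuple_str.split(",")
    fields = V2_FIELDS if version >= 2 else V1_FIELDS
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields for version {version}, got {len(parts)}: {tuple_str!r}")
    rec = dict(zip(fields, parts))
    rec["ts"] = int(rec["ts"])
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    for key in ("pkts_fwd", "bytes_fwd", "pkts_rev", "bytes_rev"):
        rec[key] = int(rec[key]) if rec.get(key) else 0
    return rec


def iter_flows(log: dict):
    """Yield (rule_name, mac, parsed_tuple) for every tuple in a flow log document."""
    for record in log.get("records", []):
        props = record["properties"]
        version = int(props.get("Version", 1))
        for rule in props["flows"]:
            for flow in rule["flows"]:
                for tuple_str in flow["flowTuples"]:
                    yield rule["rule"], flow["mac"], parse_tuple(tuple_str, version)


def vxlan_mirror_status(log: dict, monitoring_ip: str) -> dict:
    """Summarise inbound UDP/4789 flows to the monitoring NIC: which sources were allowed,
    which were denied and by which rule, and how many bytes of mirrored traffic were counted."""
    status = {"allowed": Counter(), "denied": Counter(), "deny_rules": set(), "bytes_in": 0}
    for rule, _mac, f in iter_flows(log):
        if (f["dst_ip"], f["dst_port"], f["proto"], f["direction"]) != (monitoring_ip, VXLAN_PORT, "U", "I"):
            continue
        if f["decision"] == "A":
            status["allowed"][f["src_ip"]] += 1
            status["bytes_in"] += f["bytes_fwd"]
        else:
            status["denied"][f["src_ip"]] += 1
            status["deny_rules"].add(rule)
    status["receiving"] = bool(status["allowed"])
    return status


# Constructed sample document: one allowed mirror source (10.0.1.10), one mirror source that hits
# the default deny rule (10.0.1.11), and an unrelated denied SSH probe that must be ignored.
SAMPLE_LOG = json.loads("""{
 "records": [{
   "time": "2024-05-01T12:00:35Z",
   "category": "NetworkSecurityGroupFlowEvent",
   "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/QRADAR/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/QNI-MONITOR-NSG",
   "operationName": "NetworkSecurityGroupFlowEvents",
   "properties": {"Version": 2, "flows": [
     {"rule": "UserRule_allow-vxlan-from-tap", "flows": [{"mac": "000D3A000002", "flowTuples": [
        "1714564800,10.0.1.10,10.0.2.4,49152,4789,U,I,A,B,,,,",
        "1714564860,10.0.1.10,10.0.2.4,49152,4789,U,I,A,C,120,154000,0,0"]}]},
     {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000002", "flowTuples": [
        "1714564805,10.0.1.11,10.0.2.4,49152,4789,U,I,D,B,,,,",
        "1714564810,203.0.113.7,10.0.2.4,40000,22,T,I,D,B,,,,"]}]}
   ]}
 }]
}""")

if __name__ == "__main__":
    result = vxlan_mirror_status(SAMPLE_LOG, "10.0.2.4")
    print("receiving mirrored traffic:", result["receiving"])
    print("allowed sources:", dict(result["allowed"]), "bytes:", result["bytes_in"])
    print("denied sources:", dict(result["denied"]), "by rules:", sorted(result["deny_rules"]))
```

Replace `SAMPLE_LOG` with a document downloaded from the flow log storage container and `"10.0.2.4"` with the private address of your monitoring interface. A non-empty `denied` counter with the mirror source's address is the fastest way to spot a missing UDP/4789 allow rule, whether on the interface NSG or on a subnet NSG.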