Configuring a 7.5.0 virtual appliance on Microsoft Azure

Configure an IBM® QRadar® virtual appliance in Microsoft Azure by using the provided image.

Before you begin

You must acquire entitlement to a QRadar Software Node for any QRadar instance that is deployed from a third-party cloud marketplace. Entitlement to the software node must be in place before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM Support. If you experience any problems with Microsoft Azure infrastructure, refer to Microsoft Azure Support documentation. If IBM Support determines that your issue is caused by the Microsoft Azure infrastructure, you must contact Microsoft for support to resolve the underlying issue with the Microsoft Azure infrastructure.

You must use static IP addresses.

If you are installing IBM QRadar Network Insights, refer to the minimum system requirements.

If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data gateway in Microsoft Azure (https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_hosted_azure.html).

If you deploy a managed host and a Console in the same virtual network, use the private IP address of the managed host to add it to the Console.

If you deploy a managed host and a Console in different virtual networks, you must allow firewall rules for the communication between the Console and the managed host. For more information, see QRadar port usage.

Procedure

  1. Go to the Microsoft Azure Marketplace (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/ibm.qradar750?tab=Overview).
    Note: The Plans + Pricing tab can be used to estimate pricing for certain VM sizes, but you don't choose your VM size on this screen. Refer to the Core and RAM columns when you are estimating pricing.
  2. Click Get It Now.
  3. Select QRadar SIEM Console 7.5.0 from the Software plan menu list and click Continue.
  4. Click Create to create an instance of the virtual appliance.
  5. Configure VM settings.
    1. Select an existing Resource Group or create a new one.
    2. Enter a virtual machine name.
      Note: The VM name must be 10 characters or fewer.
    3. Select a Region.
    4. Click See all sizes and select an x64-based size that meets the minimum System requirements for virtual appliances from the following list: D-Series v4, B-Series, DC-Series, E-Series v4, F-Series v2, H-Series, D-Series v3, E-Series v3, D-Series v2.
    5. Enter a username for the administrator account.
    6. Choose an SSH public key or Password.

      For more information about creating and using an SSH public-private key pair for Linux® VMs in Microsoft Azure, see Microsoft documentation.

  6. Click Next: Disks >
    Important: If you are installing a storage disk greater than 2 TB, you must run the following script, which is available on Fix Central: Fix Central Azure 750 Image Storage Fix.

    For more information, see Microsoft Azure software installs when /store is 2TB or larger.

    1. Under the Data disks section, click Create and attach a new disk.
    2. Enter a name for your data disk.
    3. Leave the Source type as None (empty disk).
    4. Click Change Size.
    5. Select a Disk SKU.
    6. Estimate your storage needs and then enter a size in GiB. Click OK after the size is entered.
      The minimum size is 250 GiB. The added disk must be the second disk. It cannot be the third or greater disk. When the installation is complete, the disk contains the /store and /transient partitions.
      Warning: It is not possible to increase storage after installation.
    7. Click OK to add the data disk.
  7. Click Next: Networking >
    1. Create or select an existing Virtual Network.
    2. Create or select a Subnet for your Virtual Network.
    3. Under NIC network security group, select Advanced.
    4. Create or select a network security group that allows port 22, and also port 443 for a QRadar Console, so that it acts as an allowlist of trusted IP addresses that can access your QRadar deployment.
      In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar.
  8. Click Review + Create.
  9. Click Create to deploy the instance. This might take a few minutes.
  10. When your VM is deployed in Microsoft Azure, click Go to resource.
  11. If you are installing a QRadar Network Insights 6500 appliance, add additional network interfaces.
    1. Stop your virtual machine (VM).
    2. After the VM is stopped, click the Networking tab in the left menu of the VM overview page.
    3. Click Attach network interface, then select a network interface from the drop-down menu, or click Create and attach network interface if you don't already have one created.
    4. Configure the interface as needed and ensure that it is in the same subnet as the VM you created.
    5. Click Create.
    6. Return to the VM Overview tab and restart your VM.
  12. When the VM is ready, log in using either your key pair or password by typing one of the following commands.
    • To log in using SSH and your key pair, type the following command:
      ssh -i <key.pem> user@<public_IP_address>
    • To log in using SSH and your password, type the following command:
      ssh user@<public_IP_address>
  13. Type the following command to install the virtual appliance:
    sudo /root/setup <appliance_id>

    For example, to deploy an Event Collector type the following command:

    sudo /root/setup 1599

    If the SSH session disconnects, type the following command to reconnect to the installer:
    sudo screen -r qradar

    You can install the following virtual appliance types:

    Appliance type ID   Appliance type
    1299                Flow Collector
    1400                Data Node
    1599                Event Collector
    1699                Event Processor
    1799                Flow Processor
    1899                Event and Flow Processor
    3199                All-in-One (Console)
    4000                App host appliance
    6500                QRadar Network Insights
    7000                Data Gateway appliance
  14. Enter a password for the admin account for a QRadar SIEM All-in-One (QRadar Console), or the root password for all other appliance types. Set a strong password that meets the following criteria:
    • Contains at least 5 characters
    • Contains no spaces
    • Can include the following special characters: @, #, ^, and *.
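
The allowlist requirement in step 7 can be verified after deployment. The following added example (not IBM code and not part of the original procedure) audits network security group rules, supplied in the JSON shape that `az network nsg rule list --output json` returns, and reports every inbound allow rule that exposes port 22 or 443 to a source outside a trusted list. The sample rules and the trusted range 203.0.113.0/24 are constructed, and rule priority ordering is not evaluated.

```python
import ipaddress

MGMT_PORTS = {22, 443}  # ports the procedure opens (443 is for a Console)

def ports_hit(spec):
    """Management ports covered by one NSG port spec: '22', '20-25' or '*'."""
    if spec == "*":
        return set(MGMT_PORTS)
    lo, _, hi = spec.partition("-")
    return {p for p in MGMT_PORTS if int(lo) <= p <= int(hi or lo)}

def source_trusted(prefix, trusted):
    """True only if prefix is an IP or CIDR that lies inside a trusted network."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:  # '*', 'Internet' and other service tags are not allowlisted
        return False
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)

def audit(rules, trusted_cidrs):
    """Return (rule name, source, exposed ports) for each untrusted exposure."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for r in rules:
        if (r["direction"].lower(), r["access"].lower()) != ("inbound", "allow"):
            continue
        if r["protocol"].lower() not in ("tcp", "*"):
            continue
        # Azure fills either the singular field or the plural list, so read both.
        specs = [r.get("destinationPortRange")] + (r.get("destinationPortRanges") or [])
        ports = set().union(*(ports_hit(s) for s in specs if s))
        sources = [r.get("sourceAddressPrefix")] + (r.get("sourceAddressPrefixes") or [])
        for src in filter(None, sources):
            if ports and not source_trusted(src, trusted):
                findings.append((r["name"], src, sorted(ports)))
    return findings

# Constructed sample rules (documentation address ranges), not from a real deployment.
SAMPLE_RULES = [
    {"name": "ssh-admin", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.10", "destinationPortRange": "22"},
    {"name": "https-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "wide-range", "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefixes": ["203.0.113.0/25", "198.51.100.7"],
     "destinationPortRanges": ["20-25", "8443"]},
]
TRUSTED = ["203.0.113.0/24"]  # assumed trusted administrator range
if __name__ == "__main__":
    print(audit(SAMPLE_RULES, TRUSTED))
```

An empty result means that every rule covering port 22 or 443 is limited to the trusted ranges.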

What to do next

For QRadar SIEM All-in-One (QRadar Console) installations, the QRadar instance uses Coordinated Universal Time (UTC). You can change the time zone of the instance. For more information about changing the time zone, see Configuring system time.

This image does not receive automatic software upgrades. You must manually upgrade your system to keep it up to date. To receive QRadar upgrade notifications, see Receiving QRadar update notifications.

For all managed host installations (except data gateways), see Adding a managed host.

For QRadar Network Insights installations, see Installations on Microsoft Azure for information about adding the virtual appliance as a managed host and configuring flow sources and traffic monitoring.