Microsoft Azure Active Directory

The IBM QRadar DSM for Microsoft Azure Active Directory Audit logs collects events such as user creation, role assignment, and group assignment events. The Microsoft Azure Active Directory Sign-in logs collect user sign-in activity events.

Follow these steps:

  1. If you do not have an existing storage account, create a storage account. For more information, see Create a storage account (https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal).

Important: You must have a storage account to connect to an event hub. For more information, see the Microsoft Azure Event Hubs protocol FAQ.

  2. If you do not have an existing event hub, create an event hub. For more information, see Quickstart: Create an event hub using Azure portal (https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create).
  3. Configure Microsoft Azure Active Directory to forward events to an Azure Event Hub by streaming events through diagnostic logs. For more information, see Tutorial: Stream Azure Active Directory logs to an Azure Event Hub (https://docs.microsoft.com/en-ca/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub).

The IBM guide to creating an event hub and storage account for QRadar:

https://www.ibm.com/docs/en/dsm?topic=options-configuring-microsoft-azure-event-hubs-communicate-qradar 
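Once diagnostic logs are streaming, each event hub message carries an Azure Monitor "records" array mixing AuditLogs and SignInLogs entries. The parser below is an added example (not IBM or Microsoft code) that flattens both record types into the fields an analyst pivots on; the sample message is constructed, with field names following the Azure AD AuditLogs and SignInLogs schemas and made-up values.

```python
import json
from typing import Any

# Constructed sample of the Azure Monitor "records" envelope that Azure AD
# diagnostic settings write to an event hub. Field names follow the AuditLogs
# and SignInLogs schemas; the values are invented for illustration.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-15T09:12:44.0000000Z", "category": "AuditLogs",
     "operationName": "Add member to role",
     "properties": {
         "result": "success",
         "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
         "targetResources": [{"userPrincipalName": "bob@example.onmicrosoft.com",
                              "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                      "newValue": "\"Global Administrator\""}]}]}},
    {"time": "2024-01-15T09:13:02.0000000Z", "category": "SignInLogs",
     "operationName": "Sign-in activity",
     "properties": {"userPrincipalName": "bob@example.onmicrosoft.com",
                    "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.7",
                    "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}}},
]})


def normalize_record(rec: dict[str, Any]) -> dict[str, Any]:
    """Flatten one Azure AD diagnostic record into actor / target / outcome fields."""
    props = rec.get("properties", {})
    out = {"time": rec.get("time"), "category": rec.get("category"),
           "operation": rec.get("operationName")}
    if rec.get("category") == "AuditLogs":
        initiated = props.get("initiatedBy", {})
        actor = initiated.get("user") or initiated.get("app") or {}
        targets = props.get("targetResources", [])
        out["actor"] = actor.get("userPrincipalName") or actor.get("displayName")
        out["target"] = targets[0].get("userPrincipalName") if targets else None
        out["outcome"] = props.get("result")
        # Role assignments carry the role name as a JSON-encoded string in modifiedProperties.
        for mp in (targets[0].get("modifiedProperties", []) if targets else []):
            if mp.get("displayName") == "Role.DisplayName":
                out["role"] = json.loads(mp["newValue"])
    elif rec.get("category") == "SignInLogs":
        status = props.get("status", {})
        out["actor"] = props.get("userPrincipalName")
        out["target"] = props.get("appDisplayName")
        out["source_ip"] = props.get("ipAddress")
        # errorCode 0 is a successful sign-in; any other value is an AAD failure code.
        code = status.get("errorCode", 0)
        out["outcome"] = "success" if code == 0 else f"failure:{code}"
    return out


def parse_event_hub_message(body: str) -> list[dict[str, Any]]:
    """One event hub message holds a 'records' array; return one normalized dict per record."""
    return [normalize_record(r) for r in json.loads(body).get("records", [])]


if __name__ == "__main__":
    for event in parse_event_hub_message(SAMPLE_MESSAGE):
        print(event)
```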

ID# | From - Event Collector | To - Microsoft                               | Port | Protocol | Description | Service Required For
----|------------------------|----------------------------------------------|------|----------|-------------|-----------------------------------------------------
1   | X.X.X.X                | [Namespace Name].servicebus.windows.net      | 5671 | TCP      | REST API    | Used to query event hub.
2   | X.X.X.X                | [Storage_Account_Name].blob.core.windows.net | 443  | TCP      | REST API    | Used to store connection information about event hub.