NOTE:
This blog post is outdated and some of the steps may not work correctly. If you have problems, please let us know at the Azure Log Integration forum.
With the first release of IBM QRadar's DSM for Azure Activity logs, you can now integrate your Azure logs into QRadar SIEM (Security Information and Event Management) and see them categorized correctly in QRadar.
By following the steps outlined here, you will be able to integrate the following logs into QRadar
At this time there are about 1400 events from Azure Activity logs that will successfully map to categorized events in QRadar.
Before continuing, please review the topic at Azure log integration. It covers the high-level architecture of the integration.
If you have any previous version of Azure log integration installed, you will need to uninstall it first. Uninstalling it will remove all sources that are registered.
Steps to uninstall:
Azlog removeazureid
3. In Control Panel --> Add or remove programs --> Microsoft Azure Log Integration --> Uninstall
Add-AzLogEventDestination -Name QRadarConsole1 -SyslogServer 10.0.0.5 -SyslogFormat LEEF
Name is a friendly name for the destination.
SyslogServer is the IP address of the QRadar console (you can also specify the syslog port if necessary).
.\azlog.exe createazureid
.\azlog authorize <SubscriptionID>
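Once the destination is registered, the practical check is whether the QRadar console is actually receiving well-formed LEEF events. The following is an added example, not code from the original post or from Azure Log Integration: it parses syslog lines carrying LEEF 1.0 and 2.0 payloads (header layout per IBM's LEEF specification) and counts what the console would reject. The sample lines, vendor/product strings, event IDs and attribute names are constructed placeholders.

```python
import re

# Constructed sample syslog lines, as a QRadar console might receive them from a
# LEEF-format destination. Vendor, product, event IDs and attribute names are
# placeholders, not real Azure Log Integration output.
SAMPLE_SYSLOG = [
    "<134>Jan 10 12:00:00 azlog-host LEEF:1.0|Microsoft|Azure Activity|1.0|Write|"
    "usrName=admin@example.com\tsrc=203.0.113.7\tstatus=Succeeded",
    "<134>Jan 10 12:00:01 azlog-host LEEF:2.0|Microsoft|Azure Activity|1.0|Delete|^|"
    "usrName=admin@example.com^src=203.0.113.7^status=Failed",
    "<134>Jan 10 12:00:02 azlog-host plain text with no LEEF payload",
]

LEEF_HEADER = re.compile(r"LEEF:(\d\.\d)\|")

def _delimiter(spec):
    """LEEF 2.0 delimiter field: empty means tab; 'x09' or '0x09' names a hex code point."""
    hexed = re.fullmatch(r"0?x([0-9a-fA-F]{1,2})", spec)
    return chr(int(hexed.group(1), 16)) if hexed else (spec or "\t")

def parse_leef(line):
    """Parse a syslog line carrying a LEEF 1.0/2.0 payload; None if absent or malformed."""
    m = LEEF_HEADER.search(line)
    if not m:
        return None
    version, payload = m.group(1), line[m.end():]
    # Header fields: Vendor|Product|Version|EventID|[Delimiter|]Attributes (delimiter only in 2.0)
    n_header = 5 if version == "2.0" else 4
    parts = payload.split("|", n_header)
    if len(parts) != n_header + 1:
        return None
    delim = _delimiter(parts[4]) if version == "2.0" else "\t"
    attrs = dict(kv.split("=", 1) for kv in parts[n_header].split(delim) if "=" in kv)
    return {"version": version, "vendor": parts[0], "product": parts[1],
            "product_version": parts[2], "event_id": parts[3], "attributes": attrs}

def check_destination(lines):
    """Count parseable vs. rejected lines and tally event IDs: a sanity check on the feed."""
    summary = {"parsed": 0, "rejected": 0, "by_event": {}}
    for line in lines:
        ev = parse_leef(line)
        if ev is None:
            summary["rejected"] += 1
            continue
        summary["parsed"] += 1
        summary["by_event"][ev["event_id"]] = summary["by_event"].get(ev["event_id"], 0) + 1
    return summary
```

Feed it lines captured from the syslog listener on the console; a non-zero rejected count means the destination is emitting something QRadar's DSM will not map.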