QRadar - Storage Account permissions issue

SteveJ 1 Reputation point
2021-12-07T11:17:18.42+00:00

Hi,

We have QRadar set up and I'm trying to get logs from an event hub over to QRadar. I have followed the instructions given by both IBM and Microsoft and created both the event hub and storage account as per these.
https://www.ibm.com/docs/en/dsm?topic=options-configuring-microsoft-azure-event-hubs-communicate-qradar
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs

When I run a test from QRadar for connectivity it outputs an error saying unable to connect to the storage account, see below:
Error: An error occurred that represents an exception for the Microsoft Azure Storage Service.
Error: Unable to connect to the Storage Account [****]. Ensure that the Storage Account Connection String is valid and that QRadar can connect to [****.blob.core.windows.net]
Error: The error didn't provide an error message that could be posted.

Before this, it is successful in parsing event hub and storage account connection string and subsequently the DNS resolution and TCP/SSL connections to both and it successfully downloads the certificates.

I don't know what I've done wrong here. Are there permissions for QRadar that I need to set for the storage account? I can't find these if there are.

I would much appreciate any help. Thanks in advance!

If you need any more info, please let me know.


3 answers

  1. deherman-MSFT 37,666 Reputation points Microsoft Employee
    2021-12-07T22:31:11.627+00:00

    @SteveJ
    It sounds like your storage account may be unreachable. Please check the firewall setting and configuration settings of the storage account to make sure it is reachable from the internet or the appropriate IP addresses.

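One way to carry out the firewall check suggested in the answer above, as an added example that is not part of the original thread or of IBM's or Microsoft's tooling: it evaluates a storage account's network rule set against the public address QRadar connects from. The rule set is a constructed sample in the shape printed by `az storage account show --query networkRuleSet`, and the candidate addresses are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the shape printed by
#   az storage account show --name <account> --resource-group <rg> --query networkRuleSet
# (all values are made up for this example).
SAMPLE_RULESET = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [
    {"action": "Allow", "ipAddressOrRange": "203.0.113.10"},
    {"action": "Allow", "ipAddressOrRange": "198.51.100.0/24"}
  ],
  "virtualNetworkRules": []
}
""")


def check_source_ip(ruleset, source_ip):
    """Return (allowed, reason) for a public source IP against the firewall rules."""
    ip = ipaddress.ip_address(source_ip)
    if ruleset.get("defaultAction", "Allow") == "Allow":
        return True, "defaultAction is Allow: firewall does not filter by source IP"
    for rule in ruleset.get("ipRules") or []:
        if rule.get("action", "Allow") != "Allow":
            continue
        # An entry is either a single address or a CIDR range.
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if ip.version == net.version and ip in net:
            return True, f"matched ipRule {rule['ipAddressOrRange']}"
    return False, "defaultAction is Deny and no ipRule covers this address"


if __name__ == "__main__":
    # Hypothetical public egress addresses of the QRadar host.
    for candidate in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        allowed, reason = check_source_ip(SAMPLE_RULESET, candidate)
        print(f"{candidate}: {'ALLOWED' if allowed else 'BLOCKED'} ({reason})")
```

A storage firewall denial is returned at the HTTP layer, so DNS, TCP and TLS checks can pass while the container check still fails.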


  2. Peter Fischer 1 Reputation point
    2022-01-05T14:59:12.5+00:00

    Hi
    We also get an error when we test from QRadar.
    Attempting to parse the Storage Account Connection String. - Passed

    Checking the provided Storage Account's permissions. - Failed

    • Successfully parsed the Storage Account Connection String
    • Successfully created a reference to the Storage Account Container : aadeventhub-test
    • Checking if the container exist and creating it if it doesn't exist.
    • Error: An error occurred that represents an exception for the Microsoft Azure Storage Service.
    • Error: Unable to connect to the Storage Account [xxxx]. Ensure that the Storage Account Connection String is valid and that QRadar can connect to [xxxx.blob.core.windows.net]
    • Error: The error didn't provide an error message that could be posted.
    • Debug: com.microsoft.azure.storage.StorageException:

    Thank you for your help


  3. _JJ learning Azure 0 Reputation points
    2023-05-26T16:19:22.07+00:00

    I am pushing my logs into Blob Storage. How do I send these logs to QRadar?
