Step by Step QRadar deployment at AWS

By Nikhil Bhavsar posted Wed August 26, 2020 08:14 AM

  
Summary: This document provides step-by-step guidance for installing QRadar in an AWS environment.

Prerequisites:
1. An AWS Marketplace account.
2. A subscription with sufficient system resources, including storage, for the QRadar deployment at Amazon.
3. A valid QRadar software license.

Steps to Deploy QRadar on AWS using AWS AMI (Amazon Machine Image)
01.  Open https://aws.amazon.com/console/, click AWS Management Console, and log in to your AWS account.

02.  After a successful login, you will need to create an Amazon EC2 (Elastic Compute Cloud) instance on AWS.
Note: Amazon EC2 (Elastic Compute Cloud) is a special type of virtual appliance image specifically built for use in the AWS Cloud environment.

03.  Launch an EC2 instance by clicking EC2 and then clicking Launch Instance.

04.  After you launch the instance, you are prompted to select the AMI (Amazon Machine Image). Search for the QRadar AMI in the search bar and select the appropriate QRadar AMI for your installation.

There are primarily two types of AMIs available.
a. AWS Marketplace: AMIs available on AWS Marketplace, which are verified by AWS.
b. Community AMIs: AMIs that are created by users and permitted to be shared with AWS users and the community.

We searched for the QRadar AMI in the search bar, filtered the results by AWS Marketplace, and selected the QRadar Console AMI.

05.  Upon selecting the AMI, you are shown the product details, the suggested instance types, and their fees. Review the details and click Continue to go to the next page.

06.  Now select the instance type that suits your requirements from the available options. We selected m4.4xlarge here. After selecting the instance with its default capacity, you can either review and launch, or configure the instance details, primarily to customize storage and network interfaces.

07.  In the next step, you can configure IAM roles, network settings, and so on for the EC2 instance. Here we kept the default settings and clicked Next to reach the configuration details for the default storage assigned to the EC2 instance.

08.  In this step, you can increase or reduce the disk capacity assigned by default to the EC2 instance according to the instance type selected in step 6. We kept the default disk space of the m4.4xlarge EC2 instance.

09.  In the next step, you can optionally add tags to the EC2 instance being created. Tagging the instance is helpful for purposes such as inventory, billing, and ownership.

10.  The next page provides an important option: Configure Security Group. Because we selected the AWS AMI for QRadar at the beginning, the wizard automatically provides port 443 TCP for HTTPS connections and port 22 TCP for SSH connections to the EC2 instance. These are the primary methods of accessing the QRadar console over the network.

Additionally, you can restrict the source IP address/range that is allowed to access the QRadar EC2 instance. Leaving the default source of “0.0.0.0/0” would allow access to the instance from anywhere on the internet. As a security best practice, define a specific IP address/range here so that only connections initiated from that address/range are whitelisted.

11.  Once the appropriate settings are applied, the EC2 instance with the QRadar AMI is ready to launch. Review and launch the configured QRadar EC2 instance. Provisioning takes about 10 to 40 minutes, depending on the selected AMI and the compute of the EC2 instance.

12.  During the installation, you can check the subscription status and view and launch instances by clicking Manage subscription and then selecting the appropriate option from the Actions drop-down menu.


13.  After the AMI is provisioned successfully, its status appears as running and you are ready to log in to QRadar through the CLI. The first task is to create a key pair that allows you to connect securely to QRadar.

14.  Create the key pair by selecting it under the Network & Security option in the left pane.

15.  You can choose the format of the key to be created: PEM, used for OpenSSH, or PPK, primarily used for PuTTY.

16.  After creating the key, connect to QRadar with an SSH client, using the details below.

17.  Change the permission as shown in the screenshot above and log in using SSH.
       
        To log in to the AWS instance by using the key pair that you created when you configured the instance, type the following command:

        ssh -i <key.pem> ec2-user@<public_IP_address>
        Example: ssh -i "QRadar-KeyPair.pem" ec2-user@<Public_IP_Address>

Note:
a. Use the username ec2-user with SSH, as it is the default user for all AWS instances.
b. Log in using the currently assigned public IP, which you can find by clicking on the instance details.

18.  After successfully connecting to the installed QRadar instance, install the Console by running the “sudo /root/setup_console.sh” command.

19.  At the end, the installer applies the enterprise template; this step takes a couple of minutes.

20.  At the end, the installation wizard asks you to supply the admin password, which you will use to log in to the GUI of the QRadar instance.

21.  After supplying the admin password, wait 10 minutes while QRadar starts all the necessary services, and then try to access the QRadar GUI using the public IP only. The QRadar GUI takes some time to start the first time. Use the username admin and the password that you set in the last step.

22.  At the first login, QRadar asks you to change the password in line with a specific password security policy. After changing the password and logging in to the QRadar system, you will need to install the valid QRadar license that you received from IBM, as this is a BYOL deployment.

Click Admin and then navigate to System and License Management to upload the license.

23.  After uploading the valid license, you will need to deploy the changes or perform a full deploy. Once the changes are deployed successfully, you can start using QRadar.
 

References:
- Create/Login AWS Account at https://console.aws.amazon.com/console/
- System resources requirement for QRadar system per the capacity: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/c_siem_vrt_ap_reqs.html
- QRadar product documentation for the AWS deployment procedure: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_siem_inst_AWS_image.html


Prepared by:
Anuj Shrivastava
Security Architect

Nikhil Bhavsar, CISSP
WW Security Architect - GSI

Comments

Wed September 02, 2020 08:07 AM

Hi,
Nice blog.
The official documentation for installing the AWS Host from the Marketplace can be found here:
For Console
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_siem_inst_AWS_image.html
For App Host
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_siem_inst_ah_AWS_image.html
For Managed Host
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_siem_inst_mh_AWS_image.html
Thanks and Regards.
Sree