IBM Support

QRadar: How to know what user created a log source in QRadar

Troubleshooting


Problem

How do I create a search to locate log sources created by users?

Resolving The Problem

This solution creates a search that uses SIM Audit events to identify log sources that users created manually.

To create the search:
  1. Log in to the QRadar UI.
  2. Click the Log Activity tab.
  3. Click Add Filter > Log Source > Equals > Sim Audit 2::
  4. Click Add Filter > Event Name > Equals > Browse.
  5. In the QID/Name search box, enter Sensor Device Added.
  6. Click OK.
  7. Click Add Filter > Username (Indexed) > Does not equal any of > admin.
  8. Click OK to add the filter.
  9. Adjust the Start Time, End Time and Date.
  10. Click Update.
Results: You have a search that finds users who have created log sources.
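
The same filters can be expressed as an AQL query for the Advanced Search box on the Log Activity tab. This is an added example, not part of the IBM procedure; the `SIM Audit%` name prefix and the 7-day window are assumptions to adjust for your deployment.

```sql
-- Added example (not from the IBM page): AQL equivalent of the filters above.
-- Assumptions: the audit log source name starts with "SIM Audit", and a
-- 7-day window stands in for the Start Time / End Time chosen in step 9.
SELECT
    starttime,
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    username,                                   -- account that added the log source
    sourceip,                                   -- source IP recorded on the audit event
    LOGSOURCENAME(logsourceid) AS log_source,   -- should resolve to the SIM Audit source
    QIDNAME(qid) AS event_name,
    UTF8(payload) AS audit_payload              -- raw audit record for the new log source
FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE 'SIM Audit%'
  AND QIDNAME(qid) = 'Sensor Device Added'
  AND username != 'admin'                       -- same exclusion as step 7
ORDER BY starttime DESC
LAST 7 DAYS
```

Removing the `username != 'admin'` condition also returns log sources added under the admin account, which is useful when that account is shared or when reviewing all log source additions.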

Document Location

Worldwide


Document Information

Modified date:
31 March 2020

UID

ibm10883224