Question & Answer
Question
Is there a way for QRadar administrators to create a rule to find out when a user was added or deleted?
Answer
QRadar creates an audit event (SIM Audit-2 events) for every change that is made on the Console. To find the event that is generated when a user account is added:
- Log in to the QRadar User Interface.
- Click the Log Activity tab.
- Click Add Filter.
- Choose QID [Indexed].
- Locate the QID for this event, which is 28250067.
Event name: User Account Added
This event contains all the information about the newly added QRadar user account. Using the Rule Wizard, you can create an event rule that looks for this event QID and has an Offense Email as its response.
Similarly, there are events for User Account Deleted and Modified, for example:
QID: 28250068 Event Name: User Account Deleted
For more information on creating Rules, please refer to the IBM Knowledge Center.
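The same filter can be expressed as an Ariel Query Language (AQL) search, which is useful for checking that the two QIDs above return the expected audit events before a rule is built on them. This is an added example, not part of the original technote; the 7-day and 30-day windows are arbitrary, and it assumes the `username` property of the audit event holds the administrator who made the change (the full record is in the payload).

```sql
-- AQL, entered in Log Activity > Advanced Search.
-- QIDs are the ones given in this technote:
--   28250067 = User Account Added, 28250068 = User Account Deleted

-- 1) Every account add/delete audit event in the last 7 days, newest first.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    QIDNAME(qid)                                 AS event_name,
    username                                     AS acting_user,  -- assumption: the admin who made the change
    sourceip                                     AS source_ip,
    LOGSOURCENAME(logsourceid)                   AS log_source,
    UTF8(payload)                                AS audit_payload -- raw audit record, names the affected account
FROM events
WHERE qid IN (28250067, 28250068)
ORDER BY starttime DESC
LAST 7 DAYS

-- 2) How many accounts each administrator added or deleted in the last 30 days.
--    A sudden spike for one acting_user is a good candidate for a rule threshold.
SELECT
    username     AS acting_user,
    QIDNAME(qid) AS event_name,
    COUNT(*)     AS changes
FROM events
WHERE qid IN (28250067, 28250068)
GROUP BY username, qid
ORDER BY changes DESC
LAST 30 DAYS
```

Run each statement as a separate search; if the first one returns no rows after a test account is created, confirm that the SIM Audit log source is enabled before relying on a rule for these QIDs.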
Document Information
Modified date: 16 June 2018
UID: swg22000454