Troubleshooting
Problem
How do I create a search to locate log sources created by users?
Resolving The Problem
This solution uses SIM Audit events to build a search that identifies log sources manually created by users.
To create the search:
- Log in to the QRadar UI.
- Click the Log Activity tab.
- Click Add Filter > Log Source > Equals > Sim Audit 2::
- Click Add Filter > Event Name > Equals > Browse
- In the QID/Name search box add Sensor Device Added.
- Click OK.
- Click Add Filter > Username (Indexed) > Does not equal any of > admin.
- Click OK to add filter.
- Adjust the Start Time, End Time and Date.
- Click Update.
Results: You have a search to find users that have created log sources.
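The same filters can be written as an AQL query for Advanced Search. This is an added example, not part of the original IBM document; the 'SIM Audit%' wildcard (used because the full log source name depends on the host), the selected columns and the 7-day window are assumptions to adjust for your deployment.

```sql
-- Added example: AQL form of the Log Activity filters described above.
-- Assumption: the SIM Audit log source name starts with 'SIM Audit';
-- ILIKE matches case-insensitively regardless of the host suffix.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    username,
    sourceip,
    LOGSOURCENAME(logsourceid) AS log_source,
    QIDNAME(qid) AS event_name,
    UTF8(payload) AS audit_record
FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE 'SIM Audit%'
  AND QIDNAME(qid) = 'Sensor Device Added'
  -- Mirrors "Username does not equal any of > admin"
  AND username != 'admin'
-- Assumption: 7-day window in place of the Start Time / End Time fields
LAST 7 DAYS
```

The audit_record column shows the raw audit payload, which is where the details of the created log source appear.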
Document Location
Worldwide
Document Information
Modified date:
31 March 2020
UID
ibm10883224