IBM QRadar

  • 1.  QRadar User Creation/Remove/Disable Dates

    Posted Fri July 26, 2019 09:32 AM
    Hi,

    I would like to ask how we can determine the Add/Remove/Disable date of a user created in QRadar SIEM from an audit perspective, as I am unable to find any such option in the QRadar 7.3.0 user management section.

    Thanks.

    ------------------------------
    Rabil Shah Karedia
    ------------------------------


  • 2.  RE: QRadar User Creation/Remove/Disable Dates

    Posted Fri July 26, 2019 10:48 AM
    Hi Rabil,

    Everything done in QRadar is logged as an audit event. Go into the Log Activity tab, add a filter --> Category <-- --> High Level Category <-- SIM Audit. That will bring back a list of all audit events. You can then either sort by low level category and look for events tagged as SIM Configuration Change and filter on that. If you know the user name, type it into the quick filter and you should easily be able to find the date and time. The one caveat to that is the event would have to have happened within the time period of your search. If your search was over the past month and the user was added a year ago, you will not see a result.

    Kind regards,

    ------------------------------
    Ray Meanrd
    ------------------------------
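
The search described in the reply above, written as an AQL query (an added example, not part of the original posts). The account name `jdoe` and the date range are constructed placeholders; the range is set wide because of the caveat about the search time period, and events older than the deployment's retention will not be returned.

```sql
-- Audit events in the SIM Audit high-level category, narrowed to the
-- SIM Configuration Change low-level category, whose payload mentions
-- the account of interest ('jdoe' is a constructed placeholder).
-- The START/STOP window is a constructed example; widen it to cover
-- the period in which the account may have been added, removed or disabled.
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       username,
       QIDNAME(qid)           AS event_name,
       CATEGORYNAME(category) AS low_level_category,
       UTF8(payload)          AS raw_event
FROM events
WHERE CATEGORYNAME(highlevelcategory) = 'SIM Audit'
  AND CATEGORYNAME(category) = 'SIM Configuration Change'
  AND UTF8(payload) ILIKE '%jdoe%'
ORDER BY starttime ASC
START '2018-07-01 00:00' STOP '2019-07-26 23:59'
```

Reading the `raw_event` column of each hit shows which change the event records and when it was made.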