IBM QRadar

  • 1.  QRadar User Creation/Remove/Disable Dates

    Posted Fri July 26, 2019 09:34 AM

    Hi,

    I would like to ask how we can view the QRadar user creation/removal/deletion date-time information from an audit perspective.

    Version: QRadar 7.3.0

    Thanks.



    ------------------------------
    Rabil Shah Karedia
    ------------------------------


  • 2.  RE: QRadar User Creation/Remove/Disable Dates

    Posted Fri July 26, 2019 10:05 AM
    Edited by Jonathan Pechta Fri July 26, 2019 10:18 AM

    There is an internal log source that tracks changes in QRadar, called SIM Audit. You can add a filter and search for these log sources if you want. Our L3 team wrote an application to visualize the user activity in QRadar that is logged, called the QRadar Operations App. This might be an easy way to view audit activity by a certain user or view what admin might have deleted the user in question.

    If you don't want to use an app, you can review the SIM Audit log source from the Log Activity tab. Filter > Log Source (Indexed) > SIM AUDIT-2. The payload will contain a timestamp in the Syslog Header for the event and it will also be logged in the Start Time in the event details page as well.

    Not sure if this helps, but feel free to ask questions, or if you run into issues you can use the official support forum here: https://ibm.biz/qradarforums as this forum has more visibility for support and development team members.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: QRadar User Creation/Remove/Disable Dates

    Posted Mon July 29, 2019 02:55 AM
    Hi Jonathan,

    I ran the log search in log activity tab using filter (log source indexed-SIM2 Audit) and we are receiving logs like below,

    User login,
    User logout
    Search executed
    Search completed. etc. etc.

    However, in order to check the users created or deleted in the last 6 months in QRadar, I used the filter below:

    Event Name is %PIX-0-502101
    Event Name is any of %APF-6-USER_NAME_CREATED
    Event Name is any of %PIX-0-502101
    Log source is SIM Audit-2::console00046


    However, I selected the duration as the last 6 months but no logs are showing. I tried searching for deleted user names, as we deleted a few user names in the last two months, but it's not showing.


    Regards
    Asif Siddiqui
    ------------------------------
    Asif Siddiqui
    ------------------------------



  • 4.  RE: QRadar User Creation/Remove/Disable Dates

    Posted Mon July 29, 2019 03:12 PM
    Hi,
    here's an example of user creation in QRadar.

    Here's the payload: (be advised that I've changed the payload between the '  ' in my example for obvious reasons)
    Jul 15 00:00:00 127.0.0.1 'my_username'@'my_IP' (8112) /console/JSON-RPC/QRadar.saveUser QRadar.saveUser | [Configuration] [UserAccount] [AccountAdded] ID: '99' | Username: 'username_created' | Email: 'username_created@email.com' | Locale: null | Timezone: null | Description: 'username_created_description' | Role ID: '9' | Role Name: 'username_created role' | Security Profile ID: '9' | Security Profile Name: 'username_created_profile' | Tenant ID: '9'

    As described by Jonathan, these are logs in sim audit-2.
    I've looked in QRadar's /var/logs/ and there's nothing there except some tomcat logs that don't say much. For auditing purposes, you need to look in the sim-audit-2 log source.

    The best way to identify the logs you're looking for… is to execute the actions you want to monitor and look for them using a filter on Log source = "SIM Audit-2" and the time frame you've executed the action.

    Happy hunting!



    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------
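Parsing the SIM Audit payload format quoted in the post above into its syslog header, bracketed tags and "Key: value" fields, so that [UserAccount] changes can be pulled out of a bulk export instead of being eyeballed in the Log Activity tab. This is an added example, not QRadar's or the poster's code; the sample lines are constructed to mirror the quoted format, and the second line's endpoint name is a placeholder, not a real QRadar JSON-RPC method.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the payload quoted above (not real QRadar output).
SAMPLE_LINES = [
    "Jul 15 00:00:00 127.0.0.1 'admin'@'10.0.0.5' (8112) /console/JSON-RPC/QRadar.saveUser QRadar.saveUser "
    "| [Configuration] [UserAccount] [AccountAdded] ID: '99' | Username: 'username_created' "
    "| Email: 'username_created@email.com' | Locale: null | Timezone: null "
    "| Description: 'username_created_description' | Role ID: '9' | Role Name: 'username_created role' "
    "| Security Profile ID: '9' | Security Profile Name: 'username_created_profile' | Tenant ID: '9'",
    # Login-style line with no [UserAccount] tag; 'QRadar.login' is a placeholder endpoint name.
    "Jul 15 00:01:00 127.0.0.1 'bob'@'10.0.0.7' (8112) /console/JSON-RPC/QRadar.login QRadar.login | User login",
]

# Syslog-style header: timestamp, host, 'actor'@'source ip', (pid), endpoint, method, then " | " and the body.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"'(?P<actor>[^']*)'@'(?P<src_ip>[^']*)' \((?P<pid>\d+)\) "
    r"(?P<endpoint>\S+) (?P<method>\S+) \| (?P<body>.*)$"
)
TAG_RE = re.compile(r"\[([^\]]+)\]")


def parse_sim_audit(line: str) -> Optional[dict]:
    """Split one SIM Audit payload into header fields, bracketed tags and key/value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    rec["tags"] = TAG_RE.findall(body)          # e.g. ['Configuration', 'UserAccount', 'AccountAdded']
    rec["fields"] = {}
    # Drop the leading tags, then treat each " | "-separated segment as "Key: value".
    for seg in TAG_RE.sub("", body).split(" | "):
        key, sep, val = seg.strip().partition(":")
        if sep:
            val = val.strip()
            rec["fields"][key.strip()] = None if val == "null" else val.strip("'")
    return rec


def user_account_changes(lines):
    """Yield (timestamp, acting admin, change tag, affected username) for [UserAccount] events."""
    for line in lines:
        rec = parse_sim_audit(line)
        if rec and "UserAccount" in rec["tags"]:
            yield rec["ts"], rec["actor"], rec["tags"][-1], rec["fields"].get("Username")


if __name__ == "__main__":
    for row in user_account_changes(SAMPLE_LINES):
        print(row)
```

Feed it the payloads exported from a "Log source = SIM Audit-2" search and the generator returns who changed which account and when, which is the audit trail the original question asks for.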