IBM Security QRadar


QRadar User Creation/Remove/Disable Dates

  • 1.  QRadar User Creation/Remove/Disable Dates

    Posted Fri July 26, 2019 09:32 AM
    Hi,

    I would like to ask how we can determine the Add/Remove/Disable date of a user created in QRadar SIEM from an audit perspective, as I am unable to find any such option in the QRadar 7.3.0 user management section.

    Thanks.

    ------------------------------
    Rabil Shah Karedia
    ------------------------------


  • 2.  RE: QRadar User Creation/Remove/Disable Dates

    Posted Fri July 26, 2019 10:48 AM
    Hi Rabil,

    Everything done in QRadar is logged as an audit event. Go into the Log Activity tab, add a filter -->Category<-- -->High Level Category<-- SIM Audit. That will bring back a list of all audit events. You can then either sort by low level category and look for events tagged as SIM Configuration Change and filter on that. If you know the user name, type it into the quick filter and you should easily be able to find the date and time. The one caveat to that is the event would have to have happened within the time period of your search. If your search was over the past month and the user was added a year ago, you will not see a result.

    Kind regards,

    ------------------------------
    Ray Meanrd
    ------------------------------