Volker is correct in seeing what has changed using that log source, but the problem I think you also have is policing change and versioning of any changes (I have seen this challenge in my environment).
QRadar is great in a number of areas, however it does not have any concept of versioning (e.g. rolling back a change) nor policing of change (i.e. permitting change only on parts of the configuration).
It is a bit of a weakness given other real-time multi-tenant [voice/carrier] systems have had versioning/policing functions since the 1990s. For us this is more problematic when the SIEM is larger with multiple tenants or operating as an MSSP.
I'll chat behind the scenes to see where this sits in the list of to-dos with the development community.
Darren H.
------------------------------
Darren H.
------------------------------
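The versioning and policing gap described above can be partly closed outside QRadar by snapshotting rule definitions on a schedule and diffing them. The script below is an added example, not code from this thread or from IBM; it assumes the snapshots look like the JSON returned by GET /api/analytics/rules (the field names are an assumption to verify against your version), and the two snapshots are constructed sample data.

```python
"""Snapshot-and-diff of QRadar rule definitions: a crude version history plus
change policing on top of the audit log. Field names (id, name, enabled, owner,
modification_date) are assumed from GET /api/analytics/rules; verify them."""
import json

# Constructed sample snapshots (not real QRadar output).
SNAPSHOT_BEFORE = [
    {"id": 100, "name": "Brute force login", "enabled": True, "owner": "admin", "modification_date": 1585000000000},
    {"id": 101, "name": "Suspicious outbound", "enabled": True, "owner": "soc1", "modification_date": 1585000000000},
    {"id": 102, "name": "Old test rule", "enabled": False, "owner": "soc2", "modification_date": 1585000000000},
]
SNAPSHOT_AFTER = [
    {"id": 100, "name": "Brute force login", "enabled": False, "owner": "soc2", "modification_date": 1585500000000},
    {"id": 101, "name": "Suspicious outbound", "enabled": True, "owner": "soc1", "modification_date": 1585000000000},
    {"id": 103, "name": "DNS tunnelling", "enabled": True, "owner": "soc1", "modification_date": 1585600000000},
]
TRACKED_FIELDS = ("name", "enabled", "owner", "modification_date")


def diff_rules(before, after):
    """Compare two snapshots by rule id; report added, removed and per-field changes."""
    old = {r["id"]: r for r in before}
    new = {r["id"]: r for r in after}
    changed = {}
    for rid in old.keys() & new.keys():
        delta = {f: (old[rid].get(f), new[rid].get(f))
                 for f in TRACKED_FIELDS if old[rid].get(f) != new[rid].get(f)}
        if delta:
            changed[rid] = delta
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}


def policy_violations(diff, after, approved_owners):
    """Policing: flag every deletion, and any new or changed rule whose owner is not approved."""
    new = {r["id"]: r for r in after}
    hits = [(rid, "rule deleted") for rid in diff["removed"]]
    for rid in diff["added"] + list(diff["changed"]):
        if new[rid].get("owner") not in approved_owners:
            hits.append((rid, f"changed by unapproved owner {new[rid].get('owner')!r}"))
    return hits


if __name__ == "__main__":
    d = diff_rules(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print(json.dumps(d, indent=2))  # old snapshot keeps the definition needed for a manual rollback
    for rid, why in policy_violations(d, SNAPSHOT_AFTER, {"admin", "soc1"}):
        print(f"VIOLATION rule {rid}: {why}")
```

Keeping each dated snapshot on disk gives you the prior definition to restore by hand, and the violation list can be raised as an offense or ticket so rule edits outside the approved team are reviewed.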
Original Message:
Sent: Mon March 30, 2020 03:35 AM
From: Volker Scholz
Subject: Way to track content change
Hi Patryk,
You can use the Audit Logs of QRadar either with the CLI or with the WebGUI. Just filter on log source 'SIM Audit-2' and low level category 'SIM Configuration Change'.
I hope this helps...
Kind regards,
Volker
------------------------------
Volker Scholz
Original Message:
Sent: Fri March 27, 2020 07:47 AM
From: Patryk Prauze
Subject: Way to track content change
Hello all,
I'm looking for some way to track changes to QRadar rules.
We have many people who develop new rules and make changes to existing ones, so we need some control over that.
I didn't find any solution, but I believe I'm not the only one struggling with that problem.
I will be grateful for all ideas :)
------------------------------
Patryk Prauze
------------------------------