IBM Security QRadar

  • 1.  How to detect user not login for 60 days and trigger an email alert?

    Posted Tue March 07, 2023 07:49 AM

    Hi everyone,

    In QRadar, is there a way to notify a user if they did not log in for a specified period?



    ------------------------------
    Serene Yeo
    ------------------------------


  • 2.  RE: How to detect user not login for 60 days and trigger an email alert?

    Posted Mon March 13, 2023 09:27 AM

    Hi Serene,

    With User Behaviour Analytics (UBA) app it's quite simple.

    Go in "Use Case Manager" and search for "dormant". You'll see a rule called UBA : Dormant Account Used.

    In this rule you can find a reference set called "Dormant Accounts".

    By default UBA will put users that have no activity for the last 14 days in this reference set.

    You can configure the timeframe you want in: Admin Settings > User Analytics > UBA Settings

    Then "Dormant accounts threshold". Select the time you want (30 days instead of 14).

    To receive a daily email you will have to create a report.

    But first you will have to create a saved search.

    Go on "Log activity" and add a filter "reference set". Select "username exists in" and find the reference set called "UBA : Dormant Accounts".

    Save your search. Then create your report using this saved search (select Table and as many lines as you want).

    Hope it's what you were looking for.

    Regards



    ------------------------------
    Michael ROMAN
    ------------------------------



  • 3.  RE: How to detect user not login for 60 days and trigger an email alert?

    Posted Mon March 13, 2023 10:53 PM

    Hi Michael,

    Thank you for the information. I tried it out and it can only generate reports daily or weekly. Is there a way to automate the process such that if a dormant user is detected, QRadar will send an email to notify the user? The reason is that we have a policy in place where a user account will be removed if they did not log in for a certain period of time.



    ------------------------------
    Serene Yeo
    ------------------------------



  • 4.  RE: How to detect user not login for 60 days and trigger an email alert?

    Posted Sat March 25, 2023 04:18 AM

    Hello Serene,

    For this particular scenario you can create an offense, and in the email option you can set an email ID to which the offense details should be sent in real time. Hope this will help you.



    ------------------------------
    Abdul Quadeer
    ------------------------------
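
Added example, not part of any post in this thread and not IBM code: one way to script the per-user notification asked about in post 3, working from an export of the "UBA : Dormant Accounts" reference set. The export shape (a `data` list with `value` and `first_seen` in epoch milliseconds), the mail domain, the 30 and 60 day values and the idle-time estimate are assumptions.

```python
import re
from email.message import EmailMessage

DAY_MS = 86_400_000
NOW_MS = 1_700_000_000_000  # fixed "now" so the sample is reproducible
USER_RE = re.compile(r"[a-z0-9._-]{1,64}")  # rejects header-injection input

# Constructed sample shaped like a reference set export: one element per
# username, first_seen = epoch milliseconds when it entered the set.
SAMPLE_SET = {
    "name": "UBA : Dormant Accounts",
    "data": [
        {"value": "jdoe", "first_seen": NOW_MS - 10 * DAY_MS},
        {"value": "JDoe ", "first_seen": NOW_MS - 9 * DAY_MS},    # duplicate
        {"value": "asmith", "first_seen": NOW_MS - 35 * DAY_MS},
        {"value": "bwong", "first_seen": NOW_MS - 2 * DAY_MS},
        {"value": "x\nBcc: all", "first_seen": NOW_MS - DAY_MS},  # malformed
    ],
}

def build_notices(ref_set, now_ms, threshold_days, removal_days,
                  mail_domain, already_notified=frozenset()):
    """Return one EmailMessage per dormant user not yet notified."""
    notices, seen = [], set(already_notified)  # names expected in lowercase
    for element in ref_set.get("data", []):
        user = str(element.get("value", "")).strip().lower()
        if user in seen or not USER_RE.fullmatch(user):
            continue
        seen.add(user)
        # Assumption: the user entered the set after threshold_days idle.
        in_set_days = max(0, now_ms - int(element["first_seen"])) // DAY_MS
        idle_days = threshold_days + in_set_days
        days_left = removal_days - idle_days
        msg = EmailMessage()
        msg["From"] = f"security-noreply@{mail_domain}"
        msg["To"] = f"{user}@{mail_domain}"
        msg["Subject"] = f"Account {user}: no login for about {idle_days} days"
        if days_left > 0:
            body = f"Log in within {days_left} days to keep the account."
        else:
            body = "The account is past the removal threshold."
        msg.set_content(body)
        notices.append(msg)
    return notices

if __name__ == "__main__":
    for m in build_notices(SAMPLE_SET, NOW_MS, 30, 60, "example.com", {"bwong"}):
        print(m["To"], "|", m["Subject"])
```

The returned messages can be handed to `smtplib.SMTP.send_message`; persisting the notified usernames between runs keeps a user from being mailed every day.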