SIM Audit
The SIM Audit category contains events that are related to user interaction with the IBM® QRadar® Console and administrative features.
The following table describes the low-level event categories and associated severity levels for the SIM Audit category.
| Low-level event category | Category ID | Description | Severity level (0 - 10) |
|---|---|---|---|
| SIM User Authentication | 16001 | Indicates a user login or logout on the Console. | 5 |
| SIM Configuration Change | 16002 | Indicates that a user changed the SIM configuration or deployment. | 3 |
| SIM User Action | 16003 | Indicates that a user initiated a process, such as starting a backup or generating a report, in the SIM module. | 3 |
| Session Created | 16004 | Indicates that a user session was created. | 3 |
| Session Destroyed | 16005 | Indicates that a user session was destroyed. | 3 |
| Admin Session Created | 16006 | Indicates that an admin session was created. | |
| Admin Session Destroyed | 16007 | Indicates that an admin session was destroyed. | 3 |
| Session Authentication Invalid | 16008 | Indicates an invalid session authentication. | 5 |
| Session Authentication Expired | 16009 | Indicates that a session authentication expired. | 3 |
| Risk Manager Configuration | 16010 | Indicates that a user changed the IBM QRadar Risk Manager configuration. | 3 |