Topic
  • 2 replies
  • Latest Post - ‏2015-11-03T22:55:12Z by Jonathan.Pechta (IBM)
Asadz
59 Posts

How to audit system / web users when investigating suspicious activity?

‏2013-05-20T17:20:43Z |

I see some suspicious activity associated with a user of the QRadar system, via the web UI and console SSH access. Is there any way I can find the IP / user name of the person logged in to the system, let's say in the past 24 hours?

Like in Linux, I remember there was a last -r command to show the list of users who logged onto the system; does the QRadar application store login info in some sort of file / log to query?

Thanks

  • DavidHawley - SIEMguru
    3 Posts

    Re: How to audit sytem / web-users investigating suspicious activity?

    ‏2015-11-03T21:01:26Z  

    If your QRadar is running RHEL, you can track user activity with auditd, the *NIX C2-level auditing daemon.

  • Jonathan.Pechta (IBM)
    150 Posts

    Re: How to audit sytem / web-users investigating suspicious activity?

    ‏2015-11-03T22:55:12Z  

    QRadar appliances automatically log events from users with the SIM Audit-2 log source. This is an internal DSM meant specifically to capture and audit QRadar users and commands. If you create a search against this log source, you will see audit events for searches, user activity, etc. You can then edit your search to group by event name or user name to further break down the activity taking place on the QRadar appliance.

    There is a chapter in the documentation that outlines the type of information captured in the audit log of QRadar. See chapter 22 of the following PDF: QRadar Admin Guide 7.2.5.
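
Added example (not code from this thread or from IBM): a small Python script that does over a copy of the on-disk audit log what Jonathan describes doing with a search in the UI: keep the entries from the last 24 hours, group them by user and by action, and list the source IPs each user came from, which is what the original question asks for. The sample lines are constructed; their field order (date, host, user@ip with thread id, category, sub-category, action, payload) follows the admin guide's description of an audit entry, but the " ^ " delimiter, the 2015 dates, the file path /var/log/audit/audit.log, and the trusted network 10.0.0.0/24 are assumptions made for this example. Check the regular expression against a real line from your own appliance before relying on it.

```python
"""Summarise a QRadar-style audit log: who logged in from where in the last N
hours, and what they did. Added example, not code from the thread or from IBM."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines, not taken from a real appliance. Field order follows
# the admin guide's description of an audit entry; the " ^ " delimiter and the
# dates are assumptions. On a console the file is assumed to be
# /var/log/audit/audit.log.
SAMPLE_LOG = """\
Nov 02 21:30:05 ^ console.example.com ^ admin@10.0.0.12 (2001) ^ Authentication ^ SessionAuthentication ^ User Login Successful ^ n/a
Nov 03 08:12:41 ^ console.example.com ^ admin@10.0.0.12 (2110) ^ Authentication ^ SessionAuthentication ^ User Login Successful ^ n/a
Nov 03 08:15:02 ^ console.example.com ^ admin@10.0.0.12 (2110) ^ Configuration ^ UserAccount ^ UserAccountAdded ^ username=svc_backup
Nov 03 13:40:19 ^ console.example.com ^ asad@10.0.0.77 (2384) ^ Search ^ EventSearch ^ SearchExecuted ^ query=SELECT sourceip FROM events
Nov 03 21:05:55 ^ console.example.com ^ admin@203.0.113.9 (2590) ^ Authentication ^ SessionAuthentication ^ User Login Successful ^ n/a
Nov 03 21:06:30 ^ console.example.com ^ admin@203.0.113.9 (2590) ^ Configuration ^ UserAccount ^ UserRoleChanged ^ username=svc_backup,role=Admin
this line is not an audit entry and is skipped
"""

# Assumed "now" for the sample; use datetime.now() against a live file.
NOW = datetime(2015, 11, 3, 23, 0, 0)
LOG_YEAR = 2015  # the log timestamp carries no year, so the caller supplies it
TRUSTED_NETS = ("10.0.0.0/24",)  # assumed admin network for the triage flags

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \^ "
    r"(?P<host>\S+) \^ "
    r"(?P<user>[^@ ]+)@(?P<ip>\S+) \((?P<thread>\d+)\) \^ "
    r"(?P<category>[^^]+?) \^ (?P<subcategory>[^^]+?) \^ (?P<action>[^^]+?)"
    r"(?: \^ (?P<payload>.*))?$"
)


def parse_line(line, year):
    """Return a dict for one audit entry, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(f"{year} {entry['ts']}", "%Y %b %d %H:%M:%S")
    return entry


def parse_log(text, year):
    """Parse every line, silently dropping lines that are not audit entries."""
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def recent(entries, now, hours=24):
    """Keep entries whose timestamp falls inside the last `hours` before `now`."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in entries if cutoff <= e["ts"] <= now]


def summarize(entries):
    """Counts by user and by action, plus the sorted source IPs seen per user."""
    by_user = Counter(e["user"] for e in entries)
    by_action = Counter(e["action"] for e in entries)
    ips_by_user = defaultdict(set)
    for e in entries:
        ips_by_user[e["user"]].add(e["ip"])
    return {
        "by_user": by_user,
        "by_action": by_action,
        "ips_by_user": {u: sorted(ips) for u, ips in ips_by_user.items()},
    }


def flag_suspicious(entries, trusted_nets=TRUSTED_NETS):
    """Crude triage: session logins from outside the trusted networks, and any
    user active from more than one source address inside the window."""
    nets = [ip_network(n) for n in trusted_nets]
    flags = []
    seen_ips = defaultdict(set)
    for e in entries:
        seen_ips[e["user"]].add(e["ip"])
        trusted = any(ip_address(e["ip"]) in n for n in nets)
        if e["subcategory"] == "SessionAuthentication" and not trusted:
            flags.append(f"{e['ts']:%b %d %H:%M:%S} login by {e['user']} from untrusted {e['ip']}")
    for user, ips in seen_ips.items():
        if len(ips) > 1:
            flags.append(f"{user} active from {len(ips)} source IPs: {', '.join(sorted(ips))}")
    return flags


if __name__ == "__main__":
    window = recent(parse_log(SAMPLE_LOG, LOG_YEAR), NOW)
    summary = summarize(window)
    for user, n in summary["by_user"].most_common():
        print(f"{user:10} {n:3} events from {', '.join(summary['ips_by_user'][user])}")
    for action, n in summary["by_action"].most_common():
        print(f"  {n:3}  {action}")
    for flag in flag_suspicious(window):
        print("!", flag)
```

Run it as is to see the sample summary, or replace SAMPLE_LOG with the contents of a copy of the audit log pulled off the console and set NOW to datetime.now(). The flags are only a triage aid: a console login from an unexpected network, or one account active from several addresses within a day, is the pattern the original poster was chasing, and it is worth correlating with the SIM Audit-2 search in the UI and with last / auditd on the host rather than trusting either source alone.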