Asadz

Pinned topic Suspicious login activity detected by Qradar

2013-05-21T06:18:35Z

I'm investigating an offense happening under the Low Level Category: SIM Configuration Change. The payload contains a rule which was supposed to match against anyone who has accessed a user mailbox (on MS Exchange), but it seems someone changed/modified the rule.

I am attaching the screenshot for your understanding.


  • QRadar Grouppy

    Re: Suspicious login activity detected by Qradar

    ‏2013-05-21T20:42:06Z  

    This looks like a single event, not an offense...

    And yes, this looks like someone changed the rule.

    What is your question?

    PS: QRadar audits all user activity (also from root).