Latest post: 2013-05-21T20:42:06Z by QRadar Groupie

Suspicious login activity detected by Qradar

2013-05-21T06:18:35Z

I'm investigating an offense under the Low Level Category: SIM Configuration Change. The payload contains a rule which was supposed to match against anyone who has accessed a user mailbox (on MS Exchange), but it seems someone changed/modified the rule.

I am attaching the screenshot for your understanding.


  • QRadar Groupie

    Re: Suspicious login activity detected by Qradar


    This looks like a single event, not an offense...

    And yes, this looks like someone changed the rule.

    What is your question?

    PS: QRadar audits all user activity (also from root).