Logged actions

The IBM QRadar audit logs are in the /var/log/audit directory. You can also search for these audit events in QRadar in the Log Activity tab.

The following list describes the categories of actions that are in the audit log file:

Administrator Authentication

Log in to the Administration Console.
Log out of the Administration Console.

Assets

Delete an asset.
Delete all assets.

Audit Log Access

A search that includes events that have a high-level event category of Audit.

Backup and Recovery

Edit the configuration.
Initiate the backup.
Complete the backup.
Fail the backup.
Delete the backup.
Synchronize the backup.
Cancel the backup.
Upload a backup.
Upload an invalid backup.
Initiate the restore.
Purge the backup.

Chart Configuration

Save flow or event chart configuration.

Content Management

Content export initiated.
Content export complete.
Content import initiated.
Content import complete.
Content update initiated.
Content update complete.
Content search initiated.
Applications added.
Applications modified.
Custom actions added.
Custom actions modified.
Ariel property added.
Ariel property modified.
Ariel property expression added.
Ariel property expression modified.
CRE rule added.
CRE rule modified.
Dashboard added.
Dashboard modified.
Device extension added.
Device extension modified.
Device extension association modified.
Grouping added.
Grouping modified.
Historical correlation profile added.
Historical correlation profile modified.
QID map entry added.
QID map entry modified.
Reference data created.
Reference data updated.
Security profile added.
Security profile modified.
Sensor device added.
Sensor device modified.

Custom Properties

Add a custom event property.
Edit a custom event property.
Delete a custom event property.
Edit a custom flow property.
Delete a custom flow property.

Custom Property Expressions

Add a custom event property expression.
Edit a custom event property expression.
Delete a custom event property expression.
Add a custom flow property expression.
Edit a custom flow property expression.
Delete a custom flow property expression.

Flow Sources

Add a flow source.
Edit a flow source.
Delete a flow source.

Groups

Add a group.
Delete a group.
Edit a group.

Historical Correlation

Add a historical correlation profile.
Delete a historical correlation profile.
Modify a historical correlation profile.
Enable a historical correlation profile.
Disable a historical correlation profile.
Historical correlation profile is running.
Historical correlation profile is canceled.

Licensing

Add a license key.
Delete a license key.
Delete license pool allocation.
Update license pool allocation.

Log Source Extension

Add an log source extension.
Edit the log source extension.
Delete a log source extension.
Upload a log source extension.
Upload a log source extension successfully.
Upload an invalid log source extension.
Download a log source extension.
Report a log source extension.
Modify a log sources association to a device or device type.

Offenses

Create an offense.
Hide an offense.
Close an offense.
Close all offenses.
Add a destination note.
Add a source note.
Add a network note.
Add an offense note.
Add a reason for closing offenses.
Edit a reason for closing offenses.

Protocol Configuration

Add a protocol configuration.
Delete a protocol configuration.
Edit a protocol configuration.

QIDmap

Add a QID map entry.
Edit a QID map entry.

IBM QRadar Vulnerability Manager

Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

Create a scanner schedule.
Update a scanner schedule.
Delete a scanner schedule.
Start a scanner schedule.
Pause a scanner schedule.
Resume a scanner schedule.

Reference Sets

Create a reference set.
Edit a reference set.
Purge elements in a reference set.
Delete a reference set.
Add reference set elements.
Delete reference set elements.
Delete all reference set elements.
Import reference set elements.
Export reference set elements.

Reports

Add a template.
Delete a template.
Edit a template.
Generate a report.
Delete a report.
Delete generated content.
View a generated report.
Email a generated report.

Retention Buckets

Add a bucket.
Delete a bucket.
Edit a bucket.
Enable or disable a bucket.

Root Login

Log in to QRadar, as root user.
Log out of QRadar, as root user.

Rules

Add a rule.
Delete a rule.
Edit a rule.

Scanner

Add a scanner.
Delete a scanner.
Edit a scanner.

Scanner Schedule

Add a schedule.
Edit a schedule.
Delete a schedule.

Session Authentication

Create an administration session.
Terminate an administration session.
Deny an invalid authentication session.
Expire a session authentication.
Create an authentication session.
Terminate an authentication session.

SIM

Clean a SIM model.

Store and Forward

Add a Store and Forward schedule.
Edit a Store and Forward schedule.
Delete a Store and Forward schedule.

Syslog Forwarding

Add a syslog forwarding.
Delete a syslog forwarding.
Edit a syslog forwarding.

System Management

Shut down a system.
Restart a system.

User Accounts

Add an account.
Edit an account.
Delete an account.

User Authentication

Log in to the user interface.
Log out of the user interface.

User Authentication Ariel

Deny a login attempt.
Add an Ariel property.
Delete an Ariel property.
Edit an Ariel property.
Add an Ariel property extension.
Delete an Ariel property extension.
Edit an Ariel property extension.

User Roles

Add a role.
Edit a role.
Delete a role.

VIS

Discover a new host.
Discover a new operating system.
Discover a new port.
Discover a new vulnerability.