Viewing user login history

You can view the login history of users to determine if there has been unauthorized access to their account. You can enable and disable the tracking of login attempts, and specify the retention period for tracking login attempts.

About this task

If you enable the login history display, a Login History window displays the date, time and IP address of the last successful login, and the number of unsuccessful login attempts of a user since the last successful login.

If you specify a retention period for tracking login attempts, QRadar® retains login history for the selected number of days.

When you change the login retention period, it takes effect for a user the next time they log in. For example if you change the login retention from 14 days to 7 days, any administrator continues to see 14 days of login history for any user that has not logged in since the change was made.

Procedure

  1. On the Admin tab, click Authentication.
  2. Click General Authentication Settings.
  3. Enable Display Login History.
  4. Set the Login History Retention (in days) field to the number of days to retain the history of login attempts of a user.
    Note: The default is no value, which retains all login history.
  5. Click Save Settings.
  6. Close the Authentication window.