IBM Support

QRadar: How to create a rule to determine whether a user was added or deleted

Question & Answer


Is there a way for QRadar administrators to create a rule to find out when a user was added or deleted?


QRadar creates an audit event (SIM Audit-2 events) for every change that is made on the Console. To find the event for a newly added user account:

  1. Log in to the QRadar User Interface.
  2. Click the Log Activity tab.
  3. Click Add Filter.
  4. Choose QID [Indexed].
  5. Locate the QID for this event, which is: 28250067
    Event name: User Account Added

This event contains all the information about the newly added QRadar user account. Using the Rule Wizard, you can create an event rule that looks for this event QID and uses an Offense Email as the response.

Similarly, there are events for User Account Deleted and User Account Modified.

QID: 28250068 Event Name: User Account Deleted
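
Before building the rule, the same two QIDs can be checked with an AQL query in the Advanced Search box on the Log Activity tab, which confirms that the audit events are arriving and shows what they contain. This query is an added example, not part of the original technote; the selected columns and the 7-day window are assumptions to adjust as needed.

```sql
-- Added example: list QRadar user account added/deleted audit events.
-- The column choice and the time window are assumptions, not from the technote.
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       QIDNAME(qid) AS event_name,
       username,
       sourceip,
       UTF8(payload) AS audit_payload
FROM events
WHERE qid IN (28250067, 28250068)
ORDER BY starttime DESC
LAST 7 DAYS
```

If the query returns rows for a test account change, an event rule that tests for the same QIDs will match those events.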

For more information on creating Rules, please refer to the IBM Knowledge Center.

Document Information

Modified date:
16 June 2018