IBM Support

QRadar: Where does the "Username" come from in Offenses where contributing events do not have one?

Question & Answer


Question

The offenses show a username, but sometimes when the related events are reviewed, they do not contain a username. This article answers the question of where the username comes from for those offenses.

Answer

When an offense is created and none of the contributing events have a value for the username field, QRadar tries to extract it from the asset database. At the time of the offense creation, the last seen username for the asset with the source IP of the offense is used.
For example, Offense 301 is created. Its source IP is 10.0.0.1 and it shows "TestUserDavid" as the username for the Offense Source.
However, when the contributing events for that offense are reviewed, none of them include a username.
In the Assets tab, the asset that QRadar used to pull this information can be found: the asset whose IP matches the offense source IP, with "TestUserDavid" as its last seen user.
Notes:
  • If the last seen username for that asset changed since the offense was created, the username in the Assets tab might not match what is seen in the offense.
  • The username displayed in the offense is extracted only once, at the time of the offense creation; it is not updated afterwards.
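The attribution rule and the two notes above, modelled as an added example (not QRadar code): contributing events are checked first, then the asset's last seen user at offense creation time is used as a one-time snapshot, and history entries older than the retention period are purged. The asset IP and first username come from the article; the second username, the timestamps and the 120-day retention value are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Event:
    sourceip: str
    username: Optional[str]          # None when the log source supplied no user

@dataclass
class AssetUser:
    ip: str                          # asset IP; the offense source IP is matched against it
    username: str
    last_seen: datetime

def asset_user_at(history: List[AssetUser], ip: str, when: datetime) -> Optional[str]:
    """Last seen username for the asset with `ip`, as the asset database knew it at `when`."""
    seen = [r for r in history if r.ip == ip and r.last_seen <= when]
    return max(seen, key=lambda r: r.last_seen).username if seen else None

def resolve_offense_username(events: List[Event], history: List[AssetUser],
                             source_ip: str, created_at: datetime) -> Optional[str]:
    """Username shown on the offense: the first username found in a contributing event,
    otherwise the asset's last seen user at creation time (snapshot, never refreshed)."""
    for e in events:
        if e.username:
            return e.username
    return asset_user_at(history, source_ip, created_at)

def retained_history(history: List[AssetUser], ip: str, now: datetime,
                     retention: timedelta) -> List[AssetUser]:
    """Entries still visible in the asset's 'Last User' history at `now`; entries older
    than the Asset Profile Retention Period are assumed to have been purged."""
    return [r for r in history if r.ip == ip and now - r.last_seen <= retention]

# Constructed sample data
CREATED = datetime(2022, 11, 11, 18, 49)              # offense creation time
NOW = datetime(2022, 11, 21)                          # an analyst reviews the offense
LATER = datetime(2023, 6, 1)                          # review long after retention expired
RETENTION = timedelta(days=120)                       # assumed retention period
EVENTS = [Event("10.0.0.1", None), Event("10.0.0.1", None)]   # no username in any event
HISTORY = [
    AssetUser("10.0.0.1", "TestUserDavid", datetime(2022, 11, 10, 9, 0)),
    AssetUser("10.0.0.1", "jsmith", datetime(2022, 11, 15, 8, 30)),   # seen after the offense
]

if __name__ == "__main__":
    print("offense username :", resolve_offense_username(EVENTS, HISTORY, "10.0.0.1", CREATED))
    print("Assets tab today :", asset_user_at(HISTORY, "10.0.0.1", NOW))
    print("history retained :", [r.username for r in retained_history(HISTORY, "10.0.0.1", LATER, RETENTION)])
```

Run as a script it prints "TestUserDavid" for the offense while the Assets tab already shows "jsmith", which is exactly the mismatch the first note describes.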
Use the following steps to see a historical list of usernames associated with the asset:
  1. Click the link in the asset ID (1017 in this case).
  2. A new window opens; click All Users.
  3. Click the "Last User" field under Asset Summary; this option displays the username history.
    Note: If the Asset Profile Retention Period has elapsed since the offense was created, the information is no longer available, because entries older than that period are removed.

Result
The administrator is able to see the username history for that asset.


Document Information

Modified date:
21 November 2022

UID

ibm16838967