IBM Support

QRadar: Where to find user events data when using the Map Events option

Troubleshooting


Problem

When an event is manually mapped, you might have to provide an audit record of the change or need to track which changes a user made to the event mapping.

Resolving The Problem

There is no specific audit log or record that tracks when a user manually maps an event. The following information provides guidance on how to get information about the action and identify the user who performed it.

When an event is mapped by using the Map Event option in the GUI, the action is recorded in /var/log/qradar.log:

Example:
Jul 26 12:40:08 ::ffff:xx.xx.xx.xx [tomcat] [d7d0xxxx-e2xx-4fxx-b4xx-99156cxxxxxx/SequentialEventDispatcher] com.q1labs.core.shared.qidmap.QidMapFactory: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]DSM Event [CMD_EXECUTED] created.
Jul 26 12:40:08 ::ffff:xx.xx.xx.xx [ecs-ep] [6f7xxxxx-c4xx-40xx-b8xx-718992xxxxxx/SequentialEventDispatcher] com.q1labs.core.shared.qidmap.QidMapFactory: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]DSM Event [CMD_EXECUTED] created.
Jul 26 12:40:08 ::ffff:xx.xx.xx.xx [ecs-ec] [d56xxxxx-bcxx-4axx-82xx-faf04axxxxxx/SequentialEventDispatcher] com.q1labs.core.shared.qidmap.QidMapFactory: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]DSM Event [CMD_EXECUTED] created.


Note: In this example, the entry [CMD_EXECUTED] corresponds to the event that was mapped, which was an event called Command Executed. The entry varies depending on the name of the mapped event.

With the timestamp and source address that are recorded in qradar.log, a user can search /var/log/audit/audit.log for entries such as the following:

Jul 26 12:36:30 ::ffff:127.0.0.1 admin@xx.xx.xx.xx (Session) | [Authentication] [Session] [AdminSessionCreated] UserName=admin
Jul 26 12:36:31 ::ffff:127.0.0.1 admin@xx.xx.xx.xx (Session) | [Authentication] [User] [UserLogin] admin


By searching audit.log for logins and session creations around the time of the qradar.log entry, you can identify which users were logged in to the system at that time and narrow down the user who manually performed the event mapping action.
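The following Python script is an added example, not part of the technote or IBM's own tooling. It performs the correlation described above on constructed sample lines modelled on the technote's examples: it extracts the "DSM Event [...] created" entries written by QidMapFactory from qradar.log, extracts UserLogin entries from audit.log, and lists the users whose login falls within a configurable window before each mapping. The regular expressions are derived only from the line formats shown in the technote, the year must be supplied because syslog timestamps carry none, and the addresses, session ids and user names in the sample data are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the technote's examples. Addresses,
# session ids and user names are placeholders, not data from a real system.
QRADAR_LOG = """\
Jul 26 12:40:08 ::ffff:10.0.0.5 [tomcat] [d7d0xxxx-e2xx-4fxx-b4xx-99156cxxxxxx/SequentialEventDispatcher] com.q1labs.core.shared.qidmap.QidMapFactory: [INFO] [NOT:0000006000][10.0.0.5/- -] [-/- -]DSM Event [CMD_EXECUTED] created.
Jul 26 12:40:08 ::ffff:10.0.0.5 [ecs-ep] [6f7xxxxx-c4xx-40xx-b8xx-718992xxxxxx/SequentialEventDispatcher] com.q1labs.core.shared.qidmap.QidMapFactory: [INFO] [NOT:0000006000][10.0.0.5/- -] [-/- -]DSM Event [CMD_EXECUTED] created.
Jul 26 12:40:09 ::ffff:10.0.0.5 [tomcat] [abcdxxxx/OtherDispatcher] com.q1labs.core.shared.Other: [INFO] unrelated message
"""

AUDIT_LOG = """\
Jul 26 12:36:30 ::ffff:127.0.0.1 admin@10.0.0.20 (Session) | [Authentication] [Session] [AdminSessionCreated] UserName=admin
Jul 26 12:36:31 ::ffff:127.0.0.1 admin@10.0.0.20 (Session) | [Authentication] [User] [UserLogin] admin
Jul 26 11:02:00 ::ffff:127.0.0.1 analyst@10.0.0.21 (Session) | [Authentication] [User] [UserLogin] analyst
Jul 26 12:50:00 ::ffff:127.0.0.1 late@10.0.0.22 (Session) | [Authentication] [User] [UserLogin] late
"""

SYSLOG_TS = r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
# qradar.log: timestamp, source address, [component], ..., QidMapFactory ..., DSM Event [name] created.
MAPPING_RE = re.compile(
    SYSLOG_TS + r" \S+ \[([^\]]+)\] .*QidMapFactory: .*DSM Event \[([^\]]+)\] created\."
)
# audit.log: timestamp, local address, user@client (Session) | [Authentication] [User] [UserLogin] user
LOGIN_RE = re.compile(
    SYSLOG_TS + r" \S+ (\S+)@(\S+) \(Session\) \| \[Authentication\] \[User\] \[UserLogin\] (\S+)"
)


def parse_ts(ts, year):
    """Parse a syslog timestamp; the year is supplied by the caller (assumption)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_mapping_events(text, year):
    """Return {(time, event_name): set(components)} for every mapping entry.

    The same mapping is logged by several components (tomcat, ecs-ep, ecs-ec),
    so entries with the same time and event name are grouped into one record.
    """
    found = defaultdict(set)
    for line in text.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            ts, component, event = m.groups()
            found[(parse_ts(ts, year), event)].add(component)
    return dict(found)


def parse_logins(text, year):
    """Return [(time, user, client_address)] for every UserLogin entry."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            ts, user, client, _ = m.groups()
            logins.append((parse_ts(ts, year), user, client))
    return logins


def candidate_users(mappings, logins, window_minutes):
    """For each mapping, list users who logged in within window_minutes before it."""
    window = timedelta(minutes=window_minutes)
    result = []
    for (when, event), components in sorted(mappings.items()):
        users = sorted({u for t, u, _ in logins if when - window <= t <= when})
        result.append({
            "time": when.isoformat(sep=" "),
            "event": event,
            "components": sorted(components),
            "users": users,
        })
    return result


if __name__ == "__main__":
    # Year 2018 is assumed for the sample data; on a real system use the year the log was written.
    for record in candidate_users(parse_mapping_events(QRADAR_LOG, 2018), parse_logins(AUDIT_LOG, 2018), 60):
        print(record)
```

Only UserLogin entries are used here; AdminSessionCreated lines can be matched the same way if session creation time is the better anchor. The window is deliberately a parameter, because a user who logged in hours earlier and kept the session open is still a candidate, so widen it until the candidate list stops changing.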




Document Information

Modified date:
30 August 2018

UID

swg21990703