Thursday, July 2

IBM Qradar SIEM Audit


Remember to change the columns as needed and add new custom properties where you need them.
Example: a Rule property in the CRE Rules Audit search, showing which rule was changed.

1. Audit changes done to the SIEM overall – audit changes or actions performed by users on the system

The search should use these filters:
High level – SIM Audit, and low level – SIM Configuration Change


2. Reference Set Audit – audit changes made to reference sets by users

The search should use these filters:
QID – 28250205, 28250204, 28250217
High level – SIM Audit, and low level – SIM Configuration Change

3. CRE Rules – audit changes made to rules

QID – 28250030, 28250319, 28250028, 28250029, 28250255, 28250256, 28250320

4. SIEM Backup activity

The search should use these filters:
Use the predefined SIEM backup audit search and change the "group by" property back to regular columns.
Combine all four searches in one report to get a daily change-activity audit of the QRadar SIEM device.

Extracted property examples:

Rule Name (low level category – SIM Configuration Change):

(Rule\sName|Event\sName)(\=\"|\:\')([^\"\']+) – capture group 3

Reference Value (low level category – SIM Configuration Change):

values\=\"\[([^\]]+)

ID (low level category – SIM Configuration Change):

Id\=\"([^\"]+)
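To check that these three extraction patterns pick out the right fields before you define them as custom properties, here is an added example (not part of the original post or of QRadar) that runs them over constructed audit payloads; the payload strings are made up to mimic the key="value" fragments the patterns target and are not captured from a real console.

```python
import re

# Constructed sample audit payloads (not real QRadar output); they only
# imitate the Rule Name / values / Id fragments the page's regexes look for.
SAMPLE_PAYLOADS = [
    'Rule Name="Excessive Firewall Denies" Id="100206" action=modify',
    "Event Name:'Login Failure' user=admin",
    'values="[10.0.0.5, 10.0.0.6]" Id="rs-12"',
    "payload without any of the audited fields",
]

# The three patterns from the post, written with straight quotes
RULE_NAME_RE = re.compile(r"(Rule\sName|Event\sName)(\=\"|\:\')([^\"\']+)")
REF_VALUES_RE = re.compile(r"values\=\"\[([^\]]+)")
ID_RE = re.compile(r"Id\=\"([^\"]+)")


def extract_rule_name(payload):
    """Capture group 3 of the Rule Name pattern, or None if absent."""
    m = RULE_NAME_RE.search(payload)
    return m.group(3) if m else None


def extract_reference_values(payload):
    """Reference-set values as a list; the bracketed text is split on commas."""
    m = REF_VALUES_RE.search(payload)
    if not m:
        return []
    return [v.strip() for v in m.group(1).split(",")]


def extract_id(payload):
    """The Id="..." value, or None if absent."""
    m = ID_RE.search(payload)
    return m.group(1) if m else None


def extract_audit_fields(payload):
    """Apply all three custom-property extractions to one payload."""
    return {
        "rule_name": extract_rule_name(payload),
        "reference_values": extract_reference_values(payload),
        "id": extract_id(payload),
    }


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(extract_audit_fields(p))
```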

The SIM Audit category contains events related to user interaction with the IBM® Security QRadar® Console and its administrative features.

See the full list of low level categories for SIM Audit: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_sim_audit.html

Source: https://qmasters.co/ibm-qradar-siem-audit/
