IBM Qradar SIEM Audit

With 7.2.7 Patch came some simple and much needed searches which were already a part of Qradar capabilities , but wasn’t accessible  easily nor did you have any predefined searches to run .

After updating to 7.2.7 and installing extensions like PCI , those audit  searches will show up :

 After a quick view on those predefined searches , we will some audit data , but it’s still not much clear what are we looking on .

I Have built some basic searches as a suggestion from my experience  :

  • Remember to change columns as needed and add new properties if you need.

  • Example : Rule propriety in CRE Rules Audit – what is the rule which was changed

1. Audit Changes Done To SIEM overall – Audit changes or actions done by users on the system

The search should use those filters :

High level – SIM Audit and low level – SIM Configuration Change

2. Reference Set Audit  – Audit changes done to reference set by users

The search should use those filters :

QID – 28250205 , 28250204 , 28250217

High level – SIM Audit and low level – SIM Configuration Change

3. CRE Rules – Audit changes done to rules

QID – 28250030, 28250319, 28250028, 28250029, 28250255, 28250256, 28250320

4. SIEM Backup activity 

The search should use those filters :

Use predefined SIEM backup audit  and change the property in group by back to regular columns .

Use all four in one report and get a daily change activity audit on Qradar SIEM device.

Extract Properties Examples :

Rule Name: ( low level category – SIM configuration Change )

(Rule\sName|Event\sName)(\=\”|\:\’)([^\”\’]+) – capture group 3

Reference Value ( low level category – SIM configuration Change)


ID ( low level category – SIM configuration Change)


The SIM Audit category contains events that are related to user interaction with the IBM® Security QRadar® Console and administrative features .

See Full list of low level categories for SIM Audit – Link 

About qmasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.

you might also like:

ClearPass Vulnerability Alert

Aruba has informed us about a new security advisory for...

VIDEO: Carbon Black Webinar - Investigating an Incident

This video link has expired. Please contact Michelle at michelled@qmasters.co...

1 2 3 6

Join our newsletter!


linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram