Qradar, who created that user

Lets suppose we need to identify who created a new username (you could even script this and run it as a cron job to email you the daily results and use it as a compliance control)

cat /var/log/audit/audit.log | grep ‘AccountAdded’ | less

Jun 12 14:34:37 X&Y (7638) /console/JSON-RPC/QRadar.saveUser QRadar.saveUser | [Configuration] [UserAccount] [AccountAdded] ID: 24 | Username: ABC | Email: [email protected] | Description: | Role ID: 2 | Security Profile ID: 1

By analyzing the log line, we can verify that X&Y added new account ABC with the e-mail address of [email protected] at Jun the 12th at 14:43.