RobWalker
1 Post

MPC: Unable to create new offense. The maximum number of active offenses has been reached.

2015-10-15T16:42:28Z | max offense reached

I've reached the maximum number of offenses and need to clean this up on the backend. Does anyone have the command to delete the oldest offenses? I've closed thousands but still get the same messages.

Unable to create new offense. The maximum number of offenses reached. Current offense numbers: active=3000, dormant=620. Limits: active=2500, dormant=100000.

  • KeithES
    2 Posts

    Re: MPC: Unable to create new offense. The maximum number of active offenses has been reached.

    2015-10-17T08:39:35Z

    Rob,

    An active offense is one that's received flows or events recently (the time is outlined in the manual, which I don't have handy); you are most likely closing inactive offenses that are older than that. You will have to search for offenses and use the 'received events or flows since...' search term to get the active offenses. I would recommend looking at your rules and sorting by the number of offenses they create, and disabling the one(s) that are creating the excessive number of offenses.

    Keith

  • JonathanPechtaIBM
    11 Posts

    Re: MPC: Unable to create new offense. The maximum number of active offenses has been reached.

    2015-10-22T13:45:52Z

    The maximum number of active offenses is 2,500 as described in the system notification and in the documentation. See page 15 here: http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.5/EN/b_qradar_system_notifications.pdf


    If an active offense does not receive an event update within 30 minutes, the offense status changes to dormant. If a new event occurs, the dormant offense is updated and changed back to active. After five days, dormant offenses that do not have event updates change to inactive. As Keith mentioned, you should review any rules that are triggering large numbers of offenses.

  • JonathanPechtaIBM
    11 Posts

    Re: MPC: Unable to create new offense. The maximum number of active offenses has been reached.

    2015-10-29T21:35:07Z

    Also, I forgot to mention that you can also review your System Settings from the Admin tab. There is a global setting that defines how long offenses are retained for. By default, this value is set to 30 days, which is the period of time that the system retains closed offense information. If you were to lower this value, closed offense data is cleared out faster.


    Offense data is kept track of in postgres in the offenses table. Every 2 hours the system evaluates offenses that are closed and cleans out closed offenses that are older than the global system setting for "Offense Retention Period".
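    The offense lifecycle described in Jonathan's two replies (active, dormant after 30 minutes without an event update, inactive after five days, closed offenses purged once older than the retention period) as an added Python simulation; this is not code from the thread or from QRadar itself. The offense records, ids and timestamps are constructed for the example, the 2,500 active limit is the one quoted in the system notification, and the simulation also shows Keith's point that closing offenses which have not received events recently does not lower the active count.

```python
from datetime import datetime, timedelta

ACTIVE_LIMIT = 2500                    # active-offense limit from the system notification
DORMANT_AFTER = timedelta(minutes=30)  # active -> dormant with no event update
INACTIVE_AFTER = timedelta(days=5)     # dormant -> inactive with no event update
RETENTION = timedelta(days=30)         # default "Offense Retention Period" for closed offenses

def offense_state(offense, now):
    """Classify one open or closed offense by the lifecycle Jonathan describes."""
    if offense["closed_at"] is not None:
        return "closed"
    idle = now - offense["last_event"]
    if idle < DORMANT_AFTER:
        return "active"
    if idle < INACTIVE_AFTER:
        return "dormant"
    return "inactive"

def summarize(offenses, now):
    """Count offenses per state, as the notification reports active/dormant."""
    counts = {"active": 0, "dormant": 0, "inactive": 0, "closed": 0}
    for o in offenses:
        counts[offense_state(o, now)] += 1
    return counts

def can_create_offense(offenses, now):
    """Rob's error fires once the active count reaches ACTIVE_LIMIT."""
    return summarize(offenses, now)["active"] < ACTIVE_LIMIT

def close_idle(offenses, idle_days, now):
    """Close open offenses with no events for idle_days (closing 'old' offenses in bulk).
    Returns a new list; it never touches active offenses, so the active count is unchanged."""
    cutoff = now - timedelta(days=idle_days)
    return [dict(o, closed_at=now) if o["closed_at"] is None and o["last_event"] < cutoff else o
            for o in offenses]

def purgeable(offenses, now):
    """Closed offenses the two-hourly cleanup deletes: closed longer ago than RETENTION."""
    return [o["id"] for o in offenses
            if o["closed_at"] is not None and now - o["closed_at"] > RETENTION]

# Constructed sample data (hypothetical offense ids and timestamps, not from any real system).
NOW = datetime(2015, 10, 15, 16, 42)
SAMPLE = [
    {"id": 1, "last_event": NOW - timedelta(minutes=5), "closed_at": None},   # active
    {"id": 2, "last_event": NOW - timedelta(hours=2), "closed_at": None},     # dormant
    {"id": 3, "last_event": NOW - timedelta(days=10), "closed_at": None},     # inactive
    {"id": 4, "last_event": NOW - timedelta(days=45), "closed_at": NOW - timedelta(days=31)},  # closed, past retention
    {"id": 5, "last_event": NOW - timedelta(days=3), "closed_at": NOW - timedelta(days=2)},    # closed, still retained
]
```

    Running `summarize(SAMPLE, NOW)` before and after `close_idle(SAMPLE, 1, NOW)` shows the closed count rising while the active count stays the same, which is why only rule tuning (or an active-offense search) brings the active number down.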


  • HasanGenc
    3 Posts

    Re: MPC: Unable to create new offense. The maximum number of active offenses has been reached.

    2016-09-21T18:54:04Z

    Hi Jonathan,

    I am wondering, if we have an AIO QRadar system or a Distributed QRadar system, do both of them have the same (default) offense count rights?

    Besides, we have a 10k license per EPS and then we will increase this license to 20k; do the active (2500) and inactive (100000) offense count limits remain the same as under the old EPS license rights?

    In conclusion, I want to understand

    > Do offense counts depend on the EPS license, or on the QRadar Event Processor, Console, AIO QRadar hosts and their diagram, and so on??

    > Can we arrange active/inactive offense count rights different from the default on QRadar? Are there any risks or limitations??

    Thanks in advance