Offenses API
The Offenses API returns the most recent offenses from QRadar. Results can be filtered by offense type or restricted to User and Entity Behavior Analytics (UEBA) offenses.
Overview
The Offenses API returns the most recent offenses from QRadar. Results can be filtered by offense type or restricted to User and Entity Behavior Analytics (UEBA) offenses.
Endpoint
GET /api/offenses
Query parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| type | string | all | Filters offenses by offense type. If not specified, offenses of all types are returned.
Valid values: "all", "user", "entity" |
| ueba_offense | boolean | false | When set to true, returns only offenses associated with UEBA detections. Boolean values are case-insensitive. |
type parameter values
all: (default): Returns both user-related and entity-related offenses (up to 10 of each, total 20)user: Returns only user-related offenses (up to 20)entity: Returns only entity-related offenses (up to 20)
Filtering rules
- If no parameters are provided, the API returns the most recent offenses regardless of type.
- The type parameter can be used to limit results to a specific offense category.
- Setting
ueba_offense=truereturns only UEBA-related offenses. - Filter parameters can be combined to further refine results.
Response
The API returns a list of offenses containing information such as:
- Offense identifier
- Description
- Offense type
- Severity
- Magnitude
- Start time
- Last updated time
- Current status
Response example
{
"offenses": [
{
"id": 12345,
"description": "Multiple failed authentication attempts",
"offense_type": "security",
"severity": 7,
"magnitude": 8,
"start_time": "2026-06-15T10:15:00Z",
"last_updated_time": "2026-06-15T11:30:00Z",
"status": "OPEN"
}
]
}
Error handling
| HTTP Status | Description |
|---|---|
| 404 Not Found | Requested offense data could not be found. |
| 500 Internal Server Error | An unexpected error occurred while retrieving offenses. |