Offenses API

The Offenses API returns the most recent offenses from QRadar. Results can be filtered by offense type or restricted to User and Entity Behavior Analytics (UEBA) offenses.

Overview

The Offenses API returns the most recent offenses from QRadar. Results can be filtered by offense type or restricted to User and Entity Behavior Analytics (UEBA) offenses.

Endpoint

GET /api/offenses

Query parameters

Parameter Type Default Description
type string all Filters offenses by offense type. If not specified, offenses of all types are returned.

Valid values: "all", "user", "entity"

ueba_offense boolean false When set to true, returns only offenses associated with UEBA detections. Boolean values are case-insensitive.

type parameter values

  • all: (default): Returns both user-related and entity-related offenses (up to 10 of each, total 20)
  • user: Returns only user-related offenses (up to 20)
  • entity: Returns only entity-related offenses (up to 20)

Filtering rules

  • If no parameters are provided, the API returns the most recent offenses regardless of type.
  • The type parameter can be used to limit results to a specific offense category.
  • Setting ueba_offense=true returns only UEBA-related offenses.
  • Filter parameters can be combined to further refine results.

Response

The API returns a list of offenses containing information such as:

  • Offense identifier
  • Description
  • Offense type
  • Severity
  • Magnitude
  • Start time
  • Last updated time
  • Current status

Response example

{
  "offenses": [
    {
      "id": 12345,
      "description": "Multiple failed authentication attempts",
      "offense_type": "security",
      "severity": 7,
      "magnitude": 8,
      "start_time": "2026-06-15T10:15:00Z",
      "last_updated_time": "2026-06-15T11:30:00Z",
      "status": "OPEN"
    }
  ]
}

Error handling

HTTP Status Description
404 Not Found Requested offense data could not be found.
500 Internal Server Error An unexpected error occurred while retrieving offenses.