Offense API filters

Use the Offense API Filter field to filter out unwanted incidents from the Incident Overview app bubble graph.

The Incident Overview app displays all active incidents on your IBM QRadar system. The Incident Overview app works best when it displays 50 incidents or fewer. Enter filter strings in the Offense API Filter field to remove incidents you don't want to display.

By default, the Offense API Filter field contains the following filter string:

inactive=false and status="OPEN"

In most cases, you don't need to modify this field. However, if you have many offenses, you can use the Offense API Filter field to filter out those incidents that you don't want to see.

The Offense API Filter field uses filter strings that employ the QRadar /api/siem/offenses endpoint fields. The QRadar SIEM Offense API includes many different fields that you can filter on, and a range of filter syntax options. The following list provides some sample filter strings.

  • To filter out incidents with a magnitude less than 4, use the following filter:

    inactive=false and status="OPEN" and magnitude > 3
  • To filter out incidents with a magnitude less than 4 and a credibility less than 5, use the following filter:

    inactive=false and status="OPEN" and magnitude > 3 and credibility > 4
  • To display active incidents in the Compliance Policy Violation category, use the following filter:

    inactive=false and status="OPEN" and categories contains "Compliance Policy Violation"
  • To display active incidents that are assigned to User1, use the following filter:

    inactive=false and status="OPEN" and assigned_to="User1"

Note: The Offense API Filter parameter is mandatory. Do not leave this field blank.

Testing filters

If the filter string you enter is not a valid QRadar Offense API filter, an "Invalid API Filter" message is displayed.

To test more complex filters, use the /api/siem/offenses endpoint in the latest version of the QRadar interactive API documentation. To open the interactive API documentation, enter the following URL in your web browser: https://<ConsoleIPaddress>/api_doc/.

For more information about the QRadar SIEM Offense endpoint fields, API filtering syntax and the interactive API documentation page, see the IBM QRadar API Guide.
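The sample filter strings above and the testing advice in this section can both be exercised from a script rather than by hand. The following Python is an added example, not code from the IBM documentation or from the Incident Overview app: it builds a filter string on top of the documented default, runs a local sanity check for the common slips (blank field, unbalanced quotes, unknown field names), and issues the same GET request against /api/siem/offenses that the interactive API documentation page sends, so you can see how many offenses a filter returns before pasting it into the app. The console hostname, the authorized-service token, the value of the Version header, and the KNOWN_FIELDS set (only the fields the sample filters use) are assumptions you will need to adjust for your own system.

```python
"""Build, pre-check and send an Offense API filter string to QRadar.

Added example; not part of the IBM documentation or the app's code.
Assumed: an authorized-service token with read access to /api/siem/offenses,
and a console certificate that your trust store accepts.
"""
import json
import re
import ssl
import sys
import urllib.parse
import urllib.request

# The app's default filter, as documented.
DEFAULT_FILTER = 'inactive=false and status="OPEN"'
# The app works best at 50 incidents or fewer.
MAX_INCIDENTS = 50
# Offense fields used by the sample filters; extend as needed
# (the endpoint exposes many more; see the IBM QRadar API Guide).
KNOWN_FIELDS = {"inactive", "status", "magnitude", "credibility",
                "categories", "assigned_to"}
# Assumed placeholder: set to the API version your console documents.
API_VERSION = "12.0"


def build_filter(*clauses):
    """Append extra conditions to the default filter, joined with 'and'."""
    extra = [c.strip() for c in clauses if c and c.strip()]
    return " and ".join([DEFAULT_FILTER] + extra)


def check_filter(filter_string):
    """Local sanity check before the string goes into the app's field.

    Returns a list of problems (empty when none were found). QRadar remains
    the authority on validity; this only catches a blank field, unbalanced
    quotes, and field names not in KNOWN_FIELDS. The clause split is a
    heuristic and does not understand 'and'/'or' inside quoted values.
    """
    problems = []
    if not filter_string or not filter_string.strip():
        return ["filter is blank (the field is mandatory)"]
    if filter_string.count('"') % 2:
        problems.append("unbalanced double quotes")
    for clause in re.split(r"\s+(?:and|or)\s+", filter_string.strip(), flags=re.I):
        m = re.match(r"\s*\(*\s*([A-Za-z_][A-Za-z0-9_.]*)", clause)
        if not m:
            problems.append(f"clause does not start with a field name: {clause!r}")
        elif m.group(1) not in KNOWN_FIELDS:
            problems.append(f"field '{m.group(1)}' is not in KNOWN_FIELDS; "
                            "extend the set if it is a valid offense field")
    return problems


def offenses_request(console, token, filter_string, page_size=MAX_INCIDENTS):
    """Build the GET request the interactive API page would send for this filter.

    Nothing is sent here; fetch_offenses() does that. The filter string goes
    in the 'filter' query parameter and must be percent-encoded.
    """
    query = urllib.parse.urlencode({
        "filter": filter_string,
        "fields": "id,description,magnitude,credibility,status,assigned_to",
    })
    url = f"https://{console}/api/siem/offenses?{query}"
    return urllib.request.Request(url, headers={
        "SEC": token,                          # authorized-service token
        "Version": API_VERSION,
        "Accept": "application/json",
        "Range": f"items=0-{page_size - 1}",   # page the result like the app
    })


def fetch_offenses(request, context=None):
    """Send the request and return the decoded JSON list of offenses."""
    context = context or ssl.create_default_context()  # verify the console cert
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def within_display_limit(offenses):
    """True when the result set is small enough for the bubble graph."""
    return len(offenses) <= MAX_INCIDENTS


if __name__ == "__main__":
    # usage: python offense_filter.py <console> <token> [extra clause ...]
    if len(sys.argv) < 3:
        sys.exit("usage: offense_filter.py <console> <token> [clause ...]")
    console, token, *clauses = sys.argv[1:]
    flt = build_filter(*clauses)
    found = check_filter(flt)
    if found:
        sys.exit("filter rejected locally: " + "; ".join(found))
    result = fetch_offenses(offenses_request(console, token, flt))
    state = "within" if within_display_limit(result) else "over"
    print(f"{len(result)} offense(s) match {flt!r}; {state} the {MAX_INCIDENTS} limit")
```

Run it with the console address, a token and any extra clauses, for example `magnitude > 3` and `credibility > 4`; the local check rejects an obviously malformed string before any request is made, and the count printed at the end tells you whether the filter keeps the app within the 50-incident range this page recommends. The check deliberately does not try to reproduce QRadar's full filter grammar: a string that passes locally can still be rejected by the console, which is why the interactive API documentation remains the place to confirm a complex filter.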