Offense API filters

Use the Offense API Filter field to filter out unwanted incidents from the Incident Overview app bubble graph.

The Incident Overview app displays all active incidents on your IBM® QRadar® system. The Incident Overview app works best when it displays 50 incidents or less. Enter filter strings in the Offense API Filter field to remove incidents you don't want to display.

By default, the Offense API Filter field contains the following filter string:

inactive=false and status="OPEN"

In most cases, you don't need to modify this field. However, if you have many offenses, you can use the Offense API Filter field to filter out those incidents that you don't want to see.

The Offense API Filter field uses filter strings that employ the QRadar /api/siem/offenses endpoint fields. The QRadar SIEM Offense API includes many different fields that you can filter on, and a range of filter syntax options. The following list provides some sample filter strings.

  • To filter out incidents with a magnitude less than 4, use the following filter:

    inactive=false and status="OPEN" and magnitude > 3
  • To filter out incidents with a magnitude less than 4 and a credibility less than 5, use the following filter:

    inactive=false and status="OPEN" and magnitude > 3 and credibility > 4
  • To display active incidents in the Compliance Policy Violation category, use the following filter:

    inactive=false and status="OPEN" and categories contains "Compliance Policy Violation"
  • To display active incidents that are assigned to User1, use the following filter:

    inactive=false and status="OPEN" and assigned_to="User1"
Note: The Offense API Filter parameter is mandatory. Do not leave this field blank.

Testing filters

If the filter string you enter is not a valid QRadar Offense API filter, an "Invalid API Filter" message is displayed.

To test more complex filters, use the /api/siem/offenses page in the latest version of the QRadar interactive API documentation page. To access the interactive API documentation interface, enter the following URL in your web browser: https://<ConsoleIPaddress>/api_doc/.

For more information about the QRadar SIEM Offense endpoint fields, API filtering syntax and the interactive API documentation page, see the IBM QRadar API Guide.