Offense Disposition Analysis

Offense Disposition Analysis (ODA) in the QRadar® Advisor with Watson™ app provides the most likely closing reasons that will be used for an offense under investigation based on the analysis of past similar offenses.

QRadar Advisor with Watson collects data from offenses that were closed during the previous 6 hours. For an offense to be analyzed with the Offense Disposition Analysis, it must be closed with a standard QRadar closing reason or a custom closing reason and investigated by the QRadar Advisor with Watson app.

Note: For Offense Disposition Analysis to be accurate, you should use one API key and password for each environment you are running QRadar Advisor with Watson.

There are not enough recent similar offenses to provide a disposition analysis

You might see the message There are not enough recent similar offenses to provide a disposition analysis. This message does not indicate a problem with ODA and is normal in the following cases:

Offense Disposition Analysis must collect enough metadata from your QRadar system before it can perform a disposition analysis. The disposition analysis requires closing information from at least 10 offenses with the same offense descriptions. If the app has not yet seen at least 10 closed offenses with the same description as the offense you are viewing, you will see this message. As more metadata is collected on closed offenses, this message eventually disappears and is replaced by the disposition analysis results. Note: You do not need to reinvestigate the offense for the results to be updated. When you view the investigation later, the ODA results are updated automatically if enough data was collected.
Offense Disposition Analysis collected data for 10 or more closed offenses with the same description as the offense you are viewing but the counts of different closing reasons are the same so Offense Disposition Analysis cannot make a recommendation. For example, if the offenses with the same description have been closed five times as False Positive, five times as Escalated, five times as Policy Violation and five times as Non-Issue, then ODA cannot make a top three closing reason recommendation and shows this message until more data is collected.
Offense Disposition Analysis is supported for offenses that are investigated by QRadar Advisor with Watson to stage 2 (Watson Enriched) or stage 3 (Expanded Local Context). If the offense is only auto-investigated to stage 1 (Local Mining), then you see this message regardless of how much data is collected. You can always reinvestigate the offense manually to see the results.
Offense Disposition Analysis is only supported if offenses are closed on your QRadar system with standard or custom QRadar closing reasons. If offenses are not closed on QRadar, then Offense Disposition Analysis is not able to collect any metadata and always show this message for all offenses.
The QRadar Advisor with Watson admin reset the data model from the QRadar Admin tab. Resetting the data model causes Offense Disposition Analysis to show this message until enough data can be collected again.
The QRadar Advisor with Watson admin changed the XFE credentials that are configured for QRadar Advisor with Watson to a new set of credentials. The Offense Disposition Analysis data is collected per XFE API key and changing the XFE API credentials can cause this message to be displayed until enough data is collected for the new credentials.
If you investigated an offense with version 1.X.X and then upgrade to version 2.0.0 or later, the offenses that were investigated by 1.X.X always show this message. Offense Disposition Analysis is only supported for offenses that are investigated by QRadar Advisor with Watson 2.0.0 and later.

Reset Training Model

You should reset the Offense Disposition Analysis training model if the following conditions apply:

You made major changes to your QRadar configuration such as implementing or tuning CRE rules or adding new log sources. Making major changes to your QRadar configuration can invalidate the current training.
You changed how you use the QRadar system's offense closing reasons. For example, if you add new custom closing reasons to replace the current reasons, if you discover that not all your QRadar users are using closing reasons in a consistent manner, or if you have bulk offense closures with inaccurate closing reasons.

To reset the Offense Disposition Training model in QRadar 7.3.3 or later, from the QRadar navigation menu, click Admin > QRadar Advisor with Watson > Disposition Analysis and then click Reset Training Model.