Closing offenses

Close an offense in the QRadar Analyst Workflow to remove it completely from your system.

About this task

The default offense retention period is 30 days. After the offense retention period expires, closed offenses are deleted from the system. You can protect an offense to prevent it from being deleted when the retention period expires.

After you close an offense, the offense is only displayed if you apply an IS filter for Status = Closed. If more events occur for an offense that is closed, a new offense is created.

When you close offenses, you must select a reason for closing the offense. If you have the Manage Offense Closing permission, you can add custom closing reasons. For more information about user role permissions, see the IBM QRadar Administration Guide.

Procedure

  1. From the Offenses table, do one of the following:
    • Select any offenses you want to close.
    • Click on a single offense listing to open the offense details.
  2. From the Actions list, select Close.
  3. Specify a closing reason from the Choose a resolution option list.
  4. In the text field, type a note to provide more information.

    Notes must not exceed 1,984 characters.

  5. Click OK.