Closing offenses

Close an offense to remove it completely from your system.

About this task

The default offense retention period is 30 days. After the offense retention period expires, closed offenses are deleted from the system. You can protect an offense to prevent it from being deleted when the retention period expires.

Closed offenses are no longer displayed in any list on the Offenses tab, including the All Offenses list. If you include closed offenses in a search, and the offense is still within the retention period, the offense is displayed in the search results. If more events occur for an offense that is closed, a new offense is created.

When you close offenses, you must select a reason for closing the offense. If you have the Manage Offense Closing permission, you can add custom closing reasons. For more information about user role permissions, see the IBM QRadar Administration Guide.

Procedure

  1. Click the Offenses tab.
  2. Select the offense that you want to close.
    To close multiple offenses, hold the Control key while you select each offense.
  3. From the Actions list, select Close.
  4. In the Reason for Closing list, specify a closing reason.

    To add a close reason, click the icon beside Reason for Closing to open the Custom Offense Close Reasons dialog box.

  5. Optional: In the Notes field, type a note to provide more information.

    The Notes field displays the note that was entered for the previous offense closing. Notes must not exceed 2,000 characters.

  6. Click OK.

Results

After you close offenses, the counts that are displayed on the By Category window of the Offenses tab can take several minutes to reflect the closed offenses.
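
The same close action scripted for several offenses through the QRadar REST API, as an added example that is not part of the original page or IBM's own code. It assumes the /api/siem/offenses endpoints and the SEC token header. The host name, token, offense IDs and closing reason ID are constructed placeholders, and the 2,000-character check applies this page's Notes limit on the client side.

```python
import urllib.parse
import urllib.request

MAX_NOTE_CHARS = 2000  # Notes limit stated in the procedure on this page


def build_close_requests(console, token, offense_id, closing_reason_id, note=None):
    """Build (but do not send) the requests that close one offense.

    A closing reason is mandatory, as in the UI. The optional note is
    posted first so that it is recorded before the offense is closed.
    """
    if closing_reason_id is None:
        raise ValueError("a closing reason is required to close an offense")
    if note is not None and len(note) > MAX_NOTE_CHARS:
        raise ValueError(f"note is {len(note)} characters; limit is {MAX_NOTE_CHARS}")

    headers = {"SEC": token, "Accept": "application/json"}
    base = f"https://{console}/api/siem/offenses/{int(offense_id)}"
    requests = []
    if note:
        query = urllib.parse.urlencode({"note_text": note})
        requests.append(
            urllib.request.Request(f"{base}/notes?{query}", headers=headers, method="POST"))
    query = urllib.parse.urlencode(
        {"status": "CLOSED", "closing_reason_id": int(closing_reason_id)})
    requests.append(
        urllib.request.Request(f"{base}?{query}", headers=headers, method="POST"))
    return requests


def build_bulk_close(console, token, offense_ids, closing_reason_id, note=None):
    """Equivalent of multi-selecting offenses: one reason and note for all."""
    requests = []
    for offense_id in offense_ids:
        requests.extend(
            build_close_requests(console, token, offense_id, closing_reason_id, note))
    return requests


if __name__ == "__main__":
    # Constructed values. Real closing reason IDs are listed by
    # GET /api/siem/offense_closing_reasons on your own console.
    for req in build_bulk_close("qradar.example.com", "CONSTRUCTED-TOKEN",
                                [101, 102], closing_reason_id=1,
                                note="Confirmed false positive"):
        print(req.get_method(), req.full_url)
        # To send: urllib.request.urlopen(req) with a trusted TLS context.
```
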