IBM Support

QRadar: Offense Retention Policy Limitations

Question & Answer


Offense retention in QRadar is limited to a maximum of up to 2 years max. Is there a way to keep offenses in QRadar longer than 2 years?


Yes, if an administrator needs to keep offenses beyond the 2 year limit you can protect specific offenses. The Actions > Protect option from the QRadar user interface will flag an offense as protected, which prevents the offense from being purged during offense clean up.

To keep an offense in the system and prevent it from being delete, users can:

    1. Click the Offenses tab.
    2. Click All Offenses.
    3. Choose one of the following options:
      • Select the offense that you want to protect, and then select Protect from the Actions list box.
      • From the Actions list box, select Protect Listed.
    4. Click OK.

    Note: To protect multiple offenses, administrators can press Shift + Click to select multiple offenses from the user interface, then select Actions > Protect.

The maximum Offense Retention Period that can be selected in the user interface is 2 years. This is intentional to avoid excessive number of offenses from being created and stored for long periods of time in the user interface.

When a user decides to unprotect an offense that is beyond the offense retention period is not automatically deleted. There is an offense clean up task that runs hourly in QRadar to remove inactive offenses that are beyond their offense retention period

Note: If your administrator completes a Hard Clean of the SIM model from the Admin tab, this will purge all offense data, regardless if an offense is protected or not. A 'Hard Clean' cannot be undone and removes all offense data.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Offense Manager","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.0;7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018