IBM Support

QRadar : Difference between First Persisted Time of offense and CRE event created as the rule's response

Question & Answer


Question

When a rule fires an offense, why is the First Persisted Time of that offense different from the time of the CRE event that gets fired as rule response?
NOTE: The First Persisted Time is not displayed in the GUI. Instead, it is seen in the responses of the QRadar Offense API as first_persisted_time.

Answer


When a rule creates an offense on an Event Processor (EP), the triggering event is sent to the console. There it is passed to the Magistrate Processing Core (MPC) for offense creation, and the MPC then writes the offense to the Postgres database on the console. The First Persisted Time is the time at which the offense is written to the Postgres database.
Along with creating an offense, a rule's response can be to dispatch a new CRE event. That event is usually used to rename offenses, and it is processed like every other event in the system.
The mechanism that writes the offense to the Postgres database and the mechanism that creates and processes the CRE event are different. Hence, there can be a difference between the time the offense is written to the database (the First Persisted Time) and the time of the CRE event. This difference does not affect offense renaming.


Document Information

Modified date:
16 March 2022

UID

ibm16563507