IBM Support

QRadar: Managing open offenses

Question & Answer


Question

How can I triage open offenses when I have too many? What are the different type of offenses, and how can I manage the offense retention period?

Cause

By default, the process limit in QRadar is 2500 active offenses and 100000 overall offenses.
A tuned QRadar system usually does not produce more than 10 to 15 quality offenses per 1000 EPS per day. Quality offenses produce event and flow data fields in which good external observable information can be data mined by QRadar Advisor with Watson and researched by Watson for Cybersecurity.

Answer

Note: Offenses might be slow to load if there are too many historical correlation profiles with too many rules assigned. If your offenses are slow to load, you can either delete unneeded historical correlation profiles or edit them to contain fewer rules.

Active, dormant, and inactive offenses

If an active offense does not receive an event for more than 30 minutes, it turns dormant. If a dormant offense receives an event, it is recalled and updated like an active offense. If the recalled offense does not receive an event for more than 30 minutes, it turns dormant again. If a dormant offense does not receive an event for the dormant time of 5 days, it turns inactive. New offenses start in the active state by default. All active and recalled offenses turn inactive when QRadar is upgraded. An inactive offense cannot turn active again.

If QRadar detects a new event for an inactive offense, a new offense is created to receive the event. The only difference between an inactive and closed offense is that a closed offense was closed manually by a user and that inactive offenses are still shown in the UI by default. Inactive and closed offenses are deleted after the retention period elapses.

The default retention period of 30 days can be changed on the Admin tab under System Settings > Database Settings. For better performance, it can be set to the suggested period of 3 days.

Offense settings

Protected and unprotected offenses
QRadar does not delete protected offenses after the retention period elapses, but it changes their state the same way as for unprotected offenses. As a result, protected offenses remain on the system indefinitely.

Using the Use Case Manager
Another way to investigate the noisiest rules and offenses is through visualization with the Use Case Manager application.

Searching Offenses

One way to search for Active offenses is through the offenses UI. This procedure illustrates a basic search.

  1. Log in to the QRadar UI.
  2. Open the Offenses tab.
  3. Click the Search drop-down, then Edit Search.
  4. Set the Time Range to Recent "Event(s)/flow(s) received in the last 30 days".
    Result
    The search shows all active offenses in the last 30 days. In this search, we can identify the active offenses and the number of events it took to generate each offense.


The number of active and dormant offenses can also be found from the CLI with the following steps:

  1. SSH into the QRadar console.
  2. Enter the following command:
    psql -U qradar -c 'select active_code,count(*) from offense group by active_code;'
    Result
    Example output:
     active_code | count
    -------------+-------
               1 |     2
               3 |    95
               2 |     1
    (3 rows)

    The active_code values correspond to the following states:

    • 1: Code assigned to offenses that are currently collecting events - Active
    • 2: Code assigned to offenses not receiving events for some time - Dormant
    • 3: Code assigned to dormant offenses not receiving events for a few days - Inactive
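The offense lifecycle described above (active, recalled, dormant, inactive, then retention-based deletion unless protected) and the active_code grouping from the psql query, worked through as an added example; this is not code from the page or from QRadar itself. The 30-minute, 5-day and 30-day values come from the page; the point at which the 5-day dormant clock starts, the offense timelines and the fixed "now" are constructed assumptions.

```python
from datetime import datetime, timedelta

# State codes as reported in the active_code column of the psql query above.
ACTIVE, DORMANT, INACTIVE = 1, 2, 3
DORMANT_AFTER = timedelta(minutes=30)   # no events for 30 min: active -> dormant
INACTIVE_AFTER = timedelta(days=5)      # dormant for 5 days: dormant -> inactive
DEFAULT_RETENTION = timedelta(days=30)  # inactive and closed offenses are purged after this

def replay_offense(event_times, now):
    """Replay the events attributed to one offense and return
    (state_code, events_collected, inactive_since).
    Assumption (not stated on the page): the 5-day dormant clock starts when the
    offense turns dormant, i.e. 30 minutes after its most recent event."""
    events = sorted(event_times)
    last, collected = events[0], 1          # a new offense starts active on its first event
    for t in events[1:]:
        if t - last > DORMANT_AFTER + INACTIVE_AFTER:
            break                           # already inactive: this event opens a new offense instead
        last, collected = t, collected + 1  # active or recalled: the offense keeps collecting
    idle = now - last
    if idle <= DORMANT_AFTER:
        return ACTIVE, collected, None
    if idle <= DORMANT_AFTER + INACTIVE_AFTER:
        return DORMANT, collected, None
    return INACTIVE, collected, last + DORMANT_AFTER + INACTIVE_AFTER

def due_for_deletion(state, inactive_since, now, protected=False, retention=DEFAULT_RETENTION):
    """An inactive offense is deleted once the retention period elapses, unless it is
    protected: protected offenses change state the same way but stay on the system."""
    if protected or state != INACTIVE:
        return False
    return now - inactive_since > retention

def count_by_code(offenses, now):
    """Same aggregation as the psql query: number of offenses per active_code."""
    counts = {}
    for events in offenses.values():
        code = replay_offense(events, now)[0]
        counts[code] = counts.get(code, 0) + 1
    return counts

# Constructed sample timelines relative to a fixed "now"; not data from a real system.
NOW = datetime(2023, 1, 11, 12, 0)
SAMPLE = {
    "A": [NOW - timedelta(minutes=10), NOW - timedelta(minutes=5)],   # still active
    "B": [NOW - timedelta(days=3), NOW - timedelta(days=2)],           # recalled once, now dormant
    "C": [NOW - timedelta(days=40), NOW - timedelta(days=39),
          NOW - timedelta(days=20)],                                   # inactive; last event opened a new offense
}
```

Calling count_by_code(SAMPLE, NOW) gives one offense per code, the same shape as the psql output above; lowering the retention argument of due_for_deletion to 3 days models the suggested shorter retention period.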

Clean SIM Model
Cleaning the SIM data model ensures that offenses are based on the most current rules, discovered servers, and network hierarchy. After tuning, it is recommended that you clean the SIM data model to ensure that QRadar displays only recent offenses.

If QRadar is no longer generating offenses, the cause might be corrupted transactions in the magistrate (the process that creates and manages offenses), and clearing the SIM can fix the issue. Sometimes simply restarting ecs-ep corrects the issue, but if the component holds corrupted offense transactions, a SIM clean closes all active offenses and resets the magistrate so that it starts fresh.


Document Information

Modified date: 11 January 2023

UID: ibm16845952