Question & Answer
If an active offense does not receive an event for more than 30 minutes, it turns dormant. If a dormant offense receives an event, it is recalled and updated like an active offense. If the recalled offense does not receive an event for more than 30 minutes, it turns dormant again. If a dormant offense does not receive an event for the dormant time of 5 days, it turns inactive. New offenses start in the active state by default. All active and recalled offenses turn inactive when QRadar is upgraded. An inactive offense cannot turn active again.
If QRadar detects a new event for an inactive offense, a new offense is created to receive the event. The only difference between an inactive and closed offense is that a closed offense was closed manually by a user and that inactive offenses are still shown in the UI by default. Inactive and closed offenses are deleted after the retention period elapses.
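The state transitions described above, replayed over a constructed event timeline, as an added illustration that is not part of the original article or of QRadar's own code. The Offense class, the replay function and the choice to start the 5-day clock at the moment the offense turns dormant are assumptions; the active_code values follow the psql output shown further down the page.

```python
from datetime import datetime, timedelta

# Timeouts from the page. Assumed: the 5-day clock starts when the offense turns dormant.
DORMANT_AFTER, INACTIVE_AFTER = timedelta(minutes=30), timedelta(days=5)
ACTIVE_CODE = {"active": 1, "recalled": 1, "dormant": 2, "inactive": 3}  # psql active_code

class Offense:
    """One offense, driven only by the timestamps of the events it receives."""

    def __init__(self, offense_id, first_event):
        self.offense_id, self.last_event, self.dormant_since = offense_id, first_event, None
        self.history = [("active", first_event)]  # new offenses start active

    @property
    def state(self):
        return self.history[-1][0]

    def advance(self, now):
        """Apply the timeouts up to 'now' without delivering any event."""
        if self.state in ("active", "recalled") and now - self.last_event > DORMANT_AFTER:
            self.dormant_since = self.last_event + DORMANT_AFTER
            self.history.append(("dormant", self.dormant_since))
        if self.state == "dormant" and now - self.dormant_since > INACTIVE_AFTER:
            self.history.append(("inactive", self.dormant_since + INACTIVE_AFTER))
        return self.state

    def receive(self, ts):
        """Deliver an event at 'ts'; a dormant offense is recalled and updated."""
        if self.advance(ts) == "dormant":
            self.history.append(("recalled", ts))
        self.last_event = ts

def replay(event_times, end_time):
    """Feed events for one offense key in time order, then age everything to end_time."""
    offenses, current = [], None
    for ts in sorted(event_times):
        if current is None or current.advance(ts) == "inactive":
            current = Offense(len(offenses) + 1, ts)  # inactive never reopens: new offense
            offenses.append(current)
        else:
            current.receive(ts)
    for o in offenses:
        o.advance(end_time)
    return offenses

# Constructed timeline: two events 10 min apart, a third after a 50-min gap, a fourth 6 days on
T0 = datetime(2023, 1, 11, 9, 0)
SAMPLE_EVENTS = [T0, T0 + timedelta(minutes=10), T0 + timedelta(hours=1), T0 + timedelta(days=6)]
SAMPLE_END = T0 + timedelta(days=6, minutes=10)
```

Running `replay(SAMPLE_EVENTS, SAMPLE_END)` yields two offenses: the first walks active, dormant, recalled, dormant, inactive, and the event six days later lands in a fresh second offense.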
The default retention period of 30 days can be changed in the Admin tab in the System Settings > Database Settings. For better performance, it can be set to the suggested period of 3 days.
Protected and unprotected offenses
QRadar does not delete protected offenses after the retention period elapses, but it changes their state in the same way as for unprotected offenses. As a result, protected offenses remain on the system indefinitely.
Using the Use Case Manager
Another way to investigate the noisiest rules and offenses is through visualization with the Use Case Manager application.
One way to search for Active offenses is through the offenses UI. This procedure illustrates a basic search.
- Log in to the QRadar UI.
- Open the Offenses tab.
- Click the Search drop-down, then Edit Search.
- Set the Time Range to Recent "Event(s)/flow(s) received in the last 30 days".
The search shows all active offenses in the last 30 days.
In this search, we can identify the active offenses and the number of events it took to generate each offense.
The number of active and dormant offenses can be found from the CLI by using the following instructions:
- SSH into the QRadar console.
- Enter the following command:
psql -U qradar -c 'select active_code,count(*) from offense group by active_code;'
Result:
 active_code | count
-------------+-------
           1 |     2
           3 |    95
           2 |     1
(3 rows)
The active_code values correspond to the following:
- 1: Code assigned to offenses that are currently collecting events - Active
- 2: Code assigned to offenses not receiving events for some time - Dormant
- 3: Code assigned to dormant offenses not receiving events for a few days - Inactive
Clean SIM Model
Cleaning the SIM data model ensures that offenses are based on the most current rules, discovered servers, and network hierarchy. After tuning, it is recommended that you clean the SIM data model to ensure that QRadar displays only recent offenses.
If QRadar is no longer generating offenses, the cause might be corrupted transactions in the magistrate (the process that creates and manages offenses), so clearing the SIM model can fix the issue. Sometimes simply restarting ecs-ep corrects the issue, but if the component holds corrupted offense transactions, a SIM clean closes all active offenses and resets the magistrate so that it starts fresh.
11 January 2023