IBM Support

QRadar: Why is an open offense inactive in the backend?

Question & Answer

Question

Why is an open offense inactive in the backend?

Answer

For each offense, the GUI shows the end user only two states, Open or Closed, while the backend keeps three different states.

(Screenshot: offenses in GUI)

In the backend, including the REST API, each offense can be in one of three states: Active, Dormant, or Inactive.

  • Active offenses - When a rule triggers an offense, the offense is active. In this state, QRadar waits to evaluate new events or flows against the offense rule test. Each time new events are evaluated into the offense, the offense clock is reset to keep the offense active for another 30 minutes.
  • Dormant offenses - An offense becomes dormant if no new events or flows are added to it within 30 minutes, or if QRadar did not process any events within 4 hours. An offense remains dormant for 5 days. If an event is added while the offense is dormant, the five-day counter is reset. A dormant offense is still shown as Open in the GUI.
  • Inactive offenses - An offense becomes inactive after 5 days in the dormant state. New events that trigger the offense rule test do not contribute to an inactive offense; they are added to a new offense. Inactive offenses are removed after the offense retention period elapses. In the GUI, these offenses are marked as Closed.
  • Closed offenses - Closed offenses are removed after the offense retention period elapses. If more events occur for an offense that is closed, a new offense is created.

The dormant state exists so that an offense can be removed from operational memory after 30 minutes without new events, in order to save resources; in the GUI, however, the offense still has the OPEN state during that time. For the same reason the backend eventually moves the offense to the inactive state, but for the first 5 days it is only dormant, not yet fully inactive.
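As an added illustration (not code from this IBM page or from QRadar itself), the following Python model applies the timers above to a constructed event timeline and reports each offense's backend state beside the Open/Closed state the GUI would display. It assumes the 4-hour "no events processed" condition and the retention purge are out of scope, and every class and function name is invented here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ACTIVE_WINDOW = timedelta(minutes=30)   # no new event for 30 min -> dormant
DORMANT_WINDOW = timedelta(days=5)      # dormant for 5 days -> inactive

@dataclass
class Offense:
    offense_id: int
    last_event_time: datetime           # reset by every event added to the offense
    inactive: bool = False
    def backend_state(self, now):
        idle = now - self.last_event_time
        return "inactive" if self.inactive else "dormant" if idle >= ACTIVE_WINDOW else "active"
    def gui_state(self, now):
        # The GUI collapses the three backend states into Open / Closed.
        return "Closed" if self.backend_state(now) == "inactive" else "Open"

class OffenseLifecycle:
    def __init__(self):
        self.offenses = []              # offenses created by one rule, oldest first
    def _age(self, now):
        # Dormancy starts ACTIVE_WINDOW after the last event; 5 dormant days -> inactive.
        for o in self.offenses:
            if not o.inactive and now - o.last_event_time >= ACTIVE_WINDOW + DORMANT_WINDOW:
                o.inactive = True
    def ingest_event(self, when):
        # A rule match at `when` feeds the live offense or, if none, opens a new one.
        self._age(when)
        live = next((o for o in self.offenses if not o.inactive), None)
        if live is not None:
            live.last_event_time = when     # resets both the 30-minute and 5-day clocks
            return live
        self.offenses.append(Offense(len(self.offenses) + 1, when))
        return self.offenses[-1]
    def states_at(self, now):
        self._age(now)
        return {o.offense_id: (o.backend_state(now), o.gui_state(now)) for o in self.offenses}

def demo():
    t0 = datetime(2022, 12, 9, 8, 0)                     # constructed timeline
    lc = OffenseLifecycle()
    lc.ingest_event(t0)
    s_active = lc.states_at(t0 + timedelta(minutes=25))  # under 30 min since the event
    s_dormant = lc.states_at(t0 + timedelta(hours=2))    # over 30 min idle, GUI still Open
    lc.ingest_event(t0 + timedelta(days=2))              # event while dormant restarts the 5-day counter
    s_reset = lc.states_at(t0 + timedelta(days=4))       # dormant again, not yet inactive
    s_closed = lc.states_at(t0 + timedelta(days=8))      # day 2 + 30 min + 5 days has elapsed
    later = lc.ingest_event(t0 + timedelta(days=9))      # lands in a new offense, not offense 1
    return s_active, s_dormant, s_reset, s_closed, later.offense_id
```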

Procedure

Use the following procedure to look up an offense through the REST API:

  1. Enter the following URL to view the offenses:
    https://ConsoleIPaddress/api/siem/offenses
  2. Append the offense ID to view a single offense:
    https://ConsoleIPaddress/api/siem/offenses/offense_id
  3. Click 'Try It Out!' to get the response.

(Screenshot: offense in API)

Once an offense is closed, the API field close_time is populated. While the offense is dormant, that field is still null.


Document Information

Modified date:
09 December 2022

UID

ibm16371170