IBM QRadar

  • 1.  Getting Offense via API

    Posted Thu January 07, 2021 08:00 AM

    I am querying QRadar for offenses using the API. Recently I noticed the start_time, event_count and probably some other fields are modified in the first 1-2 minutes after offense creation.

    This is especially visible in case of time range based offenses (two events in last 24h with same/different attributes). I am not talking about "future" events modifying the offense, that is understandable, but the older ones.

    For example, when I get the offense start_time via API (at 2020-12-30 8:01) it is "2020-12-30 8:00", but when queried 2 minutes later it is 2020-12-29 8:00 (and appropriate events from 2020-12-29 are added).

    I was told (by support) that adding the older events to the offense (and appropriately updating start_time, event_count etc.) depends on how quickly the magistrate process can handle this, and that the harvester MPC thread fires up every 30 seconds, and both may affect the delay from initial offense creation to final updates to these fields.

    Would it be possible to somehow mark an offense as "ready" with an additional field? So, when querying it via the API, we would know that older events will no longer be added, start_time will no longer be modified and event_count will be modified only by future events?

    Is what I wrote understandable and possible?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Getting Offense via API

    Posted Wed January 13, 2021 11:43 PM

    Hi,

    I assume you are aware of offense retention and have considered some details from this article:

    https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_Off_Retention.html

    It is normal offense behavior that an active offense within 30 minutes and 4 hours will be updated if new events are evaluated. After 4 hours an offense remains in a dormant state for 5 days. If then an event is added in the dormant state, the 5 day counter will be reset.

    After 5 days dormant an offense becomes inactive and new events do not contribute to the inactive offense, they will be added to a new offense.

    Maybe you can enhance your API request with an offense search and combine this with additional search parameters like events equal to a threshold at a specific moment, and then query the offenses according to the search result?

    Hope this helps.

    Regards,

    Ralph



    #QRadar
    #Support
    #SupportMigration
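The thread above asks how an API consumer can tell when an offense has stopped being backfilled with older events (first post) and suggests narrowing the offense query with a search filter on an event threshold (Ralph's reply). The following script is an added example and is not code from the thread or from IBM: it polls `GET /api/siem/offenses` twice and treats an offense as "ready" only when the fields the first post saw changing (`start_time`, `event_count`) are identical across both polls. The endpoint, the `SEC` and `Version` headers and the `filter`/`fields` query parameters are the documented QRadar REST API; the `fetch_offenses` helper, the API version string, the two-poll rule and the sample offense records are assumptions and constructed data for the offline demonstration.

```python
"""Decide when a QRadar offense's start_time / event_count have settled.

Added example, not from the thread or from IBM. The two sample polls below are
constructed to mirror the situation described in the first post: offense 100
gains older events between polls (start_time moves back a day, event_count
rises), offense 101 is unchanged, offense 102 only appears in the second poll.
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, List

# Fields the first post observed being rewritten shortly after offense creation.
WATCHED_FIELDS = ("start_time", "event_count")

# Constructed sample data (epoch milliseconds, as the offense API returns them).
POLL_1: List[Dict] = [
    {"id": 100, "start_time": 1609315200000, "event_count": 2,
     "last_updated_time": 1609315260000, "status": "OPEN"},
    {"id": 101, "start_time": 1609300000000, "event_count": 5,
     "last_updated_time": 1609300100000, "status": "OPEN"},
]
POLL_2: List[Dict] = [
    {"id": 100, "start_time": 1609228800000, "event_count": 4,
     "last_updated_time": 1609315380000, "status": "OPEN"},
    {"id": 101, "start_time": 1609300000000, "event_count": 5,
     "last_updated_time": 1609300100000, "status": "OPEN"},
    {"id": 102, "start_time": 1609315500000, "event_count": 1,
     "last_updated_time": 1609315500000, "status": "OPEN"},
]


def build_filter(min_events: int, status: str = "OPEN") -> str:
    """QRadar API filter expression implementing Ralph's suggestion: only ask for
    offenses that already reached an event threshold."""
    return f'status = "{status}" and event_count >= {min_events}'


def fetch_offenses(console: str, sec_token: str, offense_filter: str,
                   api_version: str = "12.0") -> List[Dict]:
    """Live poll of /api/siem/offenses (assumption: reachable console, valid
    authorized-service token, API version set to what your console exposes).
    Not called by the offline demo; TLS verification is left enabled."""
    params = urllib.parse.urlencode({
        "filter": offense_filter,
        "fields": "id,start_time,event_count,last_updated_time,status",
    })
    req = urllib.request.Request(
        f"https://{console}/api/siem/offenses?{params}",
        headers={"SEC": sec_token, "Version": api_version,
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def compare_polls(prev: List[Dict], curr: List[Dict]) -> Dict[int, Dict]:
    """Per offense id: whether the watched fields were stable between polls and,
    if not, which fields changed (old, new). An offense with no baseline in the
    previous poll is never considered settled."""
    baseline = {o["id"]: o for o in prev}
    result: Dict[int, Dict] = {}
    for off in curr:
        base = baseline.get(off["id"])
        if base is None:
            result[off["id"]] = {"settled": False, "changed": {},
                                 "reason": "no baseline yet"}
            continue
        changed = {f: (base.get(f), off.get(f))
                   for f in WATCHED_FIELDS if base.get(f) != off.get(f)}
        result[off["id"]] = {
            "settled": not changed,
            "changed": changed,
            "reason": "stable across polls" if not changed else "backfill in progress",
        }
    return result


def ready_ids(prev: List[Dict], curr: List[Dict]) -> List[int]:
    """Offense ids whose start_time and event_count did not move between polls."""
    return sorted(i for i, r in compare_polls(prev, curr).items() if r["settled"])


if __name__ == "__main__":
    # Offline demo on the constructed polls; a real run would call
    # fetch_offenses(console, token, build_filter(2)) twice, ~2 minutes apart.
    for oid, verdict in compare_polls(POLL_1, POLL_2).items():
        print(oid, verdict)
    print("ready:", ready_ids(POLL_1, POLL_2))
```

The poll spacing is the one knob worth tuning: the first post saw changes within 1-2 minutes and support mentioned a 30-second harvester cycle, so two polls about two minutes apart is the assumption used here; an offense that is still receiving future events will keep changing `event_count` and will legitimately never report as settled, which is the behaviour the first post wanted to distinguish from backfill.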