IBM Security QRadar

  • 1.  Number of triggered Offense

    Posted Tue November 15, 2022 09:55 AM
    Hello Everyone,

    I hope you are all doing well.

    I want to ask a question and need your advice, based on your experience with QRadar, regarding triggered offenses.
    My offense dashboard always has more than 1K offenses, with a 6K log source environment including everything, but I think 1K offenses on average is too much and blocks visibility. I want to know the expected number of triggered offenses if all rules are tuned well [let's assume no need for fine tuning]: may the offense number exceed 100 offenses on average?

    I really appreciate your thoughts; please share your experiences with the number of offenses...


    Donald Lavag

  • 2.  RE: Number of triggered Offense
    Best Answer

    IBM Champion
    Posted Wed November 16, 2022 02:24 AM

    You are absolutely right. 1000 offenses is 10 times too much.
    100 is the maximum. The magic number is 42, of course. This should be your target.
    40 open offenses can be worked on by a single analyst per day.
    Even if you got 10 analysts working for your SOC team it's too much.
    Visibility does not scale well. 


    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [Karlsruhe] [Germany]

  • 3.  RE: Number of triggered Offense

    Posted Wed November 16, 2022 09:44 AM
    As Karl mentioned, you should aim for up to 1 page per day (as I recall, the default in QRadar was 40 items per page), optimally being in the range of 20 to 30. How long it takes to follow up and bring them to resolution should be taken into account. Also, some of your use cases might not be supported by rules/offenses but by reports, which means some time for reviewing these should be taken into account as well.
    (Even with up to 1 page of offenses per day, if you miss some targets on reviews and resolution in only a few days, you might end up in a not-so-manageable situation.)

    Dusan VIDOVIC
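The capacity arithmetic in the replies above (40 open offenses per analyst per day, and backlog growing when resolution targets are missed) and the question of which rules to tune first can be checked against a real offense list. The following Python is an added example and is not part of the thread or of QRadar itself. The offense records are constructed sample data; their field names (id, status, rules, magnitude) are assumed to follow the shape of the objects QRadar returns from GET /api/siem/offenses, and the per-analyst figure is Karl's number from the thread, not an IBM guideline.

```python
from collections import Counter
import math

# Constructed sample offense list. The field names are assumed to mirror the
# QRadar /api/siem/offenses response; every value here is invented.
SAMPLE_OFFENSES = [
    {"id": 1, "status": "OPEN",   "magnitude": 7, "rules": [{"id": 100, "type": "CRE_RULE"}]},
    {"id": 2, "status": "OPEN",   "magnitude": 3, "rules": [{"id": 100, "type": "CRE_RULE"}]},
    {"id": 3, "status": "OPEN",   "magnitude": 4, "rules": [{"id": 100, "type": "CRE_RULE"}]},
    {"id": 4, "status": "OPEN",   "magnitude": 2, "rules": [{"id": 100, "type": "CRE_RULE"},
                                                           {"id": 300, "type": "CRE_RULE"}]},
    {"id": 5, "status": "OPEN",   "magnitude": 8, "rules": [{"id": 200, "type": "CRE_RULE"}]},
    {"id": 6, "status": "OPEN",   "magnitude": 5, "rules": [{"id": 200, "type": "CRE_RULE"}]},
    {"id": 7, "status": "CLOSED", "magnitude": 6, "rules": [{"id": 200, "type": "CRE_RULE"}]},
    {"id": 8, "status": "HIDDEN", "magnitude": 1, "rules": [{"id": 300, "type": "CRE_RULE"}]},
]

# Karl's rule of thumb from the thread: what one analyst can work through per day.
OFFENSES_PER_ANALYST_PER_DAY = 40


def open_offenses(offenses):
    """Only OPEN offenses count against analyst workload; CLOSED and HIDDEN do not."""
    return [o for o in offenses if o.get("status") == "OPEN"]


def offenses_per_rule(offenses):
    """Count how many open offenses each rule contributed to (an offense may have several rules)."""
    counts = Counter()
    for o in open_offenses(offenses):
        for rule in o.get("rules", []):
            counts[rule["id"]] += 1
    return counts


def tuning_candidates(offenses, top=3):
    """Rules that generate the most open offenses: the first place to look when tuning."""
    return offenses_per_rule(offenses).most_common(top)


def share_if_tuned(offenses, rule_id):
    """Fraction of open offenses that would disappear if this rule stopped firing entirely.
    This is an upper bound: offenses with additional rules would still exist."""
    opened = open_offenses(offenses)
    if not opened:
        return 0.0
    touched = sum(1 for o in opened if any(r["id"] == rule_id for r in o.get("rules", [])))
    return touched / len(opened)


def capacity_report(n_open, analysts, per_analyst=OFFENSES_PER_ANALYST_PER_DAY):
    """Compare an open-offense count against daily team capacity.
    days_to_clear assumes no new offenses arrive, so it is the best case."""
    daily_capacity = analysts * per_analyst
    return {
        "open": n_open,
        "daily_capacity": daily_capacity,
        "days_to_clear": math.ceil(n_open / daily_capacity) if daily_capacity else None,
        "within_daily_capacity": n_open <= daily_capacity,
    }


def report_from_offenses(offenses, analysts):
    """Convenience wrapper: capacity report computed from an offense list."""
    return capacity_report(len(open_offenses(offenses)), analysts)


if __name__ == "__main__":
    print(report_from_offenses(SAMPLE_OFFENSES, analysts=1))
    # The original poster's situation: ~1000 open offenses, assumed 10 analysts.
    print(capacity_report(1000, analysts=10))
    for rule_id, count in tuning_candidates(SAMPLE_OFFENSES, top=2):
        print(f"rule {rule_id}: {count} open offenses, "
              f"up to {share_if_tuned(SAMPLE_OFFENSES, rule_id):.0%} of backlog")
```

With the original poster's numbers (1000 open offenses, assumed 10 analysts), the report shows the queue exceeds a day's capacity and needs three clean days just to drain, which is the "does not scale" point Karl makes; the per-rule counts show where tuning buys the most reduction, since a single noisy rule typically accounts for a large share of the backlog.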