Offense retention

The state of an offense determines how long IBM® QRadar® keeps the offense in the system. The offense retention period determines how long inactive and closed offenses are kept before they are removed from the QRadar console.

Active offenses
When a rule triggers an offense, the offense is active. In this state, QRadar is waiting to evaluate new events or flows against the offense rule test. Each time new events are evaluated, the offense clock is reset to keep the offense active for another 30 minutes.

Dormant offenses
An offense becomes dormant if no new events or flows are added to the offense within 30 minutes, or if QRadar does not process any events within 4 hours. An offense remains in the dormant state for 5 days. If an event is added while an offense is dormant, the five-day counter is reset.

Inactive offenses
An offense becomes inactive after 5 days in the dormant state. In the inactive state, new events that trigger the offense rule test do not contribute to the inactive offense; they are added to a new offense instead.

Inactive offenses are removed after the offense retention period elapses.

Closed offenses
Closed offenses are removed after the offense retention period elapses. If more events occur for an offense that is closed, a new offense is created.

If you include closed offenses in a search, any closed offense that has not yet been removed from the QRadar console is displayed in the search results.

The default offense retention period is 30 days. After the offense retention period expires, closed and inactive offenses are removed from the system. Offenses that are not inactive or closed are retained indefinitely.
Important: System performance is negatively impacted when the system retains many inactive and closed offenses. For optimum performance, set the retention period to the shortest time possible. The suggested retention period is 3 days.

To prevent an offense from being removed from the system, you can protect it. Before you protect offenses, consider the performance impact that doing so might have. Some offenses impact system performance more than others. For example, offenses with large numbers of events and flows have a greater impact on performance, and offenses that have many targets and destinations impact performance more than an offense that has only a single target or destination.
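The lifecycle described above, as an added Python simulation that is not IBM code and does not reflect how QRadar is implemented internally; it uses only the timings stated on this page. It assumes that an event added to a dormant offense returns the offense to the active state, and it models the "did not process any events within 4 hours" condition as a separate system-wide clock (pipeline_last_event), both of which are assumptions.

```python
from dataclasses import dataclass
# Timings are the ones stated on this page, expressed in seconds.
MINUTE, HOUR, DAY = 60, 3600, 86400
ACTIVE_WINDOW = 30 * MINUTE    # no new events for 30 min -> dormant
PIPELINE_IDLE = 4 * HOUR       # QRadar processed no events for 4 h -> dormant
DORMANT_WINDOW = 5 * DAY       # dormant for 5 days -> inactive
DEFAULT_RETENTION = 30 * DAY   # inactive/closed kept this long, then removed

@dataclass
class Offense:
    last_event: int              # when the last event/flow joined this offense
    state: str = "active"
    state_since: int = 0         # when the current state began
    protected: bool = False      # protected offenses are never removed

    def __post_init__(self):
        self.state_since = self.last_event   # opened by its first event

def advance(off: Offense, now: int, pipeline_last_event: int,
            retention: int = DEFAULT_RETENTION) -> str:
    """Apply the clock-driven transitions up to `now`; return the state.
    pipeline_last_event: when QRadar last processed any event at all."""
    if off.state == "active":
        due = []
        if now - off.last_event >= ACTIVE_WINDOW:
            due.append(off.last_event + ACTIVE_WINDOW)
        if now - pipeline_last_event >= PIPELINE_IDLE:
            due.append(pipeline_last_event + PIPELINE_IDLE)
        if due:  # dormancy began at the earliest deadline that passed
            off.state, off.state_since = "dormant", min(due)
    if off.state == "dormant" and now - off.state_since >= DORMANT_WINDOW:
        off.state, off.state_since = "inactive", off.state_since + DORMANT_WINDOW
    if (off.state in ("inactive", "closed") and not off.protected
            and now - off.state_since >= retention):
        off.state = "removed"
    return off.state

def add_event(off: Offense, now: int, pipeline_last_event: int) -> bool:
    """True if the new event joins this offense; False if a new offense opens."""
    advance(off, now, pipeline_last_event)
    if off.state not in ("active", "dormant"):
        return False
    # Assumption: an event added to a dormant offense makes it active again,
    # which is how the page's "five-day counter is reset" is modelled here.
    off.state, off.last_event, off.state_since = "active", now, now
    return True

def close(off: Offense, now: int) -> None:
    off.state, off.state_since = "closed", now   # retention countdown starts
```

Running advance() at a few points in time shows where the 30-minute, 5-day and retention deadlines fall, and that a protected offense stays inactive instead of being removed.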

If you need to re-create an offense after it is removed from the system, run a historical correlation job to analyze the historical data. For more information, see Historical correlation.