IBM Support

QRadar : Difference between Start Time and First Persisted Time for an offense

Question & Answer


Question

Why would there be differences between the Start Time and the First Persisted Time of an offense?
NOTE: While the Start Time is seen in the GUI in the offense listing, the First Persisted Time is seen in the responses of the QRadar Offense API as first_persisted_time.

Answer

Consider a rule with a condition that five instances of a log-in event within five minutes cause an offense. Suppose the first log-in event arrives at, say, 2:30 PM. It is a partial match for the rule. Four such events follow at 2:31 PM, 2:32 PM, 2:33 PM, and 2:34 PM, causing the offense to be created on the Event Processor at 2:34 PM.
In this scenario, the Start Time of the offense is 2:30 PM because that is the time of the first event that partially matched the rule that caused the offense.
Note:
In QRadar 7.5.0 Update Pack 3 and later, when a new offense is created, the offense Start Time is not the timestamp of the first partial match. Instead, it is set to the Start Time of the first full match. After a few minutes, the Start Time of the offense is updated to the timestamp of the first partially matched event.
When a rule creates an offense on an Event Processor (EP), that event is sent to the console. It is then sent to the Magistrate Processing Core (MPC) for offense creation, and the offense is then written by the MPC to the Postgres database on the console. The First Persisted Time is the time when the offense is written to the Postgres database. In the example provided, the First Persisted Time is therefore always after 2:34 PM.
Some factors can cause further delay between the Start Time and the First Persisted Time. These factors are:
  • The component that persists the MPC offense model to Postgres runs every 30 seconds.
  • A busy MPC (mostly caused by many rules firing simultaneously) might delay the offense creation.
  • A busy Postgres database might delay the write when the offense has to be stored in the Postgres database.
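The timeline above can be modelled end to end. The following is an added example, not part of the IBM article and not QRadar's own rule engine: it applies a simplified "N events within a window" threshold rule to a constructed set of log-in timestamps, derives the Start Time (first partial match) and full-match time, aligns persistence to the 30-second cadence the article states, and adds optional delays representing a busy MPC or a busy Postgres. A second helper computes the lag from an Offense API-style record; the field name first_persisted_time comes from the article, while start_time and the epoch-millisecond encoding are assumptions about the API record layout.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Persistence cadence stated in the article: the component that writes the MPC
# offense model to Postgres runs every 30 seconds.
PERSIST_INTERVAL = timedelta(seconds=30)

# Constructed sample: the article's scenario, five log-ins one minute apart.
SAMPLE_LOGINS = [datetime(2023, 12, 13, 14, m, tzinfo=timezone.utc) for m in range(30, 35)]


def find_threshold_match(event_times: List[datetime], count: int = 5,
                         window: timedelta = timedelta(minutes=5)) -> Optional[Dict[str, datetime]]:
    """Simplified threshold rule: `count` events within `window` fire the rule.

    Returns the first partial match (earliest event of the firing sequence) and the
    full match (the event that completes it), or None if the rule never fires.
    This is a model of the article's scenario, not QRadar's actual rule logic.
    """
    times = sorted(event_times)
    for i in range(len(times) - count + 1):
        j = i + count - 1
        if times[j] - times[i] <= window:
            return {"first_partial_match": times[i], "full_match": times[j]}
    return None


def next_persist_tick(t: datetime, interval: timedelta = PERSIST_INTERVAL) -> datetime:
    """First persistence run strictly after t.

    Assumption: ticks are aligned to midnight; only the 30-second period is from the article.
    """
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    n = (t - midnight) // interval + 1          # timedelta // timedelta -> int
    return midnight + n * interval


def simulate_offense(event_times: List[datetime],
                     mpc_delay: timedelta = timedelta(0),
                     db_delay: timedelta = timedelta(0),
                     post_750_up3: bool = False) -> Optional[Dict[str, datetime]]:
    """Derive Start Time and First Persisted Time for a constructed event sequence.

    mpc_delay models a busy MPC (offense creation is late, so it catches a later tick);
    db_delay models a busy Postgres (the write itself is late).
    post_750_up3 reproduces the note: the initial Start Time is the first full match
    and is only later updated to the first partial match.
    """
    match = find_threshold_match(event_times)
    if match is None:
        return None
    created = match["full_match"] + mpc_delay
    persisted = next_persist_tick(created) + db_delay
    initial_start = match["full_match"] if post_750_up3 else match["first_partial_match"]
    return {
        "initial_start_time": initial_start,            # value shown right after creation
        "start_time": match["first_partial_match"],     # value after the later update
        "full_match": match["full_match"],
        "first_persisted_time": persisted,
    }


def to_epoch_ms(t: datetime) -> int:
    """Encode a datetime the way the API record is assumed to carry it (epoch milliseconds)."""
    return int(t.timestamp() * 1000)


def persistence_lag_seconds(offense: Dict[str, int]) -> float:
    """Lag between start_time and first_persisted_time of an API-style offense record."""
    return (offense["first_persisted_time"] - offense["start_time"]) / 1000.0


def flag_slow_persistence(offense: Dict[str, int], max_lag_seconds: float) -> bool:
    """True when the start-to-persist gap exceeds what the rule window plus cadence explains."""
    return persistence_lag_seconds(offense) > max_lag_seconds


if __name__ == "__main__":
    result = simulate_offense(SAMPLE_LOGINS)
    for key, value in result.items():
        print(f"{key:22s} {value.strftime('%H:%M:%S')}")
    record = {"start_time": to_epoch_ms(result["start_time"]),
              "first_persisted_time": to_epoch_ms(result["first_persisted_time"])}
    print("lag seconds:", persistence_lag_seconds(record))
```

With the sample timestamps the offense starts at 14:30:00, fully matches at 14:34:00 and is first persisted at 14:34:30, a 270-second gap that is entirely explained by the five-minute rule window plus the persistence cadence; passing an mpc_delay or db_delay shows how a loaded console pushes First Persisted Time further out without moving Start Time.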


Document Information

Modified date:
13 December 2023

UID

ibm16562881