IBM Support

QRadar: Can closed offenses after a restore of a configuration backup be reopened?

Question & Answer


Question

After upgrading an old QRadar instance to migrate to a new appliance, I performed a backup and restore of the configuration and data as outlined in documentation. Why is every offense now marked as closed?

Cause

The restore process is designed to close every offense in the system. This is done to avoid leaving the offense database in a corrupted or inconsistent state. There is no supported way to reopen or recover those offenses, because the system does not allow that type of action: as soon as an offense is closed, a new offense can be created on the same criteria, so the closed offense cannot safely be brought back.

Answer

This is the normal behavior when restoring offenses to a new system or to an existing system, and it is due to the way offenses are tracked. The offense trackers are not migrated: if an offense were part way through being tracked at the time of the backup and was then restored on a new system, the offenses could be left in a bad state. It is safer to close the offenses.


Product: IBM Security QRadar SIEM
Component: Offense Manager
Platform: Linux
Version: 7.2, 7.3

Document Information

Modified date:
16 June 2018

UID

swg21998958