Retrieve a list of offenses currently in the system.
External DocumentationTo learn more, visit the QRadar documentation.

Parameters

ParameterDescription
FieldsUse this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
FilterThis parameter is used to restrict the elements in a list base on the contents of various fields.
LimitThe amount of items to be returned. The default is 1000.

Example Output

[
	{
		"last_persisted_time": 1759366954361,
		"username_count": 1,
		"description": "<string>",
		"rules": [
			{
				"id": 31496,
				"type": "<string>"
			},
			{
				"id": 105308,
				"type": "<string>"
			}
		],
		"event_count": 9,
		"flow_count": 2,
		"assigned_to": null,
		"security_category_count": 4,
		"follow_up": false,
		"source_address_ids": [
			3052
		],
		"source_count": 2,
		"inactive": false,
		"protected": false,
		"closing_user": null,
		"destination_networks": [
			"<string>"
		],
		"source_network": "<string>",
		"category_count": 6,
		"close_time": null,
		"remote_destination_count": 2,
		"start_time": 61675019991,
		"magnitude": 0,
		"last_updated_time": 1522199112291,
		"credibility": 4,
		"id": 3454,
		"categories": [
			"<string>",
			"<string>"
		],
		"severity": 8,
		"policy_category_count": 1,
		"log_sources": [
			{
				"type_name": "<string>",
				"type_id": 7450,
				"name": "<string>",
				"id": 196
			},
			{
				"type_name": "<string>",
				"type_id": 36,
				"name": "<string>",
				"id": 57
			}
		],
		"closing_reason_id": null,
		"device_count": 3,
		"first_persisted_time": 594230603242,
		"offense_type": 0,
		"relevance": 2,
		"domain_id": 2,
		"offense_source": "<string>",
		"local_destination_address_ids": [
			261
		],
		"local_destination_count": 2,
		"status": "<string>"
	},
	{
		"last_persisted_time": 2794834496455,
		"username_count": 2,
		"description": "<string>",
		"rules": [
			{
				"id": 221100,
				"type": "<string>"
			}
		],
		"event_count": 7,
		"flow_count": 1,
		"assigned_to": null,
		"security_category_count": 1,
		"follow_up": false,
		"source_address_ids": [
			25807
		],
		"source_count": 1,
		"inactive": false,
		"protected": false,
		"closing_user": null,
		"destination_networks": [
			"<string>",
			"<string>"
		],
		"source_network": "<string>",
		"category_count": 3,
		"close_time": null,
		"remote_destination_count": 0,
		"start_time": 299247450809,
		"magnitude": 5,
		"last_updated_time": 1967953122980,
		"credibility": 4,
		"id": 28316,
		"categories": [
			"<string>",
			"<string>"
		],
		"severity": 1,
		"policy_category_count": 2,
		"log_sources": [
			{
				"type_name": "<string>",
				"type_id": 53,
				"name": "<string>",
				"id": 1100
			},
			{
				"type_name": "<string>",
				"type_id": 7,
				"name": "<string>",
				"id": 98
			}
		],
		"closing_reason_id": null,
		"device_count": 2,
		"first_persisted_time": 280236988039,
		"offense_type": 1,
		"relevance": 7,
		"domain_id": 0,
		"offense_source": "<string>",
		"local_destination_address_ids": [
			30064
		],
		"local_destination_count": 1,
		"status": "<string>"
	}
]

Workflow Library Example

List Offenses with Qradar and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop