Update an offense.

External Documentation

To learn more, visit the QRadar documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Assign to | A user to assign the offense to. |
| Closing Reason ID | The ID of a closing reason. You must provide a valid closing_reason_id when you close an offense. |
| Offense ID | The ID of the offense to update. |
| Status | The new status for the offense. Set to one of: OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status. |

Example Output

{
	"last_persisted_time": 392126779240,
	"username_count": 1,
	"description": "<string>",
	"rules": [
		{
			"id": 74300,
			"type": "<string>"
		}
	],
	"event_count": 3,
	"flow_count": 2,
	"assigned_to": "<string>",
	"security_category_count": 4,
	"follow_up": false,
	"source_address_ids": [
		107794
	],
	"source_count": 1,
	"inactive": false,
	"protected": false,
	"closing_user": null,
	"destination_networks": [
		"<string>"
	],
	"source_network": "<string>",
	"category_count": 0,
	"close_time": null,
	"remote_destination_count": 1,
	"start_time": 1322355746223,
	"magnitude": 2,
	"last_updated_time": 2162697652069,
	"credibility": 2,
	"id": 91520,
	"categories": [
		"<string>",
		"<string>"
	],
	"severity": 5,
	"policy_category_count": 1,
	"log_sources": [
		{
			"type_name": "<string>",
			"type_id": 623,
			"name": "<string>",
			"id": 1660
		},
		{
			"type_name": "<string>",
			"type_id": 6,
			"name": "<string>",
			"id": 123
		}
	],
	"closing_reason_id": null,
	"device_count": 2,
	"first_persisted_time": 1273299772162,
	"offense_type": 2,
	"relevance": 1,
	"domain_id": 0,
	"offense_source": "<string>",
	"local_destination_address_ids": [],
	"local_destination_count": 1,
	"status": "<string>"
}
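The following sketch is an added example, not code from this page or from QRadar. It enforces the Status and Closing Reason ID rules before a request is built, then checks that the returned offense actually reflects the change. The endpoint path `/api/siem/offenses/{id}`, the `SEC` token header, the host name, the user name and the closing reason ID `1` are assumptions or constructed values.

```python
import urllib.parse
import urllib.request

VALID_STATUSES = {"OPEN", "HIDDEN", "CLOSED"}  # values listed under Status


def build_update_params(status=None, closing_reason_id=None, assigned_to=None):
    """Validate the action's inputs and return the query parameters to send."""
    params = {}
    if status is not None:
        status = status.upper()
        if status not in VALID_STATUSES:
            raise ValueError(f"status must be one of {sorted(VALID_STATUSES)}")
        if status == "CLOSED" and closing_reason_id is None:
            raise ValueError("closing_reason_id is required when status is CLOSED")
        params["status"] = status
    if closing_reason_id is not None:
        params["closing_reason_id"] = int(closing_reason_id)
    if assigned_to is not None:
        params["assigned_to"] = assigned_to
    if not params:
        raise ValueError("no fields to update")
    return params


def build_request(base_url, token, offense_id, params):
    """Build (not send) the POST. Endpoint path and SEC header are assumptions."""
    # int() keeps a malformed offense ID from altering the request path.
    url = f"{base_url.rstrip('/')}/api/siem/offenses/{int(offense_id)}"
    url += "?" + urllib.parse.urlencode(params)
    headers = {"SEC": token, "Accept": "application/json"}
    return urllib.request.Request(url, method="POST", headers=headers)


def unapplied_fields(params, offense):
    """Return the requested fields that the returned offense does not reflect."""
    return [name for name, value in params.items() if offense.get(name) != value]


if __name__ == "__main__":
    params = build_update_params("closed", closing_reason_id=1, assigned_to="analyst1")
    req = build_request("https://qradar.example.test", "PLACEHOLDER_TOKEN", 91520, params)
    print(req.get_method(), req.full_url)
    # Constructed response, trimmed to the fields this update touches.
    offense = {"id": 91520, "status": "CLOSED", "closing_reason_id": 1, "assigned_to": "analyst1"}
    print("unapplied:", unapplied_fields(params, offense))
```

A non-empty result from `unapplied_fields` means the offense was not updated as requested and the workflow should not report it as closed or reassigned.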

Workflow Library Example

Update Offense with QRadar and Send Results Via Email
