When will events or flows stop contributing to an offense?

A. When the offense becomes dormant
B. When the offense becomes inactive
C. After the offense is assigned to an analyst
D. When you protect the offense

Answer: A

Explanation:

In IBM QRadar SIEM V7.5, events or flows stop contributing to an offense when the offense becomes dormant.

Here’s how it works:

Dormant Offense: An offense becomes dormant when there is no new activity contributing to it for a specified period. This indicates that the threat or incident has not had any further related events or flows.

Contribution Stoppage: Once an offense is marked as dormant, no additional events or flows are added to it, which helps in managing the offense lifecycle and resources within QRadar.

This behavior helps in distinguishing between active and inactive threats, allowing security analysts to focus on ongoing incidents.

Reference

The QRadar SIEM administration and user guides provide detailed explanations of offense management, including the conditions under which offenses become dormant and how this affects event and flow contributions.
