When will events or flows stop contributing to an offense?
In IBM QRadar SIEM V7.5, events or flows stop contributing to an offense when the offense becomes dormant. Here's how it works:
Dormant Offense: An offense becomes dormant when there is no new activity contributing to it for a specified period. This indicates that the threat or incident has not had any further related events or flows.
Contribution Stoppage: Once an offense is marked as dormant, no additional events or flows are added to it, which helps in managing the offense lifecycle and resources within QRadar.
This behavior helps in distinguishing between active and inactive threats, allowing security analysts to focus on ongoing incidents.
Reference: The QRadar SIEM administration and user guides provide detailed explanations of offense management, including the conditions under which offenses become dormant and how this affects event and flow contributions.