An open offense can already be inactive in the backend if no new events have arrived for at least 30 minutes. Despite this, an end user looking at the GUI sees only two states (Open or Closed), while the backend distinguishes three.

In the backend (including the API) each offense can be in one of three states: Active, Dormant, or Inactive.

Active offenses – When a rule triggers an offense, the offense is active. In this state, QRadar is waiting to evaluate new events or flows against the offense rule test. When new events are evaluated, the offense clock is reset to keep the offense active for another 30 minutes.

Dormant offenses – An offense becomes dormant (seen in the screenshot above) if no new events or flows are added to it within 30 minutes, or if QRadar did not process any events within 4 hours. An offense remains dormant for 5 days; if an event is added while it is dormant, the five-day counter is reset. A dormant offense is still shown as open in the GUI.

Inactive offenses – An offense becomes inactive after 5 days in the dormant state. In the inactive state, new events that match the offense rule test do not contribute to the inactive offense; they are added to a new offense. Inactive offenses are removed after the offense retention period elapses. In the GUI they are marked as Closed.

And finally:

Closed offenses – Closed offenses are removed after the offense retention period elapses. If more events occur for an offense that is closed, a new offense is created.

The dormant state exists to remove the offense from operational memory (after 30 minutes) in order to save resources; nevertheless, during that time the GUI still shows the offense as OPEN. For the same reason the backend later moves the offense to the inactive state (although for the first 5 days it is dormant rather than fully inactive).

Once the offense is closed, the API field “close time” is filled (during the dormant state it is null).
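To make the four states concrete, here is an added Python example (not QRadar's own code or API) that applies the timing rules above to offense records and derives both the backend state and the state the GUI shows, then lists the offenses an analyst sees as Open although the backend has already parked them. Field names such as `last_event_time` and `close_time`, and the sample offenses, are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Timing thresholds exactly as described in the post.
DORMANT_AFTER_IDLE = timedelta(minutes=30)      # no new events/flows on the offense
DORMANT_AFTER_SYSTEM_IDLE = timedelta(hours=4)  # QRadar processed no events at all
INACTIVE_AFTER_DORMANT = timedelta(days=5)      # dormant this long -> inactive

@dataclass
class Offense:
    offense_id: int
    last_event_time: datetime        # last event/flow added (assumed field name)
    close_time: Optional[datetime]   # None while open or dormant, set on close

def dormant_since(off, now, last_system_event):
    """Earliest moment either dormancy condition held, or None if still active."""
    candidates = []
    if now - off.last_event_time >= DORMANT_AFTER_IDLE:
        candidates.append(off.last_event_time + DORMANT_AFTER_IDLE)
    if now - last_system_event >= DORMANT_AFTER_SYSTEM_IDLE:
        candidates.append(last_system_event + DORMANT_AFTER_SYSTEM_IDLE)
    return min(candidates) if candidates else None

def backend_state(off, now, last_system_event):
    """Closed / Active / Dormant / Inactive, as the backend and API see it."""
    if off.close_time is not None:
        return "Closed"
    since = dormant_since(off, now, last_system_event)
    if since is None:
        return "Active"
    if now - since >= INACTIVE_AFTER_DORMANT:
        return "Inactive"
    return "Dormant"

def gui_state(off, now, last_system_event):
    """The GUI collapses Active+Dormant to Open and Inactive+Closed to Closed."""
    return "Open" if backend_state(off, now, last_system_event) in ("Active", "Dormant") else "Closed"

def open_but_not_active(offenses, now, last_system_event):
    """Offense ids shown as Open in the GUI although the backend no longer feeds them."""
    return [o.offense_id for o in offenses
            if gui_state(o, now, last_system_event) == "Open"
            and backend_state(o, now, last_system_event) != "Active"]

# Constructed sample: QRadar still ingesting, offenses of different ages.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
LAST_SYSTEM_EVENT = NOW - timedelta(minutes=5)
SAMPLE = [
    Offense(1, NOW - timedelta(minutes=10), None),                 # Active
    Offense(2, NOW - timedelta(hours=2), None),                    # Dormant, Open in GUI
    Offense(3, NOW - timedelta(days=6), None),                     # Inactive, Closed in GUI
    Offense(4, NOW - timedelta(days=1), NOW - timedelta(hours=3)),  # closed by an analyst
]
```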
