Searching Incidents

approvalStatus

Select the approval status (APPROVED, POLICY_VIOLATION, UNAPPROVED, NA) you're interested in. Select from names in the drop-down menu.

Example

Show incidents with approved status

approvalStatus: APPROVED

changeType

Select the change type (MANUAL, AUTOMATED, COMPROMISE, PRE_APPROVED_CHANGE_CONTROL, OTHER) you're interested in. Select from names in the drop-down menu.

Example

Show incidents with manual change type

changeType: MANUAL

dispositionCategory

Select the disposition category (PATCHING, MALWARE, CONFIGURATION_CHANGE, etc) you're interested in. Select from names in the drop-down menu.

Example

Show incidents in the patching category

dispositionCategory: PATCHING

id

Use a text value ##### to find the incident with that incident ID.

Example

Show incidents with this ID

id: a2608bbc-0887-4052-90d4-4cdb5c4fcff4

name

Use a text value to find incidents by name. Put the value in double quotes to match part of a name, or in backticks to match a name exactly.

Examples

Show incidents with this name

name: Windows Security Incident

Show incidents whose name contains this phrase

name: "Windows Security Incident"

Show incidents whose name matches this exact value

name: `Windows Security Incident`

ruleId

Use a text value ##### to find incidents created by the correlation rule with that rule ID.

Example

Show incidents with this rule ID

ruleId: a2608bbc

ruleName

Use a text value ##### to find incidents created by a correlation rule with that name. As with name, double quotes match part of the rule name and backticks match it exactly.

Examples

Show incidents with this rule name

ruleName: Rule for create action

Show incidents whose rule name contains this phrase

ruleName: "create action"

Show incidents whose rule name matches this exact value

ruleName: `create action`

status

Select the incident status you're interested in (OPEN or CLOSED or REOPENED). Select from names in the drop-down menu.

Example

Show incidents that are open

status: OPEN

type

Select the incident type you're interested in (DEFAULT or AUTOMATED). Select from names in the drop-down menu.

Example

Show incidents that are auto-approved

type: AUTOMATED

and

Combine conditions with and to return only incidents that match all of them.

Example

Show approved incidents in patching category

approvalStatus: APPROVED and dispositionCategory: PATCHING

not

Negate a condition with not to exclude incidents that match it.

Example

Show incidents that were not pre-approved

not changeType: PRE_APPROVED_CHANGE_CONTROL

or

Combine conditions with or to return incidents that match any of them.

Example

Show incidents with one of these categories

dispositionCategory: MALWARE or dispositionCategory: GENERAL_HACKING
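The following is an added illustration, not part of this page and not the product's own search engine: a small Python evaluator for the syntax described above, covering the bare, "quoted" and `backticked` matching modes from the name and ruleName sections together with the and, not and or operators. Its matching rules are assumptions made for the example (a bare value matches the whole field ignoring case, double quotes match a substring ignoring case, backticks match exactly and case-sensitively, and binds tighter than or, and parentheses group conditions); the incident records are constructed sample data.

```python
# Added example: a toy evaluator for the incident search syntax on this page.
# NOT the product's own search engine; the matching rules are assumptions made
# for the example, and INCIDENTS are constructed sample records.
import re

KEYWORDS = {"and", "or", "not"}
# Tokens: `exact`, "partial", parentheses, or a bare word (a field name keeps its colon).
_TOKEN_RE = re.compile(r'`[^`]*`|"[^"]*"|[()]|[^\s()`":]+:?')


def matches(value, pattern):
    """Assumed semantics: `backticks` = exact, case-sensitive; "quotes" = substring,
    case-insensitive; bare text = whole value, case-insensitive."""
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == "`":
        return value == pattern[1:-1]
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
        return pattern[1:-1].lower() in value.lower()
    return value.lower() == pattern.lower()


class Parser:
    """Recursive descent: or binds loosest, then and, then not; ( ) group (assumed)."""

    def __init__(self, query):
        self.toks = _TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):  # a or b or c
        node = self.term()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):  # a and b and c
        node = self.factor()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):  # not x | ( expr ) | field: value
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok.lower() == "not":
            self.take()
            return ("not", self.factor())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        return self.condition()

    def condition(self):
        tok = self.take()
        if tok is None or len(tok) < 2 or not tok.endswith(":"):
            raise ValueError(f"expected 'field: value', got {tok!r}")
        field = tok[:-1]
        first = self.take()
        if first is None or first.lower() in KEYWORDS or first in ("(", ")"):
            raise ValueError(f"missing value for {field}")
        if first[0] in '`"':
            return ("cond", field, first)  # a quoted value is a single token
        words = [first]  # a bare value runs until an operator, parenthesis or the end
        while (self.peek() is not None and self.peek().lower() not in KEYWORDS
               and self.peek() not in ("(", ")") and not self.peek().endswith(":")):
            words.append(self.take())
        return ("cond", field, " ".join(words))


def evaluate(node, incident):
    kind = node[0]
    if kind == "cond":
        value = incident.get(node[1])
        return value is not None and matches(str(value), node[2])
    if kind == "not":
        return not evaluate(node[1], incident)
    left, right = evaluate(node[1], incident), evaluate(node[2], incident)
    return (left and right) if kind == "and" else (left or right)


def search(incidents, query):
    """Return the ids of the incidents matching the query, in input order."""
    tree = Parser(query).parse()
    return [inc["id"] for inc in incidents if evaluate(tree, inc)]


INCIDENTS = [  # constructed sample records, not real incidents
    {"id": "inc-1", "name": "Windows Security Incident", "status": "OPEN", "type": "DEFAULT",
     "approvalStatus": "APPROVED", "changeType": "MANUAL",
     "dispositionCategory": "PATCHING", "ruleName": "Rule for create action"},
    {"id": "inc-2", "name": "windows security incident", "status": "CLOSED", "type": "DEFAULT",
     "approvalStatus": "UNAPPROVED", "changeType": "COMPROMISE",
     "dispositionCategory": "MALWARE", "ruleName": "Rule for delete action"},
    {"id": "inc-3", "name": "Linux and Windows Security Incident", "status": "OPEN",
     "type": "AUTOMATED", "approvalStatus": "APPROVED",
     "changeType": "PRE_APPROVED_CHANGE_CONTROL", "dispositionCategory": "GENERAL_HACKING",
     "ruleName": "Rule for create action"},
]

if __name__ == "__main__":
    for q in ("name: Windows Security Incident", 'name: "Windows Security Incident"',
              "name: `Windows Security Incident`", "not changeType: PRE_APPROVED_CHANGE_CONTROL"):
        print(f"{q:<50} -> {search(INCIDENTS, q)}")
```

A bare value runs until the next and, or or not, so a name that itself contains one of those words (as inc-3 above does) must be quoted or backticked to search for it whole. Whether the real search is case-sensitive for bare values, and how it orders and against or, is not stated on this page; the choices above are the example's own.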