Search FIM Incident Tokens
Select the approval status (APPROVED, POLICY_VIOLATION, UNAPPROVED, NA) you're interested in. Select from names in the drop-down menu.
Example
Show incidents with approved status
approvalStatus: APPROVED
Select the change type (MANUAL, AUTOMATED, COMPROMISE, OTHER) you're interested in. Select from names in the drop-down menu.
Example
Show incidents with manual change type
changeType: MANUAL
dispositionCategory
Select the disposition category you're interested in. Select a value from the drop-down menu.
Example
Show incidents in the patching category
dispositionCategory: PATCHING
Use a text value ##### to define the incident ID.
Example
Show incidents with this ID
id: a2608bbc-0887-4052-90d4-4cdb5c4fcff4
Values: COMPLETED, IN_PROGRESS
markupStatus shows the state of event marking for the incident. When the markupStatus is COMPLETED, all the events under the incident are marked and added to that incident.
Note: A report for an incident can only be created when markupStatus is COMPLETED for that incident.
Example
markupStatus: COMPLETED
Use quotes or backticks within values to find an incident by name.
Examples
Show incidents with this name
name: Windows Security Incident
Show any incidents that contain parts of name
name: "Windows Security Incident"
Show incidents that match exact value
name: `Windows Security Incident`
Use a text value ##### to find incidents with a correlation rule ID.
Example
Show incidents with this rule ID
id: a2608bbc
Filter the incidents based on the reviewers.
Example
reviewers: adavid@qualys
reviewedBy.user.name
Use this token to find incidents by the user name of the reviewer who actually reviewed the incident.
Example
reviewedBy.user.name: John Doe
Use a text value ##### to find incidents with a certain correlation rule name.
Examples
Show incidents with this rule name
ruleName: Rule for create action
Show incidents that contain parts of name
ruleName: "create action"
Show incidents that match exact value
ruleName: 'create action'
Values: DAYS, WEEKS, MONTHS
The slaDurationKey token filters incidents based on the SLA timeframe unit: DAYS, WEEKS, or MONTHS.
Example
slaDurationKey: DAYS
slaDurationValue
The slaDurationValue token filters incidents based on the SLA set for a number of days, weeks, or months.
Note: It'll filter out incidents with SLA set as 1 day, 1 week, or 1 month.
Example
slaDurationValue: 1
Values: true, false
The slaRequired token filters incidents based on whether an SLA is set.
Example
slaRequired: true
Select the incident status you're interested in (OPEN or CLOSED or REOPENED). Select from names in the drop-down menu.
Example
Show incidents that are open
status: OPEN
Select the approval type you're interested in (DEFAULT or AUTOMATED). Select from names in the drop-down menu.
Example
Show incidents that are auto-approved
type: AUTOMATED
Use a boolean query to express your query using AND logic.
Example
Show approved incidents in patching category
approvalStatus: APPROVED and dispositionCategory: PATCHING
Use a boolean query to express your query using NOT logic.
Example
Show incidents that were not pre-approved
not changeType: PRE_APPROVED_CHANGE_CONTROL
Use a boolean query to express your query using OR logic.
Example
Show incidents with one of these categories
dispositionCategory: MALWARE or dispositionCategory: GENERAL_HACKING