Search FIM Incident Tokens
incident.approvalStatus
Select the approval status (APPROVED, POLICY_VIOLATION, UNAPPROVED, NA) you are interested in. Select from names in the drop-down menu.
Example
Show incidents with approved status
incident.approvalStatus: APPROVED
incident.changeType
Select the change type (MANUAL, AUTOMATED, COMPROMISE, OTHER) you're interested in. Select from names in the drop-down menu.
Example
Show incidents with a manual change type
incident.changeType: MANUAL
incident.dispositionCategory
Select the disposition category you're interested in. Select a value from the drop-down menu.
Example
Show incidents in the patching category
incident.dispositionCategory: PATCHING
incident.id
Use a text value ##### to find an incident by its ID.
Example
Show incidents with this ID
incident.id: a2608bbc-0887-4052-90d4-4cdb5c4fcff4
incident.markupStatus
This token shows the state of event marking for the incident. When markupStatus is COMPLETED, all events belonging to the incident have been marked and attached to it.
Values: COMPLETED, IN_PROGRESS
Note: A report for an incident can only be created when its markupStatus is COMPLETED.
Example
incident.markupStatus: COMPLETED
incident.name
Use quotes or backticks within values to find an incident by name: a plain value matches the name, "quotes" match incidents whose name contains the phrase, and `backticks` match the exact value.
Examples
Show incidents with this name
incident.name: Windows Security Incident
Show any incidents whose name contains this phrase
incident.name: "Windows Security Incident"
Show incidents that match the exact value
incident.name: `Windows Security Incident`
rule.id
Use a text value ##### to find incidents by correlation rule ID.
Example
Show incidents with this rule ID
rule.id: a2608bbc
incident.slaRequired
Filter incidents by whether an SLA is set for them.
Values: true, false
Example
incident.slaRequired: true
incident.reviewedBy.name
Use this token to find incidents by the user name of the reviewer who actually reviewed them.
Example
incident.reviewedBy.name: John Doe
rule.name
Use a text value ##### to find incidents by correlation rule name. As with incident.name, "quotes" match a contained phrase and `backticks` match the exact value.
Examples
Show incidents with this rule name
rule.name: Rule for create action
Show incidents whose rule name contains this phrase
rule.name: "create action"
Show incidents that match the exact value
rule.name: `create action`
incident.slaDurationKey
Filter incidents by the unit of their SLA duration (DAYS, WEEKS, or MONTHS).
Values: DAYS, WEEKS, MONTHS
Example
incident.slaDurationKey: DAYS
incident.slaDurationValue
Filter incidents by the number of days, weeks, or months their SLA is set to.
Note: The value alone does not fix the unit. incident.slaDurationValue: 1 matches incidents whose SLA is 1 day, 1 week, or 1 month; combine it with incident.slaDurationKey to narrow the unit.
Example
incident.slaDurationValue: 1
incident.reviewers
Filter incidents by their assigned reviewers.
Example
incident.reviewers: adavid@qualys
incident.status
Select the incident status you're interested in (OPEN, CLOSED, or REOPENED). Select from names in the drop-down menu.
Example
Show incidents that are open
incident.status: OPEN
incident.type
Select the approval type you are interested in (DEFAULT or AUTOMATED). Select from names in the drop-down menu.
Example
Show incidents that are auto-approved
incident.type: AUTOMATED
Use a boolean query to express your query using AND logic.
Example
Show approved incidents in the patching category
incident.approvalStatus: APPROVED
and incident.dispositionCategory: PATCHING
Use a boolean query to express your query using NOT logic.
Example
Show incidents that are not auto-approved
not incident.type: AUTOMATED
Use a boolean query to express your query using OR logic.
Example
Show incidents with one of these categories
incident.dispositionCategory: MALWARE or incident.dispositionCategory: GENERAL_HACKING