Search FIM Incident Tokens

approvalStatus

Select the approval status (APPROVED, POLICY_VIOLATION, UNAPPROVED, NA) you're interested in. Select from names in the drop-down menu.

Example

Show incidents with approved status

approvalStatus: APPROVED

changeType

Select the change type (MANUAL, AUTOMATED, COMPROMISE, OTHER) you're interested in. Select from names in the drop-down menu.

Example

Show incidents with manual change type

changeType: MANUAL

dispositionCategory

Select the disposition category you're interested in. Select a value from the drop-down menu.

Example

Show incidents in the patching category

dispositionCategory: PATCHING

id

Use a text value ##### to define the incident ID.

Example

Show incidents with this ID

id: a2608bbc-0887-4052-90d4-4cdb5c4fcff4

markupStatus

Values: COMPLETED, IN_PROGRESS

markupStatus shows the state of event marking for the incident. When the markupStatus is COMPLETED, all the events under the incident have been marked and added to that incident.

Note: A report for an incident can only be created when the markupStatus of that incident is COMPLETED.

Example

markupStatus: COMPLETED

name

Use quotes or backticks within values to find an incident by name.

Examples

Show incidents with this name

name: Windows Security Incident

Show any incidents that contain parts of name

name: "Windows Security Incident"

Show incidents that match exact value

name: `Windows Security Incident`

ruleId

Use a text value ##### to find incidents with a correlation rule ID.

Example

Show incidents with this rule ID

ruleId: a2608bbc

reviewers

Filter the incidents based on the reviewers.

Example

reviewers: adavid@qualys

reviewedBy.user.name

Use this token to find all incidents reviewed by a given user, based on the user name of the reviewer who actually reviewed the incident.

Example

reviewedBy.user.name: John Doe

ruleName

Use a text value ##### to find incidents with a certain correlation rule name.

Examples

Show incidents with this rule name

ruleName: Rule for create action

Show incidents that contain parts of name

ruleName: "create action"

Show incidents that match exact value

ruleName: `create action`

slaDurationKey

Values: DAYS, WEEKS, MONTHS

The slaDurationKey token filters incidents by the unit of the SLA timeframe: DAYS, WEEKS, or MONTHS.

Example

slaDurationKey: DAYS

slaDurationValue

The slaDurationValue token filters incidents by the number of days, weeks, or months the SLA is set to.

Note: A value of 1 matches incidents whose SLA is set to 1 day, 1 week, or 1 month.

Example

slaDurationValue: 1

slaRequired

Values: true, false

The slaRequired token filters incidents by whether or not an SLA is set.

Example

slaRequired: true

status

Select the incident status you're interested in (OPEN, CLOSED, or REOPENED). Select from names in the drop-down menu.

Example

Show incidents that are open

status: OPEN

type

Select the approval type you're interested in (DEFAULT or AUTOMATED). Select from names in the drop-down menu.

Example

Show incidents that are auto-approved

type: AUTOMATED

and

Use a boolean query to express your query using AND logic.

Example

Show approved incidents in patching category

approvalStatus: APPROVED and dispositionCategory: PATCHING

not

Use a boolean query to express your query using NOT logic.

Example

Show incidents that were not pre-approved

not changeType: PRE_APPROVED_CHANGE_CONTROL

or

Use a boolean query to express your query using OR logic.

Example

Show incidents with one of these categories

dispositionCategory: MALWARE or dispositionCategory: GENERAL_HACKING