Searching Correlation Rules

approvalStatus

Select the approval status (APPROVED, POLICY_VIOLATION, UNAPPROVED) you're interested in. Select from names in the drop-down menu.

Example

Show rules with approved status

approvalStatus: APPROVED

approvalType

Select the approval type (MANUAL, AUTOMATED) you're interested in. Select from names in the drop-down menu.

Example

Show correlation rules with manual approval type

approvalType: MANUAL

changeType

Select the change type (MANUAL, AUTOMATED, COMPROMISE, OTHER) you're interested in. Select from names in the drop-down menu.

Example

Show rules with manual change type

changeType: MANUAL

createdBy.user.id

Use a text value ##### to find rules created by a user ID.

Example

Show rules with this ID

createdBy.user.id: 2384

createdBy.user.name

Use a text value ##### to find rules created by a user.

Examples

Show rules created by this user

createdBy.user.name: user12

Show rules created by users whose usernames contain this value

createdBy.user.name: "user"

Show rules created by the user whose username matches this exact value

createdBy.user.name: `user12`

dispositionCategory

Select the disposition category (PATCHING, MALWARE, CONFIGURATION_CHANGE, etc.) you're interested in. Select from names in the drop-down menu.

Example

Show rules in the patching category

dispositionCategory: PATCHING

id

Use a text value ##### to find a rule by its rule ID.

Example

Show rules with this ID

id: 003b9084-643f-f4af-8336-b2530663a

reviewers

Use a text value ##### to find rules reviewed by a reviewer.

Examples

Show rules reviewed by this reviewer

reviewers: reviewer476

Show rules with a reviewer whose name contains this value

reviewers: "rev23"

Show rules with a reviewer whose name matches this exact value

reviewers: 'rev23'

ruleName

Use a text value ##### to find rules with a certain name.

Examples

Show the correlation rule with this rule name

ruleName: Rule for create action

Show correlation rules whose name contains this value

ruleName: "create action"

Show correlation rules whose name matches this exact value

ruleName: 'create action'

scheduleType

Select the schedule type (ONETIME, DAILY, WEEKLY, MONTHLY) you're interested in. Select from names in the drop-down menu.

Example

Show rules with daily schedule type

scheduleType: DAILY

status

Select the incident status you're interested in (OPEN, CLOSED, or REOPENED). Select from names in the drop-down menu.

Example

Show incidents that are open

status: OPEN

updatedBy.user.id

Use a text value ##### to find rules updated by a user ID.

Example

Show rules updated with this ID

updatedBy.user.id: 2384

updatedBy.user.name

Use a text value ##### to find rules updated by a certain user.

Examples

Show rules updated by the user with username user12

updatedBy.user.name: user12

Show rules updated by users whose usernames contain this value

updatedBy.user.name: "user"

Show rules updated by the user whose username matches this exact value

updatedBy.user.name: `user12`

and

Use a boolean query to express your query using AND logic.

Example

Show approved correlation rules that are in patching category

approvalStatus: APPROVED and dispositionCategory: PATCHING

not

Use a boolean query to express your query using NOT logic.

Example

Show correlation rules whose change type is not automated

not changeType: AUTOMATED

or

Use a boolean query to express your query using OR logic.

Example

Show correlation rules with one of these categories

dispositionCategory: MALWARE or dispositionCategory: GENERAL_HACKING
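As an added illustration (not part of this documentation and not the product's own search engine), a small Python evaluator that applies the query syntax documented above to constructed correlation-rule records. The match semantics are assumed from the examples: bare and "double-quoted" values match as a case-insensitive substring, 'single-quoted' or `backticked` values must match exactly, and `not`, `and`, `or` combine terms with `or` binding loosest; the sample rules and the RULES, match_term, match_query and search names are constructed for this example.

```python
import re

# Constructed sample correlation-rule records (not real product data); keys use
# the search field names documented above, stored flat for simplicity.
RULES = [
    {"id": "r-1", "ruleName": "Rule for create action", "approvalStatus": "APPROVED",
     "changeType": "MANUAL", "dispositionCategory": "PATCHING", "createdBy.user.name": "user12"},
    {"id": "r-2", "ruleName": "Create action audit", "approvalStatus": "UNAPPROVED",
     "changeType": "AUTOMATED", "dispositionCategory": "MALWARE", "createdBy.user.name": "user1"},
    {"id": "r-3", "ruleName": "Lateral movement", "approvalStatus": "APPROVED",
     "changeType": "COMPROMISE", "dispositionCategory": "GENERAL_HACKING", "createdBy.user.name": "analyst7"},
]

# One term: optional leading "not", a dotted field name, a colon, then the value.
TERM = re.compile(r"^(not\s+)?([\w.]+):\s*(.+)$", re.IGNORECASE)

def match_term(rule, term):
    """Evaluate one `field: value` term against a rule record.
    Assumed semantics: bare or "double-quoted" values match as a case-insensitive
    substring; 'single-quoted' or `backticked` values must match exactly."""
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"cannot parse term: {term!r}")
    negate, field, value = m.group(1), m.group(2), m.group(3).strip()
    actual = str(rule.get(field, ""))
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'`":
        hit = actual == value[1:-1]                    # exact match
    else:
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                        # strip the double quotes
        hit = value.lower() in actual.lower()          # substring ("contains") match
    return not hit if negate else hit

def match_query(rule, query):
    """Precedence, as assumed here: `not` binds tightest, then `and`, then `or`.
    Parentheses are not supported."""
    return any(all(match_term(rule, t) for t in re.split(r"\s+and\s+", clause, flags=re.IGNORECASE))
               for clause in re.split(r"\s+or\s+", query, flags=re.IGNORECASE))

def search(query, rules=RULES):
    """Return the ids of the rules matching the query, in record order."""
    return [r["id"] for r in rules if match_query(r, query)]

if __name__ == "__main__":
    for q in ("approvalStatus: APPROVED and dispositionCategory: PATCHING",
              "not changeType: AUTOMATED",
              'ruleName: "create action"',
              "ruleName: 'create action'",
              "dispositionCategory: MALWARE or dispositionCategory: GENERAL_HACKING"):
        print(f"{q!r:75} -> {search(q)}")
```

Note how the two `create action` queries differ: the double-quoted form matches both rules containing that phrase, while the single-quoted form matches nothing because no rule name equals it exactly.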