Searching Correlation Rules

approvalStatus

Select the approval status (APPROVED, POLICY_VIOLATION, UNAPPROVED) you're interested in. Select from names in the drop-down menu.

Example

Show rules with approved status

approvalStatus: APPROVED

approvalType

Select the approval type (MANUAL, AUTOMATED) you're interested in. Select from names in the drop-down menu.

Example

Show correlation rules with manual approval type

approvalType: MANUAL

changeType

Select the change type (MANUAL, AUTOMATED, COMPROMISE, OTHER) you're interested in. Select from names in the drop-down menu.

Example

Show rules with manual change type

changeType: MANUAL

createdBy.user.id

Use a text value to find rules created by a specific user ID.

Example

Show rules with this ID

createdBy.user.id: 2384

createdBy.user.name

Use a text value to find rules created by a specific user.

Examples

Show rules created by this user

createdBy.user.name: user12

Show rules created by users whose username contains this text

createdBy.user.name: "user"

Show rules created by the user whose username matches this exact value

createdBy.user.name: `user12`

dispositionCategory

Select the disposition category (PATCHING, MALWARE, CONFIGURATION_CHANGE, etc.) you're interested in. Select from names in the drop-down menu.

Example

Show rules in the patching category

dispositionCategory: PATCHING

id

Use a text value to find a rule by its rule ID.

Example

Show rules with this ID

id: 003b9084-643f-f4af-8336-b2530663a

reviewers

Use a text value to find rules reviewed by a specific reviewer.

Examples

Show rules reviewed by this reviewer

reviewers: reviewer476

Show rules with a reviewer whose name contains this text

reviewers: "rev23"

Show rules with a reviewer whose name matches this exact value

reviewers: 'rev23'

ruleName

Use a text value to find rules with a certain name.

Examples

Show the correlation rule with this rule name

ruleName: Rule for create action

Show correlation rules whose name contains this text

ruleName: "create action"

Show correlation rules whose name matches this exact value

ruleName: 'create action'

scheduleType

Select the schedule type (ONETIME, DAILY, WEEKLY, MONTHLY) you're interested in. Select from names in the drop-down menu.

Example

Show rules with daily schedule type

scheduleType: DAILY

status

Select the incident status you're interested in (OPEN, CLOSED or REOPENED). Select from names in the drop-down menu.

Example

Show incidents that are open

status: OPEN

updatedBy.user.id

Use a text value to find rules updated by a specific user ID.

Example

Show rules updated by the user with this ID

updatedBy.user.id: 2384

updatedBy.user.name

Use a text value to find rules updated by a certain user.

Examples

Show rules updated by the user with username user12

updatedBy.user.name: user12

Show rules updated by users whose username contains this text

updatedBy.user.name: "user"

Show rules updated by the user whose username matches this exact value

updatedBy.user.name: `user12`

and

Combine conditions with AND so that only rules matching all of them are returned.

Example

Show approved correlation rules that are in the patching category

approvalStatus: APPROVED and dispositionCategory: PATCHING

not

Negate a condition with NOT so that rules matching it are excluded.

Example

Show correlation rules whose change type is not AUTOMATED

not changeType: AUTOMATED

or

Combine conditions with OR so that rules matching any of them are returned.

Example

Show correlation rules with either of these categories

dispositionCategory: MALWARE or dispositionCategory: GENERAL_HACKING