Search Correlation Rules
rule.approvalStatus
Select the approval status (APPROVED, POLICY_VIOLATION, UNAPPROVED) you're interested in. Select from names in the drop-down menu.
Example
Show rules with the approved status
rule.approvalStatus: APPROVED
rule.approvalType
Select the approval type (MANUAL, AUTOMATED) you are interested in. Select from names in the drop-down menu.
Example
Show correlation rules with the manual approval type
rule.approvalType: MANUAL
rule.changeType
Select the change type (MANUAL, AUTOMATED, COMPROMISE, OTHER) you are interested in. Select from names in the drop-down menu.
Example
Show rules with the manual change type
rule.changeType: MANUAL
rule.createdBy.id
Use a text value ##### to find rules that are created by a user ID.
Example
Show rules with this ID
rule.createdBy.id: 2384
rule.createdBy.name
Use a text value ##### to find rules created by a user.
Examples
Show rules created by this user
rule.createdBy.name: user12
Show rules created by users whose username contains part of the value
rule.createdBy.name: "user"
Show rules created by users whose username matches the exact value
rule.createdBy.name: 'user12'
rule.dispositionCategory
Select the disposition category (PATCHING, MALWARE, CONFIGURATION_CHANGE, etc.) you're interested in. Select from names in the drop-down menu.
Example
Show rules in the patching category
rule.dispositionCategory: PATCHING
rule.id
Use a text value ##### to find a rule by its rule ID.
Example
Show rules with this ID
rule.id: 003b9084-643f-f4af-8336-b2530663a
rule.reviewers
Use a text value ##### to find rules reviewed by a given reviewer.
Examples
Show rules reviewed by this reviewer
rule.reviewers: reviewer476
Show rules with a reviewer name that contains part of the value
rule.reviewers: "rev23"
Show rules with a reviewer name that matches the exact value
rule.reviewers: 'rev23'
rule.name
Use a text value ##### to find rules with a certain name.
Examples
Show the correlation rule with this rule name
rule.name: Rule for create action
Show correlation rules whose name contains part of the value
rule.name: "create action"
Show correlation rules whose name matches the exact value
rule.name: 'create action'
rule.scheduleType
Select the schedule type (ONETIME, DAILY, WEEKLY, MONTHLY) you're interested in. Select from names in the drop-down menu.
Example
Show rules with the daily schedule type
rule.scheduleType: DAILY
rule.status
Select the status (OPEN, CLOSED, or REOPENED) you are interested in. Select from names in the drop-down menu.
Example
Show rules with the open status
rule.status: OPEN
rule.updatedBy.id
Use a text value ##### to find rules updated by a given user ID.
Example
Show rules updated by the user with this ID
rule.updatedBy.id: 2384
rule.updatedBy.name
Use a text value ##### to find rules updated by a certain user.
Examples
Show rules updated by the user with username user12
rule.updatedBy.name: user12
Show rules updated by users whose username contains part of the value
rule.updatedBy.name: "user"
Show rules updated by users whose username matches the exact value
rule.updatedBy.name: 'user12'
rule.slaDurationKey
This token filters by the unit of the SLA timeframe: DAYS, WEEKS, or MONTHS.
Values: DAYS, WEEKS, MONTHS
Example
rule.slaDurationKey: DAYS
rule.slaDurationValue
This token filters by the SLA duration as a number of days, weeks, or months.
Note: a value of 1 matches an SLA set to 1 day, 1 week, or 1 month.
Example
rule.slaDurationValue: 1
rule.slaRequired
This token filters by whether an SLA is set.
Values: true, false
Example
rule.slaRequired: true
Use a boolean query to combine conditions with AND logic.
Example
Show approved correlation rules that are in the patching category
rule.approvalStatus: APPROVED and rule.dispositionCategory: PATCHING
Use a boolean query to exclude a condition with NOT logic.
Example
Show correlation rules whose change type is not automated
not rule.changeType: AUTOMATED
Use a boolean query to combine conditions with OR logic.
Example
Show correlation rules with one of these categories
rule.dispositionCategory: MALWARE or rule.dispositionCategory: GENERAL_HACKING
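The evaluator below is an added illustration of the query syntax described on this page (the three value forms and the and/not/or combinators); it is not the product's own search implementation, and the sample rules, ids and user names in it are constructed. It assumes details the page does not state: `not` binds tighter than `and`, which binds tighter than `or`; an unquoted value must equal the whole field value (case-insensitively); a 'single-quoted' value is an exact, case-sensitive match; a "double-quoted" value is a case-insensitive substring match; and list-valued fields such as rule.reviewers match if any element matches.

```python
"""Evaluator for the correlation-rule search syntax documented on this page.

Added illustration; this is not the product's own search implementation.
Assumptions the page does not state: `not` binds tighter than `and`, which
binds tighter than `or`; operator words are case-insensitive and must be
surrounded by whitespace; an unquoted value must equal the whole field value
(case-insensitively); a 'single-quoted' value is an exact, case-sensitive
match; a "double-quoted" value is a case-insensitive substring match.
"""
import re
from typing import Any

# Constructed sample rules (ids, names and users are made up for this example).
SAMPLE_RULES = [
    {"id": "rule-0001", "name": "Rule for create action",
     "approvalStatus": "APPROVED", "changeType": "MANUAL",
     "dispositionCategory": "PATCHING",
     "createdBy": {"id": "2384", "name": "user12"},
     "reviewers": ["rev23", "reviewer476"],
     "slaRequired": True, "slaDurationKey": "DAYS", "slaDurationValue": 1},
    {"id": "rule-0002", "name": "Create action audit",
     "approvalStatus": "UNAPPROVED", "changeType": "AUTOMATED",
     "dispositionCategory": "MALWARE",
     "createdBy": {"id": "77", "name": "user1"},
     "reviewers": ["rev230"],
     "slaRequired": False, "slaDurationKey": None, "slaDurationValue": None},
    {"id": "rule-0003", "name": "Weekly config check",
     "approvalStatus": "APPROVED", "changeType": "OTHER",
     "dispositionCategory": "GENERAL_HACKING",
     "createdBy": {"id": "91", "name": "User12"},
     "reviewers": [],
     "slaRequired": True, "slaDurationKey": "WEEKS", "slaDurationValue": 2},
]

_OR = re.compile(r"\s+or\s+", re.IGNORECASE)
_AND = re.compile(r"\s+and\s+", re.IGNORECASE)
# Optional "not", optional "rule." prefix, dotted field name, ":" and the value.
_TERM = re.compile(
    r"^(?P<neg>not\s+)?(?:rule\.)?(?P<field>[\w.]+):\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def _lookup(rule: dict, path: str) -> Any:
    """Resolve a dotted path such as createdBy.name; None if absent."""
    cur: Any = rule
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _match_value(actual: Any, raw: str) -> bool:
    """Apply the three value forms to a scalar or list-valued field."""
    if actual is None:
        return False
    values = actual if isinstance(actual, list) else [actual]
    values = [str(v) for v in values]          # True -> "True", 1 -> "1"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        needle = raw[1:-1].lower()             # "partial" -> substring match
        return any(needle in v.lower() for v in values)
    if len(raw) >= 2 and raw[0] == raw[-1] == "'":
        return raw[1:-1] in values             # 'exact' -> exact match
    return any(raw.lower() == v.lower() for v in values)  # plain value


def _eval_term(rule: dict, term: str) -> bool:
    """Evaluate one (possibly negated) field:value term against a rule."""
    m = _TERM.match(term.strip())
    if m is None:
        raise ValueError(f"malformed term: {term!r}")
    hit = _match_value(_lookup(rule, m.group("field")), m.group("value"))
    return not hit if m.group("neg") else hit


def matches(rule: dict, query: str) -> bool:
    """OR of AND-clauses, each clause a conjunction of terms.
    Limitation: values containing the words ' and ' or ' or ' are split by
    the operator regexes and are therefore not supported."""
    return any(
        all(_eval_term(rule, term) for term in _AND.split(clause))
        for clause in _OR.split(query.strip())
    )


def search(rules: list, query: str) -> list:
    """Return the ids of the rules that satisfy the query, in input order."""
    return [r["id"] for r in rules if matches(r, query)]


if __name__ == "__main__":
    for q in (
        "rule.approvalStatus: APPROVED and rule.dispositionCategory: PATCHING",
        "not rule.changeType: AUTOMATED",
        'rule.reviewers: "rev23"',
        "rule.reviewers: 'rev23'",
    ):
        print(f"{q!r:75} -> {search(SAMPLE_RULES, q)}")
```

Running the block prints the matching rule ids for the page's own boolean examples and for the substring-versus-exact reviewer queries; the difference between `"rev23"` (also matches the constructed reviewer rev230) and `'rev23'` (matches only the exact name) is the point to notice when writing reviewer or user filters.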