Searching Correlation Rules
approvalStatus
Select the approval status (APPROVED, POLICY_VIOLATION, UNAPPROVED) you're interested in from the names in the drop-down menu.
Example
Show rules with approved status
approvalStatus: APPROVED
approvalType
Select the approval type (MANUAL, AUTOMATED) you're interested in from the names in the drop-down menu.
Example
Show correlation rules with manual approval type
approvalType: MANUAL
changeType
Select the change type (MANUAL, AUTOMATED, COMPROMISE, OTHER) you're interested in from the names in the drop-down menu.
Example
Show rules with manual change type
changeType: MANUAL
createdBy.user.id
Use a text value to find rules created by the user with this user ID.
Example
Show rules created by the user with this ID
createdBy.user.id: 2384
createdBy.user.name
Use a text value to find rules created by a user.
Examples
Show rules created by the user with username user12
createdBy.user.name: user12
Show rules created by users whose username contains this text
createdBy.user.name: "user"
Show rules created by the user whose username matches this exact value
createdBy.user.name: 'user12'
dispositionCategory
Select the disposition category (PATCHING, MALWARE, CONFIGURATION_CHANGE, etc.) you're interested in from the names in the drop-down menu.
Example
Show rules in the patching category
dispositionCategory: PATCHING
id
Use a text value to find a rule by its rule ID.
Example
Show rules with this ID
id: 003b9084-643f-f4af-8336-b2530663a
reviewers
Use a text value to find rules reviewed by a given reviewer.
Examples
Show rules reviewed by this reviewer
reviewers: reviewer476
Show rules whose reviewer name contains this text
reviewers: "rev23"
Show rules whose reviewer name matches this exact value
reviewers: 'rev23'
ruleName
Use a text value to find rules with a certain name.
Examples
Show the correlation rule with this rule name
ruleName: Rule for create action
Show correlation rules whose name contains this text
ruleName: "create action"
Show correlation rules whose name matches this exact value
ruleName: 'create action'
scheduleType
Select the schedule type (ONETIME, DAILY, WEEKLY, MONTHLY) you're interested in from the names in the drop-down menu.
Example
Show rules with daily schedule type
scheduleType: DAILY
status
Select the incident status (OPEN, CLOSED or REOPENED) you're interested in from the names in the drop-down menu.
Example
Show incidents that are open
status: OPEN
updatedBy.user.id
Use a text value to find rules updated by the user with this user ID.
Example
Show rules updated by the user with this ID
updatedBy.user.id: 2384
updatedBy.user.name
Use a text value to find rules updated by a certain user.
Examples
Show rules updated by the user with username user12
updatedBy.user.name: user12
Show rules updated by users whose username contains this text
updatedBy.user.name: "user"
Show rules updated by the user whose username matches this exact value
updatedBy.user.name: 'user12'
Use a boolean query with and to require that both conditions hold.
Example
Show approved correlation rules that are in the patching category
approvalStatus: APPROVED and dispositionCategory: PATCHING
Use a boolean query with not to exclude rules that match a condition.
Example
Show correlation rules whose change type is anything other than AUTOMATED
not changeType: AUTOMATED
Use a boolean query with or to match rules that satisfy either condition.
Example
Show correlation rules with one of these categories
dispositionCategory: MALWARE or dispositionCategory: GENERAL_HACKING