FortiDLP Console User Guide

Incident search properties

You can use the following properties to create custom search queries within the Incidents module.

Incident search properties

| Property | Format | Description |
| --- | --- | --- |
| active | Boolean | Whether or not the incident can receive further detections. A clustered incident is active until it is resolved. A sequenced incident is active until its time window has elapsed, an operator modifies and publishes a new rule definition, or an operator resolves the incident. Select true to search for active incidents or false to search for inactive incidents. |
| bounded_entity | Boolean | For sequenced incidents, whether or not 10 incidents exist for the same entity and rule. If this limit is reached, further incidents will not be created for the entity and rule until one or more of the existing incidents are marked as "Resolved" or "In review". Select true to search for incidents where associated entities have reached the rule limit or false to search for incidents where associated entities have not reached the rule limit. |
| changed_status_at | Timestamp | The date/time the incident's status was last updated. |
| changed_status_by | String | The name of the operator who updated the incident's status. |
| changed_status_reason | String | The operator's comment that was provided when marking an incident as "Resolved" or "In review". |
| created_by | String | The name of the policy associated with the incident. |
| description | String | The incident's description. |
| detections | Integer | The number of detections forming the incident. |
| first_event | Timestamp | The date/time the incident's first detection was generated. |
| id | String | The incident's unique identifier. |
| last_event | Timestamp | The date/time the incident's last detection was generated. |
| last_updated | Timestamp | The date/time the incident's detection count was last updated. |
| score | Integer | The incident's risk score, derived from its detection(s). |
| started | Timestamp | The date/time the incident was created. |
| status | String | The incident status, such as new, in_review, or resolved. |
| test_mode | Boolean | For sequenced incidents, whether or not they are in Test operation mode. Select true to search for incidents that are in Test mode or false to search for incidents that are in Enabled or Disabled mode. |
| type | String | The incident type, such as clustered_incident or sequenced_incident. |
| cluster_data.key | String | The cluster key used to form the clustered incident. |
| cluster_data.key_value | String | The cluster key and value used to form the clustered incident. |
| cluster_data.value | String | The cluster value used to form the clustered incident. |
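The following Python is an added worked example, not code from the FortiDLP guide or the product. It evaluates search queries built from the properties above over constructed incident records, coercing each term to the property's listed format (Boolean true/false, Integer, Timestamp, String) and deriving bounded_entity from the 10-incidents-per-entity-and-rule limit described for sequenced incidents. The query syntax ("prop:value" terms joined with " AND ", with optional ">=" / "<=" prefixes on Integer and Timestamp values) and the per-record "entity" and "rule" fields are assumptions made for the illustration; they are not the console's own syntax or schema.

```python
"""Evaluate FortiDLP-style incident search properties over constructed records.
Assumed for illustration: the query syntax and the 'entity'/'rule' record fields."""
from __future__ import annotations

from collections import Counter
from datetime import datetime

# Property -> format, as listed in the search properties table.
PROPERTY_FORMATS = {
    "active": "Boolean", "bounded_entity": "Boolean", "changed_status_at": "Timestamp",
    "changed_status_by": "String", "changed_status_reason": "String", "created_by": "String",
    "description": "String", "detections": "Integer", "first_event": "Timestamp",
    "id": "String", "last_event": "Timestamp", "last_updated": "Timestamp",
    "score": "Integer", "started": "Timestamp", "status": "String", "test_mode": "Boolean",
    "type": "String", "cluster_data.key": "String", "cluster_data.key_value": "String",
    "cluster_data.value": "String",
}
SEQUENCED_RULE_LIMIT = 10                    # 10 incidents per entity and rule
RELEASING_STATUSES = {"resolved", "in_review"}  # statuses that free a slot under that limit


def coerce(prop: str, raw: str):
    """Convert a query term's text to the property's format; reject bad input."""
    fmt = PROPERTY_FORMATS[prop]  # KeyError for a property that is not searchable
    if fmt == "Boolean":
        if raw not in ("true", "false"):
            raise ValueError(f"{prop}: expected true or false, got {raw!r}")
        return raw == "true"
    if fmt == "Integer":
        return int(raw)
    if fmt == "Timestamp":
        return datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return raw


def parse_query(query: str) -> list[tuple[str, str, object]]:
    """'score:>=50 AND status:new' -> [('score', '>=', 50), ('status', '=', 'new')]."""
    terms = []
    for term in query.split(" AND "):
        prop, sep, raw = term.strip().partition(":")  # first ':' only; timestamps keep theirs
        if not sep:
            raise ValueError(f"malformed term {term!r}")
        op = "="
        if raw[:2] in (">=", "<="):
            if PROPERTY_FORMATS.get(prop) not in ("Integer", "Timestamp"):
                raise ValueError(f"{prop}: range operators apply to Integer/Timestamp only")
            op, raw = raw[:2], raw[2:]
        terms.append((prop, op, coerce(prop, raw)))
    return terms


def with_bounded_entity(incidents: list[dict]) -> list[dict]:
    """Derive bounded_entity: a sequenced incident is bounded when its entity/rule pair
    has reached the limit counting only incidents not yet resolved or in review."""
    occupied = Counter(
        (i["entity"], i["rule"]) for i in incidents
        if i["type"] == "sequenced_incident" and i["status"] not in RELEASING_STATUSES
    )
    out = []
    for i in incidents:
        rec = dict(i)
        rec["bounded_entity"] = (rec["type"] == "sequenced_incident"
                                 and occupied[(rec["entity"], rec["rule"])] >= SEQUENCED_RULE_LIMIT)
        out.append(rec)
    return out


def search(incidents: list[dict], query: str) -> list[str]:
    """Return the ids of incidents matching every term of the query, in input order."""
    terms = parse_query(query)
    matches = []
    for rec in with_bounded_entity(incidents):
        ok = True
        for prop, op, want in terms:
            have = rec.get(prop)
            if have is not None and PROPERTY_FORMATS[prop] == "Timestamp":
                have = coerce(prop, have)  # records store ISO-8601 strings
            if have is None or (op == "=" and have != want) \
                    or (op == ">=" and have < want) or (op == "<=" and have > want):
                ok = False
                break
        if ok:
            matches.append(rec["id"])
    return matches


def sample_incidents() -> list[dict]:
    """Constructed data: 10 open sequenced incidents for one entity/rule pair (at the
    limit), one for another entity, and one clustered incident under review."""
    base = {"type": "sequenced_incident", "status": "new", "active": True, "test_mode": False,
            "created_by": "Bulk download policy", "started": "2024-05-01T09:00:00Z"}
    incidents = [dict(base, id=f"seq-{n:02d}", entity="user-a", rule="rule-1",
                      detections=n + 1, score=10 * (n + 1)) for n in range(10)]
    incidents.append(dict(base, id="seq-b", entity="user-b", rule="rule-1", detections=1, score=5))
    incidents.append({"id": "clu-1", "type": "clustered_incident", "status": "in_review",
                      "active": True, "test_mode": False, "entity": "user-a", "rule": "rule-9",
                      "detections": 3, "score": 40, "created_by": "Removable media policy",
                      "started": "2024-05-02T09:00:00Z", "cluster_data.key": "device",
                      "cluster_data.value": "usb-123", "cluster_data.key_value": "device=usb-123"})
    return incidents


if __name__ == "__main__":
    data = sample_incidents()
    print("at rule limit:", search(data, "bounded_entity:true"))
    print("high score, still new:", search(data, "score:>=50 AND status:new"))
```

Resolving any one of the ten open incidents for user-a drops that pair below the limit, so a subsequent `bounded_entity:true` search returns nothing; that is the behaviour the bounded_entity description implies, and it is worth keeping in mind when triaging, because a resolved incident also allows the rule to create new incidents for that entity again.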
