Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiDLP Console User Guide

    Home FortiDLP FortiDLP Console User Guide

    Incident search properties

    Incident search properties

    You can use the following properties to create custom search queries within the Incidents module.

    Incident search properties
    Property Format Description
    changed_status_at Timestamp The date/time the incident's status was last updated.
    changed_status_by String The name of the operator who updated the incident's status.
    changed_status_reason String The operator's comment that was provided when resolving or reopening an incident.
    created_by String The name of the policy associated with the incident.
    description String The incident's description.
    detections Integer The number of detections forming the incident.
    first_event Timestamp The date/time the incident's first detection was generated.
    id String The incident's unique identifier.
    last_event Timestamp The date/time the incident's last detection was generated.
    last_updated Timestamp The date/time the incident's detection count was last updated.
    score Integer The incident's risk score, derived from its detection(s)
    started Timestamp The date/time the incident was created.
    status String The incident status, such as open or resolved.
    cluster_data.key String The cluster key used to form the incident.
    cluster_data.key_value String The cluster key and value used to form the incident.
    cluster_data.value String The cluster value used to form the incident.
    Previous
    Next

    Incident search properties

    Incident search properties

    You can use the following properties to create custom search queries within the Incidents module.

    Incident search properties
    Property Format Description
    changed_status_at Timestamp The date/time the incident's status was last updated.
    changed_status_by String The name of the operator who updated the incident's status.
    changed_status_reason String The operator's comment that was provided when resolving or reopening an incident.
    created_by String The name of the policy associated with the incident.
    description String The incident's description.
    detections Integer The number of detections forming the incident.
    first_event Timestamp The date/time the incident's first detection was generated.
    id String The incident's unique identifier.
    last_event Timestamp The date/time the incident's last detection was generated.
    last_updated Timestamp The date/time the incident's detection count was last updated.
    score Integer The incident's risk score, derived from its detection(s)
    started Timestamp The date/time the incident was created.
    status String The incident status, such as open or resolved.
    cluster_data.key String The cluster key used to form the incident.
    cluster_data.key_value String The cluster key and value used to form the incident.
    cluster_data.value String The cluster value used to form the incident.
    Previous
    Next