Introduction
This article explains how Lucene query techniques are used in the incident management section.
Lucene Techniques in Incident Management
All Lucene techniques available in the search section can also be used in the incident management section. A detailed example is given below:
Suppose we want the incidents that meet all of the following conditions: the incident owner is the user "mahmut", the incident status is closed, the occurrence count of the same incident is not 1, the risk score is between 0 and 30, the reason for closing the incident is neither "Other" nor "False Positive", an action or investigation has been taken for the incident, the incident category name is "Malware", the phrase "Threat Intelligence" appears in the incident information, and the incident occurred between April 4 and April 14, 2023. An example query is shown below:
Query: !Incident.Count:1 !Close.Reason:(Other OR "False Positive") !Risk.Score:[0 TO 30] _exists_:Cards Category.Name:Malware Incident.Info:"Threat Intelligence" Time.Generated:["2023-04-01 00:00:00" TO "2023-04-14 23:59:59"]
Incident.Owner: Incident owner username
Incident.Status: Incident status
Incident.Count: Incident occurrence count
Close.Reason: Reason for closing the incident
Risk.Score: Risk score given for the incident
_exists_:Cards: Any action or investigation card has been created for the incident
Category.Name: Incident category name
Incident.Info: General incident information
Time.Generated:[X TO Y]: Time interval within which the incident occurred (from X to Y, inclusive)
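As an added example (not code from the original article or the platform itself), the small Python evaluator below parses the clause forms used in the query above (a leading `!` for NOT, an `(A OR B)` group, an inclusive `[X TO Y]` range, a quoted phrase and `_exists_:field`) and applies them to constructed incident records. It applies the query exactly as written, so `!Risk.Score:[0 TO 30]` excludes scores from 0 to 30. The field names are the page's; the flat record layout, the sample incidents and the matching rules (exact match for bare terms, substring match for quoted phrases, string comparison for timestamps) are simplifications assumed here, not the platform's own query engine.

```python
import re

QUERY = ('!Incident.Count:1 !Close.Reason:(Other OR "False Positive") !Risk.Score:[0 TO 30] '
         '_exists_:Cards Category.Name:Malware Incident.Info:"Threat Intelligence" '
         'Time.Generated:["2023-04-01 00:00:00" TO "2023-04-14 23:59:59"]')

# A clause: optional '!' (NOT), field, ':' and a [X TO Y] range, (A OR B) group, "phrase" or bare term.
CLAUSE = re.compile(r'(?P<neg>!?)(?P<field>[\w.]+):(?P<val>\[[^\]]*\]|\([^)]*\)|"[^"]*"|\S+)')
TERM = re.compile(r'"([^"]*)"|(\S+)')  # one quoted or bare token

def tokens(body, keyword):
    # Split a range/group body into its terms, dropping the TO / OR keyword.
    return [q or b for q, b in TERM.findall(body) if (q or b) != keyword]

def parse(query):
    """One (negated, field, kind, payload) tuple per clause; all clauses are ANDed."""
    out = []
    for m in CLAUSE.finditer(query):
        neg, field, val = m.group('neg') == '!', m.group('field'), m.group('val')
        kind, payload = (('range', tuple(tokens(val[1:-1], 'TO'))) if val[0] == '[' else
                         ('any', tokens(val[1:-1], 'OR')) if val[0] == '(' else ('term', val.strip('"')))
        out.append((neg, field, kind, payload))
    return out

def clause_hits(incident, clause):
    """Evaluate one clause against a flat incident record (a dict keyed by field name)."""
    neg, field, kind, payload = clause
    if field == '_exists_':  # _exists_:Cards -> the field is present and non-empty
        hit = bool(incident.get(payload))
    elif (value := incident.get(field)) is None:
        hit = False
    elif kind == 'range':  # inclusive [lo TO hi]: numbers numerically, timestamps as ISO strings
        lo, hi = payload
        hit = float(lo) <= value <= float(hi) if isinstance(value, (int, float)) else lo <= value <= hi
    elif kind == 'any':  # (A OR B): any listed value matches
        hit = str(value) in payload
    else:  # bare term: exact value; quoted phrase (contains a space): contained in free text
        hit = str(value) == payload or (' ' in payload and payload.lower() in str(value).lower())
    return hit != neg  # a leading '!' flips the clause result

def select(query, incidents):
    # Incidents for which every clause of the query holds.
    return [inc for inc in incidents if all(clause_hits(inc, c) for c in parse(query))]

# Constructed sample incidents (not real data); only id 1 satisfies every clause.
BASE = {'Incident.Count': 3, 'Close.Reason': 'Remediated', 'Risk.Score': 65, 'Cards': ['investigation'],
        'Category.Name': 'Malware', 'Incident.Info': 'Threat Intelligence hit', 'Time.Generated': '2023-04-05 10:12:00'}
INCIDENTS = [{**BASE, 'id': 1},
             {**BASE, 'id': 2, 'Incident.Count': 1},               # fails !Incident.Count:1
             {**BASE, 'id': 3, 'Close.Reason': 'False Positive'},  # fails the negated OR group
             {**BASE, 'id': 4, 'Risk.Score': 20},                  # fails: score lies inside the negated range
             {**BASE, 'id': 5, 'Cards': []}]                       # fails _exists_:Cards
```

Running `select(QUERY, INCIDENTS)` returns only the record with id 1; change one clause of `QUERY` and re-run to see which records the modified filter admits.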