From 6e7e827ce8917bda1819aa97cd6828085fb5d032 Mon Sep 17 00:00:00 2001 From: Brian Torres-Gil Date: Wed, 14 May 2014 15:55:42 -0700 Subject: [PATCH 01/16] Significantly improve efficiency of indexing by simplifying and removing regex from props.conf and transforms.conf. --- default/props.conf | 8 +++----- default/transforms.conf | 34 +++++++++++----------------------- 2 files changed, 14 insertions(+), 28 deletions(-) diff --git a/default/props.conf b/default/props.conf index d88b24dc..800a7c4a 100755 --- a/default/props.conf +++ b/default/props.conf @@ -7,10 +7,7 @@ MAX_TIMESTAMP_LOOKAHEAD = 44 pulldown_type = true [pan_threat] -REPORT-search = extract_threat -REPORT-threatid = extract_threatid -REPORT-urlhost = extract_urlhost -REPORT-reportid = extract_reportid +REPORT-search = extract_threat, extract_threat_id, extract_dst_hostname, extract_major_content_type SHOULD_LINEMERGE = false lookup_table = threat_lookup threat_id lookup_table = app_lookup app @@ -24,6 +21,7 @@ FIELDALIAS-src_for_pan_threat = src_ip as src FIELDALIAS-dest_for_pan_threat = dst_ip as dest FIELDALIAS-dest-port_for_pan_threat = dst_port as dest_port FIELDALIAS-rule_name_for_pan_threat = rule_name as rule +FIELDALIAS-report_id_for_pan_threat = threat_id as report_id EVAL-user = coalesce(src_user,dst_user) EVAL-server_ip = if(isnull(direction) OR direction="client-to-server", dst_ip, src_ip) EVAL-client_ip = if(isnull(direction) OR direction="client-to-server", src_ip, dst_ip) @@ -61,7 +59,6 @@ FIELDALIAS-dest_for_pan_system = host as dest_ip, host as dest [pan_config] REPORT-search = extract_config -REPORT-configsubtype = extract_configsubtype SHOULD_LINEMERGE = false FIELDALIAS_config = "virtual_system" AS "vsys" "command" AS "cmd" "configuration_path" AS "path" # Field Aliases to map palo alto fields to the Splunk Common Information Model 
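Review bot: `FIELDALIAS-report_id_for_pan_threat = threat_id as report_id` in the second hunk weakens what report_id can contain: the removed `extract_reportid` transform only ever produced the digits inside parentheses, whereas the alias copies threat_id verbatim, so on any threat event where the `\((\d+)\)` rewrite does not fire (presumably any event with no parenthesised number in that field) report_id becomes an arbitrary, log-supplied string rather than a numeric id. If report_id is used elsewhere in the app to retrieve WildFire reports — that consumer is not visible in this diff — it should check the value is all digits before building a request from it. Keeping the old guarantee at the props level is one line: `EVAL-report_id = if(match(threat_id, "^\d+$"), threat_id, null())` in place of the alias. The [pan_threat] stanza itself starts and ends outside this hunk.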
@@ -69,6 +66,7 @@ FIELDALIAS-dvc_for_pan_config = host as dvc FIELDALIAS-src_for_pan_config = src_ip as src FIELDALIAS-dest_for_pan_config = dst_ip as dest FIELDALIAS-dest_for_pan_config = host as dest_ip, host as dest +EVAL-log_subtype = "config" [pan_wildfire_report] REPORT-search = extract_wildfire_report diff --git a/default/transforms.conf b/default/transforms.conf index 2fcb38f9..0761208d 100755 --- a/default/transforms.conf +++ b/default/transforms.conf @@ -1,26 +1,25 @@ -# TODO: add comments [pan_vendor_info_lookup] filename = pan_vendor_info.csv [pan_threat] DEST_KEY = MetaData:Sourcetype -REGEX = ([^,]+,[^,]+,[^,]+,THREAT,) +REGEX = ^[^,]+,[^,]+,[^,]+,THREAT, FORMAT = sourcetype::pan_threat [pan_traffic] DEST_KEY = MetaData:Sourcetype -REGEX = ([^,]+,[^,]+,[^,]+,TRAFFIC,) +REGEX = ^[^,]+,[^,]+,[^,]+,TRAFFIC, FORMAT = sourcetype::pan_traffic [pan_system] DEST_KEY = MetaData:Sourcetype -REGEX = ([^,]+,[^,]+,[^,]+,SYSTEM,) +REGEX = ^[^,]+,[^,]+,[^,]+,SYSTEM, FORMAT = sourcetype::pan_system [pan_config] DEST_KEY = MetaData:Sourcetype -REGEX = ([^,]+,[^,]+,[^,]+,CONFIG,) +REGEX = ^[^,]+,[^,]+,[^,]+,CONFIG, FORMAT = sourcetype::pan_config [threat_lookup] 
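Review bot: The four sourcetype-routing regexes in the transforms.conf hunk (`^[^,]+,[^,]+,[^,]+,THREAT,` and its siblings) classify an event on nothing but its fourth comma-separated field, so if the syslog input is shared, any host that can reach it can have its lines indexed as pan_threat/pan_traffic — and from there fed into threat_lookup, the field aliases and the accelerated data model — simply by emitting `x,x,x,THREAT,` at the start of a line. Anchoring with `^` is an improvement over the old unanchored groups, but these stanzas should only be referenced from a TRANSFORMS- line on the PAN-specific input sourcetype (that props.conf stanza is not in this diff) and the input itself should be restricted to the firewalls' addresses. Note also that `[^,]+` requires the first three fields to be non-empty; a sender that emits an empty leading field would silently keep the default sourcetype and get no field extraction, so `^[^,]*,[^,]*,[^,]*,THREAT,` is the safer form if that can occur. A comment above the first stanza would help the next maintainer: `# Route by the 4th CSV field (log type); any event on this input matching the pattern is classified, so keep the input PAN-only.`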
@@ -52,29 +51,18 @@ FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","futu DELIMS = "," FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","future_use3","virtual_system","event_id","object","future_use4","future_use5","module","severity","description","sequence_number","action_flags" -[extract_threatid] SOURCE_KEY = threat_id -REGEX = \((\d+)\) -FORMAT = threat_id::$1 +[extract_threat_id] +REGEX = \((?\d+)\) -[extract_urlhost] +[extract_dst_hostname] SOURCE_KEY = misc -REGEX = ^([^/]*)/ -FORMAT = dst_hostname::$1 +REGEX = ^(?[^/]*)/ -[extract_reportid] -SOURCE_KEY = threat_id -REGEX = \((\d+)\) -FORMAT = report_id::$1 - -[extract_domain] -REGEX = (?:[^:]*:){2}\d+ (\d+.\d+.\d+.\d+) -FORMAT = domain::$1 +[extract_major_content_type] +SOURCE_KEY = content_type +REGEX = ^(?[^/]*)/ -[extract_configsubtype] -#SOURCE_KEY = type -REGEX = ([^,]+,[^,]+,[^,]+,CONFIG,) -FORMAT = log_subtype::config [extract_wildfire_report] MV_ADD = true From c494457b07845f9689eb64cb806cf3aa21983e95 Mon Sep 17 00:00:00 2001 From: Brian Torres-Gil Date: Wed, 14 May 2014 16:09:49 -0700 Subject: [PATCH 02/16] Add url and filename fields and fix major_content_type field --- default/data/models/pan_logs.json | 37969 ++++++++++++++++++++++++---- default/props.conf | 3 +- default/transforms.conf | 3 + 3 files changed, 33458 insertions(+), 4517 deletions(-) diff --git a/default/data/models/pan_logs.json b/default/data/models/pan_logs.json index f3173f4d..446def63 100644 --- a/default/data/models/pan_logs.json +++ b/default/data/models/pan_logs.json 
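Review bot: As the hunk reads, the context line `SOURCE_KEY = threat_id` now sits above the new `[extract_threat_id]` header rather than inside it, so on the new side it belongs to the preceding delimiter-based stanza (whose header is outside the hunk) and `[extract_threat_id]` has no SOURCE_KEY at all. Two effects would follow: the preceding stanza's DELIMS/FIELDS split would be applied to the threat_id field instead of _raw, and `\((?<threat_id>\d+)\)` would run against the whole raw event, capturing the first parenthesised number anywhere in the line — including one inside a log-supplied URL or filename — and that value then drives threat_lookup and the report_id alias. Move the line under the header: `[extract_threat_id]` / `SOURCE_KEY = threat_id` / `REGEX = \((?<threat_id>\d+)\)`. Separately, the named groups render here as `(?\d+)` and `(?[^/]*)`; presumably the `<name>` part was stripped by markup, but confirm the committed file carries it, since a transform with neither FORMAT nor a named group extracts nothing.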
@@ -1,4657 +1,33594 @@ { + "modelName": "pan_logs", + "displayName": "Palo Alto Networks Logs", + "description": "This datamodel represents all the syslogs produced by Palo Alto Networks devices. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated.", + "objectSummary": { + "Event-Based": 17, + "Transaction-Based": 0, + "Search-Based": 0 + }, "objects": [ { - "displayName": "All Logs", + "objectName": "log", + "displayName": "All Logs", + "parentName": "BaseEvent", "fields": [ { - "fieldName": "action", - "required": false, - "displayName": "action", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "action_flags", - "required": false, - "displayName": "action_flags", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "admin", - "required": false, - "displayName": "admin", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "app", - "required": false, - "displayName": "app", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "application", - "required": false, - "displayName": "application", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "bytes_received", - "required": false, - "displayName": "bytes_received", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "bytes_sent", - "required": false, - "displayName": "bytes_sent", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "category", - "required": false, - "displayName": "category", - "comment": "", - "hidden": false, - "type": 
"string", - "multivalue": false - }, - { - "fieldName": "admin_ip", - "required": false, - "displayName": "admin_ip", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "admin_type", - "required": false, - "displayName": "admin_type", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "cmd", - "required": false, - "displayName": "cmd", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "command", - "required": false, - "displayName": "command", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "configuration_path", - "required": false, - "displayName": "configuration_path", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "content_type", - "required": false, - "displayName": "content_type", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "date_hour", - "required": false, - "displayName": "date_hour", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "date_mday", - "required": false, - "displayName": "date_mday", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "date_minute", - "required": false, - "displayName": "date_minute", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "date_month", - "required": false, - "displayName": "date_month", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "date_second", - "required": false, - "displayName": "date_second", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "date_wday", - "required": false, - "displayName": "date_wday", - "comment": "", - "hidden": false, - 
"type": "string", - "multivalue": false - }, - { - "fieldName": "date_year", - "required": false, - "displayName": "date_year", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "date_zone", - "required": false, - "displayName": "date_zone", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "description", - "required": false, - "displayName": "description", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "dest", - "required": false, - "displayName": "dest", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "dest_ip", - "required": false, - "displayName": "dest_ip", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "dest_port", - "required": false, - "displayName": "dest_port", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "direction", - "required": false, - "displayName": "direction", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "dst_hostname", - "required": false, - "displayName": "dst_hostname", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "dst_ip", - "required": false, - "displayName": "dst_ip", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "dst_location", - "required": false, - "displayName": "dst_location", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "dst_port", - "required": false, - "displayName": "dst_port", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "dst_user", - "required": false, - "displayName": "dst_user", - "comment": "", - "hidden": false, - "type": "string", 
- "multivalue": false - }, - { - "fieldName": "dst_zone", - "required": false, - "displayName": "dst_zone", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "dvc", - "required": false, - "displayName": "dvc", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "egress_interface", - "required": false, - "displayName": "egress_interface", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "event_id", - "required": false, - "displayName": "event_id", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "eventtype", - "required": false, - "displayName": "eventtype", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "flags", - "required": false, - "displayName": "flags", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "generated_time", - "required": false, - "displayName": "generated_time", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "index", - "required": false, - "displayName": "index", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "ingress_interface", - "required": false, - "displayName": "ingress_interface", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "linecount", - "required": false, - "displayName": "linecount", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "log_forwarding_profile", - "required": false, - "displayName": "log_forwarding_profile", - "comment": "", - "hidden": 
false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "log_subtype", - "required": false, - "displayName": "log_subtype", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "log_type", - "required": false, - "displayName": "log_type", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "misc", - "required": false, - "displayName": "misc", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "module", - "required": false, - "displayName": "module", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "nat_dst_ip", - "required": false, - "displayName": "nat_dst_ip", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "nat_dst_port", - "required": false, - "displayName": "nat_dst_port", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "nat_src_ip", - "required": false, - "displayName": "nat_src_ip", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "nat_src_port", - "required": false, - "displayName": "nat_src_port", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "packets", - "required": false, - "displayName": "packets", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "packets_received", - "required": false, - "displayName": "packets_received", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "packets_sent", - "required": false, - "displayName": "packets_sent", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "path", - "required": false, - "displayName": "path", - "comment": "", - "hidden": 
true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "product", - "required": false, - "displayName": "product", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "protocol", - "required": false, - "displayName": "protocol", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "punct", - "required": false, - "displayName": "punct", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "receive_time", - "required": false, - "displayName": "receive_time", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "repeat_count", - "required": false, - "displayName": "repeat_count", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "result", - "required": false, - "displayName": "result", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "rule", - "required": false, - "displayName": "rule", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "rule_name", - "required": false, - "displayName": "rule_name", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "sequence_number", - "required": false, - "displayName": "sequence_number", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "serial", - "required": false, - "displayName": "serial", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "serial_number", - "required": false, - "displayName": "serial_number", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "session_id", - "required": false, - "displayName": "session_id", - "comment": "", - "hidden": false, - 
"type": "number", - "multivalue": false - }, - { - "fieldName": "severity", - "required": false, - "displayName": "severity", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "splunk_server", - "required": false, - "displayName": "splunk_server", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "src", - "required": false, - "displayName": "src", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "src_ip", - "required": false, - "displayName": "src_ip", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "src_location", - "required": false, - "displayName": "src_location", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "src_port", - "required": false, - "displayName": "src_port", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "src_user", - "required": false, - "displayName": "src_user", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "src_zone", - "required": false, - "displayName": "src_zone", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "start_time", - "required": false, - "displayName": "start_time", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "tag", - "required": false, - "displayName": "tag", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "tag::eventtype", - "required": false, - "displayName": "tag::eventtype", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": false, - "type": "string", - 
"multivalue": false - }, - { - "fieldName": "report_id", - "required": false, - "displayName": "report_id", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "timeendpos", - "required": false, - "displayName": "timeendpos", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "timestartpos", - "required": false, - "displayName": "timestartpos", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "transport", - "required": false, - "displayName": "transport", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "type", - "required": false, - "displayName": "type", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "vendor", - "required": false, - "displayName": "vendor", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "virtual_system", - "required": false, - "displayName": "virtual_system", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "vsys", - "required": false, - "displayName": "vsys", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "ABLE_TO_TRANSFER_FILE", - "required": false, - "displayName": "application: capable of file transfer", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "DEFAULT_PORTS", - "required": false, - "displayName": "application: standard ports", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "RISK", - "required": false, - "displayName": "application: risk", - "comment": "", - "hidden": false, - "type": "number", - "multivalue": false - }, - { - "fieldName": "EXCESSIVE_BANDWIDTH", - "required": false, - "displayName": "application: 
excessive bandwidth", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "CATEGORY", - "required": false, - "displayName": "application: category", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "PRONE_TO_MISUSE", - "required": false, - "displayName": "application: prone to misuse", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "PERVASIVE_USE", - "required": false, - "displayName": "application: widely use", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "EVASIVE", - "required": false, - "displayName": "application: evasive", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "TECHNOLOGY", - "required": false, - "displayName": "application: technology", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "SUBCATEGORY", - "required": false, - "displayName": "application: subcategory", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "HAS_KNOWN_VULNERABILITY", - "required": false, - "displayName": "application: has known vulnerabilities", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "TUNNEL_OTHER_APPLICATION", - "required": false, - "displayName": "application: tunnels other applications", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "USED_BY_MALWARE", - "required": false, - "displayName": "application: used by malware", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", - "required": false, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", - "comment": "", - "hidden": 
true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.file.file_deleted{@pid}", - "required": false, - "displayName": "wildfire.report.file.file_deleted{@pid}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", - "required": false, - "displayName": "wildfire.report.file.file_deleted{@process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.file.file_written{@pid}", - "required": false, - "displayName": "wildfire.report.file.file_written{@pid}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.file.file_written{@process_image}", - "required": false, - "displayName": "wildfire.report.file.file_written{@process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.file.file_written{@written_file}", - "required": false, - "displayName": "wildfire.report.file.file_written{@written_file}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.id", - "required": false, - "displayName": "wildfire.report.id", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "wildfire.report.malware", - "required": false, - "displayName": "wildfire.report.malware", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.md5", - "required": false, - "displayName": "wildfire.report.md5", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.dns{@query}", - "required": false, - "displayName": "wildfire.report.network.dns{@query}", - "comment": "", - "hidden": true, - "type": "string", - 
"multivalue": false - }, - { - "fieldName": "wildfire.report.network.dns{@type}", - "required": false, - "displayName": "wildfire.report.network.dns{@type}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", - "required": false, - "displayName": "wildfire.report.network.tcp-connection{@ip}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", - "required": false, - "displayName": "wildfire.report.network.tcp-connection{@pid}", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@port}", - "required": false, - "displayName": "wildfire.report.network.tcp-connection{@port}", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", - "required": false, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.TCP{@country}", - "required": false, - "displayName": "wildfire.report.network.TCP{@country}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.TCP{@ip}", - "required": false, - "displayName": "wildfire.report.network.TCP{@ip}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.TCP{@port}", - "required": false, - "displayName": "wildfire.report.network.TCP{@port}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.UDP{@country}", - "required": false, - "displayName": "wildfire.report.network.UDP{@country}", - "comment": 
"", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.UDP{@ip}", - "required": false, - "displayName": "wildfire.report.network.UDP{@ip}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.UDP{@port}", - "required": false, - "displayName": "wildfire.report.network.UDP{@port}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.url{@host}", - "required": false, - "displayName": "wildfire.report.network.url{@host}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.url{@method}", - "required": false, - "displayName": "wildfire.report.network.url{@method}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.url{@uri}", - "required": false, - "displayName": "wildfire.report.network.url{@uri}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.network.url{@user_agent}", - "required": false, - "displayName": "wildfire.report.network.url{@user_agent}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.process.process_created{@child_pid}", - "required": false, - "displayName": "wildfire.report.process.process_created{@child_pid}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", - "required": false, - "displayName": "wildfire.report.process.process_created{@child_process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", - "required": false, - "displayName": 
"wildfire.report.process.process_created{@parent_pid}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", - "required": false, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", - "required": false, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", - "required": false, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", - "required": false, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", - "required": false, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", - "required": false, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", - "required": false, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": 
"wildfire.report.registry.DeleteKey{@reg_key}", - "required": false, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", - "required": false, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", - "required": false, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", - "required": false, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", - "required": false, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", - "required": false, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", - "required": false, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.sha256", - "required": false, - "displayName": "wildfire.report.sha256", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.size", - "required": false, - "displayName": "wildfire.report.size", - "comment": "", - 
"hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "wildfire.report.summary.entry", - "required": false, - "displayName": "wildfire.report.summary.entry", - "comment": "", - "hidden": true, - "type": "string", - "multivalue": false - }, - { - "fieldName": "wildfire.report.task", - "required": false, - "displayName": "wildfire.report.task", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "wildfire.report.version", - "required": false, - "displayName": "wildfire.report.version", - "comment": "", - "hidden": true, - "type": "number", - "multivalue": false - }, - { - "fieldName": "client_location", - "required": false, - "displayName": "client_location", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "dst_class", - "required": false, - "displayName": "dst_class", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "server_ip", - "required": false, - "displayName": "server_ip", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "server_location", - "required": false, - "displayName": "server_location", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "src_class", - "required": false, - "displayName": "src_class", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "client_ip", - "required": false, - "displayName": "client_ip", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - }, - { - "fieldName": "user", - "required": false, - "displayName": "user", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + 
"editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": 
false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + 
}, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", 
+ "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": 
false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { 
+ "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "BaseEvent", - "calculations": 
[], + ], + "calculations": [], "constraints": [ { - "search": "index=\"pan_logs\"" + "search": "index=\"pan_logs\"", + "owner": "log" } - ], - "objectName": "log" - }, + ], + "lineage": "log" + }, { - "displayName": "Traffic", + "objectName": "traffic", + "displayName": "Traffic", + "parentName": "log", "fields": [ { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "start_time", - "required": false, - "displayName": "start_time", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "bytes_received", - "required": false, - "displayName": "bytes_received", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes_sent", - "required": false, - "displayName": "bytes_sent", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "egress_interface", - "required": false, - "displayName": "egress_interface", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "ingress_interface", - "required": false, - "displayName": "ingress_interface", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "packets", - "required": false, - "displayName": "packets", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "packets_received", - "required": false, - "displayName": "packets_received", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "packets_sent", - "required": false, - "displayName": "packets_sent", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": 
"log", - "type": "number" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, 
+ "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, 
+ "hidden": false, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: 
evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": 
false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": 
false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": 
"number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + 
"editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, 
+ "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "log", + ], "calculations": [ { - "calculationID": "399y2eyb79j2a9k9", - "calculationType": "Eval", "outputFields": [ { - "fieldName": "dst_ip_port", - "required": false, - "displayName": "dst_ip_port", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false + "fieldName": "dst_ip_port", + "owner": "log.traffic", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip_port", + "comment": "", + "fieldSearch": "" } - ], - "expression": "dst_ip.\",\".dst_port", - "comment": "" + ], + "calculationID": "399y2eyb79j2a9k9", + "owner": "log.traffic", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "dst_ip.\",\".dst_port" } - ], + ], "constraints": [ { - "search": "type=\"TRAFFIC\"" + "search": "type=\"TRAFFIC\"", + "owner": "log.traffic" } - ], - "objectName": "traffic" - }, + ], + "lineage": "log.traffic" + }, { - "displayName": "Flow Start", + "objectName": "start", + "displayName": "Flow Start", + "parentName": "traffic", "fields": [ { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "start_time", - "required": false, - "displayName": "start_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "packets_sent", - "required": false, - "displayName": "packets_sent", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "packets_received", - "required": false, - "displayName": "packets_received", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "packets", 
- "required": false, - "displayName": "packets", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "ingress_interface", - "required": false, - "displayName": "ingress_interface", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "egress_interface", - "required": false, - "displayName": "egress_interface", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "bytes_sent", - "required": false, - "displayName": "bytes_sent", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes_received", - "required": false, - "displayName": "bytes_received", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + 
}, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": 
"number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + 
"owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known 
vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "traffic", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "log_subtype=\"start\"" + "search": "log_subtype=\"start\"", + "owner": "log.traffic.start" } - ], - "objectName": "start" - }, + ], + "lineage": "log.traffic.start" + }, { - "displayName": "Flow End", + "objectName": "end", + "displayName": "Flow End", + "parentName": "traffic", "fields": [ { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": 
true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "start_time", - "required": false, - "displayName": "start_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "packets_sent", - "required": false, - "displayName": "packets_sent", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "packets_received", - "required": false, - "displayName": "packets_received", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "packets", - "required": false, - "displayName": "packets", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "ingress_interface", - "required": false, - "displayName": "ingress_interface", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "egress_interface", - "required": false, - "displayName": "egress_interface", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "bytes_sent", - "required": false, - "displayName": "bytes_sent", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes_received", - "required": false, - "displayName": "bytes_received", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" + "fieldName": "action", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": 
"log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", 
+ "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" 
+ }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", 
+ "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, 
+ { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": 
true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "traffic", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "log_subtype=\"end\"" + "search": "log_subtype=\"end\"", + "owner": "log.traffic.end" } - ], - "objectName": "end" - }, + ], + "lineage": "log.traffic.end" + }, { - "displayName": "Threat", + "objectName": "threat", + "displayName": "Threat", + "parentName": "log", "fields": [ { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "severity", - "required": false, - "displayName": "severity", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": 
"log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, 
+ "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive 
bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + 
}, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + 
"owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "log", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "type=\"THREAT\" (log_subtype=\"vulnerability\" OR log_subtype=\"virus\" OR log_subtype=\"spyware\")" + "search": "type=\"THREAT\" (log_subtype=\"vulnerability\" OR log_subtype=\"virus\" OR log_subtype=\"spyware\")", + "owner": "log.threat" } - ], - "objectName": "threat" - }, + ], + "lineage": "log.threat" + }, { - "displayName": "Vulnerability", + "objectName": "vulnerability", + "displayName": "Vulnerability", + "parentName": "threat", "fields": [ { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - 
"hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "severity", - "required": false, - "displayName": "severity", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, 
+ "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": 
true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", 
+ "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + 
}, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", 
+ "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", 
+ "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "threat", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "log_subtype=\"vulnerability\"" + "search": "log_subtype=\"vulnerability\"", + "owner": "log.threat.vulnerability" } - ], - "objectName": "vulnerability" - }, + ], + "lineage": "log.threat.vulnerability" + }, { - "displayName": "Virus", + "objectName": "virus", + "displayName": "Virus", + "parentName": "threat", "fields": [ { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "severity", - "required": false, - "displayName": "severity", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": 
false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + 
"editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": 
false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": 
false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": 
true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + 
"owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "threat", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "log_subtype=\"virus\"" + "search": "log_subtype=\"virus\"", + "owner": "log.threat.virus" } - ], - 
"objectName": "virus" - }, + ], + "lineage": "log.threat.virus" + }, { - "displayName": "Spyware", + "objectName": "spyware", + "displayName": "Spyware", + "parentName": "threat", "fields": [ { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "severity", - "required": false, - "displayName": "severity", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, 
+ "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": 
"number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": 
false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": 
"log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, 
+ "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": 
true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "threat", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "log_subtype=\"spyware\"" + "search": "log_subtype=\"spyware\"", + "owner": "log.threat.spyware" } - ], - "objectName": "spyware" - }, + ], + "lineage": "log.threat.spyware" + }, { - "displayName": "URL Filtering", + "objectName": "url", + "displayName": "URL Filtering", + "parentName": "log", "fields": [ { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": 
"number" - }, - { - "fieldName": "dst_hostname", - "required": false, - "displayName": "dst_hostname", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "egress_interface", - "required": false, - "displayName": "egress_interface", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "ingress_interface", - "required": false, - "displayName": "ingress_interface", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "timeendpos", - "required": false, - "displayName": "timeendpos", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - } - ], - "comment": "", - "parentName": "log", - "calculations": [ - { - "inputField": "content_type", - "outputFields": [ - { - "fieldName": "major_content_type", - "required": false, - "displayName": "major_content_type", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false - } - ], - "comment": "", - "calculationID": "09k28rp5v6j38fr", - "calculationType": "Rex", - "expression": "(?.*)/" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": 
true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", 
+ "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": 
false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + 
}, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + 
"owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": 
true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": 
false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], + ], + "calculations": [], "constraints": [ { - "search": "log_subtype=\"url\"" + "search": "log_subtype=\"url\"", + "owner": "log.url" } - ], - "objectName": "url" - }, + ], + "lineage": "log.url" + }, { - "displayName": "File Blocking", + "objectName": "file", + "displayName": "File Blocking", + "parentName": "log", "fields": [ { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" + "fieldName": "action", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, 
+ { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", 
+ "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, 
+ "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", 
+ "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, 
+ { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": 
true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "log", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "log_subtype=\"file\"" + "search": "log_subtype=\"file\"", + "owner": "log.file" } - ], - "objectName": "file" - }, + ], + "lineage": "log.file" + }, { - "displayName": "Data Filtering", + "objectName": "data", + "displayName": "Data Filtering", + "parentName": "log", "fields": [ { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": 
"log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, 
+ "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", 
+ "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + 
}, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + 
"owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "log", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "log_subtype=\"data\"" + "search": "log_subtype=\"data\"", + "owner": "log.data" } - ], - "objectName": "data" - }, + ], + "lineage": "log.data" + }, { - "displayName": "WildFire", + "objectName": "wildfire", + "displayName": "WildFire", + "parentName": "log", "fields": [ { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "report_id", - "required": false, - "displayName": "report_id", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - 
"comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + 
"editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": 
false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, 
+ "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", 
+ "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + 
"editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": 
true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": 
"", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, 
+ "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, 
+ "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": 
false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "log", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "log_subtype=\"wildfire\"" + "search": "log_subtype=\"wildfire\"", + "owner": "log.wildfire" } - ], - "objectName": "wildfire" - }, + ], + "lineage": "log.wildfire" + }, { - "displayName": "WildFire Report", + "objectName": "wildfire_report", + "displayName": "WildFire Report", + "parentName": "log", "fields": [ { - "fieldName": "user", - "required": false, - "displayName": "user", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "client_location", - "required": false, - "displayName": "client_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "server_ip", - "required": false, - "displayName": "server_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "server_location", - "required": false, - "displayName": "server_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "client_ip", - "required": false, - "displayName": "client_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_class", - "required": false, - "displayName": "dst_class", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_class", - "required": false, - "displayName": "src_class", - "comment": "", - 
"hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", - "required": false, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.file.file_deleted{@pid}", - "required": false, - "displayName": "wildfire.report.file.file_deleted{@pid}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", - "required": false, - "displayName": "wildfire.report.file.file_deleted{@process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.file.file_written{@pid}", - "required": false, - "displayName": "wildfire.report.file.file_written{@pid}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.file.file_written{@process_image}", - "required": false, - "displayName": "wildfire.report.file.file_written{@process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.file.file_written{@written_file}", - "required": false, - 
"displayName": "wildfire.report.file.file_written{@written_file}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.id", - "required": false, - "displayName": "wildfire.report.id", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "wildfire.report.malware", - "required": false, - "displayName": "wildfire.report.malware", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.md5", - "required": false, - "displayName": "wildfire.report.md5", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.dns{@query}", - "required": false, - "displayName": "wildfire.report.network.dns{@query}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.dns{@type}", - "required": false, - "displayName": "wildfire.report.network.dns{@type}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", - "required": false, - "displayName": "wildfire.report.network.tcp-connection{@ip}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", - "required": false, - "displayName": "wildfire.report.network.tcp-connection{@pid}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@port}", - "required": false, - "displayName": "wildfire.report.network.tcp-connection{@port}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - 
"type": "number" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", - "required": false, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.TCP{@country}", - "required": false, - "displayName": "wildfire.report.network.TCP{@country}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.TCP{@ip}", - "required": false, - "displayName": "wildfire.report.network.TCP{@ip}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.TCP{@port}", - "required": false, - "displayName": "wildfire.report.network.TCP{@port}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.UDP{@country}", - "required": false, - "displayName": "wildfire.report.network.UDP{@country}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.UDP{@ip}", - "required": false, - "displayName": "wildfire.report.network.UDP{@ip}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.UDP{@port}", - "required": false, - "displayName": "wildfire.report.network.UDP{@port}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.url{@host}", - "required": false, - "displayName": "wildfire.report.network.url{@host}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.url{@method}", - 
"required": false, - "displayName": "wildfire.report.network.url{@method}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.url{@uri}", - "required": false, - "displayName": "wildfire.report.network.url{@uri}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.network.url{@user_agent}", - "required": false, - "displayName": "wildfire.report.network.url{@user_agent}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.process.process_created{@child_pid}", - "required": false, - "displayName": "wildfire.report.process.process_created{@child_pid}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", - "required": false, - "displayName": "wildfire.report.process.process_created{@child_process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", - "required": false, - "displayName": "wildfire.report.process.process_created{@parent_pid}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", - "required": false, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", - "required": false, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", - "comment": "", - "hidden": false, - "multivalue": 
false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", - "required": false, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", - "required": false, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", - "required": false, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", - "required": false, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", - "required": false, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", - "required": false, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", - "required": false, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": 
"wildfire.report.registry.DeleteValueKey{@process_image}", - "required": false, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", - "required": false, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", - "required": false, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", - "required": false, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", - "required": false, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.sha256", - "required": false, - "displayName": "wildfire.report.sha256", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.size", - "required": false, - "displayName": "wildfire.report.size", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "wildfire.report.summary.entry", - "required": false, - "displayName": "wildfire.report.summary.entry", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "wildfire.report.task", - "required": 
false, - "displayName": "wildfire.report.task", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "wildfire.report.version", - "required": false, - "displayName": "wildfire.report.version", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "action", - "required": false, - "displayName": "action", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "action_flags", - "required": false, - "displayName": "action_flags", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "application", - "required": false, - "displayName": "application", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "category", - "required": false, - "displayName": "category", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "content_type", - "required": false, - "displayName": "content_type", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dest_ip", - "required": false, - "displayName": "dest_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dest_port", - "required": false, - "displayName": "dest_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "direction", - "required": false, - "displayName": "direction", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_ip", - "required": false, - "displayName": "dst_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": 
"string" - }, - { - "fieldName": "dst_location", - "required": false, - "displayName": "dst_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_port", - "required": false, - "displayName": "dst_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "dst_user", - "required": false, - "displayName": "dst_user", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_zone", - "required": false, - "displayName": "dst_zone", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dvc", - "required": false, - "displayName": "dvc", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "flags", - "required": false, - "displayName": "flags", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "generated_time", - "required": false, - "displayName": "generated_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "log_forwarding_profile", - "required": false, - "displayName": "log_forwarding_profile", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "log_subtype", - "required": false, - "displayName": "log_subtype", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "misc", - "required": false, - "displayName": "misc", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "nat_dst_ip", - "required": false, - "displayName": "nat_dst_ip", - "comment": "", - "hidden": true, - "multivalue": false, - 
"owner": "log", - "type": "string" - }, - { - "fieldName": "nat_dst_port", - "required": false, - "displayName": "nat_dst_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "nat_src_ip", - "required": false, - "displayName": "nat_src_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "nat_src_port", - "required": false, - "displayName": "nat_src_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "protocol", - "required": false, - "displayName": "protocol", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "receive_time", - "required": false, - "displayName": "receive_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "repeat_count", - "required": false, - "displayName": "repeat_count", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "rule", - "required": false, - "displayName": "rule", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "sequence_number", - "required": false, - "displayName": "sequence_number", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "serial_number", - "required": false, - "displayName": "serial_number", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "session_id", - "required": false, - "displayName": "session_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "src_ip", - "required": false, - "displayName": "src_ip", - "comment": "", 
- "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_location", - "required": false, - "displayName": "src_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_port", - "required": false, - "displayName": "src_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "src_user", - "required": false, - "displayName": "src_user", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_zone", - "required": false, - "displayName": "src_zone", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "type", - "required": false, - "displayName": "type", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "virtual_system", - "required": false, - "displayName": "virtual_system", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "ABLE_TO_TRANSFER_FILE", - "required": false, - "displayName": "application: capable of file transfer", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "DEFAULT_PORTS", - "required": false, - "displayName": "application: standard ports", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "RISK", - "required": false, - "displayName": "application: risk", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "EXCESSIVE_BANDWIDTH", - "required": false, - "displayName": "application: excessive bandwidth", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": 
"string" - }, - { - "fieldName": "CATEGORY", - "required": false, - "displayName": "application: category", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "PRONE_TO_MISUSE", - "required": false, - "displayName": "applicaiton: prone to misuse", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "PERVASIVE_USE", - "required": false, - "displayName": "application: widely use", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "EVASIVE", - "required": false, - "displayName": "application: evasive", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "TECHNOLOGY", - "required": false, - "displayName": "application: technology", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "SUBCATEGORY", - "required": false, - "displayName": "application: subcategory", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "HAS_KNOWN_VULNERABILITY", - "required": false, - "displayName": "application: has known vulnerabilities", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "TUNNEL_OTHER_APPLICATION", - "required": false, - "displayName": "application: tunnels other applications", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "USED_BY_MALWARE", - "required": false, - "displayName": "application: used by malware", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": 
true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", 
+ "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + 
}, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", 
+ "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": 
true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": 
true, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "applicaiton: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: 
technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": 
"log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": 
false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + 
}, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": 
false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "log", + ], "calculations": [ 
{ - "calculationID": "2rucodj8x0uul3di", - "calculationType": "Eval", "outputFields": [ { - "fieldName": "tcp_ip_port", - "required": false, - "displayName": "tcp_ip_port", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false + "fieldName": "tcp_ip_port", + "owner": "log.wildfire_report", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tcp_ip_port", + "comment": "", + "fieldSearch": "" } - ], - "expression": "tcp_ip_port", - "comment": "" - }, + ], + "calculationID": "2rucodj8x0uul3di", + "owner": "log.wildfire_report", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "tcp_ip_port" + }, { - "calculationID": "4kmhncs3aj198uxr", - "calculationType": "Eval", "outputFields": [ { - "fieldName": "udp_ip_port", - "required": false, - "displayName": "udp_ip_port", - "comment": "", - "hidden": false, - "type": "string", - "multivalue": false + "fieldName": "udp_ip_port", + "owner": "log.wildfire_report", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "udp_ip_port", + "comment": "", + "fieldSearch": "" } - ], - "expression": "mvzip(udp_ip,udp_port)", - "comment": "" + ], + "calculationID": "4kmhncs3aj198uxr", + "owner": "log.wildfire_report", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "mvzip(udp_ip,udp_port)" } - ], + ], "constraints": [ { - "search": "sourcetype=\"pan_wildfire_report\"" + "search": "sourcetype=\"pan_wildfire_report\"", + "owner": "log.wildfire_report" } - ], - "objectName": "wildfire_report" - }, + ], + "lineage": "log.wildfire_report" + }, { - "displayName": "Benign File", + "objectName": "benign", + "displayName": "Benign File", + "parentName": "wildfire", "fields": [ { - "fieldName": "report_id", - "required": false, - "displayName": "report_id", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": 
"log", - "type": "string" - }, - { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": 
"number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": 
true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": 
false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", 
+ "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + 
"editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": 
false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", 
+ "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": 
"BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "wildfire", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "category=\"benign\"" + "search": "category=\"benign\"", + "owner": "log.wildfire.benign" } - ], - "objectName": "benign" - }, + ], + "lineage": "log.wildfire.benign" + }, { - "displayName": "Malicious File", + "objectName": "malicious", + "displayName": "Malicious File", + "parentName": "wildfire", "fields": [ { - "fieldName": "report_id", - "required": false, - "displayName": "report_id", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": 
true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": 
false, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + 
"owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": 
false, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": 
"wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { 
+ "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "wildfire", - "calculations": [], 
+ ], + "calculations": [], "constraints": [ { - "search": "category=\"malicious\"" + "search": "category=\"malicious\"", + "owner": "log.wildfire.malicious" } - ], - "objectName": "malicious" - }, + ], + "lineage": "log.wildfire.malicious" + }, { - "displayName": "Config", + "objectName": "config", + "displayName": "Config", + "parentName": "log", "fields": [ { - "fieldName": "user", - "required": false, - "displayName": "user", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "client_location", - "required": false, - "displayName": "client_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "server_ip", - "required": false, - "displayName": "server_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "server_location", - "required": false, - "displayName": "server_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "client_ip", - "required": false, - "displayName": "client_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_class", - "required": false, - "displayName": "dst_class", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_class", - "required": false, - "displayName": "src_class", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "result", - "required": false, - "displayName": "result", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "configuration_path", - "required": false, - "displayName": "configuration_path", - "comment": "", - "hidden": false, - "multivalue": false, - 
"owner": "log", - "type": "string" - }, - { - "fieldName": "admin_ip", - "required": false, - "displayName": "admin_ip", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "admin_type", - "required": false, - "displayName": "admin_type", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "admin", - "required": false, - "displayName": "admin", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "command", - "required": false, - "displayName": "command", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "action", - "required": false, - "displayName": "action", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "application", - "required": false, - "displayName": "application", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "category", - "required": false, - "displayName": "category", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "content_type", - "required": false, - "displayName": "content_type", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dest_ip", - "required": false, - "displayName": "dest_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dest_port", - "required": false, - "displayName": "dest_port", - "comment": "", - "hidden": true, - "multivalue": false, - 
"owner": "log", - "type": "number" - }, - { - "fieldName": "direction", - "required": false, - "displayName": "direction", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_ip", - "required": false, - "displayName": "dst_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_location", - "required": false, - "displayName": "dst_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_port", - "required": false, - "displayName": "dst_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "dst_user", - "required": false, - "displayName": "dst_user", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_zone", - "required": false, - "displayName": "dst_zone", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": "elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "flags", - "required": false, - "displayName": "flags", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "generated_time", - "required": false, - "displayName": "generated_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "log_forwarding_profile", - "required": false, - "displayName": "log_forwarding_profile", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "misc", - "required": false, - "displayName": "misc", - "comment": "", - "hidden": 
true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "nat_dst_ip", - "required": false, - "displayName": "nat_dst_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "nat_dst_port", - "required": false, - "displayName": "nat_dst_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "nat_src_ip", - "required": false, - "displayName": "nat_src_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "nat_src_port", - "required": false, - "displayName": "nat_src_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "protocol", - "required": false, - "displayName": "protocol", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "repeat_count", - "required": false, - "displayName": "repeat_count", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "rule", - "required": false, - "displayName": "rule", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "session_id", - "required": false, - "displayName": "session_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "src_ip", - "required": false, - "displayName": "src_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_location", - "required": false, - "displayName": "src_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_port", - "required": false, - "displayName": "src_port", - 
"comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "src_user", - "required": false, - "displayName": "src_user", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_zone", - "required": false, - "displayName": "src_zone", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "ABLE_TO_TRANSFER_FILE", - "required": false, - "displayName": "application: capable of file transfer", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "DEFAULT_PORTS", - "required": false, - "displayName": "application: standard ports", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "RISK", - "required": false, - "displayName": "application: risk", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "EXCESSIVE_BANDWIDTH", - "required": false, - "displayName": "application: excessive bandwidth", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "CATEGORY", - "required": false, - "displayName": "application: category", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "PRONE_TO_MISUSE", - "required": false, - "displayName": "application: prone to misuse", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "PERVASIVE_USE", - "required": false, - "displayName": "application: widely use", - "comment": "", - 
"hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "EVASIVE", - "required": false, - "displayName": "application: evasive", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "TECHNOLOGY", - "required": false, - "displayName": "application: technology", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "SUBCATEGORY", - "required": false, - "displayName": "application: subcategory", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "HAS_KNOWN_VULNERABILITY", - "required": false, - "displayName": "application: has known vulnerabilities", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "TUNNEL_OTHER_APPLICATION", - "required": false, - "displayName": "application: tunnels other applications", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "USED_BY_MALWARE", - "required": false, - "displayName": "application: used by malware", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": 
false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", 
+ "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: has known vulnerabilities", 
+ "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": 
"log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": 
"log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + 
"multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + 
"owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "log", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "type=\"CONFIG\"" + "search": "type=\"CONFIG\"", + "owner": "log.config" } - ], - "objectName": "config" - }, + ], + "lineage": "log.config" + }, { - "displayName": "System", + "objectName": "system", + "displayName": "System", + "parentName": "log", "fields": [ { - "fieldName": "user", - "required": false, - "displayName": "user", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_class", - "required": false, - "displayName": "src_class", - "comment": "", - "hidden": true, - 
"multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "client_location", - "required": false, - "displayName": "client_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "server_ip", - "required": false, - "displayName": "server_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "server_location", - "required": false, - "displayName": "server_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "client_ip", - "required": false, - "displayName": "client_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "bytes", - "required": false, - "displayName": "bytes", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "description", - "required": false, - "displayName": "description", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "module", - "required": false, - "displayName": "module", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "event_id", - "required": false, - "displayName": "event_id", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "severity", - "required": false, - "displayName": "severity", - "comment": "", - "hidden": false, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "action", - "required": false, - "displayName": "action", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "application", - "required": false, - "displayName": "application", - 
"comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "category", - "required": false, - "displayName": "category", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "content_type", - "required": false, - "displayName": "content_type", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dest_ip", - "required": false, - "displayName": "dest_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dest_port", - "required": false, - "displayName": "dest_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "direction", - "required": false, - "displayName": "direction", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_ip", - "required": false, - "displayName": "dst_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_location", - "required": false, - "displayName": "dst_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_port", - "required": false, - "displayName": "dst_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "dst_user", - "required": false, - "displayName": "dst_user", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "dst_zone", - "required": false, - "displayName": "dst_zone", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "elapsed_time", - "required": false, - "displayName": 
"elapsed_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "flags", - "required": false, - "displayName": "flags", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "generated_time", - "required": false, - "displayName": "generated_time", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "log_forwarding_profile", - "required": false, - "displayName": "log_forwarding_profile", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "misc", - "required": false, - "displayName": "misc", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "nat_dst_ip", - "required": false, - "displayName": "nat_dst_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "nat_dst_port", - "required": false, - "displayName": "nat_dst_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "nat_src_ip", - "required": false, - "displayName": "nat_src_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "nat_src_port", - "required": false, - "displayName": "nat_src_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "protocol", - "required": false, - "displayName": "protocol", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "repeat_count", - "required": false, - "displayName": "repeat_count", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - 
"fieldName": "rule", - "required": false, - "displayName": "rule", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "session_id", - "required": false, - "displayName": "session_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "src_ip", - "required": false, - "displayName": "src_ip", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_location", - "required": false, - "displayName": "src_location", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_port", - "required": false, - "displayName": "src_port", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "src_user", - "required": false, - "displayName": "src_user", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "src_zone", - "required": false, - "displayName": "src_zone", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "threat_id", - "required": false, - "displayName": "threat_id", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "ABLE_TO_TRANSFER_FILE", - "required": false, - "displayName": "application: capable of file transfer", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "DEFAULT_PORTS", - "required": false, - "displayName": "application: standard ports", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "RISK", - "required": false, - "displayName": "application: risk", - "comment": "", - "hidden": true, - 
"multivalue": false, - "owner": "log", - "type": "number" - }, - { - "fieldName": "EXCESSIVE_BANDWIDTH", - "required": false, - "displayName": "application: excessive bandwidth", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "CATEGORY", - "required": false, - "displayName": "application: category", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "PRONE_TO_MISUSE", - "required": false, - "displayName": "application: prone to misuse", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "PERVASIVE_USE", - "required": false, - "displayName": "application: widely use", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "EVASIVE", - "required": false, - "displayName": "application: evasive", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "TECHNOLOGY", - "required": false, - "displayName": "application: technology", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "SUBCATEGORY", - "required": false, - "displayName": "application: subcategory", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "HAS_KNOWN_VULNERABILITY", - "required": false, - "displayName": "application: has known vulnerabilities", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "TUNNEL_OTHER_APPLICATION", - "required": false, - "displayName": "application: tunnels other applications", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" - }, - { - "fieldName": "USED_BY_MALWARE", - "required": false, - 
"displayName": "application: used by malware", - "comment": "", - "hidden": true, - "multivalue": false, - "owner": "log", - "type": "string" + "fieldName": "action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action_flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action_flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "app", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "application", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bytes_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "category", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "admin_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "admin_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cmd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cmd", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "command", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "command", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "configuration_path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "configuration_path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_hour", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_hour", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_mday", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_mday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_minute", + "owner": 
"log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_minute", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_month", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_month", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_second", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_second", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_wday", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_wday", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_year", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_year", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "date_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "date_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "description", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "description", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dest_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"dest_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dest_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "direction", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "direction", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_hostname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_hostname", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dvc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dvc", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "egress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "egress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "elapsed_time", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "elapsed_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "event_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "event_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "eventtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "flags", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "flags", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "generated_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "generated_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "index", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "index", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ingress_interface", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "ingress_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "linecount", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "linecount", + 
"comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_forwarding_profile", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_forwarding_profile", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_subtype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "log_subtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "log_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "log_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "misc", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "misc", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "module", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "module", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_dst_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_dst_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_dst_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "nat_src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "nat_src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + 
"editable": true, + "displayName": "nat_src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_received", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_received", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "packets_sent", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "packets_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "path", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "path", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "product", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "product", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "protocol", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "protocol", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "punct", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "punct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "receive_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "receive_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "repeat_count", + "owner": "log", + "type": "number", + "required": false, + "multivalue": 
false, + "hidden": true, + "editable": true, + "displayName": "repeat_count", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "result", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "result", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rule_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "rule_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sequence_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sequence_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "serial", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "serial_number", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "serial_number", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "session_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "session_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "severity", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_port", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_zone", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_zone", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "start_time", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "start_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tag::eventtype", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "tag::eventtype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "report_id", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "report_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timeendpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timeendpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "timestartpos", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "timestartpos", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "transport", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "transport", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "virtual_system", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "virtual_system", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vsys", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "vsys", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ABLE_TO_TRANSFER_FILE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: capable of file transfer", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "DEFAULT_PORTS", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: standard ports", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "RISK", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: risk", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EXCESSIVE_BANDWIDTH", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: excessive bandwidth", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "CATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: category", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PRONE_TO_MISUSE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: prone to misuse", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "PERVASIVE_USE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: widely use", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "EVASIVE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, 
+ "hidden": true, + "editable": true, + "displayName": "application: evasive", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TECHNOLOGY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: technology", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "SUBCATEGORY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: subcategory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "HAS_KNOWN_VULNERABILITY", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: has known vulnerabilities", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "TUNNEL_OTHER_APPLICATION", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: tunnels other applications", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "USED_BY_MALWARE", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "application: used by malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_deleted{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.file.file_deleted{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_deleted{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.file.file_written{@written_file}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.file.file_written{@written_file}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@query}", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@query}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.dns{@type}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.dns{@type}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@port}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@ip}", + 
"owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.TCP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.TCP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@country}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@country}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@ip}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@ip}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.UDP{@port}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.UDP{@port}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@host}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@host}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@method}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@method}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@uri}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": 
false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@uri}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.network.url{@user_agent}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.network.url{@user_agent}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"wildfire.report.size", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.task", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.task", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.report.version", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": 
false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" } - ], - "comment": "", - "parentName": "log", - "calculations": [], + ], + "calculations": [], "constraints": [ { - "search": "type=\"SYSTEM\"" + "search": "type=\"SYSTEM\"", + "owner": "log.system" } - ], - "objectName": "system" + ], + "lineage": "log.system" } - ], - "description": "This datamodel represents all the syslogs produced by Palo Alto Networks devices. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated.", - "displayName": "Palo Alto Networks Logs", - "modelName": "pan_logs", - "objectSummary": { - "Event-Based": 17, - "Interface Implementations": 0, - "Search-Based": 0, - "Transaction-Based": 0, - "Interfaces": 0 - }, + ], "objectNameList": [ - "log", - "traffic", - "start", - "end", - "threat", - "vulnerability", - "virus", - "spyware", - "url", - "file", - "data", - "wildfire", - "wildfire_report", - "benign", - "malicious", - "config", + "log", + "traffic", + "start", + "end", + "threat", + "vulnerability", + "virus", + "spyware", + "url", + "file", + "data", + "wildfire", + "wildfire_report", + "benign", + "malicious", + "config", "system" ] -} \ No newline at end of file +} diff --git a/default/props.conf b/default/props.conf index 800a7c4a..7723230d 100755 --- a/default/props.conf +++ b/default/props.conf @@ -7,7 +7,7 @@ MAX_TIMESTAMP_LOOKAHEAD = 44 pulldown_type = true [pan_threat] -REPORT-search = extract_threat, extract_threat_id, extract_dst_hostname, extract_major_content_type +REPORT-search = extract_threat, extract_threat_id, extract_dst_hostname, extract_major_content_type, extract_filename SHOULD_LINEMERGE = false lookup_table = threat_lookup threat_id lookup_table = app_lookup app 
@@ -22,6 +22,7 @@ FIELDALIAS-dest_for_pan_threat = dst_ip as dest
 FIELDALIAS-dest-port_for_pan_threat = dst_port as dest_port
 FIELDALIAS-rule_name_for_pan_threat = rule_name as rule
 FIELDALIAS-report_id_for_pan_threat = threat_id as report_id
+FIELDALIAS-url_for_pan_threat = misc as url
 EVAL-user = coalesce(src_user,dst_user)
 EVAL-server_ip = if(isnull(direction) OR direction="client-to-server", dst_ip, src_ip)
 EVAL-client_ip = if(isnull(direction) OR direction="client-to-server", src_ip, dst_ip)
diff --git a/default/transforms.conf b/default/transforms.conf
index 0761208d..34b7f37e 100755
--- a/default/transforms.conf
+++ b/default/transforms.conf
@@ -63,6 +63,9 @@ REGEX = ^(?[^/]*)/
 SOURCE_KEY = content_type
 REGEX = ^(?[^/]*)/
+[extract_filename]
+SOURCE_KEY = misc
+REGEX = (?[^/?]*)(?:\?.*){0,1}$
 [extract_wildfire_report]
 MV_ADD = true
From 84205923c3c9165b9ac3853f5ad7141e13dac5b5 Mon Sep 17 00:00:00 2001
From: Brian Torres-Gil
Date: Wed, 14 May 2014 16:38:51 -0700
Subject: [PATCH 03/16] Change field threat_id to threat_name. Fix threat_id and report_id to match only the numerical identifier in the threat_name.
---
 default/data/models/pan_logs.json | 204 ++++++++++++++++++
 .../data/ui/views/data_filtering_overview.xml | 4 +-
 default/data/ui/views/threat_detail.xml | 8 +-
 default/data/ui/views/threat_overview.xml | 24 +--
 default/data/ui/views/wildfire_overview.xml | 2 +-
 default/props.conf | 2 +-
 default/savedsearches.conf | 2 +-
 default/transforms.conf | 4 +-
 8 files changed, 227 insertions(+), 23 deletions(-)
diff --git a/default/data/models/pan_logs.json b/default/data/models/pan_logs.json
index 446def63..26dddd42 100644
--- a/default/data/models/pan_logs.json
+++ b/default/data/models/pan_logs.json
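Review bot: `FIELDALIAS-url_for_pan_threat = misc as url` applies to every pan_threat event regardless of subtype, and `misc` is also the column the new `[extract_filename]` transform in this same commit reads, so `url` will carry a filename or other non-URL value for any subtype that does not log a URL in that column (which subtypes those are cannot be confirmed from the hunk). A subtype-gated eval keeps `url` meaningful, e.g. `EVAL-url = if(log_subtype="url", misc, null())`, with the subtype value to be confirmed against real logs; `log_subtype` is the column name the `extract_threat` FIELDS list uses. Either way a one-line comment above the alias stating what `misc` holds per subtype would save the next reader the same question.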
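Review bot: The capture-group name in `REGEX = (?[^/?]*)(?:\?.*){0,1}$` is not visible in this rendering (presumably `(?<filename>…)` with the angle brackets lost), so I could not confirm the stanza yields the `filename` field the data model declares, and the stanza has no comment saying what `misc` is expected to contain. Two small points on the pattern itself: `{0,1}` is just `?`, and a `#fragment` is swallowed into the filename because only `?` terminates the capture; `REGEX = (?<filename>[^/?#]*)(?:[?#].*)?$` covers both. A comment such as `# misc holds the URL for URL-filtering logs; capture the last path segment without query or fragment` would document the intent. Since this runs at search time against URL text from the logs, the pattern's backtracking is linear per start position, which is fine.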
@@ -1921,6 +1921,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -3892,6 +3904,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -5886,6 +5910,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -7857,6 +7893,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -9828,6 +9876,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -11799,6 +11859,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -13770,6 +13842,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -15741,6 +15825,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -17700,6 +17796,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -19671,6 +19779,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -21642,6 +21762,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -23613,6 +23745,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -25584,6 +25728,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -27600,6 +27756,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -29571,6 +29739,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -31542,6 +31722,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", @@ -33513,6 +33705,18 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", diff --git a/default/data/ui/views/data_filtering_overview.xml b/default/data/ui/views/data_filtering_overview.xml index 59697a21..d623d312 100644 --- a/default/data/ui/views/data_filtering_overview.xml +++ b/default/data/ui/views/data_filtering_overview.xml @@ -107,7 +107,7 @@ Data Filter Events by Application - | `tstats` count FROM `node(log.data)` $user$ $src_ip$ $dst_ip$ $app$ $action$ $vsys$ `table(log.threat_id log.action log.src_ip log.app, count)` + | `tstats` count FROM `node(log.data)` $user$ $src_ip$ $dst_ip$ $app$ $action$ $vsys$ `table(log.threat_name log.action log.src_ip log.app, count)`$earliest$$latest$ @@ -140,7 +140,7 @@ diff --git a/default/data/ui/views/threat_detail.xml b/default/data/ui/views/threat_detail.xml index ff21c12c..900e54bb 100644 --- a/default/data/ui/views/threat_detail.xml +++ b/default/data/ui/views/threat_detail.xml @@ -10,7 +10,7 @@ - log.threat_id=" + log.threat_name=" " 
@@ -32,7 +32,7 @@ " - | `tstats` values(sourcetype) as sourcetype values(log.threat_id) as threat_id sum(log.bytes) as bytes sum(log.elapsed_time) as duration + | `tstats` values(sourcetype) as sourcetype values(log.threat_name) as threat_name sum(log.bytes) as bytes sum(log.elapsed_time) as duration FROM datamodel="pan_logs" WHERE (nodename="log.traffic" OR nodename="log.threat") $threat$ $user$ $application$ $location$ `groupby(log.session_id log.user log.server_ip log.application log.server_location)` | search sourcetype="pan_threat" bytes!="" server_location!="" user!="" | eval KB=bytes/1024 @@ -134,7 +134,7 @@
Threats by Bytes Transferred and Sessions - stats sum(KB) as "Transfer (KB)" count(session_id) as "Total Sessions" by threat_id + stats sum(KB) as "Transfer (KB)" count(session_id) as "Total Sessions" by threat_name$earliest$$latest$ @@ -158,7 +158,7 @@ diff --git a/default/data/ui/views/threat_overview.xml b/default/data/ui/views/threat_overview.xml index 5a9a49d7..01240253 100644 --- a/default/data/ui/views/threat_overview.xml +++ b/default/data/ui/views/threat_overview.xml @@ -19,10 +19,10 @@ log.dst_ip="" - - + + - log.threat_id=" + log.threat_name=" " @@ -53,7 +53,7 @@ Threat Subtypes - | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_id$ $vsys$ $app$ groupby _time log.log_subtype | timechart values(count) by log.log_subtype + | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby _time log.log_subtype | timechart values(count) by log.log_subtype $earliest$ $latest$ @@ -79,7 +79,7 @@ Severity - | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_id$ $vsys$ $app$ groupby _time log.severity | timechart values(count) by log.severity + | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby _time log.severity | timechart values(count) by log.severity $earliest$ $latest$ @@ -106,8 +106,8 @@ - Threat IDs - | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_id$ $vsys$ $app$ groupby log.threat_id + Threats + | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.threat_name $earliest$ $latest$ @@ -133,7 +133,7 @@ Threats by App - | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_id$ $vsys$ $app$ groupby log.app + | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.app $earliest$ $latest$ 
@@ -159,7 +159,7 @@ Threats by User - | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_id$ $vsys$ $app$ groupby log.user + | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.user $earliest$ $latest$ @@ -187,7 +187,7 @@ Source IP - | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_id$ $vsys$ $app$ groupby log.src_ip + | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.src_ip $earliest$ $latest$ @@ -213,7 +213,7 @@ Threats by Severity - | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_id$ $vsys$ $app$ groupby log.severity + | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.severity $earliest$ $latest$ @@ -239,7 +239,7 @@ Destination IP - | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_id$ $vsys$ $app$ groupby log.dst_ip + | `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.dst_ip $earliest$ $latest$ diff --git a/default/data/ui/views/wildfire_overview.xml b/default/data/ui/views/wildfire_overview.xml index 5e3f26ca..ce0ec07a 100644 --- a/default/data/ui/views/wildfire_overview.xml +++ b/default/data/ui/views/wildfire_overview.xml @@ -175,7 +175,7 @@ diff --git a/default/props.conf b/default/props.conf index 7723230d..afeb679f 100755 --- a/default/props.conf +++ b/default/props.conf 
@@ -35,7 +35,7 @@ SHOULD_LINEMERGE = false
 lookup_table = app_lookup app
 lookup_src_class = classification_lookup cidr AS src_ip OUTPUT classification AS src_class
 lookup_dst_class = classification_lookup cidr AS dst_ip OUTPUT classification AS dst_class
-FIELDALIAS = "application" AS "app" "virtual_system" AS "vsys" "threatid" AS "threat_id"
+FIELDALIAS = "application" AS "app" "virtual_system" AS "vsys"
 # Field Aliases to map palo alto fields to the Splunk Common Information Model
 FIELDALIAS-dvc_for_pan_traffic = host as dvc
 FIELDALIAS-transport_for_pan_traffic = protocol as transport
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
index 821dbbb9..71cf1002 100755
--- a/default/savedsearches.conf
+++ b/default/savedsearches.conf
@@ -10,7 +10,7 @@ displayview = flashtimeline
 enableSched = 1
 realtime_schedule = 0
 request.ui_dispatch_view = flashtimeline
-search = `pan_wildfire` | rex field=threat_id "\((?\d+)\)" | wildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
+search = `pan_wildfire` | wildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
 disabled = 0
 ########################
diff --git a/default/transforms.conf b/default/transforms.conf
index 34b7f37e..25e2a0a8 100755
--- a/default/transforms.conf
+++ b/default/transforms.conf
@@ -37,7 +37,7 @@ match_type = CIDR(cidr)
 [extract_threat]
 DELIMS = ","
-FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","generated_time","src_ip","dst_ip","nat_src_ip","nat_dst_ip","rule_name","src_user","dst_user","application","virtual_system","src_zone","dst_zone","ingress_interface","egress_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dst_port","nat_src_port","nat_dst_port","flags","protocol","action","misc","threat_id","category","severity","direction","sequence_number","action_flags","src_location","dst_location","future_use4","content_type"
+FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","generated_time","src_ip","dst_ip","nat_src_ip","nat_dst_ip","rule_name","src_user","dst_user","application","virtual_system","src_zone","dst_zone","ingress_interface","egress_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dst_port","nat_src_port","nat_dst_port","flags","protocol","action","misc","threat_name","category","severity","direction","sequence_number","action_flags","src_location","dst_location","future_use4","content_type"
 [extract_traffic]
 DELIMS = ","
@@ -51,8 +51,8 @@ FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","futu
 DELIMS = ","
 FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","future_use3","virtual_system","event_id","object","future_use4","future_use5","module","severity","description","sequence_number","action_flags"
-SOURCE_KEY = threat_id
 [extract_threat_id]
+SOURCE_KEY = threat_name
 REGEX = \((?\d+)\)
 [extract_dst_hostname]
From e182c49b62e4c4dfc4b39c6f7470bfc62800a7dc Mon Sep 17 00:00:00 2001
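Review bot: `REGEX = \((?\d+)\)` in `[extract_threat_id]` (second hunk) matches the first parenthesised number anywhere in `threat_name`, while the commit subject says the id should be only the numerical identifier; if the id is always the trailing `(nnnn)` of the name, anchoring it as `REGEX = \((?<threat_id>\d+)\)$` prevents a number embedded earlier in a name from being taken as the id. The group name is not visible in this rendering, so I could not verify it is `threat_id`, which the `threat_id as report_id` alias in props.conf and the saved search that just dropped its inline `rex` now both rely on. A comment above the stanza, e.g. `# threat_id is the numeric id in the trailing parentheses of threat_name; report_id is aliased from it`, would make that dependency explicit. The first hunk's rename of the FIELDS column is fine.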
From: Brian Torres-Gil Date: Wed, 14 May 2014 16:55:43 -0700 Subject: [PATCH 04/16] Content Dashboard: fix issues with data not showing up. --- default/data/ui/views/content_overview.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/default/data/ui/views/content_overview.xml b/default/data/ui/views/content_overview.xml index 51e5d7f7..59cfbc9d 100644 --- a/default/data/ui/views/content_overview.xml +++ b/default/data/ui/views/content_overview.xml @@ -81,7 +81,7 @@ Full Content Types - | `tstats` count(content_type) AS cc FROM pan_content WHERE earliest=$earliest$ latest=$latest$ $vsys$ $app$ $category$ $dst_ip$ $src_ip$ $content_type$ groupby _time content_type| timechart values(cc) by content_type + | `tstats` count FROM `node(log.url)` $vsys$ $app$ $category$ $dst_ip$ $src_ip$ $content_type$ groupby _time log.content_type | timechart values(count) by log.content_type $earliest$ $latest$ @@ -109,7 +109,7 @@
Content Types and Apps - | `tstats` count(content_type) AS cc FROM pan_content WHERE earliest=$earliest$ latest=$latest$ $vsys$ $app$ $category$ $dst_ip$ $src_ip$ $content_type$ groupby app content_type | stats values(cc) AS Count by content_type app | sort -Count | rename app AS Application | rename content_type AS "Content Type" + | `tstats` count FROM `node(log.url)` $vsys$ $app$ $category$ $dst_ip$ $src_ip$ $content_type$ `table(log.app log.content_type, count)`$earliest$$latest$ @@ -149,7 +149,7 @@
Non-Web Browsing Content Types - | `tstats` count(content_type) AS cc FROM pan_content WHERE earliest=$earliest$ latest=$latest$ $vsys$ $app$ $category$ $dst_ip$ $src_ip$ $content_type$ groupby app content_type | where app != "web-browsing" | stats values(cc) AS Count by content_type app | sort -Count | rename app AS Application | rename content_type AS "Content Type" + | `tstats` count FROM `node(log.url)` $vsys$ $app$ $category$ $dst_ip$ $src_ip$ $content_type$ app!="web-browsing" `table(log.app log.content_type, count)`$earliest$$latest$ @@ -181,7 +181,7 @@
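Review bot: `app!="web-browsing"` in the new search is a bare field name, whereas every other field in these `tstats` searches over `node(log.url)` is addressed as `log.<field>` (`log.app`, `log.content_type`); unless the `node` macro aliases bare names, the filter references a field that does not exist in the data model and the panel stops excluding web-browsing traffic. Change it to `log.app!="web-browsing"`. The other three hunks in this file do not carry the same mistake.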
Content Types and Web Categories - | `tstats` count(content_type) AS cc FROM pan_content WHERE earliest=$earliest$ latest=$latest$ $vsys$ $app$ $category$ $dst_ip$ $src_ip$ $content_type$ groupby category content_type | stats values(cc) AS Count by content_type category | sort -Count | rename category AS Category | rename content_type AS "Content Type" + | `tstats` count FROM `node(log.url)` $vsys$ $app$ $category$ $dst_ip$ $src_ip$ $content_type$ `table(log.category log.content_type, count)`$earliest$$latest$ From 0db62b4e11c002725a9d75e3f61d7bc5cedf125c Mon Sep 17 00:00:00 2001 From: Brian Torres-Gil Date: Wed, 14 May 2014 17:05:47 -0700 Subject: [PATCH 05/16] Removed remaining references to "index=pan_logs". Now the `pan_index` macro is always used, so if you want to change the name of the index, you only need to change it in macros.conf. --- default/data/models/pan_logs.json | 2 +- default/data/ui/views/overview.xml | 2 +- default/savedsearches.conf | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/default/data/models/pan_logs.json b/default/data/models/pan_logs.json index 26dddd42..d29a738e 100644 --- a/default/data/models/pan_logs.json +++ b/default/data/models/pan_logs.json @@ -1985,7 +1985,7 @@ "calculations": [], "constraints": [ { - "search": "index=\"pan_logs\"", + "search": "`pan_index`", "owner": "log" } ], diff --git a/default/data/ui/views/overview.xml b/default/data/ui/views/overview.xml index b2f9bb39..24abfcd0 100644 --- a/default/data/ui/views/overview.xml +++ b/default/data/ui/views/overview.xml @@ -107,7 +107,7 @@
Recently Added to Applipedia - index=pan_logs sourcetype="pan_newapps" | dedup app{@name} sortby +_time | sort -_time | table _time app{@name} app.technology app.category app.subcategory app.risk | convert timeformat="%m/%d/%y" ctime(_time) | rename _time AS "Date added" | rename app{@name} AS Name | rename app.technology AS Technology | rename app.category AS Category | rename app.subcategory AS Subcategory | rename app.risk AS Risk + `pan_index` sourcetype="pan_newapps" | dedup app{@name} sortby +_time | sort -_time | table _time app{@name} app.technology app.category app.subcategory app.risk | convert timeformat="%m/%d/%y" ctime(_time) | rename _time AS "Date added" | rename app{@name} AS Name | rename app.technology AS Technology | rename app.category AS Category | rename app.subcategory AS Subcategory | rename app.risk AS Risk-2w@wnow diff --git a/default/savedsearches.conf b/default/savedsearches.conf index 71cf1002..b6d1a4b9 100755 --- a/default/savedsearches.conf +++ b/default/savedsearches.conf @@ -10,7 +10,7 @@ displayview = flashtimeline enableSched = 1 realtime_schedule = 0 request.ui_dispatch_view = flashtimeline -search = `pan_wildfire` | wildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report +search = `pan_wildfire` | wildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect `pan_index` sourcetype=pan_wildfire_report disabled = 0 ######################## @@ -27,5 +27,5 @@ displayview = flashtimeline enableSched = 1 realtime_schedule = 0 request.ui_dispatch_view = flashtimeline -search = index=pan_logs sourcetype=pan_newapps | table app{@name} | newapps | collect index=pan_logs sourcetype=pan_newapps +search = `pan_index` sourcetype=pan_newapps | table app{@name} | newapps | collect `pan_index` sourcetype=pan_newapps disabled = 0 From dfbdfcf9c2c092ffb6bab927cc46db690acbe4b3 Mon Sep 17 00:00:00 2001 
From: Brian Torres-Gil
Date: Wed, 14 May 2014 21:06:01 -0700
Subject: [PATCH 06/16] Update to latest panxapi (pan-python) library with better support for user-id and ip registration errors.
---
 bin/lib/pan/commit.py | 2 +-
 bin/lib/pan/xapi.py | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/bin/lib/pan/commit.py b/bin/lib/pan/commit.py
index 6a593617..f366ff99 100644
--- a/bin/lib/pan/commit.py
+++ b/bin/lib/pan/commit.py
@@ -17,7 +17,7 @@ from __future__ import print_function
 import sys
-valid_part = set([
+_valid_part = set([
 'device-and-network-excluded',
 'policy-and-objects-excluded',
 'shared-object-excluded',
diff --git a/bin/lib/pan/xapi.py b/bin/lib/pan/xapi.py
index e1bd4a10..e504b42f 100644
--- a/bin/lib/pan/xapi.py
+++ b/bin/lib/pan/xapi.py
@@ -322,6 +322,21 @@ def __get_response_msg(self):
 lines = []
 # XML API response message formats are not documented
+
+ # type=user-id register and unregister
+ path = './msg/line/uid-response/payload/*/entry'
+ elem = self.element_root.findall(path)
+ if len(elem) > 0:
+ if self.debug2:
+ print('path:', path, elem, file=sys.stderr)
+ for line in elem:
+ msg = ''
+ for key in line.keys():
+ msg += '%s: %s ' % (key, line.get(key))
+ if msg:
+ lines.append(msg.rstrip())
+ return '\n'.join(lines) if lines else None
+
 path = './msg/line'
 elem = self.element_root.findall(path)
 if len(elem) > 0:
From 662e1947b254f6439be902afc7c49fafbb6cf7ef Mon Sep 17 00:00:00 2001
From: Brian Torres-Gil
Date: Wed, 14 May 2014 22:07:47 -0700
Subject: [PATCH 07/16] Support new fields in PAN-OS 6.0, including pcap_id and file_digest
---
 default/transforms.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default/transforms.conf b/default/transforms.conf
index 25e2a0a8..b70d5233 100755
--- a/default/transforms.conf
+++ b/default/transforms.conf
@@ -37,7 +37,7 @@ match_type = CIDR(cidr)
 [extract_threat]
 DELIMS = ","
-FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","generated_time","src_ip","dst_ip","nat_src_ip","nat_dst_ip","rule_name","src_user","dst_user","application","virtual_system","src_zone","dst_zone","ingress_interface","egress_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dst_port","nat_src_port","nat_dst_port","flags","protocol","action","misc","threat_name","category","severity","direction","sequence_number","action_flags","src_location","dst_location","future_use4","content_type"
+FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","generated_time","src_ip","dst_ip","nat_src_ip","nat_dst_ip","rule_name","src_user","dst_user","application","virtual_system","src_zone","dst_zone","ingress_interface","egress_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dst_port","nat_src_port","nat_dst_port","flags","protocol","action","misc","threat_name","category","severity","direction","sequence_number","action_flags","src_location","dst_location","future_use4","content_type","pcap_id","file_digest","cloud_address"
 [extract_traffic]
 DELIMS = ","
@@ -45,7 +45,7 @@ FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","futu
 [extract_config]
 DELIMS = ","
-FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","future_use3","admin_ip","virtual_system","command","admin","admin_type","result","configuration_path","sequence_number","action_flags"
+FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","future_use3","admin_ip","virtual_system","command","admin","admin_type","result","configuration_path","before_change","after_change","sequence_number","action_flags"
 [extract_system]
 DELIMS = ","
From 644f74b8da157300034de028a0ed349dd16322f2 Mon Sep 17 00:00:00 2001
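Review bot: In the `[extract_config]` hunk, `"before_change","after_change"` are inserted ahead of `"sequence_number","action_flags"` in a positional DELIMS extraction, so any config event that lacks the two new columns (a device still on a release older than the PAN-OS 6.0 named in the subject, if such logs are ingested alongside) will have its sequence number land in `before_change` and its action flags in `after_change`, silently. The `[extract_threat]` hunk appends its new columns at the end and is not affected. If mixed log versions are possible, the extraction needs to be keyed on the log version; otherwise a comment stating the assumption, e.g. `# PAN-OS 6.0+ config log layout: before_change/after_change precede sequence_number`, keeps the constraint visible.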
From: Brian Torres-Gil
Date: Sat, 17 May 2014 13:56:40 -0700
Subject: [PATCH 08/16] Reverse part of `pan_index` macro commit because macros can't be used with 'collect' command.
---
 default/savedsearches.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
index b6d1a4b9..71cf1002 100755
--- a/default/savedsearches.conf
+++ b/default/savedsearches.conf
@@ -10,7 +10,7 @@ displayview = flashtimeline
 enableSched = 1
 realtime_schedule = 0
 request.ui_dispatch_view = flashtimeline
-search = `pan_wildfire` | wildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect `pan_index` sourcetype=pan_wildfire_report
+search = `pan_wildfire` | wildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
 disabled = 0
 ########################
@@ -27,5 +27,5 @@ displayview = flashtimeline
 enableSched = 1
 realtime_schedule = 0
 request.ui_dispatch_view = flashtimeline
-search = `pan_index` sourcetype=pan_newapps | table app{@name} | newapps | collect `pan_index` sourcetype=pan_newapps
+search = index=pan_logs sourcetype=pan_newapps | table app{@name} | newapps | collect index=pan_logs sourcetype=pan_newapps
 disabled = 0
From df8ce9cf3788a447a5d014a50e95bd72e8d00cb8 Mon Sep 17 00:00:00 2001
From: Brian Torres-Gil
Date: Sun, 18 May 2014 09:24:26 -0700
Subject: [PATCH 09/16] Added new config and threat fields to data model.
---
 default/data/models/pan_logs.json | 1038 ++++++++++++++++++++++++++++-
 1 file changed, 1029 insertions(+), 9 deletions(-)
diff --git a/default/data/models/pan_logs.json b/default/data/models/pan_logs.json
index d29a738e..93b3fdc1 100644
--- a/default/data/models/pan_logs.json
+++ b/default/data/models/pan_logs.json
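Review bot: The second hunk (`@@ -27,5 +27,5 @@`) reverts more than the subject justifies: only the `collect` argument needs a literal index, yet the base search also goes back to `index=pan_logs`, so the read side of the newapps search is hard-coded again while the rest of the app has just moved to the `pan_index` macro. Keep the macro on the read side, i.e. ``search = `pan_index` sourcetype=pan_newapps | table app{@name} | newapps | collect index=pan_logs sourcetype=pan_newapps``. A comment next to both `collect` calls, such as `# collect does not expand macros; the index name must be literal here`, would stop a later cleanup from re-introducing the macro and repeating this round-trip.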
@@ -1933,6 +1933,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
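Review bot: `before_change` and `after_change` are declared with `"type": "number"`, while the config-log columns they come from (inserted between `configuration_path` and `sequence_number` in the `[extract_config]` FIELDS list earlier in this series) are named as if they carry configuration text; the hunk cannot confirm the value format, but if they are not numeric, a numeric data model type will not represent them correctly once accelerated, and `"type": "string"` as used for `cloud_address` and `file_digest` is the safe choice. The same typing is repeated in the hunks at L413 and L414, so all three should change together. There is no `"comment"` text on any of the five new entries; a short one on `pcap_id` and `file_digest` saying which log subtype populates them would help consumers of the model.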
@@ -3916,6 +3976,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -5922,6 +6042,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -7905,6 +8085,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -9888,6 +10128,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -11872,12 +12172,72 @@
 "fieldSearch": ""
 },
 {
- "fieldName": "_time",
- "owner": "BaseEvent",
- "type": "timestamp",
+ "fieldName": "after_change",
+ "owner": "log",
+ "type": "number",
 "required": false,
 "multivalue": false,
- "hidden": false,
+ "hidden": true,
+ "editable": true,
+ "displayName": "after_change",
+ "comment": "",
+ "fieldSearch": ""
+ },
+ {
+ "fieldName": "before_change",
+ "owner": "log",
+ "type": "number",
+ "required": false,
+ "multivalue": false,
+ "hidden": true,
+ "editable": true,
+ "displayName": "before_change",
+ "comment": "",
+ "fieldSearch": ""
+ },
+ {
+ "fieldName": "cloud_address",
+ "owner": "log",
+ "type": "string",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "cloud_address",
+ "comment": "",
+ "fieldSearch": ""
+ },
+ {
+ "fieldName": "file_digest",
+ "owner": "log",
+ "type": "string",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "file_digest",
+ "comment": "",
+ "fieldSearch": ""
+ },
+ {
+ "fieldName": "pcap_id",
+ "owner": "log",
+ "type": "number",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
+ "editable": true,
+ "displayName": "pcap_id",
+ "comment": "",
+ "fieldSearch": ""
+ },
+ {
+ "fieldName": "_time",
+ "owner": "BaseEvent",
+ "type": "timestamp",
+ "required": false,
+ "multivalue": false,
+ "hidden": false,
 "editable": true,
 "displayName": "_time",
 "comment": "",
@@ -13854,6 +14214,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -15837,6 +16257,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -17808,6 +18288,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -19791,6 +20331,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -21774,6 +22374,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -23734,26 +24394,86 @@ "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "url", + "displayName": "file_digest", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "pcap_id", "owner": "log", - "type": "string", + "type": "number", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "threat_name", + "displayName": "pcap_id", "comment": "", "fieldSearch": "" }, 
@@ -25740,6 +26460,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -27768,6 +28548,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -29751,6 +30591,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -31734,6 +32634,66 @@ "comment": "", "fieldSearch": "" }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, { "fieldName": "_time", "owner": "BaseEvent", 
@@ -33717,6 +34677,66 @@
 "comment": "",
 "fieldSearch": ""
 },
+ {
+ "fieldName": "after_change",
+ "owner": "log",
+ "type": "number",
+ "required": false,
+ "multivalue": false,
+ "hidden": true,
+ "editable": true,
+ "displayName": "after_change",
+ "comment": "",
+ "fieldSearch": ""
+ },
+ {
+ "fieldName": "before_change",
+ "owner": "log",
+ "type": "number",
+ "required": false,
+ "multivalue": false,
+ "hidden": true,
+ "editable": true,
+ "displayName": "before_change",
+ "comment": "",
+ "fieldSearch": ""
+ },
+ {
+ "fieldName": "cloud_address",
+ "owner": "log",
+ "type": "string",
+ "required": false,
+ "multivalue": false,
+ "hidden": true,
+ "editable": true,
+ "displayName": "cloud_address",
+ "comment": "",
+ "fieldSearch": ""
+ },
+ {
+ "fieldName": "file_digest",
+ "owner": "log",
+ "type": "string",
+ "required": false,
+ "multivalue": false,
+ "hidden": true,
+ "editable": true,
+ "displayName": "file_digest",
+ "comment": "",
+ "fieldSearch": ""
+ },
+ {
+ "fieldName": "pcap_id",
+ "owner": "log",
+ "type": "number",
+ "required": false,
+ "multivalue": false,
+ "hidden": true,
+ "editable": true,
+ "displayName": "pcap_id",
+ "comment": "",
+ "fieldSearch": ""
+ },
 {
 "fieldName": "_time",
 "owner": "BaseEvent",

From 7ca9e1c39c7430b8ca0317ed94aa08fc72c77047 Mon Sep 17 00:00:00 2001
From: Brian Torres-Gil
Date: Mon, 19 May 2014 17:20:16 -0700
Subject: [PATCH 10/16] Updated datamodel to use new WildFire Report XML format version 2.0

---
 bin/retrieveWildFireReport.py | 2 +-
 default/data/models/pan_logs.json | 7880 ++++++++++++-------
 default/data/ui/views/wildfire_overview.xml | 4 +-
 default/props.conf | 10 +-
 4 files changed, 5070 insertions(+), 2826 deletions(-)

diff --git a/bin/retrieveWildFireReport.py b/bin/retrieveWildFireReport.py
index 2ccfb76e..fdb78335 100644
--- a/bin/retrieveWildFireReport.py
+++ b/bin/retrieveWildFireReport.py
@@ -106,7 +106,7 @@ def retrieveWildFireData(apikey, serial, reportid):
 # get the report
 wfReportXml = retrieveWildFireData(PAN_WF_APIKEY, result['serial_number'], result['report_id']).read().strip()
 # Add the report id to the XML for correlation to the original WildFire log from the firewall
- wfReportXml = wfReportXml.replace("", "\n "+result['report_id']+"", 1)
+ wfReportXml = wfReportXml.replace("", "\n"+result['report_id']+"", 1)
 result['wildfire_report'] = wfReportXml
 except:
 logger.warn("Error retrieving WildFire report for report id: %s" % result['report_id'])
diff --git a/default/data/models/pan_logs.json b/default/data/models/pan_logs.json
index 93b3fdc1..47dfcd34 100644
--- a/default/data/models/pan_logs.json
+++ b/default/data/models/pan_logs.json
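Review bot: `result['report_id']` is spliced into the downloaded report by plain string concatenation on the changed line, so a report id containing `<`, `&` or a quote would corrupt, or add elements to, the XML that is then stored as `_raw`; wrapping it as `xml.sax.saxutils.escape(result['report_id'])` keeps the document well-formed regardless of what the firewall log contained (the element tags around it appear stripped in this rendering, so the exact replacement target cannot be checked here). `str.replace(..., 1)` is also silent when its target string is absent, which would store the report without the correlation id; a check such as `if target not in wfReportXml: logger.warn("report %s: id element not found" % result['report_id'])` before the replace would make that visible. The enclosing try/except and the function it belongs to both begin outside the hunk, and the bare `except:` in the context lines predates this change.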
@@ -1238,758 +1238,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "client_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "dst_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "dst_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "server_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "server_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "server_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "server_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "src_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": 
"" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "user", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "filename", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "after_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "before_change", "owner": "log", "type": "number", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": 
false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.id", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": 
"wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", 
"required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": 
false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": 
"wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "threat_name", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "after_change", + "fieldName": "wildfire.task_info.report.size", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, 
"editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.software", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.version", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.version", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
@@ -3281,758 +3413,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "pcap_id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": 
true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.id", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.id", "owner": "log", "type": "string", "required": 
false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": 
"wildfire.report.network.tcp-connection{@port}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": 
"string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, 
"editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + 
"fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", 
"owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": 
"wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": 
"wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "src_class", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "client_ip", - "owner": "log", - "type": "string", - "required": false, - "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, 
"editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "threat_name", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "after_change", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - 
"displayName": "file_digest", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.version", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
@@ -5347,758 +5611,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "server_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "src_class", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "before_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "cloud_address", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "cloud_address", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "file_digest", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": 
"number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "pcap_id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.file_info.md5", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.id", "owner": "log", "type": "string", "required": 
false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, 
"editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": 
"wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + 
"fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": 
"string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": 
"", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": 
"wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", 
"required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.version", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "pcap_id", 
+ "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
@@ -7390,758 +7786,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "pcap_id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": 
true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.id", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": 
"wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": 
"wildfire.report.network.tcp-connection{@pid}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@port}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": 
"wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": 
"wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": 
"wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { 
- "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - 
"displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - 
"fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.version", 
"owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.version", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
@@ -9433,758 +9961,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "client_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "dst_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "dst_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "server_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "server_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "server_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "server_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "src_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, "editable": true, - "displayName": 
"wildfire.report.file.file_written{@process_image}", + "displayName": "client_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "after_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "before_change", "owner": "log", "type": "number", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "before_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.file_info.size", 
"owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.id", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": 
true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + 
"displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", - "type": "number", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", + "owner": "log", + "type": "string", "required": false, "multivalue": false, "hidden": true, 
"editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", 
"comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, 
"hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": 
false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + 
"fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "threat_name", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "after_change", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.version", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": 
"", "fieldSearch": "" }, 
@@ -11476,758 +12136,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "after_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": 
true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.id", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": 
"wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, 
"hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, 
"multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + 
"fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.size", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": 
false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" 
}, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": 
"wildfire.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "file_digest", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "pcap_id", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
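Review bot: `wildfire.file_info.size` and `wildfire.task_info.report.size` end up with `"type": "string"` (the context line carried over from the objects they replace), while the `wildfire.report.size` entry this hunk removes was `"type": "number"`; a size field typed as a string will not sort or range-compare numerically in data model searches, so `"type": "number"` looks like the intended value for both. The same question applies to `wildfire.task_info.report.process_list.process{@pid}` and the `{@port}` fields if they are meant to be compared numerically, though the old `wildfire.report.network.TCP{@port}` entries were already strings, so that may be deliberate. Separately, the hash and verdict fields `wildfire.file_info.md5`, `wildfire.file_info.sha256` and `wildfire.file_info.malware` are all `"hidden": true`, so analysts pivoting on file hashes through the data model will not see them unless they are un-hidden; worth confirming that is intended. If this file is maintained through the data model editor rather than by hand, the type change should be made there so it is not overwritten on the next export.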
@@ -13519,758 +14311,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "client_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "dst_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "dst_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "server_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "server_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "server_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "server_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "src_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, "editable": true, - "displayName": 
"wildfire.report.file.file_written{@process_image}", + "displayName": "client_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "user", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": 
"cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "pcap_id", "owner": "log", "type": "number", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.filetype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": 
true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.id", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", - "type": "number", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.network.TCP{@country}", + "owner": "log", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - 
"fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": 
"wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": 
"wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, 
"editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", 
"comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, 
"hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": 
false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + 
"fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "threat_name", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "after_change", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.version", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": 
"", "fieldSearch": "" }, 
@@ -15562,758 +16486,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": 
true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.id", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": 
"wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": 
"wildfire.report.network.tcp-connection{@pid}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@port}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": 
"wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": 
"wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": 
"wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": 
"wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, 
"multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": 
"wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": 
true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": 
"wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "file_digest", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "pcap_id", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
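Review bot: Several fields this hunk defines with `"type": "string"` look numeric — `wildfire.task_info.report.network.TCP{@port}`, `wildfire.task_info.report.network.UDP{@port}`, `wildfire.file_info.size`, `wildfire.task_info.report.size`, `wildfire.task_info.report.process_list.process{@pid}` and `...process_activity.Create{@child_pid}` — while `pcap_id`, `after_change` and `before_change` in the same hunk keep `"type": "number"`, and `wildfire.id` plus `wildfire.task_info.report.timeline.entry{@seq}` are switched from number to string. If the string typing is deliberate (presumably because the XML attribute can be empty or non-numeric in some reports), the otherwise-empty `"comment"` slot on those entries is the place to say so, e.g. `"comment": "kept as string: attribute may be empty or non-numeric in the report"`. Without that, port, size and pid values will compare and sort lexically in anything built on this data model, and the next maintainer is likely to "fix" them back to number. The same string-vs-number inconsistency repeats in the hunk at `@@ -17605,746 +18661,878 @@`, which continues past this chunk.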
@@ -17605,746 +18661,878 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "client_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "dst_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "server_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "server_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "src_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "client_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + 
"editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "after_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", 
+ "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.file_info.md5", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.id", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": 
"" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", 
"fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + 
"fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": 
false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", - "type": "number", + "type": "string", "required": 
false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": 
"wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": 
"string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": 
"wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "threat_name", + "displayName": 
"wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "after_change", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.version", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
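Review bot: The renamed WildFire fields that carry numeric values are declared as strings in this hunk — `wildfire.task_info.report.size`, `wildfire.task_info.report.process_list.process{@pid}`, `wildfire.task_info.report.process_tree.process{@pid}` and `wildfire.task_info.report.network.TCP{@port}` / `UDP{@port}` all have `"type": "string"`, while the entries they displace (`wildfire.report.size`, `wildfire.report.network.tcp-connection{@pid}`, `wildfire.report.network.tcp-connection{@port}`, `wildfire.report.registry.DeleteKey{@pid}`) were `"type": "number"`. Pivots and data-model searches that filter on port ranges or file-size thresholds will compare these lexically, so a threshold like port > 1024 or size > 1000000 gives wrong results for the sandbox network and file observations this model exists to expose. Unless the string type is deliberate, set `"type": "number"` on the size, pid and port entries. If this JSON is maintained through the Data Model editor, the type should be corrected there so the next regeneration does not reintroduce it.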
@@ -19636,758 +20824,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": 
"string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + 
"displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.id", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", - "type": 
"number", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.md5", + "owner": "log", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@port}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, 
"editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + 
"displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", 
"type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", 
"type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", 
"fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, 
"multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.size", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": 
"wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - 
"displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - 
"fieldName": "filename", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": 
"wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "file_digest", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "pcap_id", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
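Review bot: Several numeric attributes in the new wildfire.task_info.* entries are declared with `"type": "string"` where the entries they replace carried `"type": "number"` — the removed `wildfire.report.size`, `wildfire.report.task`, `wildfire.report.version`, `wildfire.report.network.tcp-connection{@port}` and `wildfire.report.registry.DeleteKey{@pid}` were numbers, but the added `wildfire.task_info.report.size`, the `process_tree…process{@pid}` entries, `network.TCP{@port}`/`UDP{@port}`, `timeline.entry{@seq}` and `wildfire.version` are all strings, while `after_change`, `before_change` and `pcap_id` in the same hunk keep `"number"`. If this file is exported from the data model editor the change may be deliberate, but it is worth confirming, since the declared type is presumably what pivot and range comparisons on these attributes follow; for size, pid, port and seq, `"type": "number"` would keep them consistent with the sibling numeric fields. The hunk starting at `@@ -21679,758 +22999,890 @@` mirrors this pattern and continues past this view.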
@@ -21679,758 +22999,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "client_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "dst_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "dst_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "server_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "server_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "server_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "server_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "src_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "src_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "client_ip", "owner": "log", "type": "string", "required": false, 
"multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "after_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "before_change", "owner": "log", "type": "number", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": 
false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.id", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": 
"wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", 
"required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": 
false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": 
"wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "threat_name", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "after_change", + "fieldName": "wildfire.task_info.report.size", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, 
"editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.software", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.version", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.version", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + 
"displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
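Review bot: Several numeric WildFire fields come out as `"type": "string"` on the new side of this hunk, where the entries they supersede were `"type": "number"` — the old side declares `wildfire.report.size`, `wildfire.report.version` and `wildfire.report.network.tcp-connection{@port}` as number, while the new `wildfire.task_info.report.size`, `wildfire.task_info.report.version`, `wildfire.task_info.report.timeline.entry{@seq}`, `process{@pid}` and `network.TCP{@port}`/`UDP{@port}` entries are all string. If this `type` value drives how the app's searches sort or compare these fields, the number-to-string switch is worth confirming as intentional; otherwise keeping `"type": "number"` for at least `wildfire.task_info.report.size` and `wildfire.task_info.report.version` would preserve parity with the removed entries. The same block of changes is repeated in the partial hunk before this one and in the hunk starting at `@@ -23722,758 +25174,890 @@`, so whichever type is chosen should be applied in all three places. The enclosing JSON array begins and ends outside the hunk.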
@@ -23722,758 +25174,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "client_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "dst_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "dst_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "server_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "src_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "client_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + 
"editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": 
"pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.file_info.md5", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.id", 
"owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": 
false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": 
true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + 
"displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", 
"fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": 
"wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", 
"fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + 
"displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": 
"string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.version", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, - 
"hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
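Review bot: Every replacement `wildfire.task_info.report.*` entry in this hunk is declared `"type": "string"`, including attributes that the removed `wildfire.report.*` entries typed as `number` — `wildfire.task_info.report.size`, `wildfire.task_info.report.network.TCP{@port}`, `wildfire.task_info.report.network.UDP{@port}`, and the `{@pid}` attributes under `process_list.process` and `process_tree` — so pivot range filters and sorts on size, port or PID become lexicographic ("9" sorts after "10"). If these attributes carry numeric values in the new WildFire report XML, as the old definitions suggest, those entries should read `"type": "number"`; the same likely applies to `wildfire.file_info.size`, while `wildfire.task_info.report.version` may legitimately be a dotted string and is best confirmed against a sample report. The `hidden` flips on `client_location`, `server_ip`, `user`, `url` and friends appear to be an artifact of the objects being reordered rather than a visibility change, which is worth stating in the commit message since the raw diff reads as one.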
@@ -25765,758 +27349,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "client_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "dst_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "client_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": 
"log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" 
+ }, + { + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.file_info.size", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.id", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": 
"wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - 
"fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": 
"wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": 
"wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - 
"displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": 
"wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "dst_class", + "displayName": 
"wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", 
"required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "after_change", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "before_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "cloud_address", + "displayName": 
"wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "file_digest", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "pcap_id", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
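Review bot: The new entries for `wildfire.file_info.size`, `wildfire.task_info.report.size`, `wildfire.task_info.report.network.TCP{@port}`, `wildfire.task_info.report.network.UDP{@port}` and `wildfire.task_info.report.process_list.process{@pid}` are declared `"type": "string"`, whereas the `wildfire.report.*` entries they replace (`size`, `tcp-connection{@port}`, `tcp-connection{@pid}`, `DeleteKey{@pid}`) were `"number"`; if this file drives field typing, numeric range comparisons and sorting on ports, sizes and pids will degrade to lexical ones. Unless the new report format genuinely emits non-numeric values there, keep `"type": "number"` for those five entries. Separately, `client_location` through `pcap_id` are set `"hidden": true` in this hunk but the same names appear with `"hidden": false` in the hunk that starts at `@@ -27853,758 +29569,890 @@`; this is presumably intentional per-sourcetype visibility, but it is worth confirming rather than a copy-paste inversion. The enclosing JSON array continues beyond this hunk on both sides.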
@@ -27853,758 +29569,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "client_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "dst_class", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "dst_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "server_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", 
+ "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "url", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "threat_name", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "after_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": 
"", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.file_info.md5", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.id", "owner": "log", 
"type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, 
"multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, 
- "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + 
"displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", 
"fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": 
"wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", 
"fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + 
"displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": 
"string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.version", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, - 
"hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
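Review bot: On the new side of this hunk the fields `wildfire.task_info.report.network.TCP{@port}`, `wildfire.task_info.report.network.UDP{@port}`, `wildfire.file_info.size` and `wildfire.task_info.report.size` are declared with `"type": "string"`, whereas the entries they replace (`wildfire.report.network.tcp-connection{@port}`, `wildfire.report.size`) were `"type": "number"`. If pivots are expected to apply numeric comparisons to these values (port ranges, file-size thresholds on WildFire verdicts), `"type": "number"` is what keeps that working; if string typing is deliberate because the raw values are not always numeric, a line in the commit message saying so would help the next reviewer. `after_change` and `before_change` are also the only re-added entries that keep `"hidden": true` while the surrounding ones flip to `false`, which looks intentional but is worth confirming. The enclosing JSON array starts and ends outside the hunk.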
@@ -29896,758 +31744,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": true, + "hidden": false, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "server_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "src_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "src_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "client_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "client_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + 
"type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "url", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "threat_name", "owner": "log", "type": "string", "required": false, "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "after_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cloud_address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "file_digest", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "file_digest", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pcap_id", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, + { + 
"fieldName": "wildfire.file_info.filetype", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "wildfire.file_info.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "wildfire.file_info.size", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.id", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.id", 
"comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": true, - "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "wildfire.report.network.tcp-connection{@port}", - "owner": "log", - "type": "number", + "type": "string", "required": 
false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": 
false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" 
}, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": 
"wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": 
false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" 
}, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": 
"wildfire.version", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "file_digest", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "pcap_id", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": false, + "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
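Review bot: The renamed `wildfire.task_info.report.size` and `wildfire.task_info.report.network.TCP{@port}` fields are declared `"type": "string"` in this hunk, while the `wildfire.report.size` and `wildfire.report.network.tcp-connection{@port}` entries they replace were `"type": "number"` (the same number-to-string switch appears for `wildfire.task_info.report.timeline.entry{@seq}`). If these values are still numeric in the WildFire reports, keeping `"type": "number"` would preserve range comparisons and numeric aggregations in pivots over this dataset; `after_change`, `before_change` and `pcap_id` in the same hunk do stay `"number"`, so the inconsistency looks unintended rather than a deliberate schema choice. The hunk that follows appears to repeat the same field set for a second dataset, so whichever type is settled on should be mirrored there. The enclosing field array begins and ends outside this hunk.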
@@ -31939,758 +33919,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "client_location", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "server_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_location", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "server_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "src_class", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "src_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "client_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "client_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "user", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", 
+ "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "filename", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "filename", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "major_content_type", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "major_content_type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "url", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "url", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "threat_name", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "after_change", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "before_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cloud_address", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "cloud_address", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@written_file}", + "fieldName": "file_digest", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - 
"displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "file_digest", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "pcap_id", "owner": "log", "type": "number", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.filetype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.file_info.filetype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.malware", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.file_info.malware", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.md5", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.file_info.md5", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.sha256", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "wildfire.id", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": 
"wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@type}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", 
"fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - 
"fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": 
"wildfire.task_info.report.platform", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - 
"displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, 
"editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": 
"wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": 
"wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.size", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", - "type": "number", + "type": 
"string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", "type": 
"string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.software", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.software", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.summary.entry", "owner": "log", "type": "string", "required": false, 
"multivalue": false, "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.summary.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.timeline.entry", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "threat_name", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "after_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "after_change", - "comment": "", - "fieldSearch": "" - }, - { - "fieldName": "before_change", - "owner": "log", - "type": "number", - "required": false, - "multivalue": false, - "hidden": false, - "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.timeline.entry", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.version", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.version", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.version", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, 
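Review bot: The `hidden` flag drifts between what looks like the same field list repeated per data-model object: in this hunk `after_change` and `before_change` keep `"hidden": false` while every other field in the object is `"hidden": true`, yet in the hunk that follows the same two fields are `"hidden": true` and `dst_class` is the one left at `"hidden": false`. If the lists are meant to be parallel, one of these is a copy/paste mismatch; if the visibility differences are intentional per object, that intent is not recorded anywhere in the file (the `comment` field is empty on every entry). Either pin the flags to one value or fill `comment` on the deliberately visible entries, e.g. `"comment": "shown by default in this object; intentional"`. The `type` flips from `number` to `string` on the `TCP{@port}` and `registry.Set{@data}` entries are presumably intentional since the renamed fields are new, but they will change how any existing search that compares these numerically behaves, which is worth a line in the commit message. The enclosing JSON array starts and ends outside this hunk.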
@@ -33982,758 +36094,890 @@ "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@deleted_file}", + "fieldName": "client_location", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@deleted_file}", + "displayName": "client_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@pid}", + "fieldName": "dst_class", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "dst_class", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "server_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@pid}", + "displayName": "server_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_deleted{@process_image}", + "fieldName": "server_location", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_deleted{@process_image}", + "displayName": "server_location", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@pid}", + "fieldName": "src_class", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@pid}", + "displayName": "src_class", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.file.file_written{@process_image}", + "fieldName": "client_ip", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@process_image}", + "displayName": "client_ip", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.file.file_written{@written_file}", + "fieldName": "user", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.file.file_written{@written_file}", + "displayName": "user", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.id", + "fieldName": "filename", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.id", + "displayName": "filename", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.malware", + "fieldName": "major_content_type", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.malware", + "displayName": "major_content_type", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.md5", + "fieldName": "url", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.md5", + "displayName": "url", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.dns{@query}", + "fieldName": "threat_name", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@query}", + "displayName": "threat_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "after_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "after_change", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "before_change", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "before_change", "comment": "", "fieldSearch": "" }, { - "fieldName": 
"wildfire.report.network.dns{@type}", + "fieldName": "cloud_address", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.dns{@type}", + "displayName": "cloud_address", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@ip}", + "fieldName": "file_digest", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@ip}", + "displayName": "file_digest", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@pid}", + "fieldName": "pcap_id", "owner": "log", "type": "number", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@pid}", + "displayName": "pcap_id", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.file_info.filetype", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.file_info.filetype", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@port}", + "fieldName": "wildfire.file_info.malware", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@port}", + "displayName": "wildfire.file_info.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.tcp-connection{@process_image}", + "fieldName": "wildfire.file_info.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.tcp-connection{@process_image}", + "displayName": "wildfire.file_info.md5", "comment": "", "fieldSearch": "" }, { - 
"fieldName": "wildfire.report.network.TCP{@country}", + "fieldName": "wildfire.file_info.sha256", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@country}", + "displayName": "wildfire.file_info.sha256", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@ip}", + "fieldName": "wildfire.file_info.size", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@ip}", + "displayName": "wildfire.file_info.size", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.TCP{@port}", + "fieldName": "wildfire.id", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.TCP{@port}", + "displayName": "wildfire.id", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@country}", + "fieldName": "wildfire.task_info.report.malware", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@country}", + "displayName": "wildfire.task_info.report.malware", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@ip}", + "fieldName": "wildfire.task_info.report.md5", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@ip}", + "displayName": "wildfire.task_info.report.md5", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.UDP{@port}", + "fieldName": "wildfire.task_info.report.network.TCP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.UDP{@port}", + 
"displayName": "wildfire.task_info.report.network.TCP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@host}", + "fieldName": "wildfire.task_info.report.network.TCP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@host}", + "displayName": "wildfire.task_info.report.network.TCP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@method}", + "fieldName": "wildfire.task_info.report.network.TCP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@method}", + "displayName": "wildfire.task_info.report.network.TCP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@uri}", + "fieldName": "wildfire.task_info.report.network.UDP{@country}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@uri}", + "displayName": "wildfire.task_info.report.network.UDP{@country}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.network.url{@user_agent}", + "fieldName": "wildfire.task_info.report.network.UDP{@ip}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.network.url{@user_agent}", + "displayName": "wildfire.task_info.report.network.UDP{@ip}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_pid}", + "fieldName": "wildfire.task_info.report.network.UDP{@port}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_pid}", + "displayName": 
"wildfire.task_info.report.network.UDP{@port}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@child_process_image}", + "fieldName": "wildfire.task_info.report.network.dns{@query}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@child_process_image}", + "displayName": "wildfire.task_info.report.network.dns{@query}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_pid}", + "fieldName": "wildfire.task_info.report.network.dns{@response}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_pid}", + "displayName": "wildfire.task_info.report.network.dns{@response}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_created{@parent_process_image}", + "fieldName": "wildfire.task_info.report.network.dns{@type}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_created{@parent_process_image}", + "displayName": "wildfire.task_info.report.network.dns{@type}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_pid}", + "fieldName": "wildfire.task_info.report.network.url{@host}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_pid}", + "displayName": "wildfire.task_info.report.network.url{@host}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@child_process_image}", + "fieldName": "wildfire.task_info.report.network.url{@method}", "owner": "log", "type": "string", 
"required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@child_process_image}", + "displayName": "wildfire.task_info.report.network.url{@method}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_pid}", + "fieldName": "wildfire.task_info.report.network.url{@uri}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_pid}", + "displayName": "wildfire.task_info.report.network.url{@uri}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.process.process_terminated{@parent_process_image}", + "fieldName": "wildfire.task_info.report.network.url{@user_agent}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.process.process_terminated{@parent_process_image}", + "displayName": "wildfire.task_info.report.network.url{@user_agent}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@pid}", + "fieldName": "wildfire.task_info.report.platform", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@pid}", + "displayName": "wildfire.task_info.report.platform", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.file.Create{@name}", "comment": "", "fieldSearch": "" }, { - 
"fieldName": "wildfire.report.registry.DeleteKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.file.Delete{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@pid}", + "fieldName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.mutex.CreateMutex{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.DeleteValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@child_process_image}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@pid}", + "fieldName": 
"wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@pid}", + "displayName": "wildfire.task_info.report.process_list.process.process_activity.Create{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@process_image}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@process_image}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.registry.SetValueKey{@reg_key}", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.registry.SetValueKey{@reg_key}", + "displayName": "wildfire.task_info.report.process_list.process.registry.Create{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.sha256", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.sha256", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@data}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.size", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": 
"wildfire.report.size", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@key}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.summary.entry", + "fieldName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.summary.entry", + "displayName": "wildfire.task_info.report.process_list.process.registry.Set{@subkey}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.task", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.task", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "wildfire.report.version", + "fieldName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "wildfire.report.version", + "displayName": "wildfire.task_info.report.process_list.process.service.Create{@path}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_location", + "fieldName": "wildfire.task_info.report.process_list.process{@command}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "client_location", + "displayName": "wildfire.task_info.report.process_list.process{@command}", "comment": "", "fieldSearch": "" }, { - "fieldName": "dst_class", + "fieldName": "wildfire.task_info.report.process_list.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, - "hidden": false, + "hidden": 
true, "editable": true, - "displayName": "dst_class", + "displayName": "wildfire.task_info.report.process_list.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_ip", + "fieldName": "wildfire.task_info.report.process_list.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "server_ip", + "displayName": "wildfire.task_info.report.process_list.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "server_location", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "server_location", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "src_class", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "src_class", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "client_ip", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "client_ip", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "user", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "owner": "log", "type": "string", "required": 
false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "user", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "filename", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "filename", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "major_content_type", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "major_content_type", + "displayName": "wildfire.task_info.report.process_tree.process.child.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "url", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "url", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "threat_name", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "threat_name", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "after_change", + "fieldName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "owner": "log", - "type": "number", + "type": "string", "required": false, 
"multivalue": false, "hidden": true, "editable": true, - "displayName": "after_change", + "displayName": "wildfire.task_info.report.process_tree.process.child.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "before_change", + "fieldName": "wildfire.task_info.report.process_tree.process{@name}", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "before_change", + "displayName": "wildfire.task_info.report.process_tree.process{@name}", "comment": "", "fieldSearch": "" }, { - "fieldName": "cloud_address", + "fieldName": "wildfire.task_info.report.process_tree.process{@pid}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "cloud_address", + "displayName": "wildfire.task_info.report.process_tree.process{@pid}", "comment": "", "fieldSearch": "" }, { - "fieldName": "file_digest", + "fieldName": "wildfire.task_info.report.process_tree.process{@text}", "owner": "log", "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "file_digest", + "displayName": "wildfire.task_info.report.process_tree.process{@text}", "comment": "", "fieldSearch": "" }, { - "fieldName": "pcap_id", + "fieldName": "wildfire.task_info.report.sha256", "owner": "log", - "type": "number", + "type": "string", "required": false, "multivalue": false, "hidden": true, "editable": true, - "displayName": "pcap_id", + "displayName": "wildfire.task_info.report.sha256", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.size", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.size", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.software", + "owner": "log", + "type": "string", + 
"required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.software", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.summary.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.summary.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.timeline.entry", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.timeline.entry", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.timeline.entry{@seq}", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.timeline.entry{@seq}", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.task_info.report.version", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.task_info.report.version", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "wildfire.version", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": true, + "editable": true, + "displayName": "wildfire.version", "comment": "", "fieldSearch": "" }, diff --git a/default/data/ui/views/wildfire_overview.xml b/default/data/ui/views/wildfire_overview.xml index ce0ec07a..f7a406a6 100644 --- a/default/data/ui/views/wildfire_overview.xml +++ b/default/data/ui/views/wildfire_overview.xml @@ -111,7 +111,7 @@
Possible Malware Traffic - | `tstats` count(traffic) FROM `node(log.traffic)` $src_ip$ $dst_ip$ $user$ $misc$ $vsys$ $app$ groupby _time log.traffic.dst_ip_port log.dst_ip log.dst_port log.src_ip log.user log.app | rename log.traffic.dst_ip_port AS ip_port | join type=inner ip_port [ | `tstats` count(log.wildfire_report) FROM datamodel="pan_logs" WHERE earliest=-1y latest=now nodename="log.wildfire_report" groupby log.wildfire.report.id log.wildfire_report.tcp_ip_port | rename log.wildfire_report.tcp_ip_port AS ip_port ] | dedup 1 log.src_ip log.user ip_port log.app | eval "Traffic Link" = "View Traffic Logs" | eval "WildFire Link" = "View WildFire Report" | table _time log.src_ip log.user log.dst_ip log.dst_port log.app log.wildfire.report.id "Traffic Link" "WildFire Link" | rex mode=sed field=ip_port "s/,/:/" | rename log.src_ip AS Source | rename log.dst_ip AS "Dest IP" | rename log.dst_port AS "Dest Port" | rename log.user AS User | rename log.app AS Application | rename log.wildfire.report.id AS "WildFire Report ID" | sort -_time + | `tstats` count(traffic) FROM `node(log.traffic)` $src_ip$ $dst_ip$ $user$ $misc$ $vsys$ $app$ groupby _time log.traffic.dst_ip_port log.dst_ip log.dst_port log.src_ip log.user log.app | rename log.traffic.dst_ip_port AS ip_port | join type=inner ip_port [ | `tstats` count(log.wildfire_report) FROM datamodel="pan_logs" WHERE earliest=-1y latest=now nodename="log.wildfire_report" groupby log.wildfire.id log.wildfire_report.tcp_ip_port | rename log.wildfire_report.tcp_ip_port AS ip_port ] | dedup 1 log.src_ip log.user ip_port log.app | eval "Traffic Link" = "View Traffic Logs" | eval "WildFire Link" = "View WildFire Report" | table _time log.src_ip log.user log.dst_ip log.dst_port log.app log.wildfire.id "Traffic Link" "WildFire Link" | rex mode=sed field=ip_port "s/,/:/" | rename log.src_ip AS Source | rename log.dst_ip AS "Dest IP" | rename log.dst_port AS "Dest Port" | rename log.user AS User | rename log.app AS Application | 
rename log.wildfire.id AS "WildFire Report ID" | sort -_time$earliest$$latest$
@@ -175,7 +175,7 @@
diff --git a/default/props.conf b/default/props.conf
index afeb679f..95fddf52 100755
--- a/default/props.conf
+++ b/default/props.conf
@@ -75,11 +75,11 @@ KV_MODE = xml
 LINE_BREAKER = ((?!))
 SHOULD_LINEMERGE = false
 TRUNCATE = 0
-FIELDALIAS-tcp_ip_for_pan_wildfire_report = wildfire.report.network.TCP{@ip} as tcp_ip
-FIELDALIAS-tcp_port_for_pan_wildfire_report = wildfire.report.network.TCP{@port} as tcp_port
-FIELDALIAS-udp_ip_for_pan_wildfire_report = wildfire.report.network.UDP{@ip} as udp_ip
-FIELDALIAS-udp_port_for_pan_wildfire_report = wildfire.report.network.UDP{@port} as udp_port
-FIELDALIAS-id_for_pan_wildfire_report = wildfire.report.id as report_id
+FIELDALIAS-tcp_ip_for_pan_wildfire_report = wildfire.task_info.report.network.TCP{@ip} as tcp_ip
+FIELDALIAS-tcp_port_for_pan_wildfire_report = wildfire.task_info.report.network.TCP{@port} as tcp_port
+FIELDALIAS-udp_ip_for_pan_wildfire_report = wildfire.task_info.report.network.UDP{@ip} as udp_ip
+FIELDALIAS-udp_port_for_pan_wildfire_report = wildfire.task_info.report.network.UDP{@port} as udp_port
+FIELDALIAS-id_for_pan_wildfire_report = wildfire.id as report_id
 EVAL-tcp_ip_port = mvzip(tcp_ip,tcp_port)
 EVAL-udp_ip_port = mvzip(udp_ip,udp_port)
From c2dabdfa5afc5215c8df26ffa1e7b7cbc1707677 Mon Sep 17 00:00:00 2001
From: Brian Torres-Gil
Date: Wed, 21 May 2014 15:06:16 -0700
Subject: [PATCH 11/16] When both src_user and dst_user are NULL, set 'user' to 'unknown'. This allows for better handling of dashboard data.
---
 default/props.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/default/props.conf b/default/props.conf
index 95fddf52..e19eea46 100755
--- a/default/props.conf
+++ b/default/props.conf
@@ -23,7 +23,7 @@ FIELDALIAS-dest-port_for_pan_threat = dst_port as dest_port
 FIELDALIAS-rule_name_for_pan_threat = rule_name as rule
 FIELDALIAS-report_id_for_pan_threat = threat_id as report_id
 FIELDALIAS-url_for_pan_threat = misc as url
-EVAL-user = coalesce(src_user,dst_user)
+EVAL-user = coalesce(src_user,dst_user,"unknown")
 EVAL-server_ip = if(isnull(direction) OR direction="client-to-server", dst_ip, src_ip)
 EVAL-client_ip = if(isnull(direction) OR direction="client-to-server", src_ip, dst_ip)
 EVAL-server_location = if(isnull(direction) OR direction="client-to-server", dst_location, src_location)
@@ -43,7 +43,7 @@ FIELDALIAS-src_for_pan_traffic = src_ip as src
 FIELDALIAS-dest_for_pan_traffic = dst_ip as dest
 FIELDALIAS-dest-port_for_pan_traffic = dst_port as dest_port
 FIELDALIAS-rule_name_for_pan_traffic = rule_name as rule
-EVAL-user = coalesce(src_user,dst_user)
+EVAL-user = coalesce(src_user,dst_user,"unknown")
 EVAL-server_ip = if(isnull(direction) OR direction="client-to-server", dst_ip, src_ip)
 EVAL-client_ip = if(isnull(direction) OR direction="client-to-server", src_ip, dst_ip)
 EVAL-server_location = if(isnull(direction) OR direction="client-to-server", dst_location, src_location)
From 9e6bec4c6071bd67277b5fd4f79df34e0b493ae3 Mon Sep 17 00:00:00 2001
From: Brian Torres-Gil
Date: Wed, 21 May 2014 15:40:48 -0700
Subject: [PATCH 12/16] Change to dashboard form formatting to better work with Splunk 6.1.1
---
 appserver/static/dashboard.css | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/appserver/static/dashboard.css b/appserver/static/dashboard.css
index 06eb7af5..2696bef9 100644
--- a/appserver/static/dashboard.css
+++ b/appserver/static/dashboard.css
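Review bot: The literal `"unknown"` now lands in `user` for every pan_threat and pan_traffic event that carries neither src_user nor dst_user, and nothing downstream can tell it apart from a real account named unknown — it will be grouped, looked up and alerted on like any other username. If the aim is only dashboard rendering, consider leaving the field null and adding `fillnull value=unknown user` to the dashboard searches instead, which keeps the sentinel out of the search-time field that other searches and apps consume. If the sentinel is kept, document it next to each EVAL so the dependency is visible: `# user is never null: "unknown" marks events with neither src_user nor dst_user; dashboards rely on this`.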
@@ -25,10 +25,11 @@ } */ -/* Shrink the form text inputs*/ -input, textarea, .uneditable-input { +/* Shrink the form text inputs */ +/* Removed because Splunk 6.1 spaces the fields differently */ +/*input, textarea, .uneditable-input { width: 120px; -} +}*/ /* Make the Search button on each dashboard blue instead of green */ From d9cfdcf4dc9ae2f32e23a4252859d45257e131f5 Mon Sep 17 00:00:00 2001 From: Brian Torres-Gil Date: Wed, 21 May 2014 15:56:29 -0700 Subject: [PATCH 13/16] Better debugging and error handling for some custom commands. Fixed error when adding a tag that already exists. --- bin/panTag.py | 79 ++++++++++++++++++++++++++++++------------ bin/retrieveNewApps.py | 3 +- 2 files changed, 59 insertions(+), 23 deletions(-) diff --git a/bin/panTag.py b/bin/panTag.py index 0a8f369c..13fd1497 100644 --- a/bin/panTag.py +++ b/bin/panTag.py @@ -26,9 +26,9 @@ ############################################ # How to Use this script # in the example below, we are blocking all ip's returned by the search -# example1: index=pan_logs 1.1.1.1 | stats dc(dst_ip) by dst_ip | panblock action="add" tag="malware-infected" device="1.0.0.1" +# example1: index=pan_logs 1.1.1.1 | stats dc(dst_ip) by dst_ip | pantag action="add" tag="malware-infected" device="1.0.0.1" # Adds a 'malware-infected' tag to the IP 1.1.1.1 on the firewall with ip 1.0.0.1 -# example2: index=pan_logs wine | stats dc(dst_ip) by dst_ip | panblock action="rem" group="shairpoint" device="sales-fw" +# example2: index=pan_logs wine | stats dc(dst_ip) by dst_ip | pantag action="rem" group="shairpoint" device="sales-fw" # Removes the 'shairpoint' tag from all dst_ip returned by the search on the firewall with hostname sales-fw ########################################### 
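Review bot: The rule is commented out rather than deleted, which leaves dead CSS that every future reader has to evaluate while version control already preserves the old selector. Keeping only the explanation is enough, e.g. `/* Form text inputs are no longer shrunk: Splunk 6.1 spaces the fields differently */`, and dropping the commented `input, textarea, .uneditable-input { ... }` block entirely.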
@@ -40,35 +40,55 @@ ########################################### ############################# -# Change the values below to suit your PAN configuration +# Change the values below to suit your PAN configuration, or +# supply these values in the Splunk search bar. +# # WARNING!!!! Password is stored in clear text. +# It is recommended to leave PANUSER and PANPASS commented out, +# and user the app configuration screen to provide these instead. ############################# + # firewall IP. you can provide this via the device parameter PAN = '192.168.4.100' -# admin account for the PAN device + +# Admin account for the PAN device #PANUSER = 'admin' -# password for the admin user. -# any special characters in the password must be URL/percent-encoded. + +# Password for the admin user. +# Any special characters in the password must be URL/percent-encoded. #PANPASS = 'admin' + # Defaults to vsys1. vsys substition is not supported at this time VSYS = 'vsys1' + # Name of the address group for bad actors TAG = 'bad-actor' + +# Add or Remove the tag (add or rem) ACTION = 'add' + # This is a default actor. ACTOR = '1.1.1.1' -# The field to grab the IP from -FIELD = None + # if you DO want to go through a proxy, e.g., HTTP_PROXY={squid:'2.2.2.2'} HTTP_PROXY = {} -# Fields that contain IP addresses and should be tagged if they exist + +# Default fields that contain IP addresses and should be tagged if they exist IP_FIELDS = ['src_ip', 'dst_ip', 'ip'] +# Enable debugging (script is otherwise silent unless there is an error) +DEBUG = False + ######################################################### # Do NOT modify anything below this line unless you are # certain of the ramifications of the changes ######################################################### +import splunk.mining.dcutils as dcu + +logger = dcu.getLogger().getChild('panTag') +logger.setLevel(20) + try: import splunk.Intersplunk # so you can interact with Splunk import splunk.entity as entity # for splunk config info 
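Review bot: `logger.setLevel(20)` encodes the level as a bare number; `logging.INFO` (stdlib, with `import logging`) says the same thing and pairs with the `logger.setLevel(10)` later in this patch, which should become `logging.DEBUG`. The new header text also has a typo: `and user the app configuration screen` should read `and use the app configuration screen`. Note that `import splunk.mining.dcutils as dcu` now sits outside the guarded `try:` below, so a failure of that import surfaces as a bare traceback rather than through the parseError path; that looks intentional because the handler itself needs `logger`, but it deserves a line such as `# imported outside the try: the except handler below relies on logger`.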
@@ -76,23 +96,21 @@ import sys # for system params and sys.exit() import os import re # regular expressions checks in PAN messages - import splunk.mining.dcutils as dcu import traceback libpath = os.path.dirname(os.path.abspath(__file__)) sys.path[:0] = [os.path.join(libpath, 'lib')] import pandevice + import pan.xapi except Exception, e: - stack = traceback.format_exc() + stack = traceback.format_exc() + logger.warn(stack) if isgetinfo: splunk.Intersplunk.parseError(str(e)) - results = splunk.Intersplunk.generateErrorResults(str(e)) - logger.warn(stack) -logger = dcu.getLogger() ## Major props to Ledion. copying his function, verbatim and then adding comments and traceback and logging @@ -106,7 +124,7 @@ def getCredentials(sessionKey): # list all credentials entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey) except Exception, e: - stack = traceback.format_exc() + stack = traceback.format_exc() logger.warn(stack) logger.warn("entity exception") raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e))) @@ -131,6 +149,14 @@ def tag(device, add_remove, ip_addresses, tag): args, kwargs = splunk.Intersplunk.getKeywordsAndOptions() + +if 'debug' in kwargs: + logger.info("Debugging enabled") + DEBUG = kwargs['debug'] + +if DEBUG: + logger.setLevel(10) + #parse the kwargs for ACTION, VSYS, PAN if kwargs.has_key('action'): ACTION = kwargs['action'] @@ -145,7 +171,9 @@ def tag(device, add_remove, ip_addresses, tag): if kwargs.has_key('tag'): TAG = kwargs['tag'] if kwargs.has_key('field'): - FIELD = kwargs['field'] + field = kwargs['field'] +else: + field = None # an empty dictionary. it will be used to hold system values settings = dict() 
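Review bot: When the imports fail and `isgetinfo` is false, the handler now only logs the stack and lets the script run on; with the `results = splunk.Intersplunk.generateErrorResults(str(e))` line removed nothing reports the failure, and the later `except pan.xapi.PanXapiError` clause in this patch would itself raise NameError because `pan` is unbound. Re-raising after the log keeps the failure visible, e.g. an `else:` / `raise` pair under the `if isgetinfo:` branch. `isgetinfo` is assigned outside this hunk, so confirm it is always bound before this point.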
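Review bot: `DEBUG = kwargs['debug']` stores the raw search-bar string, so `debug=false` or `debug=0` is a non-empty string, `if DEBUG:` is true and debug logging switches on; the retrieveNewApps.py hunk in this patch has the same assignment. Normalising the value fixes both, `DEBUG = str(kwargs['debug']).strip().lower() in ('1', 'true', 'yes')`. The `logger.info("Debugging enabled")` line should then move under `if DEBUG:` so it is only emitted when debugging is actually on.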
@@ -167,8 +195,8 @@ def tag(device, add_remove, ip_addresses, tag): try: for result in results: - if FIELD and FIELD in result: - ADDRESSES.append(result[FIELD]) + if field and field in result: + ADDRESSES.append(result[field]) else: for field in IP_FIELDS: if field in result: @@ -180,13 +208,20 @@ def tag(device, add_remove, ip_addresses, tag): tag(device, ACTION, ADDRESSES, TAG) -except Exception, e: - stack = traceback.format_exc() - if isgetinfo: +except pan.xapi.PanXapiError, e: + if re.search(r"tag [^ ]* already exists, ignore", str(e)): + pass + else: + stack = traceback.format_exc() + logger.warn(stack) splunk.Intersplunk.parseError(str(e)) + results = splunk.Intersplunk.generateErrorResults(str(e)) - results = splunk.Intersplunk.generateErrorResults(str(e)) +except Exception, e: + stack = traceback.format_exc() logger.warn(stack) + splunk.Intersplunk.parseError(str(e)) + results = splunk.Intersplunk.generateErrorResults(str(e)) # output results splunk.Intersplunk.outputResults(results) diff --git a/bin/retrieveNewApps.py b/bin/retrieveNewApps.py index a69c64bc..2d350b8c 100644 --- a/bin/retrieveNewApps.py +++ b/bin/retrieveNewApps.py @@ -56,7 +56,8 @@ def retrieveNewApps(): sessionKey = settings['sessionKey'] try: - DEBUG = True if 'debug' in kwargs else False + if 'debug' in kwargs: + DEBUG = kwargs['debug'] # setup the logger. $SPLUNK_HOME/var/log/splunk/python.log logger = dcu.getLogger().getChild('retrieveNewApps') From 614df1381da65a2d038dbd43d78e0533209c1d67 Mon Sep 17 00:00:00 2001 From: Brian Torres-Gil Date: Wed, 21 May 2014 16:21:34 -0700 Subject: [PATCH 14/16] Traffic Dashboard: minor change to field for more accurate results. --- default/data/ui/views/traffic_overview.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default/data/ui/views/traffic_overview.xml b/default/data/ui/views/traffic_overview.xml index 39e913f2..8b6d9c55 100644 --- a/default/data/ui/views/traffic_overview.xml 
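Review bot: Renaming `FIELD` to `field` introduces a shadowing bug: the inner `for field in IP_FIELDS:` rebinds the same name, so after the first result that takes the `else` branch `field` is `'ip'` for every following result, and `if field and field in result:` then appends only `result['ip']` instead of scanning all of IP_FIELDS. Give the loop its own name, `for candidate in IP_FIELDS:` / `if candidate in result:`, and rename its uses in the loop body, which continues outside this hunk.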
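Review bot: The already-exists case is decided by a regex over the device's error text, `re.search(r"tag [^ ]* already exists, ignore", str(e))`, which ties correctness to the exact wording the firewall returns and will silently fall through to the error path if a later PAN-OS phrases it differently; the bare `pass` also leaves no trace of the skipped tag even with `debug` on. Log it instead, `logger.debug("Tag already exists, ignoring: %s" % str(e))`, and add a comment above the regex recording which PAN-OS release produced this message. The two error branches also repeat the same four lines; a small helper taking `e` and `stack` would remove the duplication.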
+++ b/default/data/ui/views/traffic_overview.xml @@ -106,7 +106,7 @@ Applications by Bytes Transfered - | `tstats` sum(log.bytes_received) AS sbr sum(log.bytes_sent) AS sbs FROM `node(log.traffic.end)` $action$ $src_ip$ $dst_ip$ $dst_port$ $user$ $app$ groupby log.app | eval sumBytes = sbr + sbs | stats values(sumBytes) AS Bytes by log.app | `top(50)` + | `tstats` sum(log.bytes_received) AS sbr sum(log.bytes_sent) AS sbs FROM `node(log.traffic.end)` $action$ $src_ip$ $dst_ip$ $dst_port$ $user$ $app$ groupby log.app | eval sumBytes = sbr + sbs | stats values(sumBytes) AS Bytes by log.app | sort -Bytes | head 50 $earliest$ $latest$ From be862ca676a9c50450a44f9329481b245dd329ef Mon Sep 17 00:00:00 2001 From: Brian Torres-Gil Date: Wed, 21 May 2014 20:38:36 -0700 Subject: [PATCH 15/16] WildFire Dashboard: fix drilldown issue --- default/data/ui/views/wildfire_overview.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/default/data/ui/views/wildfire_overview.xml b/default/data/ui/views/wildfire_overview.xml index f7a406a6..0f891543 100644 --- a/default/data/ui/views/wildfire_overview.xml +++ b/default/data/ui/views/wildfire_overview.xml @@ -133,11 +133,6 @@ - - - + + +
From c121c801e0efafdf01780c93b39e3b99d4e46a5a Mon Sep 17 00:00:00 2001 From: Brian Torres-Gil Date: Wed, 21 May 2014 20:51:37 -0700 Subject: [PATCH 16/16] Update version to 4.1.1 and update readme file. --- README.md | 17 +++++++++++++---- default/app.conf | 2 +- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 5c779807..a7580c5c 100644 --- a/README.md +++ b/README.md @@ -11,8 +11,8 @@ Networks Firewall #### Latest Version #### * Splunk Version: 6.x -* App Version: 4.1 -* Last Modified: Apr 2013 +* App Version: 4.1.1 +* Last Modified: May 2014 * Authors: * Monzy Merza - Splunk, Inc. * Brian Torres-Gil - Palo Alto Networks @@ -93,9 +93,18 @@ If you have customized the built-in dashboards of a previous app version, then t ## What's new in this version ## -Version 4.1 +If upgrading from 3.x, please read the __Upgrade Notes__ above. + +Version 4.1.1 -If upgrading from a previous version, please read the __Upgrade Notes__ above. +- Handle new fields in latest PAN-OS syslogs and WildFire reports +- Significant improvements to indexing efficiency +- Improved handling of Dynamic Address Group tagging +- Improvements and minor updates for Splunk 6.1.x +- Fix minor dashboard issues +- Fix minor field parsing issue + +Version 4.1 - PAN-OS Data model including acceleration - Data model accelerated dashboards (replaces TSIDX-based dashboards) diff --git a/default/app.conf b/default/app.conf index 59f61133..b1d91408 100755 --- a/default/app.conf +++ b/default/app.conf @@ -5,7 +5,7 @@ label = Splunk for Palo Alto Networks [launcher] author= btorres-gil@paloaltonetworks.com description= The Splunk for Palo Alto Networks app is a set of field extractions, reports, lookups and dashboards which provide visibility into the Palo Alto Networks Firewall data. -version = 4.1 +version = 4.1.1 [package] id= SplunkforPaloAltoNetworks