|
| 1 | +type: object |
| 2 | +required: |
| 3 | +- id |
| 4 | +- name |
| 5 | +- description |
| 6 | +properties: |
| 7 | + id: |
| 8 | + type: string |
| 9 | + description: "Unique filter identifier, in order to allow future updates. Can be any string, but should contain only alfanumeric digits and dashes (e.g. uuid). This is read-only field and honored only during initial POST." |
| 10 | + create_timestamp: |
| 11 | + type: string |
| 12 | + format: "date-time" |
| 13 | + description: "Date of creation of this filter. This is read-only field." |
| 14 | + modify_timestamp: |
| 15 | + type: string |
| 16 | + format: "date-time" |
| 17 | + description: "Date of last modification of this filter. This is read-only field." |
| 18 | + create_user_id: |
| 19 | + type: integer |
| 20 | + description: "ID of user that created this filter. This is a read-only field." |
| 21 | + modify_user_id: |
| 22 | + type: integer |
| 23 | + description: "ID of user that last modified this filter. This is a read-only field." |
| 24 | + version: |
| 25 | + type: integer |
| 26 | + description: "Optional version of the filter (not used yet)" |
| 27 | + priority: |
| 28 | + type: integer |
| 29 | + description: "Optional - Priority of the filter. Higher priority filters are guaranteed to be used first. Negative priorities can be used as well. Default priority is 0" |
| 30 | + internal: |
| 31 | + type: boolean |
| 32 | + description: "This field is not used yet. Can be omitted." |
| 33 | + enabled: |
| 34 | + type: boolean |
| 35 | + description: "Optional - True enables the filter (defaults to True)" |
| 36 | + filter_on_sensor: |
| 37 | + type: boolean |
| 38 | + description: "True to push this filter to sensor. Note that, if filter was was pushed to sensor, it will not be enforced on the server. Note that only certain filters can be pushed to sensors today without loss of functionality. Defaults to False." |
| 39 | + filter_on_server: |
| 40 | + type: boolean |
| 41 | + description: "True to filter on server. Defaults to true. If false, server will treat this filter as pass-through (disabled)." |
| 42 | + track_metrics: |
| 43 | + type: boolean |
| 44 | + description: "Optional - True to capture metrics for this filter even when disabled. Defaults to true. Note: If we are metering disabled filter, we will resort to metering small sample set to reduce performance impact" |
| 45 | + hit_rate: |
| 46 | + type: float |
| 47 | + description: "Read Only - measured 15-min hit rate for a given filter as a rate (e.g. 0.01 equals to 1% hit rate). Note that this metrics will be available only for filters that are enabled or have trackMetrics turned on. Also, this metrics counts hit rate of the process, based on pathFilters, commandLineFilters and md5Filters. It doesn't take into the account the individual event hit rate." |
| 48 | + name: |
| 49 | + type: string |
| 50 | + description: "Name of this filter" |
| 51 | + description: |
| 52 | + type: string |
| 53 | + description: "Description of this filter - displayed in the UI" |
| 54 | + os_mask: |
| 55 | + type: integer |
| 56 | + description: "Optional - Which OS should this filter apply to (bitfield mask: 1:windows, 2:osx, 4:linux). Defaults to 7 (all OSs)" |
| 57 | + global: |
| 58 | + type: boolean |
| 59 | + description: "Optional - True to apply to all sensor groups. Defaults to true. If this is true, then sensor_ids and group_ids are ignored." |
| 60 | + group_ids: |
| 61 | + type: array |
| 62 | + description: "Optional - List of sensor group Ids where this filter applies to (if global == false). Defaults to empty list. Ignored if 'global' is true." |
| 63 | + items: |
| 64 | + type: integer |
| 65 | + sensor_ids: |
| 66 | + type: array |
| 67 | + description: "Optional - Array of sensor ids where filter applies (applies to all sensors in selected groups if empty). Ignored if 'global' is true." |
| 68 | + items: |
| 69 | + type: integer |
| 70 | + path_filters: |
| 71 | + type: array |
| 72 | + description: "Optional - Array of process path filters to use (supports globbing or regex patterns)." |
| 73 | + items: |
| 74 | + type: string |
| 75 | + command_line_filters: |
| 76 | + type: array |
| 77 | + description: "Optional - Array of command line filters to use. Can use regex patterns" |
| 78 | + items: |
| 79 | + type: string |
| 80 | + md5_filters: |
| 81 | + type: array |
| 82 | + description: "Optional - Array of MD5 checksums. Processes that match these MD5s will be filtered." |
| 83 | + items: |
| 84 | + type: string |
| 85 | + descendant_filtering_level: |
| 86 | + type: integer |
| 87 | + description: "Optional - 0 = filter only matched process, 1 = matched process and immediate children, 2 = matched up to second level of descendants etc. Special value -1 matches all descendants. If not provided, defaults to 0 (matched process only)" |
| 88 | + filter_all_events: |
| 89 | + type: boolean |
| 90 | + description: "Optional - If true, all events will be excluded for a given process (respecting descendant levels). If false, filters (below) will be applied to each event type. Defaults to true" |
| 91 | + regmod_filters: |
| 92 | + type: array |
| 93 | + description: "Optional - Filters are applied to the given event field. Can use regex patterns" |
| 94 | + items: |
| 95 | + type: string |
| 96 | + modload_filters: |
| 97 | + type: array |
| 98 | + description: "Optional - Filters are applied to the given event field. Can use regex patterns" |
| 99 | + items: |
| 100 | + type: string |
| 101 | + filemod_filters: |
| 102 | + type: array |
| 103 | + description: "Optional - Filters are applied to the given event field. Can use regex patterns" |
| 104 | + items: |
| 105 | + type: string |
| 106 | + non_binary_filemod_filters: |
| 107 | + type: array |
| 108 | + description: "Optional - Filters are applied to the given event field. Can use regex patterns" |
| 109 | + items: |
| 110 | + type: string |
| 111 | + netconn_filters: |
| 112 | + type: array |
| 113 | + description: "Optional - Filters are applied to the given event field. Can use regex patterns" |
| 114 | + items: |
| 115 | + type: string |
| 116 | + crossproc_filters: |
| 117 | + type: array |
| 118 | + description: "Optional - Filters are applied to the given event field. Can use regex patterns" |
| 119 | + items: |
| 120 | + type: string |
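Review bot: `hit_rate` (gutter line 46) declares `type: float`, which is not a JSON Schema/OpenAPI type, so validators will reject or silently ignore it; it should read `type: number` with `format: float`. The `id` description promises alphanumerics and dashes but nothing in the schema enforces it, and `md5_filters` items are plain strings — adding `pattern: "^[0-9A-Za-z-]+$"` to `id` and `pattern: "^[0-9a-fA-F]{32}$"` to the md5 items lets the schema reject malformed input before the server sees it. The regex-bearing arrays (`path_filters`, `command_line_filters` and the `*_filters` event arrays) accept unbounded user-supplied patterns; a `maxLength` on the items and `maxItems` on the arrays would bound the cost of compiling and matching them. The `hit_rate` description refers to `trackMetrics`, `pathFilters`, `commandLineFilters` and `md5Filters`, which do not match the snake_case property names defined in this file, and the `filter_on_sensor` text has a duplicated "was was". The file header for this section is outside the visible excerpt.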