deep-security · obpedro · Sep 13, 2022 · Sep 13, 2022 · Sep 13, 2022 · Sep 13, 2022
diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_antimalware_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_antimalware_dashboard.xml
@@ -14,7 +14,7 @@
     <panel>
       <chart>
         <title>Anti-Malware Event History</title>
-        <searchString>sourcetype=deepsecurity-antimalware | timechart count by act limit=10</searchString>
+        <searchString>(sourcetype=deepsecurity-antimalware OR sourcetype=deepsecurity-antimalware:json) | timechart count by action limit=10</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
@@ -44,7 +44,7 @@
     <panel>
       <table>
         <title>Anti-Malware Activity</title>
-        <searchString>sourcetype=deepsecurity-antimalware | top limit=5 cef_rulename | rename cef_rulename as "Malware Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-antimalware OR sourcetype=deepsecurity-antimalware:json) | top limit=5 signature | rename signature as "Malware Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -57,7 +57,7 @@
     <panel>
       <table>
         <title>Anti-Malware Computer Activity</title>
-        <searchString>sourcetype=deepsecurity-antimalware | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-antimalware OR sourcetype=deepsecurity-antimalware:json) | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -68,4 +68,4 @@
       </table>
     </panel>
   </row>
-</form>
+</form>
diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_appcontrol_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_appcontrol_dashboard.xml
@@ -14,7 +14,7 @@
     <panel>
       <chart>
         <title>Application Control Event History</title>
-        <searchString>sourcetype=deepsecurity-app_control | timechart count by act limit=10</searchString>
+        <searchString>(sourcetype=deepsecurity-app_control OR sourcetype=deepsecurity-app_control:json) | timechart count by action limit=10</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
@@ -44,7 +44,7 @@
     <panel>
       <table>
         <title>Application Control Activity</title>
-        <searchString>sourcetype=deepsecurity-app_control | top limit=5 cef_rulename | rename cef_rulename as "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-app_control OR sourcetype=deepsecurity-app_control:json) | top limit=5 signature | rename signature as "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -57,7 +57,7 @@
     <panel>
       <table>
         <title>Application Control Computer Activity</title>
-        <searchString>sourcetype=deepsecurity-app_control | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-app_control OR sourcetype=deepsecurity-app_control:json) | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -68,4 +68,4 @@
       </table>
     </panel>
   </row>
-</form>
+</form>
diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_firewall_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_firewall_dashboard.xml
@@ -15,7 +15,7 @@
       <map>
         <title>Firewall Events by Location</title>
         <search>
-          <query>sourcetype=deepsecurity-firewall src!="N/A" | iplocation src | geostats count by src globallimit=0 | sort -count</query>
+          <query>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) src!="N/A" | iplocation src | geostats count by src globallimit=0 | sort -count</query>
           <earliest>$timeframe.earliest$</earliest>
           <latest>$timeframe.latest$</latest>
         </search>
@@ -35,7 +35,7 @@
     <panel>
       <chart>
         <title>Firewall Event History</title>
-        <searchString>sourcetype=deepsecurity-firewall | timechart count by act limit=10</searchString>
+        <searchString>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) | timechart count by action limit=10</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
@@ -65,7 +65,7 @@
     <panel>
       <table>
         <title>Firewall Activity (Prevented)</title>
-        <searchString>sourcetype=deepsecurity-firewall act="Deny"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) action="blocked"| top limit=5 rule | rename rule AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -78,7 +78,7 @@
     <panel>
       <table>
         <title>Firewall Activity (Detected)</title>
-        <searchString>sourcetype=deepsecurity-firewall act="IDS:Deny"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) (act="IDS:Deny" OR ActionString="Detect Only: Deny") | top limit=5 rule | rename rule AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -93,7 +93,7 @@
     <panel>
       <table>
         <title>Firewall IP Activity (Prevented)</title>
-        <searchString>sourcetype=deepsecurity-firewall act="Deny" src!="N/A"| top limit=5 src  | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) action="blocked" src!="N/A"| top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -106,7 +106,7 @@
     <panel>
       <table>
         <title>Firewall IP Activity (Detected)</title>
-        <searchString>sourcetype=deepsecurity-firewall act="IDS:Deny" src!="N/A"| top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) (act="IDS:Deny" OR ActionString="Detect Only: Deny") src!="N/A" | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -121,7 +121,7 @@
     <panel>
       <table>
         <title>Firewall Computer Activity (Prevented)</title>
-        <searchString>sourcetype=deepsecurity-firewall act="Deny" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) action="blocked" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -134,7 +134,7 @@
     <panel>
       <table>
         <title>Firewall Computer Activity (Detected)</title>
-        <searchString>sourcetype=deepsecurity-firewall act="IDS:Deny" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) (act="IDS:Deny" OR ActionString="Detect Only: Deny") | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -149,7 +149,7 @@
     <panel>
       <table>
         <title>Firewall Port Activity (Prevented)</title>
-        <searchString>sourcetype=deepsecurity-firewall act="Deny" dpt &gt; 0 dpt!="N/A"| top limit=5 dpt | rename dpt as "Destination Port" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) action="blocked" dest_port &gt; 0 dest_port!="N/A"| top limit=5 dest_port | rename dest_port as "Destination Port" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -162,7 +162,7 @@
     <panel>
       <table>
         <title>Firewall Port Activity (Detected)</title>
-        <searchString>sourcetype=deepsecurity-firewall act="IDS:Deny" dpt &gt; 0 dpt!="N/A"| top limit=5 dpt | rename dpt as "Destination Port" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) (act="IDS:Deny" OR ActionString="Detect Only: Deny") dest_port &gt; 0 dest_port!="N/A"| top limit=5 dest_port | rename dest_port as "Destination Port" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -173,4 +173,4 @@
       </table>
     </panel>
   </row>
-</form>
+</form>
diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_integritymonitoring_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_integritymonitoring_dashboard.xml
@@ -14,7 +14,7 @@
     <panel>
       <chart>
         <title>Integrity Monitoring Event History</title>
-        <searchString>sourcetype=deepsecurity-integrity_monitoring  | eval severity=case(cef_severity=3, "Low", cef_severity=6, "Medium", cef_severity=8, "High", cef_severity=10, "Critical")| timechart count by severity limit=10</searchString>
+        <searchString>(sourcetype=deepsecurity-integrity_monitoring OR sourcetype=deepsecurity-integrity_monitoring:json) | timechart count by severity limit=10</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
@@ -44,7 +44,7 @@
     <panel>
       <table>
         <title>Integrity Monitoring Activity</title>
-        <searchString>sourcetype=deepsecurity-integrity_monitoring| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-integrity_monitoring OR sourcetype=deepsecurity-integrity_monitoring:json) | top limit=5 change_type | rename change_type AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -57,7 +57,7 @@
     <panel>
       <table>
         <title>Integrity Monitoring Computer Activity</title>
-        <searchString>sourcetype=deepsecurity-integrity_monitoring| top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-integrity_monitoring OR sourcetype=deepsecurity-integrity_monitoring:json) | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -68,4 +68,4 @@
       </table>
     </panel>
   </row>
-</form>
+</form>
diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_ips_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_ips_dashboard.xml
@@ -15,7 +15,7 @@
       <map>
         <title>Intrusion Prevention Events by Location</title>
         <search>
-          <query>sourcetype=deepsecurity-intrusion_prevention src!="N/A" | iplocation src | geostats count by src globallimit=0 | sort -count</query>
+          <query>(sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) src!="N/A" | iplocation src | geostats count by src globallimit=0 | sort -count</query>
           <earliest>$timeframe.earliest$</earliest>
           <latest>$timeframe.latest$</latest>
         </search>
@@ -26,7 +26,7 @@
     <panel>
       <chart>
         <title>Intrusion Prevention Event History</title>
-        <searchString>sourcetype=deepsecurity-intrusion_prevention | timechart count by act limit=10</searchString>
+        <searchString>(sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) | timechart count by action limit=10</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
@@ -56,7 +56,7 @@
     <panel>
       <table>
         <title>IPS Activity (Prevented)</title>
-        <searchString>sourcetype=deepsecurity-intrusion_prevention act="Reset"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="Reset" OR ActionString="Reset") | top limit=5 signature | rename signature AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -69,7 +69,7 @@
     <panel>
       <table>
         <title>IPS Activity (Detected)</title>
-        <searchString>sourcetype=deepsecurity-intrusion_prevention act="IDS:Reset"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="IDS:Reset" OR ActionString="Detect Only: Reset") | top limit=5 signature | rename signature AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -84,7 +84,7 @@
     <panel>
       <table>
         <title>IPS IP Activity (Prevented)</title>
-        <searchString>sourcetype=deepsecurity-intrusion_prevention act="Reset" | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="Reset" OR ActionString="Reset") | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -97,7 +97,7 @@
     <panel>
       <table>
         <title>IPS IP Activity (Detected)</title>
-        <searchString>sourcetype=deepsecurity-intrusion_prevention act="IDS:Reset" | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="IDS:Reset" OR ActionString="Detect Only: Reset") | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -112,7 +112,7 @@
     <panel>
       <table>
         <title>IPS Computer Activity (Prevented)</title>
-        <searchString>sourcetype=deepsecurity-intrusion_prevention act="Reset" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="Reset" OR ActionString="Reset") | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -125,7 +125,7 @@
     <panel>
       <table>
         <title>IPS Computer Activity (Detected)</title>
-        <searchString>sourcetype=deepsecurity-intrusion_prevention act="IDS:Reset" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <searchString>(sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="IDS:Reset" OR ActionString="Detect Only: Reset") | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -136,4 +136,4 @@
       </table>
     </panel>
   </row>
-</form>
+</form>