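---
# Setting annotations for the sensoroni (per-node SOC agent) configuration.
#
# NOTE(review): this copy had its indentation collapsed onto a few lines; the
# nesting below (everything other than `enabled` and `files` placed under
# `sensoroni.config`) was reconstructed from key order and should be confirmed
# against the consumer that loads this file.
#
# Annotation keys as used in this file (meanings beyond the visible values are
# inferred and should be verified against the consumer):
#   description  text describing the setting, presumably shown in the SOC UI
#   forcedType   type the value is coerced to; seen: bool, string, int, "[]string"
#   advanced     flags the setting as advanced
#   global       true = grid-wide value; false = may be set per node
#   node         true = per-node value (used by node_description only)
#   sensitive    set on every API key, password and the shared key; presumably
#                controls masking of the value in the UI
#   multiline    set on list-like free text (nameservers only)
#   helpLink     documentation anchor, e.g. cases#configuring-analyzers
#   title/file/syntax/duplicates  used only by the report templates under files
#
# Analyzer base_url / lookup_host values are not marked sensitive, but they
# decide where observables (and the analyzer's API key) are sent; review edits
# to them with the same care as credential changes.
sensoroni:
  enabled:
    description: >-
      Enable or disable the per-node SOC agent process. This process is used
      for performing node-related jobs and reporting node metrics back to SOC.
      Disabling this process is unsupported and will result in an improperly
      functioning grid.
    forcedType: bool
    advanced: true
    helpLink: grid

  config:
    analyze:
      enabled:
        description: Enable or disable the analyzer.
        forcedType: bool
        advanced: true
        helpLink: cases
      timeout_ms:
        description: Timeout period for the analyzer.
        advanced: true
        helpLink: cases
      parallel_limit:
        description: Parallel limit for the analyzer.
        advanced: true
        helpLink: cases

    export:
      timeout_ms:
        description: Timeout period for the exporter to finish export-related tasks.
        advanced: true
        helpLink: reports
      cache_refresh_interval_ms:
        description: >-
          Refresh interval for cache updates. Longer intervals result in less
          compute usage but risks stale data included in reports.
        advanced: true
        helpLink: reports
      export_metric_limit:
        description: Maximum number of metric values to include in each metric aggregation group.
        advanced: true
        helpLink: reports
      export_event_limit:
        description: Maximum number of events to include per event list.
        advanced: true
        helpLink: reports
      csv_separator:
        description: Separator character to use for CSV exports.
        advanced: false
        helpLink: reports

    node_checkin_interval_ms:
      description: Interval in ms to checkin to the soc_host.
      advanced: true
      helpLink: grid

    node_description:
      description: Description of the specific node.
      helpLink: grid
      node: true
      forcedType: string

    # Shared secret between agents and SOC; sensitive so it is not exposed.
    sensoronikey:
      description: Shared key for sensoroni authentication.
      helpLink: grid
      global: true
      sensitive: true
      advanced: true

    soc_host:
      description: Host for sensoroni agents to connect to.
      helpLink: grid
      global: true
      advanced: true

    suripcap:
      pcapMaxCount:
        description: >-
          The maximum number of PCAP packets to extract from eligible PCAP
          files, for PCAP jobs. If there are issues fetching excessively large
          packet streams consider lowering this value to reduce the number of
          collected packets returned to the user interface.
        helpLink: pcap
        advanced: true

    analyzers:
      echotrail:
        api_key:
          description: API key for the Echotrail analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: true
          advanced: false
          forcedType: string
        base_url:
          description: Base URL for the Echotrail analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: false
          advanced: false
          forcedType: string

      elasticsearch:
        api_key:
          description: API key for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: true
          advanced: true
          forcedType: string
        base_url:
          description: Connection URL for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: false
          advanced: false
          forcedType: string
        auth_user:
          description: Username for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: false
          advanced: false
          forcedType: string
        auth_pwd:
          description: User password for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: true
          advanced: false
          forcedType: string
        num_results:
          description: Number of documents to return for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: false
          advanced: true
          forcedType: string
        index:
          description: Search index for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: false
          advanced: false
          forcedType: string
        time_delta_minutes:
          description: Time (in minutes) to search back for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: false
          advanced: true
          forcedType: int
        timestamp_field_name:
          description: Specified name for a documents' timestamp field for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: false
          advanced: true
          forcedType: string
        map:
          description: Map between observable types and search field for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: false
          advanced: false
          forcedType: string
        cert_path:
          description: Path to a TLS certificate for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: false
          advanced: false
          forcedType: string

      emailrep:
        api_key:
          description: API key for the EmailRep analyzer.
          helpLink: cases
          global: false
          sensitive: true
          advanced: true
          forcedType: string
        base_url:
          description: Base URL for the EmailRep analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string

      greynoise:
        api_key:
          description: API key for the GreyNoise analyzer.
          helpLink: cases
          global: false
          sensitive: true
          advanced: true
          forcedType: string
        api_version:
          description: API version for the GreyNoise analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string
        base_url:
          description: Base URL for the GreyNoise analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string

      localfile:
        file_path:
          description: File path for the LocalFile analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: "[]string"

      malwarebazaar:
        api_key:
          description: API key for the malwarebazaar analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: true
          advanced: false
          forcedType: string

      otx:
        api_key:
          description: API key for the OTX analyzer.
          helpLink: cases
          global: false
          sensitive: true
          advanced: true
          forcedType: string
        base_url:
          description: Base URL for the OTX analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string

      pulsedive:
        api_key:
          description: API key for the Pulsedive analyzer.
          helpLink: cases
          global: false
          sensitive: true
          advanced: true
          forcedType: string
        base_url:
          description: Base URL for the Pulsedive analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string

      spamhaus:
        lookup_host:
          description: Host to use for lookups.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string
        nameservers:
          description: Nameservers used for queries.
          helpLink: cases
          global: false
          sensitive: false
          multiline: true
          advanced: true
          # Was `forcedTypes`; every other entry (cf. localfile.file_path)
          # uses `forcedType`, so the misspelt key would have been ignored.
          forcedType: "[]string"

      sublime_platform:
        api_key:
          description: API key for the Sublime Platform analyzer.
          helpLink: cases
          global: false
          sensitive: true
          advanced: true
          forcedType: string
        base_url:
          description: Base URL for the Sublime Platform analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string
        live_flow:
          description: Determines if live flow analysis is used.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: bool
        mailbox_email_address:
          description: Source mailbox address used for live flow analysis.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string
        message_source_id:
          description: ID of the message source used for live flow analysis.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string

      threatfox:
        api_key:
          description: API key for the threatfox analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: true
          advanced: false
          forcedType: string

      urlscan:
        api_key:
          description: API key for the Urlscan analyzer.
          helpLink: cases
          global: false
          sensitive: true
          advanced: true
          forcedType: string
        base_url:
          description: Base URL for the Urlscan analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string
        enabled:
          description: Analyzer enabled
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: bool
        timeout:
          description: Timeout for the Urlscan analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: int
        visibility:
          description: Type of visibility.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string

      urlhaus:
        api_key:
          description: API key for the urlhaus analyzer.
          helpLink: cases#configuring-analyzers
          global: false
          sensitive: true
          advanced: false
          forcedType: string

      virustotal:
        api_key:
          description: API key for the VirusTotal analyzer.
          helpLink: cases
          global: false
          sensitive: true
          advanced: true
          forcedType: string
        base_url:
          description: Base URL for the VirusTotal analyzer.
          helpLink: cases
          global: false
          sensitive: false
          advanced: true
          forcedType: string

  # Report templates managed as files (`file: true`); `__md` in the key maps
  # to the template's file extension, presumably — confirm against consumer.
  files:
    templates:
      reports:
        standard:
          case_report__md:
            title: Case Report Template
            description: The template used when generating a case report. Supports markdown format.
            file: true
            global: true
            syntax: md
            helpLink: reports
          productivity_report__md:
            title: Productivity Report Template
            description: The template used when generating a comprehensive productivity report. Supports markdown format.
            file: true
            global: true
            syntax: md
            helpLink: reports
          assistant_session_report__md:
            title: Assistant Session Report Template
            description: The template used when generating an assistant session report. Supports markdown format.
            file: true
            global: true
            syntax: md
            helpLink: reports

        custom:
          generic_report1__md:
            title: Custom Report 1
            description: >-
              A custom, user-defined report. Supports markdown format. The
              report title inside the file, typically near the top, will be
              shown in the SOC reporting UI.
            file: true
            global: true
            syntax: md
            helpLink: reports
          generic_report2__md:
            title: Custom Report 2
            description: >-
              A custom, user-defined report. Supports markdown format. The
              report title inside the file, typically near the top, will be
              shown in the SOC reporting UI.
            file: true
            global: true
            syntax: md
            helpLink: reports
          generic_report3__md:
            title: Custom Report 3
            description: >-
              A custom, user-defined report. Supports markdown format. The
              report title inside the file, typically near the top, will be
              shown in the SOC reporting UI.
            file: true
            global: true
            syntax: md
            helpLink: reports
          generic_report4__md:
            title: Custom Report 4
            description: >-
              A custom, user-defined report. Supports markdown format. The
              report title inside the file, typically near the top, will be
              shown in the SOC reporting UI.
            file: true
            global: true
            syntax: md
            helpLink: reports
          generic_report5__md:
            title: Custom Report 5
            description: >-
              A custom, user-defined report. Supports markdown format. The
              report title inside the file, typically near the top, will be
              shown in the SOC reporting UI.
            file: true
            global: true
            syntax: md
            helpLink: reports
          generic_report6__md:
            title: Custom Report 6
            description: >-
              A custom, user-defined report. Supports markdown format. The
              report title inside the file, typically near the top, will be
              shown in the SOC reporting UI.
            file: true
            global: true
            syntax: md
            helpLink: reports
          generic_report7__md:
            title: Custom Report 7
            description: >-
              A custom, user-defined report. Supports markdown format. The
              report title inside the file, typically near the top, will be
              shown in the SOC reporting UI.
            file: true
            global: true
            syntax: md
            helpLink: reports
          generic_report8__md:
            title: Custom Report 8
            description: >-
              A custom, user-defined report. Supports markdown format. The
              report title inside the file, typically near the top, will be
              shown in the SOC reporting UI.
            file: true
            global: true
            syntax: md
            helpLink: reports
          generic_report9__md:
            title: Custom Report 9
            description: >-
              A custom, user-defined report. Supports markdown format. The
              report title inside the file, typically near the top, will be
              shown in the SOC reporting UI.
            file: true
            global: true
            syntax: md
            helpLink: reports
          addl_generic_report__md:
            title: Additional Custom Report
            description: >-
              A duplicatable custom, user-defined report. Supports markdown
              format. The report title inside the file, typically near the
              top, will be shown in the SOC reporting UI. This is an
              unsupported feature due to the inability to edit duplicated
              reports via the SOC app.
            advanced: true
            file: true
            global: true
            syntax: md
            duplicates: true
            helpLink: reports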