Devices
System Health & Performance
The System Health and Performance section of the Devices page provides information about the resource utilization, hostname, IP address, and system version numbers of managers and collectors. Various system statistics are also displayed in tabular form.

The system control options for each device at the top of the page give you the ability to reboot (or force reboot), and shut down a device instantly or after a selected time interval. There are also global reboot and shutdown options on the left side of the page that will affect every manager or collector in the devices list.

Integrations
There are numerous internal analysis components and external analysis appliances available as optional integrations to the Threat Discovery Engine. Having third-party integrations enabled provides a broader scope of detection and increases the alerting and threat factoring capabilities of the system. MetaDefender NDR leverages the analytic capabilities of third-party technologies through internal integration services that can be configured to interact with those technologies. Those services are designed to communicate with and consume the analysis results from those technologies to perform threat analysis on the content that is captured. They can be configured in the Devices page.
Note__: Integrations can be configured using either IPv4 or IPv6 addresses.
Literal IPv6 addresses are enclosed in square brackets, for example: http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/
When the URL also contains a port number the notation is: https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/ where the trailing 443 is the example's port number.

Some sections in the UI require brackets around the ipv6 address:
- IPv6 Syslog address
- Admin > Globals > Network > Upstream HTTP Proxy
- Admin > Globals > Devices > OPSWAT > OPSWAT Metadefender Core Hosting: Remote Host
By default, post-processors for the following integration features are active:
- InQuest File Analyzer – Factors variables and data associated with files and their alerts to generate threat scores.
- InQuest Session Header TDE – Provides threat scoring for TCP sessions by assessing scores of the other InQuest post-processors.
- InQuest Threat Discovery Engine – Discovers threats embedded within sessions based on the weekly updated MetaDefender ND proprietary signature pack.
- InQuest Threat Score Engine – Generates and assigns a threat score from 0 to 10 to the sessions using InQuest proprietary scoring algorithms above all configured integrations.
- InQuest URL Analyzer – Performs URL analysis for threat scoring.
- InQuest RetroHunt Historic TDE – Scans files stored 2 weeks ago with the latest signatures. The time interval can be set in the Devices page.
Post-processors for the following integration features can be activated, but the configuration of each integration may be required:
- MetaDefender NDR Automatic Updates – Enables MetaDefender NDR cloud connectivity for automatically retrieving and applying code, signature, and intelligence (C2) updates.
- Cuckoo Sandbox - Sandbox that performs dynamic malware analysis.
- Falcon Sandbox - Automated malware analysis system.
- VMRay Analyzer - Malware sandbox for analysis and reputation.
- FireEye AX – Hardware appliance that performs dynamic analysis of files.
- InQuest Eyelet Reputation - Cloud-based reputation database
- InQuest MultiAV – Provides cloud-based hash analysis.
- InQuest Threat Exchange – Enables communication with the MetaDefender NDR cloud reputation database to exchange information on file hashes.
- Joe Sandbox - Sandbox for deep malware analysis
- OPSWAT MetaDefender Core – Hardware appliance that leverages multiple AV engines to scan files.
- OPSWAT MetaDefender Sandbox – Emulation based dynamic analysis platfrom
- VirusTotal – Online service used to look up AV reports for known-bad hashes.
- ICAP – Protocol for submitting files to InQuest.
Note: Activation of MetaDefender NDR MultiAV and VirusTotal are mutually exclusive. We recommend enabling InQuest MultiAV over VirusTotal.
Integration features can be activated or deactivated by clicking Administration > Devices. Software and hardware configuration is generally required for the integration features that are not activated by default. Toggling the activation status will either cause jobs to be created for an integration or prevent jobs from being created for an integration. To activate or deactivate post-processors for an integration feature, toggle the corresponding On or Off buttons.
Each of the integration features have options that can be supplied to the corresponding integration service. For instance, if the VirusTotal integration is enabled, a private API key supplied by VirusTotal has to be added so that MetaDefender NDR can use the service.
Also, external integrations may either require cloud connectivity or can be on-premise. For example: With VirusTotal, only file hashes are submitted to the cloud. However, with OPSWAT Metascan, if there's a hardware product available in the customer environment, we connect to it and send files.
Configuring Collector Properties
Collector properties (or options) pertain to each collector and are independent. Administration > Devices. By default, MetaDefender NDR Cloud MultiAV has a pre-populated property value. Properties for each collector can be added, modified, or deleted in your deployment. To add new properties pertaining to a particular integration feature on a specific collector:
- Go to Administration > Devices, and click Show Configuration corresponding to an integration option for which you want to configure properties.

Note: To remove a property and its value that is no longer required, click Delete corresponding to that property and then click Save. To modify the value of a property, click Edit corresponding to that property, change the value, and then click Save.
For example, to configure the FireEye AX host:
- Click Show Configuration to open the Add Property menu.
- Select FireEye AX: URL for the FireEye AX API (eg. https://10.10.10.10:443) and under the Value column, specify the host IP as required.
- Click Save. A message appears stating the collector is saved with the configured properties successfully.
Collector Properties and Values
The following are the properties and default values available for the collector configuration on this page. Furthermore, there are several options that can be applied globally across collectors, such as proxies, banners, password complexity requirements and so on by clicking Administration > Globals.
Note: The global MIME exceptions will always take precedence over the sandbox inclusion MIME inclusion lists. If a MIME type is in both the inclusion list for a sandbox as well as the global exclusion list, that MIME type will not be submitted to the sandbox.
For further information on MIME exceptions, see the Performance Tuning Recommendations
cuckoo_auto_submit Cuckoo Sandbox Cuckoo SandboxAutomatically submit files (true/false, default=false)cuckoo_mime_include Cuckoo Sandbox Cuckoo SandboxOnly submit these MIME types (comma separated, default=all)cuckoo_no_syslog Cuckoo Sandbox Cuckoo SandboxPrevent CEF messages from being sent (true/false, default=false)cuckoo_report_alert Cuckoo Sandbox AlertsCuckoo report received (true/false, default=false)cuckoo_syslog_host Cuckoo Sandbox Cuckoo SandboxSyslog Host(s) & Port(s) (ipport ipport)cuckoo_threatscore_eq Cuckoo Sandbox Cuckoo SandboxExclude files that already have a Threat Score equal to this (default=none)cuckoo_threatscore_gt Cuckoo Sandbox Cuckoo SandboxExclude files that already have a Threat Score greater than this (default=10)cuckoo_threatscore_lt Cuckoo Sandbox Cuckoo SandboxExclude files that already have a Threat Score less than this (default=0)cuckoo_url Cuckoo Sandbox Cuckoo SandboxURL for the Cuckoo Sandbox API (eg. http//10.0.0.18090/)cuckoo_use_proxy Cuckoo Sandbox Cuckoo SandboxUse global proxy settings (true/false, default=false)cuckoo_vlan_include Cuckoo Sandbox Cuckoo SandboxOnly submit from these VLAN IDs or ranges (comma separated, default=all)falcon_auto_submit Falcon Sandbox Falcon SandboxAutomatically submit files (true/false, default=false)falcon_env_id Falcon Sandbox Falcon SandboxEnvironment ID (integer, default=100)falcon_key Falcon Sandbox Falcon SandboxAuth key for the Falcon Sandbox API (Must have 'elevated' or higher privilege)falcon_mime_include Falcon Sandbox Falcon SandboxOnly submit these MIME types (comma separated, default=all)falcon_no_syslog Falcon Sandbox Falcon SandboxPrevent CEF messages from being sent (true/false, default=false)falcon_report_alert Falcon Sandbox AlertsFalcon Sandbox report received (true/false, default=false)falcon_syslog_host Falcon Sandbox Falcon SandboxSyslog Host(s) & Port(s) (ipport ipport)falcon_threatscore_eq Falcon Sandbox Falcon SandboxExclude files that already have a Threat Score equal to this (default=none)falcon_threatscore_gt Falcon Sandbox Falcon SandboxExclude files that already have a Threat Score greater than this (default=10)falcon_threatscore_lt Falcon Sandbox Falcon SandboxExclude files that already have a Threat Score less than this (default=0)falcon_url Falcon Sandbox Falcon SandboxURL for the Falcon Sandbox API (default=https//www.reverse.it/api/v2)falcon_use_proxy Falcon Sandbox Falcon SandboxUse global proxy settings (true/false, default=false)falcon_vlan_include Falcon Sandbox Falcon SandboxOnly submit from these VLAN IDs or ranges (comma separated, default=all)fireeye_auto_submit FireEye AX FireEye AXAutomatically submit files (true/false, default=false)fireeye_legacy_api FireEye AX FireEye AXUse the legacy (v1.1.0) FireEye API, for v7.x FireEye appliances (default=0)fireeye_mime_include FireEye AX FireEye AXOnly submit these MIME types (comma separated, default=all)fireeye_no_syslog FireEye AX FireEye AXPrevent CEF messages from being sent (true/false, default=false)fireeye_password FireEye AX FireEye AXPassword for the FireEye AX APIfireeye_profile FireEye AX FireEye AXProfile (profile name, default=winxp-sp3)fireeye_report_alert FireEye AX AlertsFireEye report received (true/false, default=false)fireeye_syslog_host FireEye AX FireEye AXSyslog Host(s) & Port(s) (ipport ipport)fireeye_threatscore_eq FireEye AX FireEye AXExclude files that already have a Threat Score equal to this (default=none)fireeye_threatscore_gt FireEye AX FireEye AXExclude files that already have a Threat Score greater than this (default=10)fireeye_threatscore_lt FireEye AX FireEye AXExclude files that already have a Threat Score less than this (default=0)fireeye_url FireEye AX FireEye AXURL for the FireEye AX API (eg. https//10.10.10.10443)fireeye_username FireEye AX FireEye AXUsername for the FireEye AX APIfireeye_use_proxy FireEye AX FireEye AXUse global proxy settings (true/false, default=false)fireeye_vlan_include FireEye AX FireEye AXOnly submit from these VLAN IDs or ranges (comma separated, default=all)icap_allowed_networks ICAP ICAPSource networks (default none)icap_block_c2_hosts ICAP ICAPBlock C2 hosts (0 = allow, 1 = block, default = 1)icap_block_header_alerts ICAP ICAPBlock on header threat (0 = allow, 1 = block, default = 1)icap_block_score ICAP ICAPScore for blocked ICAP sessions (integer, default=10)icap_cache_timeout ICAP ICAPCache timeout in seconds (default 3600)icap_enable_rejection ICAP ICAPBlock on file threat (0 = allow, 1 = block, default = 1)icap_log_requests ICAP ICAPLog requests (0 = no, 1 = yes, default = 0)icap_max_connections ICAP ICAPMaximum simultaneous proxy connections (default 100)icap_max_file_size ICAP ICAPMaximum file size in bytes (default 100MB)icap_min_threat_score ICAP ICAPMinimum threat score for file threat blocking (default 6)icap_no_syslog ICAP ICAPPrevent CEF messages from being sent (true/false, default=false)icap_preview_size ICAP ICAPPreview size in bytes (default 4KB)icap_reject_message ICAP ICAPRejection message (default "Content blocked by InQuest")icap_scan_timeout ICAP ICAPScan timeout in seconds (default 60)icap_syslog_host ICAP ICAPSyslog Host(s) & Port(s) (ipport,ipport)icap_timeout_action ICAP ICAPTimeout action (0 = allow, 1 = block, default = 0)blob_size InQuest CaptureCapture buffer size in gigabytesconnection_table_size InQuest CaptureConnection Tracking Table Size (number, default=65536)flee_count InQuest CaptureNumber of capture threads per interfaceflee_disable_fast_csums InQuest CaptureDisable fast checksumming (0/1 default=0)flee_enable_ssl InQuest CaptureCapture SSL certificatesflee_frame_size InQuest CapturePacket group sizeflee_ooo_syn InQuest CaptureSupport OOO SYN packetsflee_split_vlans InQuest CaptureAllow split VLANshandle_split_http InQuest CaptureCapture half-open HTTP sessionshomenets InQuest HomeNetsNetworks considered potential targets for attacks and potential sources for data leakage (comma separated list of IPs or subnets, default=none)http_ports InQuest HTTPListen ports for hosted HTTP servers (tcp ports, default 80,8080,8000)kill_date_smtp_days InQuest AlertsDays before license expiration (default=60,30,15,3,2,1)max_protocol_window InQuest CaptureProtocol detection windowmax_session_size InQuest CaptureMaximum Stream Size (number, default=10485760)memory_blobs InQuest CaptureUse memory-backed blobsmin_session_size InQuest CaptureMinimum Stream Size (number, default=8)retain_all_email InQuest CaptureRetain all emailretain_uris InQuest CaptureRetain URIsrx_queue_count InQuest CaptureReceive queue countsmtp_extract_links InQuest SMTPExtract Links (true/false, default=true)smtp_no_syslog InQuest SMTPPrevent CEF messages from being sent (true/false, default=false)smtp_syslog_host InQuest SMTPSyslog Host(s) & Port(s) (ipport ipport)smtp_tz_offset InQuest SMTP Syslog Host(s) GMT Offset(+/- integer, default=-0)splitter_count InQuest CaptureNumber of protocol analysis threadsswap_vlans InQuest CaptureReverse carrier/customer VLANthreat_score_threshold InQuest AlertsSession score threshold GREATER than (default=8)usage_cpu_threshold InQuest AlertsCPU Usage Threshold % (default85)usage_disk_threshold InQuest AlertsDisk Usage Threshold % (default85)usage_five_minutes_threshold InQuest AlertsFive Minutes Load Average Threshold % (default85)usage_inode_threshold InQuest AlertsInode Usage Threshold % (default85)usage_mem_threshold InQuest AlertsMemory Usage Threshold in kb (default85)c2dns_syslog_host InQuest C2 Monitor C2 DNSSyslog Host(s) & Port(s) (ipport ipport)c2ip_syslog_host InQuest C2 Monitor C2 IPSyslog Host(s) & Port(s) (ipport ipport)c2_slow_vlan InQuest C2 Monitor C2Slow VLAN processingrep_query_count InQuest Eyelet Reputation Eyelet Reputation InQuest ControlsProcess Count (integer, default=3, max=10)rep_query_debug InQuest Eyelet Reputation Eyelet Reputation InQuest ControlsDebug Logging (0/1, default=0)file_analyzer_count InQuest File Analyzer Number of file analysis threadsmde_cache_days InQuest Malware Discovery Engine InQuest MDECache Scans - Days (integer, default=3)mde_count InQuest Malware Discovery Engine InQuest MDEProcess Count (integer, default=10, max=20)mde_debug InQuest Malware Discovery Engine InQuest MDEDebug Logging (0/1, default=0)mde_engine_filters InQuest Malware Discovery Engine InQuest MDE FiltersDisable Engine Filters (0/1 default=0)mde_global_filters InQuest Malware Discovery Engine InQuest MDE FiltersDisable Global Filters (0/1 default=0)mde_syslog_host InQuest Malware Discovery Engine InQuest MDESyslog Host(s) & Port(s) (ipport ipport)mde_tz_offset InQuest Malware Discovery Engine InQuest MDE ControlsSyslog Host(s) GMT Offset (+/- integer, default=-0)inquestmultiav_api InQuest MultiAV Eyelet MultiAV HostingAPI Key (api key, default=none)inquestmultiav_cache_days InQuest MultiAV Eyelet MultiAV InQuest ControlsCache Scans - Days (integer, default=3)inquestmultiav_count InQuest MultiAV Eyelet MultiAV InQuest ControlsProcess Count (integer, default=10, max=20)inquestmultiav_debug InQuest MultiAV Eyelet MultiAV InQuest ControlsDebug Logging (0/1, default=0)inquestmultiav_engine_disqualifiers InQuest MultiAV Eyelet MultiAV InQuest FiltersDisable Engine Disqualifiers (0/1 default=0)inquestmultiav_engine_filters InQuest MultiAV Eyelet MultiAV InQuest FiltersDisable Engine Filters (0/1 default=0)inquestmultiav_global_filters InQuest MultiAV Eyelet MultiAV InQuest FiltersDisable Global Filters (0/1 default=0)inquestmultiav_hash_per_request InQuest MultiAV Eyelet MultiAV InQuest ControlsHashes per Request (integer, default=20)inquestmultiav_max_queue InQuest MultiAV Eyelet MultiAV InQuest ControlsMax Queue Size - Alert Threshold (integer, default=5000)inquestmultiav_no_syslog InQuest MultiAV Eyelet MultiAV InQuest ControlsDisable CEF Messages (0/1, default=0)inquestmultiav_protocol InQuest MultiAV Eyelet MultiAV HostingRemote Protocol (http/https default=https)inquestmultiav_remote_host InQuest MultiAV Eyelet MultiAV HostingRemote Host (default=eyelet.inquest.net)inquestmultiav_remote_port InQuest MultiAV Eyelet MultiAV HostingRemote Port (default=443)inquestmultiav_syslog_host InQuest MultiAV Eyelet MultiAV InQuest ControlsSyslog Host(s) & Port(s) (ipport ipport)inquestmultiav_tz_offset InQuest MultiAV Eyelet MultiAV InQuest ControlsSyslog Host(s) GMT Offset (+/- integer, default=-0)retrohunt_no_syslog InQuest RetroHunt Historic TDE RetroHuntPrevent CEF messages from being sent (true/false, default=false)retrohunt_syslog_host InQuest RetroHunt Historic TDE RetroHuntSyslog Host(s) & Port(s) (ipport ipport)retrohunt_tz_offset InQuest RetroHunt Historic TDE RetroHunt Syslog Host(s) GMT Offset(+/- integer, default=-0)retrohunt_weeks InQuest RetroHunt Historic TDE RetroHuntNumber of weeks to historically analyze (integer, default=2)apply_codepack_alert InQuest Threat Discovery Engine AlertsSoftware update applied (true/false, default=true)blacklist_no_syslog InQuest Threat Discovery Engine BlacklistPrevent CEF messages from being sent (true/false, default=false)blacklist_syslog_host InQuest Threat Discovery Engine BlacklistSyslog Host(s) & Port(s) (ipport ipport)connection_timeout InQuest Threat Discovery Engine CaptureConnection Table Timeout (number, default=60)tde_count InQuest Threat Discovery Engine InQuest Threat Discovery EngineNumber of file analysis threadsyara_no_syslog InQuest Threat Discovery Engine InQuest Threat Detection EnginePrevent CEF messages from being sent (true/false, default=false)yara_syslog_host InQuest Threat Discovery Engine InQuest Threat Detection EngineSyslog Host(s) & Port(s) (ipport ipport)yara_tz_offset InQuest Threat Discovery Engine InQuest Threat Detection EngineSyslog Host(s) GMT Offset(+/- integer, default=-0)threat_exchange_debug InQuest Threat Exchange Eyelet Threat Exchange InQuest ControlsDebug Logging (0/1, default=0)threat_post_count InQuest Threat Exchange Eyelet Threat Push InQuest ControlsProcess Count (integer, default=2, max=10)threat_query_count InQuest Threat Exchange Eyelet Threat Query InQuest ControlsProcess Count (integer, default=3, max=10)joe_auto_submit Joe Sandbox Joe SandboxAutomatically submit files (true/false, default=false)joe_key Joe Sandbox Joe SandboxAPI Key for authenticationjoe_mime_include Joe Sandbox Joe SandboxOnly submit these MIME types (comma separated, default=all)joe_no_syslog Joe Sandbox Joe SandboxPrevent CEF messages from being sent (true/false, default=false)joe_report_alert Joe Sandbox AlertsJoe report received (true/false, default=false)joe_syslog_host Joe Sandbox Joe SandboxSyslog Host(s) & Port(s) (ipport ipport)joe_threatscore_eq Joe Sandbox Joe SandboxExclude files that already have a Threat Score equal to this (default=none)joe_threatscore_gt Joe Sandbox Joe SandboxExclude files that already have a Threat Score greater than this (default=10)joe_threatscore_lt Joe Sandbox Joe SandboxExclude files that already have a Threat Score less than this (default=0)joe_url Joe Sandbox Joe SandboxURL for the Joe Sandbox API (eg. http//10.0.0.10/joesandbox/index.php/api, default=Joe Cloud)joe_use_proxy Joe Sandbox Joe SandboxUse global proxy settings (true/false, default=false)joe_vlan_include Joe Sandbox Joe SandboxOnly submit from these VLAN IDs or ranges (comma separated, default=all)opswat_apikey OPSWAT Metadefender Core OPSWAT Metadefender Core HostingAPI Key (api key, default=none)opswat_cache_days OPSWAT Metadefender Core OPSWAT InQuest ControlsCache Scans - Days (integer, default=3)opswat_count OPSWAT Metadefender Core OPSWAT InQuest ControlsProcess Count (integer, default=10, max=20)opswat_debug OPSWAT Metadefender Core OPSWAT InQuest ControlsDebug Logging (0/1, default=0)opswat_enable_proxies OPSWAT Metadefender Core OPSWAT InQuest ControlsUse global proxy settings (0/1 default=0)opswat_engine_disqualifiers OPSWAT Metadefender Core OPSWAT InQuest FiltersDisable Engine Disqualifiers (0/1 default=0)opswat_engine_filters OPSWAT Metadefender Core OPSWAT InQuest FiltersDisable Engine Filters (0/1 default=0)opswat_engine_weights OPSWAT Metadefender Core OPSWAT InQuest FiltersDisable Engine Weights (0/1 default=0)opswat_global_filters OPSWAT Metadefender Core OPSWAT InQuest FiltersDisable Global Filters (0/1 default=0)opswat_host OPSWAT Metadefender Core OPSWAT Metadefender Core HostingRemote Host (ip/hostname, default=none)opswat_max_queue OPSWAT Metadefender Core OPSWAT InQuest ControlsMax Queue Size - Alert Threshold (integer, default=5000)opswat_metascan_uri OPSWAT Metadefender Core OPSWAT Metadefender Core HostingRemote URI (uri, default=/metascan_rest)opswat_port OPSWAT Metadefender Core OPSWAT Metadefender Core HostingRemote Port (port, default=8008)opswat_protocol OPSWAT Metadefender Core OPSWAT Metadefender Core HostingRemote Protocol (http/https, default=https)opswat_syslog_host OPSWAT Metadefender Core OPSWAT InQuest ControlsSyslog Host(s) & Port(s) (ipport ipport)opswat_tz_offset OPSWAT Metadefender Core OPSWAT InQuest ControlsSyslog Host(s) GMT Offset (+/- integer, default=-0)snmpv3_algorithm SNMP SNMPv3Encryption Algorithm (DES or AES, default=DES)snmpv3_digest SNMP SNMPv3Digest Algorithm (MD5 or SHA, default=MD5)snmpv3_password SNMP SNMPv3Password (string, default=none)snmpv3_security_level SNMP SNMPv3Trap Security Levelsnmpv3_user SNMP SNMPv3Username (string, default=none)snmp_community SNMP SNMPCommunity Name (string, default=none)snmp_source SNMP SNMPAllowed Source Networks (comma separated list of IPs or subnets, default=none)snmp_trap_address SNMP SNMPTrap Destination Address (address, default=none)snmp_trap_community SNMP SNMPTrap Community (string, default=none)snmp_trap_digest SNMP SNMPv3Trap Digest Algorithm (MD5 or SHA, default=MD5)snmp_trap_engine_id SNMP SNMPv3Trap Local Engine ID (any, default=none)snmp_trap_pass SNMP SNMPv3Trap Password (string, default=none)snmp_trap_port SNMP SNMPTrap Destination Port (port, default=none)snmp_trap_privpass SNMP SNMPv3Trap privacy password (string, default=same as trap password)snmp_trap_user SNMP SNMPv3Trap User (string, default=none)system_contact SNMP SNMPSystem Maintenance Contact (string, default=none)system_location SNMP SNMPSystem Physical Location (string, default=none)tippingpoint_api_key TippingPoint SMS TippingPoint SMSAPI key for the TippingPoint SMS API.tippingpoint_url TippingPoint SMS TippingPoint SMSURL for the TippingPoint SMS API (eg. https//10.10.10.10443)tippingpoint_use_proxy TippingPoint SMS TippingPoint SMSUse global proxy settings (true/false, default=false)virustotal_api VirusTotal VirusTotal HostingAPI Key (private api key, default=none)virustotal_cache_days VirusTotal VT InQuest ControlsCache Scans - Days (integer, default=3)virustotal_count VirusTotal VirusTotal InQuest ControlsProcess Count (integer, default=10, max=20)virustotal_debug VirusTotal VT InQuest ControlsDebug Logging (0/1, default=0)virustotal_engine_disqualifiers VirusTotal VT InQuest FiltersDisable Engine Disqualifiers (0/1 default=0)virustotal_engine_filters VirusTotal VT InQuest FiltersDisable Engine Filters (0/1 default=0)virustotal_engine_weights VirusTotal VT InQuest FiltersDisable Engine Weights (0/1 default=0)virustotal_global_filters VirusTotal VT InQuest FiltersDisable Global Filters (0/1 default=0)virustotal_hash_per_request VirusTotal VT InQuest ControlsHashes per Request (integer, default=20)virustotal_max_queue VirusTotal VT InQuest ControlsMax Queue Size - Alert Threshold (integer, default=5000)virustotal_no_syslog VirusTotal VT InQuest ControlsDisable CEF Messages (0/1, default=0)virustotal_protocol VirusTotal VirusTotal HostingRemote Protocol (http/https default=https)virustotal_remote_host VirusTotal VirusTotal HostingRemote Host (hostname, default=api.vtapi.net)virustotal_syslog_host VirusTotal VT InQuest ControlsSyslog Host(s) & Port(s) (ipport ipport)virustotal_tz_offset VirusTotal VT InQuest ControlsSyslog Host(s) GMT Offset (+/- integer, default=-0)vmray_api_key VMRay Analyzer VMRay AnalyzerAPI key for the VMRay Analyzer APIvmray_auto_submit VMRay Analyzer VMRay AnalyzerAutomatically submit files (true/false, default=false)vmray_mime_include VMRay Analyzer VMRay AnalyzerOnly submit these MIME types (comma separated, default=all)vmray_no_syslog VMRay Analyzer VMRay AnalyzerPrevent CEF messages from being sent (true/false, default=false)vmray_report_alert VMRay Analyzer AlertsVMRay report received (true/false, default=false)vmray_syslog_host VMRay Analyzer VMRay AnalyzerSyslog Host(s) & Port(s) (ipport ipport)vmray_threatscore_eq VMRay Analyzer VMRay AnalyzerExclude files that already have a Threat Score equal to this (default=none)vmray_threatscore_gt VMRay Analyzer VMRay AnalyzerExclude files that already have a Threat Score greater than this (default=10)vmray_threatscore_lt VMRay Analyzer VMRay AnalyzerExclude files that already have a Threat Score less than this (default=0)vmray_url VMRay Analyzer VMRay AnalyzerURL for the VMRay Analyzer API (defaulthttps//cloud.vmray.com)vmray_use_proxy VMRay Analyzer VMRay AnalyzerUse global proxy settings (true/false, default=false)vmray_vlan_include VMRay Analyzer VMRay AnalyzerOnly submit from these VLAN IDs or ranges (comma separated, default=all)wildfire_api_key WildFire Sandbox WildFire SandboxAPI key for the WildFire Sandbox API.wildfire_auto_submit WildFire Sandbox WildFire SandboxAutomatically submit files (true/false, default=false)wildfire_mime_include WildFire Sandbox WildFire SandboxOnly submit these MIME types (comma separated, default=all)wildfire_no_syslog WildFire Sandbox WildFire SandboxPrevent CEF messages from being sent (true/false, default=false)wildfire_report_alert WildFire Sandbox AlertsWildFire report received (true/false, default=false)wildfire_syslog_host WildFire Sandbox WildFire SandboxSyslog Host(s) & Port(s) (ipport ipport)wildfire_threatscore_eq WildFire Sandbox WildFire SandboxExclude files that already have a Threat Score equal to this (default=none)wildfire_threatscore_gt WildFire Sandbox WildFire SandboxExclude files that already have a Threat Score greater than this (default=10)wildfire_threatscore_lt WildFire Sandbox WildFire SandboxExclude files that already have a Threat Score less than this (default=0)wildfire_url WildFire Sandbox WildFire SandboxURL for the WildFire Sandbox API (eg. https//10.10.10.10443)wildfire_use_proxy WildFire Sandbox WildFire SandboxUse global proxy settings (true/false, default=false)wildfire_vlan_include WildFire Sandbox WildFire SandboxOnly submit from these VLAN IDs or ranges (comma separated, default=all)Note: In order for CEF messages to be generated, at least one user group other than the default Administrators group must be configured. The "Syslog" toggle on the edit user groups page will prevent CEF messages from being generated for a policy, provided that this option is disabled for every group associated with that policy. This option is enabled by default. For further information on editing user groups, see the Users and User Group Management guide
