Application Settings
Application settings overview
The CYBERQUEST Web Interface provides an administrative section for visually configuring the audit system, accessible via Settings > Application Settings. This section presents the administrator with a structured list of all configurable components, some of which have already been described in earlier chapters.
Active Directory
A dedicated section for configuring CYBERQUEST integration with Active Directory.
Through this integration, an Active Directory group can be assigned access rights, allowing its members to authenticate in CYBERQUEST using their AD credentials.

To see more information about Active Directory, please check the links below:
- How to collect data on Active Directory
- How to connect to Active Directory
- AD information needed to read AD objects
Adjusting your CYBERQUEST environment
The Administration section provides access to the instance administration page, where all configuration entries described in the CYBERQUEST configuration file sections can be managed.
The Administration service monitors the status of data collections, generating alerts when data from sources fails to reach the processing server. It also supervises CYBERQUEST component services and issues alerts in case of operational problems.
Available configurations:

- AdministrationService_elasticClusterName - Specifies the name of the Online Data Storage cluster used by the Administration Service.
- AdministrationService_elasticHostName - Defines the hostname or IP address of the Elasticsearch node where the Online Data Storage cluster is hosted.
Adjusting Alert settings
The Alert Settings section allows modification of all parameters related to alerts.

- Alerts_Blacklisted_IPs - Enables or disables the Blacklisted_IPs alert
- Alerts_Blacklisted_Users - Enables or disables the Blacklisted_Users alert
Adjusting Integrations settings
The Integrations section is used to configure all parameters related to system integrations.

- Integrations_OpenVasHost - Hostname or IP address of the OpenVAS machine (the vulnerability scanner integrated with CYBERQUEST).
- Integrations_OpenVasPassword - Password for the account used to connect to OpenVAS.
- Integrations_OpenVasUsername - Username for the account used to connect to OpenVAS.
Adjusting Teams settings
The Teams section is used to configure settings related to Microsoft Teams integration.

- Teams_TeamsHookURL - The webhook URL for the Microsoft Teams account where CYBERQUEST sends messages.
Adjusting Jira settings
The Jira section is used to configure settings related to Jira integration.

- Jira_JiraHookURL - The webhook URL for the Jira account where CYBERQUEST sends messages.
Adjusting Slack settings
The Slack section is used to configure settings related to Slack integration.

- Slack_SlackHookURL - The webhook URL for the Slack account where CYBERQUEST sends messages.
Adjusting Alert Templates settings
The Alert Templates section allows configuration of all parameters related to alert templates.

To create a new alert template, complete the following fields:
- Name - Enter a unique and descriptive name for the new alert template. This helps in easily identifying and managing the template later.
- From the Please select a rule drop-down list, choose the rule (e.g., Rule1, Rule2, Rule3, or Rule4) that the template will reference.
- In the Please select either alert section or event data field, specify whether to use an alert section or event data as the source.
- In the Text field, enter a descriptive message or insert dynamic objects as needed.

Adjusting Assets settings
Configuration page for assets. In the Assets module, details are automatically populated as data is collected, ensuring up-to-date information. Additionally, users can manually define new assets or modify existing asset details directly within the system, providing flexible and accurate asset management.
The Assets Settings section includes several visualizations including the Asset Model, Operating System Types, Operating System Versions, OS Build Numbers, Physical Memory (in GB), and CPU Core counts.


Additionally, this page provides a summary of assets grouped by the following categories: ASSET LIST, PRINTERS, SERVICES, SCHEDULED JOBS, and SOFTWARE.

On the right side of the page, a drop-down list allows grouping of assets by:

1. Asset List - This section contains all assets identified by CQ (assets displaying a Last Error status need proper configuration to allow the CQ module to retrieve information). Options are available to Edit, Delete, or View each asset.
To view asset information, click the corresponding button, which opens the detailed asset page.


Expanding Asset Details, Hardware Info, and Extended Info reveals information about the Operating System, Network, and Hard Disk.
Within the fields section, the following information can be observed:
- INSTALLED SOFTWARE - software installed on the asset
- SERVICES - services present on the asset
- LOCAL PRINTERS - local printers associated with the asset
- LOCAL USERS - local users of the asset
- LOCAL GROUPS - local groups of the asset
- LOGICAL DISKS - partitions of the asset’s physical disk
- NETWORK ADAPTERS - network adapters installed on the asset
- DRIVERS - drivers associated with the asset
- INSTALLED UPDATES - updates installed on the asset
- SCHEDULED JOBS - scheduled jobs configured for the asset
2. Printers - This section lists all printers identified by CQ, along with the number of assets associated with each printer (e.g., the OneNote (Desktop) printer is found on 1 asset).

3. Services - This section displays all services identified by CQ, along with the number of assets associated with each service (e.g., the Windows Remote Management (WS-Management) service is found on 4 assets).

4. Scheduled Jobs - This section lists all scheduled jobs identified by CQ, along with the number of assets associated with each job (e.g., the Automatic-Device-Join scheduled job is found on 6 assets).

5. Software - This section includes all software identified by CQ, along with the number of assets on which each software is installed (e.g., the software Next Generation Software is found on 2 assets).
For instructions on adding a new asset, refer to the following link: How to ADD a New Asset
To see how to collect data on Active Directory Assets Information: How to collect data on Active Directory Assets Information
Adjusting Applications settings
This section enables the configuration and management of applications within the system. Users can add new applications by entering a unique Name and providing a clear Description that outlines the application’s purpose or functionality. These details help maintain organized records and facilitate easier identification and management of applications across the platform.


Adjusting Projects settings
This section allows configuration and management of projects within the system. New projects can be created by specifying a Name and providing a detailed Description outlining the project’s objectives, scope, or key activities.


Adjusting Owners settings
This section manages the configuration of owners responsible for assets, applications, or projects. New owners can be added by providing a Name and a brief Description that clarifies their role or area of responsibility.


Adjusting Sites settings
This section allows configuration and management of sites within the system. New sites can be created by entering a Name and providing a Description that outlines the site’s purpose, location details, or operational scope.


Adjusting Asset groups settings
This page provides configuration options for asset groups. It allows assigning a specific asset group type to an existing asset group, ensuring proper organization and categorization of assets.


Adjusting Asset Groups Types settings
This section is used for configuring asset group types, which define categories for organizing assets. All settings related to asset group types can be modified here to ensure accurate classification.

The New Asset Group Type screen includes the following fields:
- Name - the name of the asset group type
- Description - a brief explanation of the asset group type
- Active / Disabled switch - used to enable or disable the asset group type

Customizing the Web Interface
Select the Customize option to open the instance customization page.

- CustomizeCompanyEmailDisclaimer - Defines the email disclaimer that is automatically appended to all messages sent by CYBERQUEST, typically used for legal or compliance notices.
- CustomizeCompanyLogo - Uploads and applies the organization’s logo, which can be included in reports generated by CYBERQUEST.
- CustomizeExecutorHost - Specifies the server that hosts the CYBERQUEST license. In distributed installations, this will be the license server; in All-In-One deployments, the license resides locally (127.0.0.1).
- CustomizeLoginBlockTreshold - Sets the number of consecutive failed login attempts allowed before a CYBERQUEST account is locked to prevent unauthorized access.
- CustomizeLoginWelcomeMessage - Defines the message displayed to CYBERQUEST users after they enter their username and password during login.
- CustomizeSendToExternalLink - Configures the forwarding of selected data to an external destination.
Adjusting data acquisition settings
Select the DataAcquisition entry to modify data acquisition settings. This section allows updating all parameters related to data acquisition.

- DataAcquisition_AnomalyStatisticsInterval - Interval (in seconds) at which anomaly detection statistics are calculated and updated
- DataAcquisition_bulk_size - Bulk size (in bytes) to send to short-term storage (Online DataStorage)
- DataAcquisition_Cache_minim_free_space - Minimum disk space (in MB) required to continue writing data, in case of throttling
- DataAcquisition_cache_path - Filesystem location where cache files are stored
- DataAcquisition_CLEANUP_CRON - (Deprecated) Previously used for cache cleanup scheduling
- DataAcquisition_collection_unique_keys - Defines the unique event identifiers (based on listed fields) used to match events to a specific asset
- DataAcquisition_debug_level - Sets the debug logging level:
  - 0 - FATAL ERROR, ERROR messages
  - 1 - WARNING messages
  - 2 - INFO messages
  - 3 - DEBUG messages
- DataAcquisition_DockerEnvironment - Set to true (the default) when the service is running inside a Docker container
- DataAcquisition_ElasticSearchIsHttpsConnection - Specifies whether connections to Online DataStorage use HTTPS
- DataAcquisition_ElasticSearchPassword - Password for authenticating with Online DataStorage
- DataAcquisition_ElasticSearchUseAuthentication - Enables authentication when connecting to Online DataStorage
- DataAcquisition_ElasticSearchUsername - Username for authenticating with Online DataStorage
- DataAcquisition_ELPusherThreadNo - Number of threads used to push data to short-term storage (Online DataStorage)
- DataAcquisition_EL_minim_free_space - Minimum disk space (in MB) for short-term storage, in case of throttling
- DataAcquisition_EL_Port - Short-term storage (Online DataStorage) port
- DataAcquisition_el_shards - Template number of Elasticsearch shards for short-term storage
- DataAcquisition_el_shards_replica - Template number of replica shards for short-term storage
- DataAcquisition_EL_Url - Short-term storage (Online DataStorage) address
- DataAcquisition_FieldAutoSuggest - Controls field autocomplete functionality:
  - 0 - No autocomplete suggestions
  - 1 - Suggestions only for User, Computer, and SrcIP fields
  - 2 - Suggestions for all fields except S(1..150) and Subobjects
  After changing any settings, the DataAcquisition service must be restarted.
- DataAcquisition_GetterThreadNo - Number of threads used to read events from the incoming events queue
- DataAcquisition_LIC_PATH - Path to the CYBERQUEST license file on the server
- DataAcquisition_LoadDatabase - Determines whether to load a database from the sql folder
- DataAcquisition_MaxEventSize - The maximum size (in bytes) allowed for a single event to be processed by the Data Acquisition service. Events exceeding this limit are discarded or truncated based on configuration.
- DataAcquisition_maxmindb_path - The server path for the MaxMind database
- DataAcquisition_MetricsHostnameTag - Hostname tag used for metrics reporting and identification in monitoring systems
- DataAcquisition_MetricsHostTag - Host identifier tag included in metrics data, used for tracking and distinguishing metrics from different hosts in monitoring systems
- DataAcquisition_MetricsServerAddress - IP address or hostname of the metrics server that collects and processes monitoring data
- DataAcquisition_MetricsServerEnable - Boolean flag that enables or disables the transmission of metrics to the metrics server
- DataAcquisition_MetricsServerPort - Network port on the metrics server used for receiving metrics data
- DataAcquisition_no_of_threads - Maximum number of threads available for processing (auto-filled)
- DataAcquisition_ParserThreadNo - Number of threads dedicated to parsing incoming data
- DataAcquisition_RedisServerPORT - The memory-based storage port
- DataAcquisition_RedisServerURL - The memory-based storage address
- DataAcquisition_ResyncCache - Resynchronizes the cache when using default parsers; resets to 0 after being set to 1
- DataAcquisition_RMQPusherThreadNo - Number of threads used to push data to the message queue service
- DataAcquisition_RMQUseSSL - Enables SSL (Secure Sockets Layer) encryption for traffic with the message queue service
- DataAcquisition_RMQ_host - Hostname or IP of the message queue server (may differ from the database server in distributed setups)
- DataAcquisition_RMQ_password - Password for message queue service authentication
- DataAcquisition_RMQ_port - Port used by the message queue service
- DataAcquisition_RMQ_queue - The messaging queue name for queuing services
- DataAcquisition_RMQ_username - Administrative username for the message queue service
- DataAcquisition_run_collection_servers - Boolean flag indicating whether to run collection servers (used in cluster deployments)
- DataAcquisition_sendRawData - Determines whether raw data is sent to short-term storage (Online DataStorage)
- DataAcquisition_ServiceDebugLevel - Sets service logging verbosity: 0-FATAL ERROR, 1-WARNING, 2-INFO, 3-DEBUG
- DataAcquisition_supressRawData - Determines whether raw data is deleted before sending to long-term storage (DataStorage)
- DataAcquisition_throttle_queue - Defines the maximum number of events allowed in the message queue before event transmission stops. Once this limit is reached, all subsequent events are cached locally
- DataAcquisition_UseDefaultParsers - Enables internal parsers for all incoming events
- DataAcquisition_use_http_ES_DA_client - Determines whether HTTP transport is used for short-term storage (Elasticsearch). If set to false, data is transmitted using alternative methods via the queue service (fanout)
- DataAcquisition_validateDataForEL - Validates data before sending it to Elasticsearch
- DataAcquisition_writeEventPath - Path used to send events within CYBERQUEST to short-term storage (Online DataStorage)
Adjusting data correlation settings
Select the DataCorrelation entry to configure parameters related to data correlation. This section allows updating all parameters related to data correlation.

- DataCorrelation_AplicationGUID - The server’s globally unique identifier, represented as 32 hexadecimal digits (lowercase or uppercase) in the format 8-4-4-4-12, totaling 36 characters
- DataCorrelation_cache_path - Filesystem location where correlation cache files are stored
- DataCorrelation_DebugLevel - Sets the debug logging level:
  - 0 - FATAL ERROR, ERROR messages
  - 1 - WARNING messages
  - 2 - INFO messages
  - 3 - DEBUG messages
- DataCorrelation_ElasticSearchIsHttpsConnection - Specifies whether connections to Online DataStorage use HTTPS
- DataCorrelation_EL_Port - Short-term storage (Online DataStorage) port
- DataCorrelation_ElasticSearchPassword - Password for authenticating with Online DataStorage
- DataCorrelation_ElasticSearchUseAuthentication - Enables authentication when connecting to Online DataStorage
- DataCorrelation_ElasticSearchUsername - Username for authenticating with Online DataStorage
- DataCorrelation_EL_Url - Short term storage (Online DataStorage) address
- DataCorrelation_MetricsHostnameTag - Hostname label included in correlation metrics to identify the source system in monitoring tools
- DataCorrelation_MetricsHostTag - Custom tag used in correlation metrics for distinguishing data from specific hosts or environments
- DataCorrelation_MetricsServerAddress - IP address or hostname of the metrics server that collects and stores correlation metrics
- DataCorrelation_MetricsServerEnable - Boolean setting that enables or disables sending correlation metrics to the metrics server
- DataCorrelation_MetricsServerPort - Network port on the metrics server used to receive correlation metrics
- DataCorrelation_PercolatorNumberOfContainers - Number of containers used by the percolator for correlation processing
- DataCorrelation_PercolatorThreadPoolSize - Number of threads allocated in the thread pool for percolator operations
- DataCorrelation_RedisServerPORT - Memory based storage port
- DataCorrelation_RedisServerURL - Memory based storage address
- DataCorrelation_restart - Restarts the DataCorrelation service
- DataCorrelation_RMQueueAddress - Address of the messaging queue server. In distributed architectures, may differ from the database server.
- DataCorrelation_RMQueueName - The messaging queue name for queuing services
- DataCorrelation_RMQueuePassword - Password for authenticating with the messaging queue service
- DataCorrelation_RMQueuePort - Port used by the messaging queue service
- DataCorrelation_RMQueueUserName - Username for authenticating with the messaging queue service
- DataCorrelation_RMQUseSSL - Enables SSL encryption for secure traffic with the messaging queue service
- DataCorrelation_throttle_queue - Throttle value
Adjusting data storage settings
Access the DataStorage entry to modify parameters related to how data is stored and managed within the system.

- DataStorage_elasticClusterName - Name of the Online DataStorage cluster
- DataStorage_elasticHostName - Hostname of the Online DataStorage server
- DataStorage_elasticPassword - Password for accessing Online DataStorage
- DataStorage_ElasticSearchIsHttpsConnection - Specifies whether connections to Online DataStorage use HTTPS
- DataStorage_ElasticSearchIsUserAuth - Indicates whether user authentication is required for Online DataStorage
- DataStorage_elasticUserName - Username for accessing Online DataStorage
- DataStorage_encryptionPrivateKeyFilePath - File path of the defined private key
- DataStorage_encryptionPrivateKeyPassword - Password for the defined private key
- DataStorage_encryptionPrivateKeyPasswordPath - File path where the private key password is stored
- DataStorage_encryptionPublicKeyFilePath - File path of the defined public key
- DataStorage_fileImportThreads - Number of threads used for file import operations
- DataStorage_fileWriterTimeout - Timeout interval for the event writer process
- DataStorage_maxEventsPerFile - Maximum number of events allowed per stored file
- DataStorage_mqAlternateHost - Alternate MQ host used if the primary host becomes unavailable
- DataStorage_mqExchangeName - Exchange name used by the MQ service
- DataStorage_mqHost - MQ service host. In distributed architectures, it may differ from the default CYBERQUEST server
- DataStorage_mqPassword - Password for MQ service access
- DataStorage_mqPort - Communication port used by the MQ service
- DataStorage_mqQueueName - Name of the MQ queue
- DataStorage_mqQueueType - Type of MQ queue
- DataStorage_mqReceiveCommandExchangeName - Exchange name for MQ receive commands
- DataStorage_mqReceiveCommandQueueName - Queue name for MQ receive commands
- DataStorage_mqReceiveCommandQueueType - Queue type for MQ receive commands
- DataStorage_mqReceiveCommandRouting - Routing path for MQ receive commands
- DataStorage_mqReceiveExchangeName - Exchange name for MQ receive operations
- DataStorage_mqReceiveQueueName - Queue name for MQ receive operations
- DataStorage_mqReceiveQueueType - Queue type for MQ receive operations
- DataStorage_mqReceiveRouting - Routing key for MQ receive operations
- DataStorage_mqRouting - General routing path for message queues
- DataStorage_mqSendExchangeName - Exchange name for MQ send operations
- DataStorage_mqSendQueueName - Queue name for MQ send operations
- DataStorage_mqSendQueueType - Queue type for MQ send operations
- DataStorage_mqSendRouting - Routing path for MQ send operations
- DataStorage_mqUserName - Administrative username for accessing MQ services
- DataStorage_mqVHost - MQ service virtual host. In distributed architectures, it may differ from the default CYBERQUEST server
Adjusting Data Executor settings
Select the Data Executor entry to configure parameters related to data executor. This section allows updating all parameters related to data executor.
- DataExecutor_ElasticSearchIsHttpsConnection - Specifies whether connections to Online DataStorage use HTTPS
- DataExecutor_ElasticSearchPassword - Password for authenticating with Online DataStorage
- DataExecutor_ElasticSearchUseAuthentication - Enables authentication when connecting to Online DataStorage
- DataExecutor_ElasticSearchUsername - Username for authenticating with Online DataStorage
- DataExecutor_EL_Port - Short-term storage (Online DataStorage) port
- DataExecutor_EL_Url - Short term storage (Online DataStorage) address
- DataExecutor_GetterThreadNo - Number of threads used by the Data Executor to retrieve data from storage or queues
- DataExecutor_RedisServerPORT - Memory based storage port
- DataExecutor_RedisServerURL - Memory based storage address
- DataExecutor_RMQUseSSL - Enables SSL (Secure Sockets Layer) encryption for traffic with the message queue service
- DataExecutor_RMQ_host - Hostname or IP address of the RabbitMQ server
- DataExecutor_RMQ_password - Password for connecting to RabbitMQ
- DataExecutor_RMQ_port - Port used by the message queue service
- DataExecutor_RMQ_queue - Name of the RabbitMQ queue from which the Data Executor retrieves tasks
- DataExecutor_RMQ_username - Username for RabbitMQ authentication
- DataExecutor_ServiceDebugLevel - Sets service logging verbosity: 0-FATAL ERROR, 1-WARNING, 2-INFO, 3-DEBUG
- DataExecutor_V8EngineTimeout - Maximum execution time (in milliseconds) allowed for scripts running in the V8 JavaScript engine before being stopped automatically.
Adjusting ElasticSearch settings
Select ElasticSearch to modify NoSQL configuration parameters. This section contains all settings related to the Online DataStorage nodes and search engine behavior.

- DataAcquisition_ElasticSearchIsHttpsConnection - Specifies whether connections to Online DataStorage use HTTPS
- DataAcquisition_ElasticSearchPassword - Password for authenticating with Online DataStorage
- DataAcquisition_ElasticSearchUseAuthentication - Enables authentication when connecting to Online DataStorage
- DataAcquisition_ElasticSearchUsername - Username for authenticating with Online DataStorage
- DataCorrelation_ElasticSearchIsHttpsConnection - Specifies whether connections to Online DataStorage use HTTPS
- DataCorrelation_ElasticSearchPassword - Password for authenticating with Online DataStorage
- DataCorrelation_ElasticSearchUseAuthentication - Enables authentication when connecting to Online DataStorage
- DataCorrelation_ElasticSearchUsername - Username for authenticating with Online DataStorage
- DataExecutor_ElasticSearchIsHttpsConnection - Specifies whether connections to Online DataStorage use HTTPS
- DataExecutor_ElasticSearchPassword - Password for authenticating with Online DataStorage
- DataExecutor_ElasticSearchUseAuthentication - Enables authentication when connecting to Online DataStorage
- DataExecutor_ElasticSearchUsername - Username for authenticating with Online DataStorage
- DataStorage_ElasticSearchIsHttpsConnection - Specifies whether connections to Online DataStorage use HTTPS
- DataStorage_ElasticSearchIsUserAuth - Indicates whether user authentication is required for Online DataStorage
- ElasticSearchIsHttpsConnection - Specifies whether connections to Online DataStorage use HTTPS
- ElasticSearchPassword - Online DataStorage password
- ElasticSearchPort - Port number used for connecting to Online DataStorage.
- ElasticSearchServer - Hostname or IP address of the Online DataStorage server
- ElasticSearchUseAuthentication - Enables or disables authentication for Online DataStorage connections
- ElasticSearchUsername - Username for Online DataStorage authentication
Adjusting email settings
Select Email to configure parameters for email delivery in CYBERQUEST. This section includes all settings related to how CYBERQUEST sends emails.

- CustomizeCompanyEmailDisclaimer - Defines a custom email disclaimer or footer text to be appended to outgoing emails.
- EmailAuthPass - Password used for authentication with the outgoing email server
- EmailAuthUserName - Username used for authentication with the outgoing email server
- EmailBCC - One or more email addresses to receive BCC of all outgoing emails
- EmailCC - One or more email addresses to receive CC of all outgoing emails
- EmailFrom - The default “From” address displayed in emails sent by CYBERQUEST
- EmailHealthCheckResponsibleUser - The designated user who receives health check or system monitoring emails
- EmailServer - The hostname or IP address of the outgoing email server (SMTP server)
- EmailServerNoValidateCert - When enabled, bypasses validation of the server’s SSL/TLS certificate
- EmailServerPort - The port used for communication with the outgoing email server
- EmailServerTimeout - The maximum time (in seconds) to wait for a response from the email server before timing out
- EmailServerTransport - The communication protocol used to send emails (e.g., SMTP, SMTPS)
- EmailServerUseAuth - Indicates whether authentication is required to connect to the outgoing email server
- EmailServerUseTLS - Specifies whether to use TLS encryption when sending emails
Adjusting remote cluster settings
Select Remote Cluster to configure connections between multiple CYBERQUEST instances, enabling federated search capabilities across distributed environments.
This section allows defining one or more remote clusters that can be queried alongside the local instance, providing unified search results from multiple data sources.


- Name - A descriptive label for the remote cluster, used to easily identify it in the interface.
- IP Address - The network IP address of the remote CYBERQUEST instance.
- Port - The communication port on which the remote instance accepts connections for federated search requests.
Adjusting reports export settings
Select ReportsExport to modify the configuration settings for report exports. This section contains all parameters related to the generation and export of reports.

- ReportsExportLocalPath - The directory path on the local system where generated reports are stored before export.
- ReportsExportRemotePassword - The authentication password used to connect to the remote server for report export.
- ReportsExportRemotePath - The directory path on the remote server where exported reports will be stored.
- ReportsExportRemoteUsername - The username used to authenticate with the remote server for report export.
Adjusting retention time
Select RetentionPeriod to modify the duration for which stored data is retained. This section contains all parameters related to data retention management.

- RetentionPeriodAN: Specifies the retention duration for data in the Data Analyzer (Deprecated).
- RetentionPeriodArchive: Defines how long unarchived data is kept when using the Archives option in jobs.
  For instructions on importing data from an archive, refer to: How to import data from archive
- RetentionPeriodEL: Determines the retention policy for the online data and online repository (Online DataStorage).
- RetentionPeriodSelfAdjust: Accepts values 1 (ON) or 0 (OFF).
  - 1 (ON) - The retention period in the online database (Elasticsearch) is automatically adjusted based on the allocated storage capacity.
  - 0 (OFF) - The value in RetentionPeriodEL remains fixed. CYBERQUEST will continue collecting data until disk space is full, after which no new data will be collected.
Adjusting API Keys settings
In the API Keys section, new entries can be created to control and authenticate data access from external sources. These settings define the name of the key, the authorized remote host, and whether the key is currently active.


- Name - A descriptive label for the API key, used to identify its purpose or associated system.
- Remote Host - The IP address or hostname from which API requests are allowed.
- Activate - Enables or disables the API key
Adjusting DataForwarder settings
Select DataForwarder to configure event forwarding to a syslog server. This section contains all parameters related to DataForwarder operation.

- DataForwarder_cache_path - Location where cache files are stored for temporarily holding events before forwarding
- DataForwarder_enableForwarding - Enables or disables the DataForwarder service (default is disabled)
- DataForwarder_forwardCEF - Enables forwarding of events in CEF (Common Event Format) (default is disabled)
- DataForwarder_forwardCEF_host - Hostname or IP address of the CEF destination server
- DataForwarder_forwardCEF_port - Network port used for CEF event forwarding
- DataForwarder_forwardCEF_protocol - Network protocol used for CEF forwarding
- DataForwarder_forwardLEEF - Enables forwarding of events in LEEF (Log Event Extended Format) (default is disabled)
- DataForwarder_forwardLEEF_host - Hostname or IP address of the LEEF destination server
- DataForwarder_forwardLEEF_port - Network port used for LEEF event forwarding
- DataForwarder_forwardLEEF_protocol - Network protocol used for LEEF forwarding
- DataForwarder_forwardRMQ - Enables event forwarding to another CYBERQUEST server via RabbitMQ
- DataForwarder_forwardRMQ_host - Hostname or IP address of the RabbitMQ server. In distributed architectures, this may differ from the default database server
- DataForwarder_forwardRMQ_password - Password used for RabbitMQ authentication
- DataForwarder_forwardRMQ_port - Network port used for RabbitMQ communication
- DataForwarder_forwardRMQ_queue - Name of the RabbitMQ queue used for forwarding events
- DataForwarder_forwardRMQ_username - Username for RabbitMQ authentication
- DataForwarder_forwardSyslog - Enables forwarding of events to a Syslog server (default is disabled)
- DataForwarder_forwardSyslog_host - Hostname or IP address of the Syslog server. In distributed architectures, this may differ from the default database server
- DataForwarder_forwardSyslog_port - Network port for Syslog forwarding
- DataForwarder_forwardSyslog_protocol - Network protocol for Syslog forwarding
- DataForwarder_forwardTCPSyslog - Enables forwarding of events to a Syslog server using TCP (default is disabled)
- DataForwarder_forwardTCPSyslog_host - Hostname or IP address of the TCP Syslog server
- DataForwarder_forwardTCPSyslog_port - Network port for TCP Syslog forwarding
- DataForwarder_GetterThreadNo - Number of threads used to read events from the incoming queue
- DataForwarder_ServiceDebugLevel - Logging verbosity level: 0-FATAL ERROR, 1-WARNING, 2-INFO, 3-DEBUG
- DataForwarder_source_RMQ_host - Hostname or IP address of the RabbitMQ source server. In distributed architectures, this may differ from the default database server
- DataForwarder_source_RMQ_password - Password for authentication to the RabbitMQ source server
- DataForwarder_source_RMQ_port - Port used to connect to the RabbitMQ source server.
- DataForwarder_source_RMQ_queue - The messaging queue name for queuing services
- DataForwarder_source_RMQ_username - Username for authentication to the RabbitMQ source server
- DataForwarder_throttle_queue - Maximum number of events allowed in the message queue before forwarding stops. Additional events are cached locally until the queue clears
- DataForwarder_UseDefaultParsers - Specifies whether to use the internally defined parsers for all events
For additional details on DataForwarder, refer to: How to forward syslog data
Adjusting Alert Forwarding settings
Select the Alert Forwarding entry to configure alert forwarding to a syslog server. This section includes all parameters related to the Alert Forwarding process.

- AlertForwarding_AlertForwardingEnable - Enables or disables alert forwarding (default is disabled)
- AlertForwarding_ForwardingSecurityLevel - Defines the security level applied to forwarded alerts
- AlertForwarding_ForwardingSecurityScore - Defines the security score assigned to alerts during forwarding
- AlertForwarding_forwardSyslog - Enables Syslog-based alert forwarding (default is disabled)
- AlertForwarding_forwardSyslog_host - The host (IP or domain) to which Syslog alerts are forwarded
- AlertForwarding_forwardSyslog_port - The network port used for forwarding Syslog alerts
For additional details on AlertForwarding, refer to: How to forward alerts to another host
Adjusting Geo Country settings
Select Geo Country to manage geographic country entries used by the system. This section allows adding new countries and configuring their associated values.


- Name - The official name of the country
- Value - The system-assigned code or identifier associated with the country
Adjusting Geo City settings
Select Geo City to manage geographic city entries used by the system. This section allows adding new cities and configuring their associated values.


- Name: The name of the city (e.g., Bucharest)
- Value: A unique identifier or code for the city (e.g., BUH)
Adjusting IOC IP settings
Select IOC IP to manage IP indicators of compromise used by the system. This section allows adding new IP entries and configuring their associated values.


- Name - The descriptive name of the IP entry
- Value - The IP address associated with the entry
Truncate button - Clears all entries in the current IOC IP list, removing all stored IP addresses.
Adjusting IOC Domain settings
Select IOC Domain to manage domain-based Indicators of Compromise (IOCs) used by the system for threat detection and correlation. This section allows adding new domains and configuring their associated values.


- Name - A descriptive label for the IOC domain entry, helping identify its purpose or source
- Value - The specific domain name associated with the IOC entry (e.g., maliciousdomain.com)
Truncate button - Deletes all existing IOC Domain entries from the list, clearing the stored data entirely. This action cannot be undone.
Adjusting Tor Exit Nodes settings
Select Tor Exit Nodes to manage a list of known Tor network exit nodes used by the system for detection or filtering purposes. This section allows adding new entries and assigning values to them.


- Name - The label or identifier for the Tor Exit Node entry
- Value - The IP address of the Tor Exit Node
Truncate button - Permanently clears all stored Tor Exit Node entries from the list, removing both names and values
Adjusting Active Blocked IPs settings
The Active Blocked IPs section is used to manage IP addresses that are currently blocked by the system. New entries can be added, along with details such as expiration time, associated block list, and comments for reference. This helps maintain control over restricted IP addresses and provides context for each block.

Adjusting Tenants settings
Select the Tenants entry to change Tenants settings. This section allows changing all entries related to Tenants.
