diff --git a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml
index 3cfe30c26..ce522185f 100644
--- a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml
+++ b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml
@@ -102,6 +102,7 @@ jobs:
 echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt
 echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" > ./shared/environment.chroot
 echo "VCS_REVSION=${{ steps.extract_commit_sha.outputs.sha }}" > ./shared/environment.chroot
+ echo "BUILD_JOBS=2" > ./shared/environment.chroot
 sudo /usr/bin/env bash ./build.sh
 rm -rf ./shared/ ./docs/ ./_config.yml ./_includes ./_layouts /Gemfile ./README.md
 sudo chmod 644 ./hedgehog-*.*
diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml
index 93f4e60ff..2cd12c3ab 100644
--- a/.github/workflows/zeek-build-and-push-ghcr.yml
+++ b/.github/workflows/zeek-build-and-push-ghcr.yml
@@ -67,6 +67,8 @@ jobs:
 file: ./Dockerfiles/zeek.Dockerfile
 push: true
 tags: ghcr.io/${{ github.repository_owner }}/malcolm/zeek:${{ steps.extract_branch.outputs.branch }}
+ build-args: |
+ BUILD_JOBS=2
 - name: Run Trivy vulnerability scanner
 id: trivy-scan
diff --git a/.trigger_iso_workflow_build b/.trigger_iso_workflow_build
index b5a2ce556..4ade3f725 100644
--- a/.trigger_iso_workflow_build
+++ b/.trigger_iso_workflow_build
@@ -1,2 +1,2 @@
 # this file exists solely for the purpose of being updated and seen by github to trigger a commit build action
-0
\ No newline at end of file
+1
\ No newline at end of file
diff --git a/.trigger_workflow_build b/.trigger_workflow_build
index b5a2ce556..4ade3f725 100644
--- a/.trigger_workflow_build
+++ b/.trigger_workflow_build
@@ -1,2 +1,2 @@
 # this file exists solely for the purpose of being updated and seen by github to trigger a commit build action
-0
\ No newline at end of file
+1
\ No newline at end of file
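Review bot: The added `echo "BUILD_JOBS=2" > ./shared/environment.chroot` truncates environment.chroot, so the GITHUB_TOKEN and VCS_REVSION lines written just above it are gone before build.sh runs; the two existing writes have the same shape, so only the last `>` ever survives. Unless build.sh needs none of those values, change the new line to append, `echo "BUILD_JOBS=2" >> ./shared/environment.chroot`, and switch the VCS_REVSION line to `>>` as well (the first write can stay `>` to reset the file). The step's `run:` block starts outside the hunk.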
diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile
index 16ccde49c..a674b5eb9 100644
--- a/Dockerfiles/arkime.Dockerfile
+++ b/Dockerfiles/arkime.Dockerfile
@@ -3,8 +3,11 @@ FROM debian:12-slim AS build
 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
 ENV DEBIAN_FRONTEND noninteractive
+ENV TERM xterm
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
-ENV ARKIME_VERSION "v4.4.0"
+ENV ARKIME_VERSION "v4.5.0"
 ENV ARKIME_DIR "/opt/arkime"
 ENV ARKIME_URL "https://github.com/arkime/arkime.git"
 ENV ARKIME_LOCALELASTICSEARCH no
@@ -50,7 +53,7 @@ RUN apt-get -q update && \
 swig \
 wget \
 zlib1g-dev && \
- python3 -m pip install --break-system-packages --no-cache-dir beautifulsoup4 meson && \
+ python3 -m pip install --break-system-packages --no-compile --no-cache-dir beautifulsoup4 meson && \
 cd /opt && \
 git clone --recurse-submodules --branch="$ARKIME_VERSION" "$ARKIME_URL" "./arkime-"$ARKIME_VERSION && \
 cd "./arkime-"$ARKIME_VERSION && \
@@ -94,6 +97,8 @@ ENV PUSER_RLIMIT_UNLOCK true
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
 ARG OPENSEARCH_URL="http://opensearch:9200"
 ARG OPENSEARCH_LOCAL=true
@@ -169,7 +174,7 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour
 vim-tiny \
 wget \
 tar gzip unzip cpio bzip2 lzma xz-utils p7zip-full unrar zlib1g && \
- python3 -m pip install --break-system-packages --no-cache-dir beautifulsoup4 pyzmq watchdog && \
+ python3 -m pip install --break-system-packages --no-compile --no-cache-dir beautifulsoup4 pyzmq watchdog && \
 ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \
 ln -sfr $ARKIME_DIR/bin/node /usr/local/bin/node && \
 ln -sfr $ARKIME_DIR/bin/npx /usr/local/bin/npx && \
diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile
index 9fcbd20ef..36322c503 100644
--- a/Dockerfiles/file-monitor.Dockerfile
+++ b/Dockerfiles/file-monitor.Dockerfile
@@ -20,6 +20,8 @@ ENV PUSER_PRIV_DROP true
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
 ARG ZEEK_EXTRACTOR_PATH=/zeek/extract_files
 ARG ZEEK_LOG_DIRECTORY=/zeek/logs
@@ -81,7 +83,7 @@ ENV YARA_VERSION "4.3.2"
 ENV YARA_URL "https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz"
 ENV YARA_RULES_SRC_DIR "/yara-rules-src"
 ENV YARA_RULES_DIR "/yara-rules"
-ENV CAPA_VERSION "6.0.0"
+ENV CAPA_VERSION "6.1.0"
 ENV CAPA_URL "https://github.com/fireeye/capa/releases/download/v${CAPA_VERSION}/capa-v${CAPA_VERSION}-linux.zip"
 ENV CAPA_DIR "/opt/capa"
 ENV CAPA_BIN "${CAPA_DIR}/capa"
@@ -135,7 +137,7 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour
 python3-requests \
 python3-zmq \
 rsync && \
- python3 -m pip install --break-system-packages --no-cache-dir clamd supervisor yara-python python-magic psutil pycryptodome watchdog && \
+ python3 -m pip install --break-system-packages --no-compile --no-cache-dir clamd supervisor yara-python python-magic psutil pycryptodome watchdog && \
 curl -fsSLO "$SUPERCRONIC_URL" && \
 echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \
 chmod +x "$SUPERCRONIC" && \
diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
index 61d66e184..53b32c6bc 100644
--- a/Dockerfiles/filebeat.Dockerfile
+++ b/Dockerfiles/filebeat.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/beats/filebeat-oss:8.9.0
+FROM docker.elastic.co/beats/filebeat-oss:8.10.0
 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
@@ -23,6 +23,8 @@ ENV PUSER_PRIV_DROP false
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
 ARG AUTO_TAG=true
 ARG FILEBEAT_SCAN_FREQUENCY=10s
@@ -93,7 +95,7 @@ RUN apt-get -q update && \
 unar \
 unzip \
 xz-utils && \
- python3 -m pip install --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \
+ python3 -m pip install --no-compile --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \
 curl -fsSLO "$SUPERCRONIC_URL" && \
 echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \
 chmod +x "$SUPERCRONIC" && \
diff --git a/Dockerfiles/freq.Dockerfile b/Dockerfiles/freq.Dockerfile
index 445dabfe6..fbf2d78f6 100644
--- a/Dockerfiles/freq.Dockerfile
+++ b/Dockerfiles/freq.Dockerfile
@@ -40,7 +40,7 @@ RUN apt-get -q update && \
 python3-pip \
 rsync \
 tini && \
- pip3 install --break-system-packages supervisor six && \
+ pip3 install --break-system-packages --no-compile --no-cache-dir supervisor six && \
 cd /opt && \
 mkdir -p ./freq_server && \
 curl -sSL "$FREQ_URL" | tar xzvf - -C ./freq_server --strip-components 1 && \
diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index 3790c76ba..f1abd9d9c 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/logstash/logstash-oss:8.9.0
+FROM docker.elastic.co/logstash/logstash-oss:8.10.0
 LABEL maintainer="malcolm@inl.gov"
 LABEL org.opencontainers.image.authors='malcolm@inl.gov'
@@ -51,6 +51,7 @@ RUN set -x && \
 apt-get -q update && \
 apt-get -y -q --no-install-recommends upgrade && \
 apt-get -y --no-install-recommends install \
+ curl \
 gettext \
 patch \
 python3-setuptools \
@@ -81,6 +82,7 @@ RUN set -x && \
 COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
 COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/
+COPY --chmod=755 shared/bin/opensearch_status.sh /usr/local/bin/
 COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
 COPY --chmod=755 shared/bin/manuf-oui-parse.py /usr/local/bin/
 COPY --chmod=755 shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/
diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index aed01d44d..beb060696 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -1,4 +1,4 @@
-FROM netboxcommunity/netbox:v3.5.7
+FROM netboxcommunity/netbox:v3.6.1
 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
@@ -13,13 +13,15 @@ LABEL org.opencontainers.image.description='Malcolm container providing the NetB
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
 ENV LANG C.UTF-8
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
 ARG DEFAULT_UID=1000
 ARG DEFAULT_GID=1000
 ENV DEFAULT_UID $DEFAULT_UID
 ENV DEFAULT_GID $DEFAULT_GID
-ENV PUSER "boxer"
-ENV PGROUP "boxer"
+ENV PUSER "ubuntu"
+ENV PGROUP "ubuntu"
 ENV PUSER_PRIV_DROP true
 ENV SUPERCRONIC_VERSION "0.2.26"
@@ -50,15 +52,24 @@ ADD netbox/patch/* /tmp/netbox-patches/
 RUN apt-get -q update && \
 apt-get -y -q --no-install-recommends upgrade && \
 apt-get install -q -y --no-install-recommends \
+ gcc \
 git \
 jq \
+ libpq-dev \
+ libpq5 \
 patch \
 procps \
 psmisc \
+ python3-dev \
 rsync \
 supervisor \
 tini && \
- "${NETBOX_PATH}/venv/bin/python" -m pip install --break-system-packages --no-cache-dir 'git+https://github.com/mmguero-dev/netbox-initializers' psycopg2 pynetbox python-slugify randomcolor && \
+ "${NETBOX_PATH}/venv/bin/python" -m pip install --break-system-packages --no-compile --no-cache-dir \
+ 'git+https://github.com/tobiasge/netbox-initializers' \
+ psycopg2 \
+ pynetbox \
+ python-slugify \
+ randomcolor && \
 cd "${NETBOX_PATH}" && \
 bash -c 'for i in /tmp/netbox-patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done' && \
 curl -fsSLO "${SUPERCRONIC_URL}" && \
@@ -69,13 +80,11 @@ RUN apt-get -q update && \
 touch "${SUPERCRONIC_CRONTAB}" && \
 curl -fsSL -o /usr/bin/yq "${YQ_URL}" && \
 chmod 755 /usr/bin/yq && \
- apt-get -q -y --purge remove patch git && \
+ apt-get -q -y --purge remove patch gcc git libpq-dev python3-dev && \
 apt-get -q -y --purge autoremove && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
- groupadd --gid ${DEFAULT_GID} ${PUSER} && \
- useradd -m --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER} && \
- usermod -a -G tty ${PUSER} && \
+ usermod -a -G tty ${PUSER} && \
 mkdir -p /opt/unit "${NETBOX_DEVICETYPE_LIBRARY_PATH}" && \
 chown -R $PUSER:root /etc/netbox /opt/unit "${NETBOX_PATH}" && \
 cd "$(dirname "${NETBOX_DEVICETYPE_LIBRARY_PATH}")" && \
diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile
index 13d232705..106c6659e 100644
--- a/Dockerfiles/pcap-monitor.Dockerfile
+++ b/Dockerfiles/pcap-monitor.Dockerfile
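Review bot: The pip line now installs `'git+https://github.com/tobiasge/netbox-initializers'` with no ref, so every image build pulls whatever that repository's default branch points at, which makes the build unreproducible and puts an unreviewed upstream branch state straight into the image. The previous line had the same shape, but since the source repository changes here this is the moment to pin it: `'git+https://github.com/tobiasge/netbox-initializers@<TAG_OR_COMMIT>'` (placeholder; use the tag that matches the v3.6.1 base image). The PyPI names on the same line (psycopg2, pynetbox, python-slugify, randomcolor) are unpinned as well; version pins or a constraints file would give the same guarantee. The RUN chain continues past the hunk.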
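Review bot: With `groupadd` and `useradd` removed from the second hunk, `${PUSER}` is now assumed to already exist in the base image, and `DEFAULT_UID`/`DEFAULT_GID` are no longer applied to that account at build time, so a `--build-arg DEFAULT_UID=...` override silently changes only the ENV values while the remaining `usermod -a -G tty ${PUSER}` and `chown -R $PUSER:root ...` lines fail the build if the base image ships no `ubuntu` user. If the uid/gid remapping is meant to happen at container start by an entrypoint script (the netbox file's COPY lines are outside the hunk, so this cannot be confirmed here), a comment saying so above the `usermod` line would prevent the next reader from re-adding `useradd`; otherwise consider `groupmod --gid ${DEFAULT_GID} ${PGROUP} && usermod --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER} && \` ahead of `usermod -a -G tty ${PUSER} && \`.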
@@ -23,6 +23,8 @@ ENV PUSER_PRIV_DROP false
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
 ARG OPENSEARCH_URL="http://opensearch:9200"
 ARG OPENSEARCH_LOCAL=true
@@ -61,7 +63,7 @@ RUN apt-get -q update && \
 vim-tiny && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* && \
- python3 -m pip install --break-system-packages --no-cache-dir opensearch-py pyzmq python-magic requests watchdog && \
+ python3 -m pip install --break-system-packages --no-compile --no-cache-dir opensearch-py pyzmq python-magic requests watchdog && \
 groupadd --gid ${DEFAULT_GID} ${PGROUP} && \
 useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER}
diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile
index 84e32cee5..b4cb1c3d8 100644
--- a/Dockerfiles/suricata.Dockerfile
+++ b/Dockerfiles/suricata.Dockerfile
@@ -11,6 +11,8 @@ LABEL org.opencontainers.image.description='Malcolm container providing Suricata
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
 # configure unprivileged user and runtime parameters
 ARG DEFAULT_UID=1000
@@ -99,7 +101,7 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour
 tini \
 vim-tiny \
 zlib1g && \
- python3 -m pip install --break-system-packages --no-cache-dir watchdog && \
+ python3 -m pip install --break-system-packages --no-compile --no-cache-dir watchdog && \
 curl -fsSLO "$SUPERCRONIC_URL" && \
 echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \
 chmod +x "$SUPERCRONIC" && \
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index d0447c326..445fa2cb3 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -1,3 +1,61 @@
+FROM debian:12-slim as build
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV TERM xterm
+
+# for build
+ARG ZEEK_VERSION=6.0.1
+ENV ZEEK_VERSION $ZEEK_VERSION
+ARG ZEEK_DBG=0
+ENV ZEEK_DBG $ZEEK_DBG
+ARG BUILD_JOBS=4
+ENV BUILD_JOBS $BUILD_JOBS
+ENV CCACHE_DIR "/var/spool/ccache"
+ENV CCACHE_COMPRESS 1
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
+
+RUN apt-get -q update && \
+ apt-get -y -q --no-install-recommends upgrade && \
+ apt-get install -q -y --no-install-recommends \
+ bison \
+ ca-certificates \
+ ccache \
+ cmake \
+ curl \
+ flex \
+ g++ \
+ gcc \
+ git \
+ libfl-dev \
+ libgoogle-perftools4 \
+ libgoogle-perftools-dev \
+ libkrb5-3 \
+ libkrb5-dev \
+ libmaxminddb-dev \
+ libpcap-dev \
+ libssl-dev \
+ libtcmalloc-minimal4 \
+ make \
+ ninja-build \
+ python3 \
+ python3-dev \
+ python3-git \
+ python3-semantic-version \
+ sudo \
+ swig \
+ zlib1g-dev && \
+ mkdir -p /usr/share/src/zeek "${CCACHE_DIR}" && \
+ cd /usr/share/src && \
+ ( curl -sSL "https://download.zeek.org/zeek-${ZEEK_VERSION}.tar.gz" | tar xzf - -C ./zeek --strip-components 1 ) && \
+ cd /usr/share/src/zeek && \
+ [ "$ZEEK_DBG" = "1" ] && \
+ ./configure --prefix=/opt/zeek --generator=Ninja --ccache --enable-perftools --enable-debug || \
+ ./configure --prefix=/opt/zeek --generator=Ninja --ccache --enable-perftools && \
+ ninja -C build -j "${BUILD_JOBS}" && \
+ cd ./build && \
+ cpack -G DEB
+
 FROM debian:12-slim
 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
@@ -13,6 +71,8 @@ LABEL org.opencontainers.image.description='Malcolm container providing Zeek'
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
 # configure unprivileged user and runtime parameters
 ARG DEFAULT_UID=1000
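Review bot: The `[ "$ZEEK_DBG" = "1" ] && ./configure ... --enable-debug || ./configure ...` sequence in the build stage's RUN is evaluated left to right with equal precedence, so the `|| ./configure` branch runs whenever anything before it fails — a failed debug configure, but also a failed tarball download or `cd` earlier in the same chain — and the chain then proceeds into `ninja` with the real error masked. Replace the three lines with an explicit conditional: `if [ "$ZEEK_DBG" = "1" ]; then ZEEK_CFG_DBG="--enable-debug"; else ZEEK_CFG_DBG=""; fi && \` followed by `./configure --prefix=/opt/zeek --generator=Ninja --ccache --enable-perftools ${ZEEK_CFG_DBG} && \`. Separately, the source tarball is piped straight from `curl -sSL` into `tar xzf -` with no integrity check, whereas the SUPERCRONIC download in this same diff is verified with `sha1sum -c`; adding `ARG ZEEK_SHA256=<DIGEST_PLACEHOLDER>`, downloading to a file and running `echo "${ZEEK_SHA256}  zeek-${ZEEK_VERSION}.tar.gz" | sha256sum -c -` before extraction would make the build input reproducible and catch a truncated or tampered archive.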
@@ -30,27 +90,26 @@ ENV PGROUP "zeeker"
 ENV PUSER_PRIV_DROP false
 ENV PUSER_RLIMIT_UNLOCK true
-# for download and install
-ARG ZEEK_LTS=
-ARG ZEEK_VERSION=5.2.2-0
-
-ENV ZEEK_LTS $ZEEK_LTS
-ENV ZEEK_VERSION $ZEEK_VERSION
-
 ENV SUPERCRONIC_VERSION "0.2.26"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
 ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
-# for build
-ENV CCACHE_DIR "/var/spool/ccache"
-ENV CCACHE_COMPRESS 1
+# for download and install
+ARG ZEEK_VERSION=6.0.0
+ENV ZEEK_VERSION $ZEEK_VERSION
 # put Zeek and Spicy in PATH
 ENV ZEEK_DIR "/opt/zeek"
 ENV PATH "${ZEEK_DIR}/bin:${PATH}"
+# for build
+ENV CCACHE_DIR "/var/spool/ccache"
+ENV CCACHE_COMPRESS 1
+
+COPY --from=build /usr/share/src/zeek/build/*.deb /tmp/zeekdebs/
+
 # add script for building 3rd-party plugins
 ADD shared/bin/zeek_install_plugins.sh /usr/local/bin/
@@ -60,6 +119,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 apt-get -y -q --no-install-recommends upgrade && \
 apt-get install -q -y --no-install-recommends \
 bc \
+ binutils \
 bison \
 ca-certificates \
 ccache \
@@ -78,6 +138,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 libatomic1 \
 libcap2-bin \
 libfl-dev \
+ libfl2 \
 libgoogle-perftools4 \
 libkrb5-3 \
 libmaxminddb-dev \
@@ -85,6 +146,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 libpcap-dev \
 libpcap0.8 \
 libssl-dev \
+ libssl3 \
 libtcmalloc-minimal4 \
 libunwind8 \
 libzmq5 \
@@ -92,6 +154,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 make \
 moreutils \
 ninja-build \
+ openssl \
 procps \
 psmisc \
 python3 \
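Review bot: The final stage now declares `ARG ZEEK_VERSION=6.0.0` while the build stage at the top of the same file declares `ARG ZEEK_VERSION=6.0.1`; the debs are copied from the build stage regardless of this value, so the `ENV ZEEK_VERSION` the final image advertises will not match what is actually installed unless both stages receive the same build-arg. Declaring `ARG ZEEK_VERSION=6.0.1` once before the first `FROM` and restating a bare `ARG ZEEK_VERSION` in each stage keeps a single default. The `# for download and install` heading above it no longer describes this stage, since nothing is downloaded here anymore; `# version of the Zeek build copied from the build stage` would be accurate.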
@@ -108,23 +171,10 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 swig \
 tini \
 vim-tiny \
+ xxd \
 zlib1g-dev && \
+ dpkg -i /tmp/zeekdebs/*.deb && \
 python3 -m pip install --break-system-packages --no-cache-dir pymisp stix2 taxii2-client dateparser && \
- mkdir -p /tmp/zeek-packages && \
- cd /tmp/zeek-packages && \
- if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS && \
- curl -sSL --remote-name-all \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-client_${ZEEK_VERSION}_all.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VERSION}_all.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest_${ZEEK_VERSION}_all.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VERSION}_all.deb" && \
- dpkg -i ./*.deb && \
 curl -fsSLO "$SUPERCRONIC_URL" && \
 echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \
 chmod +x "$SUPERCRONIC" && \
diff --git a/api/requirements.txt b/api/requirements.txt
index e2919f390..571c967c0 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
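Review bot: The `python3 -m pip install --break-system-packages --no-cache-dir pymisp stix2 taxii2-client dateparser` line directly under the new `dpkg -i` is the one pip invocation in this diff that did not receive `--no-compile`, which is inconsistent with every other Dockerfile touched here and with the `PYTHONDONTWRITEBYTECODE` env the same commit adds to this stage. The packages copied into `/tmp/zeekdebs/` also remain in the layer after `dpkg -i /tmp/zeekdebs/*.deb` unless they are removed later in the chain, which lies outside the hunk; `rm -rf /tmp/zeekdebs && \` right after the `dpkg -i` line would keep them out of the image. The RUN chain starts and ends outside the hunk.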
@@ -1,7 +1,7 @@
 pytz==2021.3
 Flask==2.3.2
 gunicorn==20.1.0
-opensearch-py==2.3.0
+opensearch-py==2.3.1
 requests==2.31.0
 regex==2022.3.2
 dateparser==1.1.1
\ No newline at end of file
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 0aff4df59..1175de8b5 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -71,1153 +71,1150 @@ valueAutoComplete=false # see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation # id information -zeek.uid=db:zeek.uid;kind:termfield;friendly:Zeek Connection ID;help:Zeek Connection ID -network.is_orig=db:network.is_orig;kind:termfield;friendly:Is Originator;help:Is Originator -event.provider=db:event.provider;group:malcolm;kind:termfield;friendly:Data Source;help:Data Source -event.dataset=db:event.dataset;group:malcolm;kind:termfield;friendly:Log Type;help:Log Type -event.module=db:event.module;group:malcolm;kind:termfield;friendly:Data Source Module;help:Data Source Module -event.id=db:event.id;group:malcolm;kind:termfield;friendly:Log ID;help:Log ID -event.hash=db:event.hash;group:malcolm;kind:termfield;friendly:Log Hash;help:Log Hash -event.hits=db:event.hits;group:malcolm;kind:integer;friendly:Hits;help:Hits -zeek.ts=db:zeek.ts;kind:termfield;friendly:Timestamp;help:Zeek Timestamp -host.name=db:host.name;group:malcolm;kind:termfield;friendly:Malcolm Node;help:Malcolm Node +zeek.uid=db:zeek.uid;kind:termfield;viewerOnly:true;friendly:Zeek Connection ID;help:Zeek Connection ID +network.is_orig=db:network.is_orig;kind:termfield;viewerOnly:true;friendly:Is Originator;help:Is Originator +event.provider=db:event.provider;group:malcolm;kind:termfield;viewerOnly:false;friendly:Data Source;help:Data Source +event.dataset=db:event.dataset;group:malcolm;kind:termfield;viewerOnly:false;friendly:Log Type;help:Log Type +event.module=db:event.module;group:malcolm;kind:termfield;viewerOnly:false;friendly:Data Source Module;help:Data Source Module +event.id=db:event.id;group:malcolm;kind:termfield;viewerOnly:false;friendly:Log ID;help:Log ID +event.hash=db:event.hash;group:malcolm;kind:termfield;viewerOnly:false;friendly:Log Hash;help:Log Hash +event.hits=db:event.hits;group:malcolm;kind:integer;viewerOnly:true;friendly:Hits;help:Hits 
+zeek.ts=db:zeek.ts;kind:termfield;viewerOnly:true;friendly:Timestamp;help:Zeek Timestamp +host.name=db:host.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Malcolm Node;help:Malcolm Node # basic connection information -destination.geo.city_name=db:destination.geo.city_name;group:malcolm;kind:termfield;friendly:Responding GeoIP City;help:Responding GeoIP City -destination.geo.country_name=db:destination.geo.country_name;group:malcolm;kind:termfield;friendly:Responding GeoIP Country;help:Responding GeoIP Country -destination.device.cluster=db:destination.device.cluster;group:malcolm;kind:termfield;friendly:Responding Device Cluster;help:Responding Device Cluster -destination.device.device_type=db:destination.device.device_type;group:malcolm;kind:termfield;friendly:Responding Device Type;help:Responding Device Type -destination.device.id=db:destination.device.id;group:malcolm;kind:integer;friendly:Responding Device ID;help:Responding Device ID -destination.device.manufacturer=db:destination.device.manufacturer;group:malcolm;kind:termfield;friendly:Responding Device Manufacturer;help:Responding Device Manufacturer -destination.device.name=db:destination.device.name;group:malcolm;kind:termfield;friendly:Responding Device Name;help:Responding Device Name -destination.device.role=db:destination.device.role;group:malcolm;kind:termfield;friendly:Responding Device Role;help:Responding Device Role -destination.device.service=db:destination.device.service;group:malcolm;kind:termfield;friendly:Responding Device Service;help:Responding Device Service -destination.device.site=db:destination.device.site;group:malcolm;kind:termfield;friendly:Responding Device Site;help:Responding Device Site -destination.device.url=db:destination.device.url;group:malcolm;kind:termfield;friendly:Responding Device URL;help:Responding Device URL -destination.ip_reverse_dns=db:destination.ip_reverse_dns;group:malcolm;kind:termfield;friendly:Responding IP Reverse DNS;help:Responding IP 
Reverse DNS -destination.oui=db:destination.oui;group:malcolm;kind:termfield;friendly:Responding OUI;help:Responding OUI -destination.segment.id=db:destination.segment.id;group:malcolm;kind:integer;friendly:Responding Network Segment ID;help:Responding Network Segment ID -destination.segment.name=db:destination.segment.name;group:malcolm;kind:termfield;friendly:Responding Network Segment Name;help:Responding Network Segment Name -destination.segment.site=db:destination.segment.site;group:malcolm;kind:termfield;friendly:Responding Network Segment Site;help:Responding Network Segment Site -destination.segment.tenant=db:destination.segment.tenant;group:malcolm;kind:termfield;friendly:Responding Network Segment Tenant;help:Responding Network Segment Tenant -destination.segment.url=db:destination.segment.url;group:malcolm;kind:termfield;friendly:Responding Network Segment URL;help:Responding Network Segment URL -event.action=db:event.action;group:malcolm;kind:termfield;friendly:Action;help:Action -event.freq_score_v1=db:event.freq_score_v1;group:malcolm;kind:float;friendly:Freq Score v1;help:Freq Score v1 -event.freq_score_v2=db:event.freq_score_v2;group:malcolm;kind:float;friendly:Freq Score v2;help:Freq Score v2 -event.result=db:event.result;group:malcolm;kind:termfield;friendly:Result;help:Result -event.risk_score=db:event.risk_score;group:malcolm;kind:float;friendly:Risk Score;help:Risk Score -event.risk_score_norm=db:event.risk_score_norm;group:malcolm;kind:float;friendly:Risk Score (Normalized);help:Risk Score (Normalized) -event.severity=db:event.severity;group:malcolm;kind:integer;friendly:Severity;help:Severity -event.severity_tags=db:event.severity_tags;group:malcolm;kind:termfield;friendly:Severity Tags;help:Severity Tags -network.direction=db:network.direction;group:malcolm;kind:termfield;friendly:Direction;help:Direction -network.inner.vlan.id=db:network.inner.vlan.id;group:malcolm;kind:integer;friendly:Inner VLAN ID;help:Inner VLAN ID 
-network.name=db:network.name;group:malcolm;kind:termfield;friendly:Network Name;help:Network Name -network.protocol=db:network.protocol;group:malcolm;kind:termfield;friendly:Service;help:Service -network.protocol_version=db:network.protocol_version;group:malcolm;kind:termfield;friendly:Service Version;help:Service Version -network.transport=db:network.transport;group:malcolm;kind:lotermfield;friendly:Protocol;help:Protocol -network.vlan.id=db:network.vlan.id;group:malcolm;kind:integer;friendly:VLAN ID;help:VLAN ID -related.device_name=db:related.device_name;group:malcolm;kind:termfield;friendly:Related Device Name;help:Related Device Name -related.device_type=db:related.device_type;group:malcolm;kind:termfield;friendly:Related Device Type;help:Related Device Type -related.hash=db:related.hash;group:malcolm;kind:termfield;friendly:Related Hash;help:Related Hash -related.hosts=db:related.hosts;group:malcolm;kind:termfield;friendly:Related Host;help:Related Host -related.ip=db:related.ip;group:malcolm;kind:termfield;friendly:Related IP;help:Related IP -related.mac=db:related.mac;group:malcolm;kind:termfield;friendly:Related MAC;help:Related MAC -related.manufacturer=db:related.manufacturer;group:malcolm;kind:termfield;friendly:Related Manufacturer;help:Related Manufacturer -related.oui=db:related.oui;group:malcolm;kind:termfield;friendly:Related OUI;help:Related OUI -related.password=db:related.password;group:malcolm;kind:termfield;friendly:Password;help:Password -related.role=db:related.role;group:malcolm;kind:termfield;friendly:Related Role;help:Related Role -related.service=db:related.service;group:malcolm;kind:termfield;friendly:Related Service;help:Related Service -related.site=db:related.site;group:malcolm;kind:termfield;friendly:Related Site;help:Related Site -related.user=db:related.user;group:malcolm;kind:termfield;friendly:User;help:User -source.geo.city_name=db:source.geo.city_name;group:malcolm;kind:termfield;friendly:Originating GeoIP 
City;help:Originating GeoIP City -source.geo.country_name=db:source.geo.country_name;group:malcolm;kind:termfield;friendly:Originating GeoIP Country;help:Originating GeoIP Country -source.device.cluster=db:source.device.cluster;group:malcolm;kind:termfield;friendly:Originating Device Cluster;help:Originating Device Cluster -source.device.device_type=db:source.device.device_type;group:malcolm;kind:termfield;friendly:Originating Device Type;help:Originating Device Type -source.device.id=db:source.device.id;group:malcolm;kind:integer;friendly:Originating Device ID;help:Originating Device ID -source.device.manufacturer=db:source.device.manufacturer;group:malcolm;kind:termfield;friendly:Originating Device Manufacturer;help:Originating Device Manufacturer -source.device.name=db:source.device.name;group:malcolm;kind:termfield;friendly:Originating Device Name;help:Originating Device Name -source.device.role=db:source.device.role;group:malcolm;kind:termfield;friendly:Originating Device Role;help:Originating Device Role -source.device.service=db:source.device.service;group:malcolm;kind:termfield;friendly:Originating Device Service;help:Originating Device Service -source.device.site=db:source.device.site;group:malcolm;kind:termfield;friendly:Originating Device Site;help:Originating Device Site -source.device.url=db:source.device.url;group:malcolm;kind:termfield;friendly:Originating Device URL;help:Originating Device URL -source.ip_reverse_dns=db:source.ip_reverse_dns;group:malcolm;kind:termfield;friendly:Originating IP Reverse DNS;help:Originating IP Reverse DNS -source.nat.ip=db:source.nat.ip;group:malcolm;kind:termfield;friendly:NAT IP;help:NAT IP -source.nat.port=db:source.nat.port;group:malcolm;kind:integer;friendly:NAT Port;help:NAT Port -source.oui=db:source.oui;kind:termfield;group:malcolm;friendly:Originating OUI;help:Originating OUI -source.segment.id=db:source.segment.id;group:malcolm;kind:integer;friendly:Originating Network Segment ID;help:Originating Network 
Segment ID -source.segment.name=db:source.segment.name;group:malcolm;kind:termfield;friendly:Originating Network Segment Name;help:Originating Network Segment Name -source.segment.site=db:source.segment.site;group:malcolm;kind:termfield;friendly:Originating Network Segment Site;help:Originating Network Segment Site -source.segment.tenant=db:source.segment.tenant;group:malcolm;kind:termfield;friendly:Originating Network Segment Tenant;help:Originating Network Segment Tenant -source.segment.url=db:source.segment.url;group:malcolm;kind:termfield;friendly:Originating Network Segment URL;help:Originating Network Segment URL -user_agent.original=db:user_agent.original;group:malcolm;kind:termfield;friendly:User Agent;help:User Agent -url.original=db:url.original;group:malcolm;kind:termfield;friendly:URL;help:URL -vulnerability.category=db:vulnerability.category;group:malcolm;kind:termfield;friendly:Vulnerability Category;help:Vulnerability Category -vulnerability.description=db:vulnerability.description;group:malcolm;kind:termfield;friendly:Vulnerability Description;help:Vulnerability Description -vulnerability.enumeration=db:vulnerability.enumeration;group:malcolm;kind:termfield;friendly:Vulnerability Enumeration;help:Vulnerability Enumeration -vulnerability.id=db:vulnerability.id;group:malcolm;kind:termfield;friendly:Vulnerability ID;help:Vulnerability ID -vulnerability.reference=db:vulnerability.reference;group:malcolm;kind:termfield;friendly:Vulnerability Reference;help:Vulnerability Reference -vulnerability.scanner.vendor=db:vulnerability.scanner.vendor;group:malcolm;kind:termfield;friendly:Vulnerability Scanner Vendor;help:Vulnerability Scanner Vendor -threat.framework=db:threat.framework;group:malcolm;kind:termfield;friendly:Threat Framework;help:Threat Framework -threat.tactic.id=db:threat.tactic.id;group:malcolm;kind:termfield;friendly:Tactic ID;help:Tactic ID -threat.tactic.name=db:threat.tactic.name;group:malcolm;kind:termfield;friendly:Tactic;help:Tactic 
-threat.technique.id=db:threat.technique.id;group:malcolm;kind:termfield;friendly:Technique ID;help:Technique ID -threat.technique.name=db:threat.technique.name;group:malcolm;kind:termfield;friendly:Technique;help:Technique -rule.name=db:rule.name;group:malcolm;kind:termfield;friendly:Event Name;help:Event Name -rule.id=db:rule.id;group:malcolm;kind:termfield;friendly:Rule ID;help:Rule ID -rule.category=db:rule.category;group:malcolm;kind:termfield;friendly:Event Category;help:Event Category +destination.geo.city_name=db:destination.geo.city_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding GeoIP City;help:Responding GeoIP City +destination.geo.country_name=db:destination.geo.country_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding GeoIP Country;help:Responding GeoIP Country +destination.device.cluster=db:destination.device.cluster;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Cluster;help:Responding Device Cluster +destination.device.device_type=db:destination.device.device_type;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Type;help:Responding Device Type +destination.device.id=db:destination.device.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Responding Device ID;help:Responding Device ID +destination.device.manufacturer=db:destination.device.manufacturer;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Manufacturer;help:Responding Device Manufacturer +destination.device.name=db:destination.device.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Name;help:Responding Device Name +destination.device.role=db:destination.device.role;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Role;help:Responding Device Role +destination.device.service=db:destination.device.service;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Service;help:Responding Device Service 
+destination.device.site=db:destination.device.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Site;help:Responding Device Site +destination.device.url=db:destination.device.url;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device URL;help:Responding Device URL +destination.ip_reverse_dns=db:destination.ip_reverse_dns;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding IP Reverse DNS;help:Responding IP Reverse DNS +destination.oui=db:destination.oui;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding OUI;help:Responding OUI +destination.segment.id=db:destination.segment.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Responding Network Segment ID;help:Responding Network Segment ID +destination.segment.name=db:destination.segment.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Network Segment Name;help:Responding Network Segment Name +destination.segment.site=db:destination.segment.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Network Segment Site;help:Responding Network Segment Site +destination.segment.tenant=db:destination.segment.tenant;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Network Segment Tenant;help:Responding Network Segment Tenant +destination.segment.url=db:destination.segment.url;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Network Segment URL;help:Responding Network Segment URL +event.action=db:event.action;group:malcolm;kind:termfield;viewerOnly:true;friendly:Action;help:Action +event.freq_score_v1=db:event.freq_score_v1;group:malcolm;kind:float;viewerOnly:true;friendly:Freq Score v1;help:Freq Score v1 +event.freq_score_v2=db:event.freq_score_v2;group:malcolm;kind:float;viewerOnly:true;friendly:Freq Score v2;help:Freq Score v2 +event.result=db:event.result;group:malcolm;kind:termfield;viewerOnly:true;friendly:Result;help:Result 
+event.risk_score=db:event.risk_score;group:malcolm;kind:float;viewerOnly:true;friendly:Risk Score;help:Risk Score +event.risk_score_norm=db:event.risk_score_norm;group:malcolm;kind:float;viewerOnly:true;friendly:Risk Score (Normalized);help:Risk Score (Normalized) +event.severity=db:event.severity;group:malcolm;kind:integer;viewerOnly:true;friendly:Severity;help:Severity +event.severity_tags=db:event.severity_tags;group:malcolm;kind:termfield;viewerOnly:true;friendly:Severity Tags;help:Severity Tags +network.direction=db:network.direction;group:malcolm;kind:termfield;viewerOnly:true;friendly:Direction;help:Direction +network.inner.vlan.id=db:network.inner.vlan.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Inner VLAN ID;help:Inner VLAN ID +network.name=db:network.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Network Name;help:Network Name +network.protocol=db:network.protocol;group:malcolm;kind:termfield;viewerOnly:true;friendly:Service;help:Service +network.protocol_version=db:network.protocol_version;group:malcolm;kind:termfield;viewerOnly:true;friendly:Service Version;help:Service Version +network.transport=db:network.transport;group:malcolm;kind:lotermfield;viewerOnly:true;friendly:Protocol;help:Protocol +network.vlan.id=db:network.vlan.id;group:malcolm;kind:integer;viewerOnly:false;friendly:VLAN ID;help:VLAN ID +related.device_name=db:related.device_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Device Name;help:Related Device Name +related.device_type=db:related.device_type;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Device Type;help:Related Device Type +related.hash=db:related.hash;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Hash;help:Related Hash +related.hosts=db:related.hosts;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Host;help:Related Host +related.ip=db:related.ip;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related IP;help:Related IP 
+related.mac=db:related.mac;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related MAC;help:Related MAC +related.manufacturer=db:related.manufacturer;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Manufacturer;help:Related Manufacturer +related.oui=db:related.oui;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related OUI;help:Related OUI +related.password=db:related.password;group:malcolm;kind:termfield;viewerOnly:true;friendly:Password;help:Password +related.role=db:related.role;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Role;help:Related Role +related.service=db:related.service;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Service;help:Related Service +related.site=db:related.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Site;help:Related Site +related.user=db:related.user;group:malcolm;kind:termfield;viewerOnly:true;friendly:User;help:User +source.geo.city_name=db:source.geo.city_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating GeoIP City;help:Originating GeoIP City +source.geo.country_name=db:source.geo.country_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating GeoIP Country;help:Originating GeoIP Country +source.device.cluster=db:source.device.cluster;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Cluster;help:Originating Device Cluster +source.device.device_type=db:source.device.device_type;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Type;help:Originating Device Type +source.device.id=db:source.device.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Originating Device ID;help:Originating Device ID +source.device.manufacturer=db:source.device.manufacturer;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Manufacturer;help:Originating Device Manufacturer 
+source.device.name=db:source.device.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Name;help:Originating Device Name +source.device.role=db:source.device.role;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Role;help:Originating Device Role +source.device.service=db:source.device.service;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Service;help:Originating Device Service +source.device.site=db:source.device.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Site;help:Originating Device Site +source.device.url=db:source.device.url;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device URL;help:Originating Device URL +source.ip_reverse_dns=db:source.ip_reverse_dns;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating IP Reverse DNS;help:Originating IP Reverse DNS +source.nat.ip=db:source.nat.ip;group:malcolm;kind:termfield;viewerOnly:true;friendly:NAT IP;help:NAT IP +source.nat.port=db:source.nat.port;group:malcolm;kind:integer;viewerOnly:true;friendly:NAT Port;help:NAT Port +source.oui=db:source.oui;kind:termfield;group:malcolm;viewerOnly:true;friendly:Originating OUI;help:Originating OUI +source.segment.id=db:source.segment.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Originating Network Segment ID;help:Originating Network Segment ID +source.segment.name=db:source.segment.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Network Segment Name;help:Originating Network Segment Name +source.segment.site=db:source.segment.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Network Segment Site;help:Originating Network Segment Site +source.segment.tenant=db:source.segment.tenant;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Network Segment Tenant;help:Originating Network Segment Tenant 
+source.segment.url=db:source.segment.url;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Network Segment URL;help:Originating Network Segment URL +user_agent.original=db:user_agent.original;group:malcolm;kind:termfield;viewerOnly:true;friendly:User Agent;help:User Agent +url.original=db:url.original;group:malcolm;kind:termfield;viewerOnly:true;friendly:URL;help:URL +vulnerability.category=db:vulnerability.category;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Category;help:Vulnerability Category +vulnerability.description=db:vulnerability.description;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Description;help:Vulnerability Description +vulnerability.enumeration=db:vulnerability.enumeration;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Enumeration;help:Vulnerability Enumeration +vulnerability.id=db:vulnerability.id;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability ID;help:Vulnerability ID +vulnerability.reference=db:vulnerability.reference;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Reference;help:Vulnerability Reference +vulnerability.scanner.vendor=db:vulnerability.scanner.vendor;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Scanner Vendor;help:Vulnerability Scanner Vendor +threat.framework=db:threat.framework;group:malcolm;kind:termfield;viewerOnly:true;friendly:Threat Framework;help:Threat Framework +threat.tactic.id=db:threat.tactic.id;group:malcolm;kind:termfield;viewerOnly:true;friendly:Tactic ID;help:Tactic ID +threat.tactic.name=db:threat.tactic.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Tactic;help:Tactic +threat.technique.id=db:threat.technique.id;group:malcolm;kind:termfield;viewerOnly:true;friendly:Technique ID;help:Technique ID +threat.technique.name=db:threat.technique.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Technique;help:Technique 
+rule.name=db:rule.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Event Name;help:Event Name +rule.id=db:rule.id;group:malcolm;kind:termfield;viewerOnly:true;friendly:Rule ID;help:Rule ID +rule.category=db:rule.category;group:malcolm;kind:termfield;viewerOnly:true;friendly:Event Category;help:Event Category # file information -zeek.fuid=db:zeek.fuid;kind:termfield;friendly:File ID;help:File ID -file.path=db:file.path;group:malcolm;kind:termfield;friendly:File Path;help:File Path -file.mime_type=db:file.mime_type;group:malcolm;kind:termfield;friendly:File Magic;help:File Magic -file.source=db:file.source;group:malcolm;kind:termfield;friendly:File Transport;help:File Transport +zeek.fuid=db:zeek.fuid;kind:termfield;viewerOnly:true;friendly:File ID;help:File ID +file.path=db:file.path;group:malcolm;kind:termfield;viewerOnly:true;friendly:File Path;help:File Path +file.mime_type=db:file.mime_type;group:malcolm;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic +file.source=db:file.source;group:malcolm;kind:termfield;viewerOnly:true;friendly:File Transport;help:File Transport # conn.log # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info -zeek.conn.duration=db:zeek.conn.duration;group:zeek_conn;kind:termfield;friendly:Duration;help:Duration -zeek.conn.orig_bytes=db:zeek.conn.orig_bytes;group:zeek_conn;kind:integer;friendly:Originating Bytes;help:Originating Bytes -zeek.conn.resp_bytes=db:zeek.conn.resp_bytes;group:zeek_conn;kind:integer;friendly:Responding Bytes;help:Responding Bytes -zeek.conn.conn_state=db:zeek.conn.conn_state;group:zeek_conn;kind:termfield;friendly:Connection State Code;help:Connection State Code -zeek.conn.conn_state_description=db:zeek.conn.conn_state_description;group:zeek_conn;kind:termfield;friendly:conn Connection State;help:conn Connection State -zeek.conn.local_orig=db:zeek.conn.local_orig;group:zeek_conn;kind:termfield;friendly:Local Originator;help:Local Originator 
-zeek.conn.local_resp=db:zeek.conn.local_resp;group:zeek_conn;kind:termfield;friendly:Local Responder;help:Local Responder -zeek.conn.missed_bytes=db:zeek.conn.missed_bytes;group:zeek_conn;kind:integer;friendly:Missed Bytes;help:Missed Bytes -zeek.conn.history=db:zeek.conn.history;group:zeek_conn;kind:termfield;friendly:Connection Flags History;help:Connection Flags History -zeek.conn.orig_pkts=db:zeek.conn.orig_pkts;group:zeek_conn;kind:integer;friendly:Originating Packets;help:Originating Packets -zeek.conn.orig_ip_bytes=db:zeek.conn.orig_ip_bytes;group:zeek_conn;kind:integer;friendly:Originating IP Bytes;help:Originating IP Bytes -zeek.conn.resp_pkts=db:zeek.conn.resp_pkts;group:zeek_conn;kind:integer;friendly:Responding Packets;help:Responding Packets -zeek.conn.resp_ip_bytes=db:zeek.conn.resp_ip_bytes;group:zeek_conn;kind:integer;friendly:Responding IP Bytes;help:Responding IP Bytes -zeek.conn.tunnel_parents=db:zeek.conn.tunnel_parents;group:zeek_conn;kind:termfield;friendly:Tunnel Connection ID;help:Tunnel Connection ID -zeek.conn.vlan=db:zeek.conn.vlan;group:zeek_conn;kind:integer;friendly:Outer VLAN;help:Outer VLAN -zeek.conn.inner_vlan=db:zeek.conn.inner_vlan;group:zeek_conn;kind:integer;friendly:Inner VLAN;help:Inner VLAN +zeek.conn.duration=db:zeek.conn.duration;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Duration;help:Duration +zeek.conn.orig_bytes=db:zeek.conn.orig_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Originating Bytes;help:Originating Bytes +zeek.conn.resp_bytes=db:zeek.conn.resp_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Responding Bytes;help:Responding Bytes +zeek.conn.conn_state=db:zeek.conn.conn_state;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Connection State Code;help:Connection State Code +zeek.conn.conn_state_description=db:zeek.conn.conn_state_description;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:conn Connection State;help:conn Connection State 
+zeek.conn.local_orig=db:zeek.conn.local_orig;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Local Originator;help:Local Originator +zeek.conn.local_resp=db:zeek.conn.local_resp;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Local Responder;help:Local Responder +zeek.conn.missed_bytes=db:zeek.conn.missed_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Missed Bytes;help:Missed Bytes +zeek.conn.history=db:zeek.conn.history;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Connection Flags History;help:Connection Flags History +zeek.conn.orig_pkts=db:zeek.conn.orig_pkts;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Originating Packets;help:Originating Packets +zeek.conn.orig_ip_bytes=db:zeek.conn.orig_ip_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Originating IP Bytes;help:Originating IP Bytes +zeek.conn.resp_pkts=db:zeek.conn.resp_pkts;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Responding Packets;help:Responding Packets +zeek.conn.resp_ip_bytes=db:zeek.conn.resp_ip_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Responding IP Bytes;help:Responding IP Bytes +zeek.conn.tunnel_parents=db:zeek.conn.tunnel_parents;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Tunnel Connection ID;help:Tunnel Connection ID +zeek.conn.vlan=db:zeek.conn.vlan;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Outer VLAN;help:Outer VLAN +zeek.conn.inner_vlan=db:zeek.conn.inner_vlan;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Inner VLAN;help:Inner VLAN # bacnet.log # https://github.com/cisagov/ICSNPP -zeek.bacnet.bvlc_function=db:zeek.bacnet.bvlc_function;group:zeek_bacnet;kind:termfield;friendly:BVLC Function;help:BVLC Function -zeek.bacnet.invoke_id=db:zeek.bacnet.invoke_id;group:zeek_bacnet;kind:integer;friendly:Invoke ID;help:Invoke ID -zeek.bacnet.pdu_service=db:zeek.bacnet.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service Choice;help:APDU Service Choice 
-zeek.bacnet.pdu_type=db:zeek.bacnet.pdu_type;group:zeek_bacnet;kind:termfield;friendly:APDU Service Type;help:APDU Service Type -zeek.bacnet.result_code=db:zeek.bacnet.result_code;group:zeek_bacnet;kind:termfield;friendly:Result Code;help:Result Code -zeek.bacnet.instance_number=db:zeek.bacnet.instance_number;group:zeek_bacnet;kind:integer;friendly:Instance Number;help:Instance Number +zeek.bacnet.bvlc_function=db:zeek.bacnet.bvlc_function;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:BVLC Function;help:BVLC Function +zeek.bacnet.invoke_id=db:zeek.bacnet.invoke_id;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Invoke ID;help:Invoke ID +zeek.bacnet.pdu_service=db:zeek.bacnet.pdu_service;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:APDU Service Choice;help:APDU Service Choice +zeek.bacnet.pdu_type=db:zeek.bacnet.pdu_type;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:APDU Service Type;help:APDU Service Type +zeek.bacnet.result_code=db:zeek.bacnet.result_code;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Result Code;help:Result Code +zeek.bacnet.instance_number=db:zeek.bacnet.instance_number;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Instance Number;help:Instance Number # bacnet_device_control.log # https://github.com/cisagov/ICSNPP -zeek.bacnet_device_control.pdu_service=db:zeek.bacnet_device_control.pdu_service;group:zeek_bacnet;kind:term;friendly:APDU Service Choice;help:APDU Service Choice -zeek.bacnet_device_control.time_duration=db:zeek.bacnet_device_control.time_duration;group:zeek_bacnet;kind:integer;friendly:Ignore Duration;help:Ignore Duration -zeek.bacnet_device_control.device_state=db:zeek.bacnet_device_control.device_state;group:zeek_bacnet;kind:term;friendly:Device State;help:Device State -zeek.bacnet_device_control.result=db:zeek.bacnet_device_control.result;group:zeek_bacnet;kind:term;friendly:Result;help:Result 
-zeek.bacnet_device_control.result_code=db:zeek.bacnet_device_control.result_code;group:zeek_bacnet;kind:term;friendly:Result Code;help:Result Code +zeek.bacnet_device_control.time_duration=db:zeek.bacnet_device_control.time_duration;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Ignore Duration;help:Ignore Duration +zeek.bacnet_device_control.device_state=db:zeek.bacnet_device_control.device_state;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:Device State;help:Device State +zeek.bacnet_device_control.result=db:zeek.bacnet_device_control.result;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:Result;help:Result +zeek.bacnet_device_control.result_code=db:zeek.bacnet_device_control.result_code;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:Result Code;help:Result Code # bacnet_discovery.log # https://github.com/cisagov/ICSNPP -zeek.bacnet_discovery.object_name=db:zeek.bacnet_discovery.object_name;group:zeek_bacnet;kind:termfield;friendly:Object Name;help:Object Name -zeek.bacnet_discovery.object_type=db:zeek.bacnet_discovery.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type -zeek.bacnet_discovery.pdu_service=db:zeek.bacnet_discovery.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service -zeek.bacnet_discovery.range=db:zeek.bacnet_discovery.range;group:zeek_bacnet;kind:termfield;friendly:Range;help:Range -zeek.bacnet_discovery.range_high=db:zeek.bacnet_discovery.range_high;group:zeek_bacnet;kind:integer;friendly:Range High;help:Range High -zeek.bacnet_discovery.range_low=db:zeek.bacnet_discovery.range_low;group:zeek_bacnet;kind:integer;friendly:Range Low;help:Range Low -zeek.bacnet_discovery.vendor=db:zeek.bacnet_discovery.vendor;group:zeek_bacnet;kind:termfield;friendly:Vendor Name;help:Vendor Name +zeek.bacnet_discovery.object_name=db:zeek.bacnet_discovery.object_name;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Object Name;help:Object Name 
+zeek.bacnet_discovery.object_type=db:zeek.bacnet_discovery.object_type;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Object Type;help:Object Type +zeek.bacnet_discovery.range=db:zeek.bacnet_discovery.range;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Range;help:Range +zeek.bacnet_discovery.range_high=db:zeek.bacnet_discovery.range_high;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Range High;help:Range High +zeek.bacnet_discovery.range_low=db:zeek.bacnet_discovery.range_low;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Range Low;help:Range Low +zeek.bacnet_discovery.vendor=db:zeek.bacnet_discovery.vendor;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Vendor Name;help:Vendor Name # bacnet_property.log # https://github.com/cisagov/ICSNPP -zeek.bacnet_property.array_index=db:zeek.bacnet_property.array_index;group:zeek_bacnet;kind:integer;friendly:Array Index;help:Array Index -zeek.bacnet_property.object_type=db:zeek.bacnet_property.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type -zeek.bacnet_property.pdu_service=db:zeek.bacnet_property.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service -zeek.bacnet_property.property=db:zeek.bacnet_property.property;group:zeek_bacnet;kind:termfield;friendly:Property Type;help:Property Type -zeek.bacnet_property.value=db:zeek.bacnet_property.value;group:zeek_bacnet;kind:termfield;friendly:Value;help:Value +zeek.bacnet_property.array_index=db:zeek.bacnet_property.array_index;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Array Index;help:Array Index +zeek.bacnet_property.object_type=db:zeek.bacnet_property.object_type;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Object Type;help:Object Type +zeek.bacnet_property.property=db:zeek.bacnet_property.property;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Property Type;help:Property Type 
+zeek.bacnet_property.value=db:zeek.bacnet_property.value;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Value;help:Value # bestguess.log -zeek.bestguess.name=db:zeek.bestguess.name;group:zeek_bestguess;kind:termfield;friendly:Best Guess Name;help:Best Guess Name -zeek.bestguess.category=db:zeek.bestguess.category;group:zeek_bestguess;kind:termfield;friendly:Best Guess Category;help:Best Guess Category +zeek.bestguess.name=db:zeek.bestguess.name;group:zeek_bestguess;kind:termfield;viewerOnly:true;friendly:Best Guess Name;help:Best Guess Name +zeek.bestguess.category=db:zeek.bestguess.category;group:zeek_bestguess;kind:termfield;viewerOnly:true;friendly:Best Guess Category;help:Best Guess Category # bsap_ip_header.log # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser -zeek.bsap_ip_header.num_msg=db:zeek.bsap_ip_header.num_msg;group:zeek_bsap;kind:integer;friendly:Functions per Message;help:Functions per Message -zeek.bsap_ip_header.type_name=db:zeek.bsap_ip_header.type_name;group:zeek_bsap;kind:termfield;friendly:Message Type;help:Message Type +zeek.bsap_ip_header.num_msg=db:zeek.bsap_ip_header.num_msg;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Functions per Message;help:Functions per Message +zeek.bsap_ip_header.type_name=db:zeek.bsap_ip_header.type_name;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Message Type;help:Message Type # bsap_ip_rdb.log # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser -zeek.bsap_ip_rdb.app_func_code=db:zeek.bsap_ip_rdb.app_func_code;group:zeek_bsap;kind:termfield;friendly:Application Function;help:Application Function -zeek.bsap_ip_rdb.variables.var=db:zeek.bsap_ip_rdb.variables.var;group:zeek_bsap;kind:termfield;friendly:RDB Variable;help:RDB Variable -zeek.bsap_ip_rdb.variables.val=db:zeek.bsap_ip_rdb.variables.val;group:zeek_bsap;kind:termfield;friendly:RDB Variable Value;help:RDB Variable Value 
-zeek.bsap_ip_rdb.variable_count=db:zeek.bsap_ip_rdb.variable_count;group:zeek_bsap;kind:integer;friendly:RDB Variable Count;help:RDB Variable Count -zeek.bsap_ip_rdb.func_code=db:zeek.bsap_ip_rdb.func_code;group:zeek_bsap;kind:termfield;friendly:Application Subfunction;help:Application Subfunction -zeek.bsap_ip_rdb.header_size=db:zeek.bsap_ip_rdb.header_size;group:zeek_bsap;kind:integer;friendly:Header Length;help:Header Length -zeek.bsap_ip_rdb.mes_seq=db:zeek.bsap_ip_rdb.mes_seq;group:zeek_bsap;kind:integer;friendly:Message Sequence;help:Message Sequence -zeek.bsap_ip_rdb.node_status=db:zeek.bsap_ip_rdb.node_status;group:zeek_bsap;kind:integer;friendly:Node Status;help:Node Status -zeek.bsap_ip_rdb.res_seq=db:zeek.bsap_ip_rdb.res_seq;group:zeek_bsap;kind:integer;friendly:Response Sequence;help:Response Sequence -zeek.bsap_ip_rdb.sequence=db:zeek.bsap_ip_rdb.sequence;group:zeek_bsap;kind:integer;friendly:Function Sequence;help:Function Sequence +zeek.bsap_ip_rdb.app_func_code=db:zeek.bsap_ip_rdb.app_func_code;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Application Function;help:Application Function +zeek.bsap_ip_rdb.variables.var=db:zeek.bsap_ip_rdb.variables.var;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Variable;help:RDB Variable +zeek.bsap_ip_rdb.variables.val=db:zeek.bsap_ip_rdb.variables.val;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Variable Value;help:RDB Variable Value +zeek.bsap_ip_rdb.variable_count=db:zeek.bsap_ip_rdb.variable_count;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:RDB Variable Count;help:RDB Variable Count +zeek.bsap_ip_rdb.func_code=db:zeek.bsap_ip_rdb.func_code;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Application Subfunction;help:Application Subfunction +zeek.bsap_ip_rdb.header_size=db:zeek.bsap_ip_rdb.header_size;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Header Length;help:Header Length 
+zeek.bsap_ip_rdb.mes_seq=db:zeek.bsap_ip_rdb.mes_seq;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Message Sequence;help:Message Sequence +zeek.bsap_ip_rdb.node_status=db:zeek.bsap_ip_rdb.node_status;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Node Status;help:Node Status +zeek.bsap_ip_rdb.res_seq=db:zeek.bsap_ip_rdb.res_seq;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Response Sequence;help:Response Sequence +zeek.bsap_ip_rdb.sequence=db:zeek.bsap_ip_rdb.sequence;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Function Sequence;help:Function Sequence # bsap_serial_header.log # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser -zeek.bsap_serial_header.ctl=db:zeek.bsap_serial_header.ctl;group:zeek_bsap;kind:integer;friendly:Control Byte;help:Control Byte -zeek.bsap_serial_header.dadd=db:zeek.bsap_serial_header.dadd;group:zeek_bsap;kind:integer;friendly:Destination Address;help:Destination Address -zeek.bsap_serial_header.dfun=db:zeek.bsap_serial_header.dfun;group:zeek_bsap;kind:termfield;friendly:Destination Function;help:Destination Function -zeek.bsap_serial_header.nsb=db:zeek.bsap_serial_header.nsb;group:zeek_bsap;kind:integer;friendly:Node Status;help:Node Statussb -zeek.bsap_serial_header.sadd=db:zeek.bsap_serial_header.sadd;group:zeek_bsap;kind:integer;friendly:Source Address;help:Source Address -zeek.bsap_serial_header.seq=db:zeek.bsap_serial_header.seq;group:zeek_bsap;kind:integer;friendly:Message Sequence;help:Message Sequence -zeek.bsap_serial_header.ser=db:zeek.bsap_serial_header.ser;group:zeek_bsap;kind:termfield;friendly:Message Serial Number;help:Message Serial Number -zeek.bsap_serial_header.sfun=db:zeek.bsap_serial_header.sfun;group:zeek_bsap;kind:termfield;friendly:Source Function;help:Source Function -zeek.bsap_serial_header.type_name=db:zeek.bsap_serial_header.type_name;group:zeek_bsap;kind:termfield;friendly:Message Type;help:Message Type 
+zeek.bsap_serial_header.ctl=db:zeek.bsap_serial_header.ctl;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Control Byte;help:Control Byte +zeek.bsap_serial_header.dadd=db:zeek.bsap_serial_header.dadd;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Destination Address;help:Destination Address +zeek.bsap_serial_header.dfun=db:zeek.bsap_serial_header.dfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Destination Function;help:Destination Function +zeek.bsap_serial_header.nsb=db:zeek.bsap_serial_header.nsb;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Node Status;help:Node Statussb +zeek.bsap_serial_header.sadd=db:zeek.bsap_serial_header.sadd;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Source Address;help:Source Address +zeek.bsap_serial_header.seq=db:zeek.bsap_serial_header.seq;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Message Sequence;help:Message Sequence +zeek.bsap_serial_header.ser=db:zeek.bsap_serial_header.ser;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Message Serial Number;help:Message Serial Number +zeek.bsap_serial_header.sfun=db:zeek.bsap_serial_header.sfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Source Function;help:Source Function +zeek.bsap_serial_header.type_name=db:zeek.bsap_serial_header.type_name;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Message Type;help:Message Type # bsap_serial_rdb.log # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser -zeek.bsap_serial_rdb.variables.var=db:zeek.bsap_serial_rdb.variables.var;group:zeek_bsap;kind:termfield;friendly:RDB Variable;help:RDB Variable -zeek.bsap_serial_rdb.variables.val=db:zeek.bsap_serial_rdb.variables.val;group:zeek_bsap;kind:termfield;friendly:RDB Variable Value;help:RDB Variable Value -zeek.bsap_serial_rdb.variable_count=db:zeek.bsap_serial_rdb.variable_count;group:zeek_bsap;kind:integer;friendly:RDB Variable Count;help:RDB Variable Count 
-zeek.bsap_serial_rdb.func_code=db:zeek.bsap_serial_rdb.func_code;group:zeek_bsap;kind:termfield;friendly:RDB Function;help:RDB Function +zeek.bsap_serial_rdb.variables.var=db:zeek.bsap_serial_rdb.variables.var;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Variable;help:RDB Variable +zeek.bsap_serial_rdb.variables.val=db:zeek.bsap_serial_rdb.variables.val;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Variable Value;help:RDB Variable Value +zeek.bsap_serial_rdb.variable_count=db:zeek.bsap_serial_rdb.variable_count;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:RDB Variable Count;help:RDB Variable Count +zeek.bsap_serial_rdb.func_code=db:zeek.bsap_serial_rdb.func_code;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Function;help:RDB Function # bsap_serial_rdb_ext.log # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser -zeek.bsap_serial_rdb_ext.data=db:zeek.bsap_serial_rdb_ext.data;group:zeek_bsap;kind:termfield;friendly:RDB Ext Function Data;help:RDB Ext Function Data -zeek.bsap_serial_rdb_ext.dfun=db:zeek.bsap_serial_rdb_ext.dfun;group:zeek_bsap;kind:termfield;friendly:Destination Function;help:Destination Function -zeek.bsap_serial_rdb_ext.extfun=db:zeek.bsap_serial_rdb_ext.extfun;group:zeek_bsap;kind:termfield;friendly:RDB Ext Function;help:RDB Ext Function -zeek.bsap_serial_rdb_ext.nsb=db:zeek.bsap_serial_rdb_ext.nsb;group:zeek_bsap;kind:integer;friendly:Node Status;help:Node Status -zeek.bsap_serial_rdb_ext.seq=db:zeek.bsap_serial_rdb_ext.seq;group:zeek_bsap;kind:integer;friendly:Message Sequence;help:Message Sequence -zeek.bsap_serial_rdb_ext.sfun=db:zeek.bsap_serial_rdb_ext.sfun;group:zeek_bsap;kind:termfield;friendly:Source Function;help:Source Function +zeek.bsap_serial_rdb_ext.data=db:zeek.bsap_serial_rdb_ext.data;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Ext Function Data;help:RDB Ext Function Data 
+zeek.bsap_serial_rdb_ext.dfun=db:zeek.bsap_serial_rdb_ext.dfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Destination Function;help:Destination Function
+zeek.bsap_serial_rdb_ext.extfun=db:zeek.bsap_serial_rdb_ext.extfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Ext Function;help:RDB Ext Function
+zeek.bsap_serial_rdb_ext.nsb=db:zeek.bsap_serial_rdb_ext.nsb;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Node Status;help:Node Status
+zeek.bsap_serial_rdb_ext.seq=db:zeek.bsap_serial_rdb_ext.seq;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Message Sequence;help:Message Sequence
+zeek.bsap_serial_rdb_ext.sfun=db:zeek.bsap_serial_rdb_ext.sfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Source Function;help:Source Function
 # cip.log
 # https://github.com/cisagov/ICSNPP
-zeek.cip.attribute_id=db:zeek.cip.attribute_id;group:zeek_cip;kind:termfield;friendly:Attribute ID;help:Attribute ID
-zeek.cip.cip_sequence_count=db:zeek.cip.cip_sequence_count;group:zeek_cip;kind:integer;friendly:CIP Sequence Number;help:CIP Sequence Number
-zeek.cip.cip_service=db:zeek.cip.cip_service;group:zeek_cip;kind:termfield;friendly:CIP Service;help:CIP Service
-zeek.cip.cip_service_code=db:zeek.cip.cip_service_code;group:zeek_cip;kind:termfield;friendly:CIP Service Code;help:CIP Service Code
-zeek.cip.cip_status=db:zeek.cip.cip_status;group:zeek_cip;kind:termfield;friendly:CIP Status;help:CIP Status
-zeek.cip.class_id=db:zeek.cip.class_id;group:zeek_cip;kind:termfield;friendly:Class ID;help:Class ID
-zeek.cip.class_name=db:zeek.cip.class_name;group:zeek_cip;kind:termfield;friendly:Class Name;help:Class Name
-zeek.cip.direction=db:zeek.cip.direction;group:zeek_cip;kind:termfield;friendly:Direction;help:Direction
-zeek.cip.instance_id=db:zeek.cip.instance_id;group:zeek_cip;kind:termfield;friendly:Instance ID;help:Instance ID
-zeek.cip.cip_status_code=db:zeek.cip.cip_status_code;group:zeek_cip;kind:termfield;friendly:Status Code;help:Status Code
-zeek.cip.cip_extended_status_code=db:zeek.cip.cip_extended_status_code;group:zeek_cip;kind:termfield;friendly:Extended Status Code;help:Extended Status Code
-zeek.cip.cip_extended_status=db:zeek.cip.cip_extended_status;group:zeek_cip;kind:termfield;friendly:Extended Status;help:Extended Status
+zeek.cip.attribute_id=db:zeek.cip.attribute_id;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Attribute ID;help:Attribute ID
+zeek.cip.cip_sequence_count=db:zeek.cip.cip_sequence_count;group:zeek_cip;kind:integer;viewerOnly:true;friendly:CIP Sequence Number;help:CIP Sequence Number
+zeek.cip.cip_service=db:zeek.cip.cip_service;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:CIP Service;help:CIP Service
+zeek.cip.cip_service_code=db:zeek.cip.cip_service_code;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:CIP Service Code;help:CIP Service Code
+zeek.cip.cip_status=db:zeek.cip.cip_status;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:CIP Status;help:CIP Status
+zeek.cip.class_id=db:zeek.cip.class_id;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Class ID;help:Class ID
+zeek.cip.class_name=db:zeek.cip.class_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Class Name;help:Class Name
+zeek.cip.direction=db:zeek.cip.direction;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Direction;help:Direction
+zeek.cip.instance_id=db:zeek.cip.instance_id;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Instance ID;help:Instance ID
+zeek.cip.cip_status_code=db:zeek.cip.cip_status_code;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Status Code;help:Status Code
+zeek.cip.cip_extended_status_code=db:zeek.cip.cip_extended_status_code;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Extended Status Code;help:Extended Status Code
+zeek.cip.cip_extended_status=db:zeek.cip.cip_extended_status;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Extended Status;help:Extended Status
 # cip_identity.log
 # https://github.com/cisagov/ICSNPP
-zeek.cip_identity.encapsulation_version=db:zeek.cip_identity.encapsulation_version;group:zeek_cip;kind:integer;friendly:Encapsulation Version;help:Encapsulation Version
-zeek.cip_identity.socket_address=db:zeek.cip_identity.socket_address;group:zeek_cip;kind:termfield;friendly:Socket Address;help:Socket Address
-zeek.cip_identity.socket_address_geo.city_name=db:zeek.cip_identity.socket_address_geo.city_name;group:zeek_cip;kind:termfield;friendly:Socket Address GeoIP City;help:Socket Address GeoIP City
-zeek.cip_identity.socket_address_geo.country_name=db:zeek.cip_identity.socket_address_geo.country_name;group:zeek_cip;kind:termfield;friendly:Socket Address GeoIP Country;help:Socket Address GeoIP Country
-zeek.cip_identity.socket_address_asn=db:zeek.cip_identity.socket_address_asn;group:zeek_cip;kind:termfield;friendly:Socket Address ASN;help:Socket Address ASN
-zeek.cip_identity.socket_port=db:zeek.cip_identity.socket_port;group:zeek_cip;kind:integer;friendly:Socket Port;help:Socket Port
-zeek.cip_identity.vendor_id=db:zeek.cip_identity.vendor_id;group:zeek_cip;kind:integer;friendly:Vendor ID;help:Vendor ID
-zeek.cip_identity.vendor_name=db:zeek.cip_identity.vendor_name;group:zeek_cip;kind:termfield;friendly:Vendor Name;help:Vendor Name
-zeek.cip_identity.device_type_id=db:zeek.cip_identity.device_type_id;group:zeek_cip;kind:integer;friendly:Device Type ID;help:Device Type ID
-zeek.cip_identity.device_type_name=db:zeek.cip_identity.device_type_name;group:zeek_cip;kind:termfield;friendly:Device Type Name;help:Device Type Name
-zeek.cip_identity.product_code=db:zeek.cip_identity.product_code;group:zeek_cip;kind:integer;friendly:Product Code;help:Product Code
-zeek.cip_identity.revision=db:zeek.cip_identity.revision;group:zeek_cip;kind:termfield;friendly:Device Revision;help:Device Revision
-zeek.cip_identity.device_status=db:zeek.cip_identity.device_status;group:zeek_cip;kind:termfield;friendly:Device Status;help:Device Status
-zeek.cip_identity.serial_number=db:zeek.cip_identity.serial_number;group:zeek_cip;kind:termfield;friendly:Serial Number;help:Serial Number
-zeek.cip_identity.product_name=db:zeek.cip_identity.product_name;group:zeek_cip;kind:termfield;friendly:Product Name;help:Product Name
-zeek.cip_identity.device_state=db:zeek.cip_identity.device_state;group:zeek_cip;kind:termfield;friendly:Device State;help:Device State
+zeek.cip_identity.encapsulation_version=db:zeek.cip_identity.encapsulation_version;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Encapsulation Version;help:Encapsulation Version
+zeek.cip_identity.socket_address=db:zeek.cip_identity.socket_address;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Socket Address;help:Socket Address
+zeek.cip_identity.socket_address_geo.city_name=db:zeek.cip_identity.socket_address_geo.city_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Socket Address GeoIP City;help:Socket Address GeoIP City
+zeek.cip_identity.socket_address_geo.country_name=db:zeek.cip_identity.socket_address_geo.country_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Socket Address GeoIP Country;help:Socket Address GeoIP Country
+zeek.cip_identity.socket_address_asn=db:zeek.cip_identity.socket_address_asn;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Socket Address ASN;help:Socket Address ASN
+zeek.cip_identity.socket_port=db:zeek.cip_identity.socket_port;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Socket Port;help:Socket Port
+zeek.cip_identity.vendor_id=db:zeek.cip_identity.vendor_id;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Vendor ID;help:Vendor ID
+zeek.cip_identity.vendor_name=db:zeek.cip_identity.vendor_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Vendor Name;help:Vendor Name
+zeek.cip_identity.device_type_id=db:zeek.cip_identity.device_type_id;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Device Type ID;help:Device Type ID
+zeek.cip_identity.device_type_name=db:zeek.cip_identity.device_type_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Device Type Name;help:Device Type Name
+zeek.cip_identity.product_code=db:zeek.cip_identity.product_code;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Product Code;help:Product Code
+zeek.cip_identity.revision=db:zeek.cip_identity.revision;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Device Revision;help:Device Revision
+zeek.cip_identity.device_status=db:zeek.cip_identity.device_status;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Device Status;help:Device Status
+zeek.cip_identity.serial_number=db:zeek.cip_identity.serial_number;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Serial Number;help:Serial Number
+zeek.cip_identity.product_name=db:zeek.cip_identity.product_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Product Name;help:Product Name
+zeek.cip_identity.device_state=db:zeek.cip_identity.device_state;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Device State;help:Device State
 # cip_io.log
 # https://github.com/cisagov/ICSNPP
-zeek.cip_io.connection_id=db:zeek.cip_io.connection_id;group:zeek_cip;kind:termfield;friendly:Connection ID;help:Connection ID
-zeek.cip_io.data_length=db:zeek.cip_io.data_length;group:zeek_cip;kind:integer;friendly:Data Length;help:Data Length
-zeek.cip_io.io_data=db:zeek.cip_io.io_data;group:zeek_cip;kind:termfield;friendly:Transport Data;help:Transport Data
-zeek.cip_io.sequence_number=db:zeek.cip_io.sequence_number;group:zeek_cip;kind:integer;friendly:Sequence Number;help:Sequence Number
+zeek.cip_io.connection_id=db:zeek.cip_io.connection_id;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Connection ID;help:Connection ID
+zeek.cip_io.data_length=db:zeek.cip_io.data_length;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Data Length;help:Data Length
+zeek.cip_io.io_data=db:zeek.cip_io.io_data;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Transport Data;help:Transport Data
+zeek.cip_io.sequence_number=db:zeek.cip_io.sequence_number;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Sequence Number;help:Sequence Number
 # dce_rpc.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info
-zeek.dce_rpc.rtt=db:zeek.dce_rpc.rtt;group:zeek_dce_rpc;kind:termfield;friendly:Round Trip Time;help:Round Trip Time
-zeek.dce_rpc.named_pipe=db:zeek.dce_rpc.named_pipe;group:zeek_dce_rpc;kind:termfield;friendly:Remote Pipe;help:Remote Pipe
-zeek.dce_rpc.endpoint=db:zeek.dce_rpc.endpoint;group:zeek_dce_rpc;kind:termfield;friendly:Endpoint;help:Endpoint
-zeek.dce_rpc.operation=db:zeek.dce_rpc.operation;group:zeek_dce_rpc;kind:termfield;friendly:Operation;help:Operation
+zeek.dce_rpc.rtt=db:zeek.dce_rpc.rtt;group:zeek_dce_rpc;kind:termfield;viewerOnly:true;friendly:Round Trip Time;help:Round Trip Time
+zeek.dce_rpc.named_pipe=db:zeek.dce_rpc.named_pipe;group:zeek_dce_rpc;kind:termfield;viewerOnly:true;friendly:Remote Pipe;help:Remote Pipe
+zeek.dce_rpc.endpoint=db:zeek.dce_rpc.endpoint;group:zeek_dce_rpc;kind:termfield;viewerOnly:true;friendly:Endpoint;help:Endpoint
+zeek.dce_rpc.operation=db:zeek.dce_rpc.operation;group:zeek_dce_rpc;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation
 # dhcp.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info
-zeek.dhcp.mac=db:zeek.dhcp.mac;group:zeek_dhcp;kind:termfield;friendly:Client MAC;help:Client MAC
-zeek.dhcp.assigned_ip=db:zeek.dhcp.assigned_ip;group:zeek_dhcp;kind:termfield;friendly:Assigned IP;help:Assigned IP
-zeek.dhcp.lease_time=db:zeek.dhcp.lease_time;group:zeek_dhcp;kind:termfield;friendly:Lease Time;help:Lease Time
-zeek.dhcp.trans_id=db:zeek.dhcp.trans_id;group:zeek_dhcp;kind:termfield;friendly:dhcp Transaction ID;help:dhcp Transaction ID
-zeek.dhcp.client_fqdn=db:zeek.dhcp.client_fqdn;group:zeek_dhcp;kind:termfield;friendly:Client FQDN;help:Client FQDN
-zeek.dhcp.client_message=db:zeek.dhcp.client_message;group:zeek_dhcp;kind:termfield;friendly:Client Message;help:Client Message
-zeek.dhcp.domain=db:zeek.dhcp.domain;group:zeek_dhcp;kind:termfield;friendly:Domain;help:Domain
-zeek.dhcp.duration=db:zeek.dhcp.duration;group:zeek_dhcp;kind:termfield;friendly:Duration;help:Duration
-zeek.dhcp.host_name=db:zeek.dhcp.host_name;group:zeek_dhcp;kind:termfield;friendly:Hostname;help:Hostname
-zeek.dhcp.msg_types=db:zeek.dhcp.msg_types;group:zeek_dhcp;kind:termfield;friendly:Message Types;help:Message Types
-zeek.dhcp.requested_ip=db:zeek.dhcp.requested_ip;group:zeek_dhcp;kind:termfield;friendly:Requested IP;help:Requested IP
-zeek.dhcp.server_message=db:zeek.dhcp.server_message;group:zeek_dhcp;kind:termfield;friendly:Server Message;help:Server Message
-zeek.dhcp.client_software=db:zeek.dhcp.client_software;group:zeek_dhcp;kind:termfield;friendly:Client Software;help:Client Software
-zeek.dhcp.server_software=db:zeek.dhcp.server_software;group:zeek_dhcp;kind:termfield;friendly:Server Software;help:Server Software
+zeek.dhcp.mac=db:zeek.dhcp.mac;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Client MAC;help:Client MAC
+zeek.dhcp.assigned_ip=db:zeek.dhcp.assigned_ip;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Assigned IP;help:Assigned IP
+zeek.dhcp.lease_time=db:zeek.dhcp.lease_time;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Lease Time;help:Lease Time
+zeek.dhcp.trans_id=db:zeek.dhcp.trans_id;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:dhcp Transaction ID;help:dhcp Transaction ID
+zeek.dhcp.client_fqdn=db:zeek.dhcp.client_fqdn;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Client FQDN;help:Client FQDN
+zeek.dhcp.client_message=db:zeek.dhcp.client_message;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Client Message;help:Client Message
+zeek.dhcp.domain=db:zeek.dhcp.domain;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Domain;help:Domain
+zeek.dhcp.duration=db:zeek.dhcp.duration;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Duration;help:Duration
+zeek.dhcp.host_name=db:zeek.dhcp.host_name;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Hostname;help:Hostname
+zeek.dhcp.msg_types=db:zeek.dhcp.msg_types;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Message Types;help:Message Types
+zeek.dhcp.requested_ip=db:zeek.dhcp.requested_ip;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Requested IP;help:Requested IP
+zeek.dhcp.server_message=db:zeek.dhcp.server_message;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Server Message;help:Server Message
+zeek.dhcp.client_software=db:zeek.dhcp.client_software;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Client Software;help:Client Software
+zeek.dhcp.server_software=db:zeek.dhcp.server_software;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Server Software;help:Server Software
 # dnp3.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info
-zeek.dnp3.fc_request=db:zeek.dnp3.fc_request;group:zeek_dnp3;kind:termfield;friendly:Request Function Message;help:Request Function Message
-zeek.dnp3.fc_reply=db:zeek.dnp3.fc_reply;group:zeek_dnp3;kind:termfield;friendly:Reply Function Message;help:Reply Function Message
-zeek.dnp3.iin=db:zeek.dnp3.iin;group:zeek_dnp3;kind:termfield;friendly:Internal Indication Number;help:Internal Indication Number
-zeek.dnp3.iin_flags=db:zeek.dnp3.iin_flags;group:zeek_dnp3;kind:termfield;friendly:Internal Indicators;help:Internal Indicators
+zeek.dnp3.fc_request=db:zeek.dnp3.fc_request;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Request Function Message;help:Request Function Message
+zeek.dnp3.fc_reply=db:zeek.dnp3.fc_reply;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Reply Function Message;help:Reply Function Message
+zeek.dnp3.iin=db:zeek.dnp3.iin;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Internal Indication Number;help:Internal Indication Number
+zeek.dnp3.iin_flags=db:zeek.dnp3.iin_flags;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Internal Indicators;help:Internal Indicators
 # dnp3_control.log
 # https://github.com/cisagov/ICSNPP
-zeek.dnp3_control.block_type=db:zeek.dnp3_control.block_type;group:zeek_dnp3;kind:termfield;friendly:Control Block Type;help:Control Block Type
-zeek.dnp3_control.function_code=db:zeek.dnp3_control.function_code;group:zeek_dnp3;kind:termfield;friendly:DNP3 Function Code;help:DNP3 Function Code
-zeek.dnp3_control.index_number=db:zeek.dnp3_control.index_number;group:zeek_dnp3;kind:integer;friendly:Object Index Number;help:Object Index Number
-zeek.dnp3_control.trip_control_code=db:zeek.dnp3_control.trip_control_code;group:zeek_dnp3;kind:termfield;friendly:Trip Control Code;help:Trip Control Code
-zeek.dnp3_control.operation_type=db:zeek.dnp3_control.operation_type;group:zeek_dnp3;kind:termfield;friendly:Operation Type;help:Operation Type
-zeek.dnp3_control.execute_count=db:zeek.dnp3_control.execute_count;group:zeek_dnp3;kind:integer;friendly:Execute Count;help:Execute Count
-zeek.dnp3_control.on_time=db:zeek.dnp3_control.on_time;group:zeek_dnp3;kind:integer;friendly:On Time;help:On Time
-zeek.dnp3_control.off_time=db:zeek.dnp3_control.off_time;group:zeek_dnp3;kind:integer;friendly:Off Time;help:Off Time
-zeek.dnp3_control.status_code=db:zeek.dnp3_control.status_code;group:zeek_dnp3;kind:termfield;friendly:Status Code;help:Status Code
+zeek.dnp3_control.block_type=db:zeek.dnp3_control.block_type;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Control Block Type;help:Control Block Type
+zeek.dnp3_control.function_code=db:zeek.dnp3_control.function_code;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:DNP3 Function Code;help:DNP3 Function Code
+zeek.dnp3_control.index_number=db:zeek.dnp3_control.index_number;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Object Index Number;help:Object Index Number
+zeek.dnp3_control.trip_control_code=db:zeek.dnp3_control.trip_control_code;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Trip Control Code;help:Trip Control Code
+zeek.dnp3_control.operation_type=db:zeek.dnp3_control.operation_type;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Operation Type;help:Operation Type
+zeek.dnp3_control.execute_count=db:zeek.dnp3_control.execute_count;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Execute Count;help:Execute Count
+zeek.dnp3_control.on_time=db:zeek.dnp3_control.on_time;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:On Time;help:On Time
+zeek.dnp3_control.off_time=db:zeek.dnp3_control.off_time;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Off Time;help:Off Time
+zeek.dnp3_control.status_code=db:zeek.dnp3_control.status_code;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Status Code;help:Status Code
 # dnp3_objects.log
 # https://github.com/cisagov/ICSNPP
-zeek.dnp3_objects.function_code=db:zeek.dnp3_objects.function_code;group:zeek_dnp3;kind:termfield;friendly:Function Code;help:Function Code
-zeek.dnp3_objects.object_type=db:zeek.dnp3_objects.object_type;group:zeek_dnp3;kind:termfield;friendly:Object Type;help:Object Type
-zeek.dnp3_objects.object_count=db:zeek.dnp3_objects.object_count;group:zeek_dnp3;kind:integer;friendly:Object Count;help:Object Count
-zeek.dnp3_objects.range_low=db:zeek.dnp3_objects.range_low;group:zeek_dnp3;kind:integer;friendly:Range Low;help:Range Low
-zeek.dnp3_objects.range_high=db:zeek.dnp3_objects.range_high;group:zeek_dnp3;kind:integer;friendly:Range High;help:Range High
+zeek.dnp3_objects.function_code=db:zeek.dnp3_objects.function_code;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Function Code;help:Function Code
+zeek.dnp3_objects.object_type=db:zeek.dnp3_objects.object_type;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Object Type;help:Object Type
+zeek.dnp3_objects.object_count=db:zeek.dnp3_objects.object_count;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Object Count;help:Object Count
+zeek.dnp3_objects.range_low=db:zeek.dnp3_objects.range_low;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Range Low;help:Range Low
+zeek.dnp3_objects.range_high=db:zeek.dnp3_objects.range_high;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Range High;help:Range High
 # dns.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
-zeek.dns.trans_id=db:zeek.dns.trans_id;group:zeek_dns;kind:termfield;friendly:Transaction ID;help:Transaction ID
-zeek.dns.rtt=db:zeek.dns.rtt;group:zeek_dns;kind:termfield;friendly:Round Trip Time;help:Round Trip Time
-zeek.dns.query=db:zeek.dns.query;group:zeek_dns;kind:termfield;friendly:Query;help:Query
-zeek.dns.qclass=db:zeek.dns.qclass;group:zeek_dns;kind:termfield;friendly:Query Class Code;help:Query Class Code
-zeek.dns.qclass_name=db:zeek.dns.qclass_name;group:zeek_dns;kind:termfield;friendly:Query Class;help:Query Class
-zeek.dns.qtype=db:zeek.dns.qtype;group:zeek_dns;kind:termfield;friendly:Query Type Code;help:Query Type Code
-zeek.dns.qtype_name=db:zeek.dns.qtype_name;group:zeek_dns;kind:termfield;friendly:Query Type;help:Query Type
-zeek.dns.rcode=db:zeek.dns.rcode;group:zeek_dns;kind:integer;friendly:Response Code;help:Response Code
-zeek.dns.rcode_name=db:zeek.dns.rcode_name;group:zeek_dns;kind:termfield;friendly:Response;help:Response
-zeek.dns.AA=db:zeek.dns.AA;group:zeek_dns;kind:termfield;friendly:Authoritative Answer Bit;help:Authoritative Answer Bit
-zeek.dns.TC=db:zeek.dns.TC;group:zeek_dns;kind:termfield;friendly:Truncation Bit;help:Truncation Bit
-zeek.dns.RD=db:zeek.dns.RD;group:zeek_dns;kind:termfield;friendly:Recursion Desired Bit;help:Recursion Desired Bit
-zeek.dns.RA=db:zeek.dns.RA;group:zeek_dns;kind:termfield;friendly:Recursion Available Bit;help:Recursion Available Bit
-zeek.dns.Z=db:zeek.dns.Z;group:zeek_dns;kind:termfield;friendly:Z Bit;help:Z Bit
-zeek.dns.answers=db:zeek.dns.answers;group:zeek_dns;kind:termfield;friendly:Answer;help:Answer
-zeek.dns.TTLs=db:zeek.dns.TTLs;group:zeek_dns;kind:termfield;friendly:TTL;help:TTL
-zeek.dns.rejected=db:zeek.dns.rejected;group:zeek_dns;kind:termfield;friendly:Rejected;help:Rejected
+zeek.dns.trans_id=db:zeek.dns.trans_id;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
+zeek.dns.rtt=db:zeek.dns.rtt;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Round Trip Time;help:Round Trip Time
+zeek.dns.query=db:zeek.dns.query;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query;help:Query
+zeek.dns.qclass=db:zeek.dns.qclass;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query Class Code;help:Query Class Code
+zeek.dns.qclass_name=db:zeek.dns.qclass_name;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query Class;help:Query Class
+zeek.dns.qtype=db:zeek.dns.qtype;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query Type Code;help:Query Type Code
+zeek.dns.qtype_name=db:zeek.dns.qtype_name;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query Type;help:Query Type
+zeek.dns.rcode=db:zeek.dns.rcode;group:zeek_dns;kind:integer;viewerOnly:true;friendly:Response Code;help:Response Code
+zeek.dns.rcode_name=db:zeek.dns.rcode_name;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Response;help:Response
+zeek.dns.AA=db:zeek.dns.AA;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Authoritative Answer Bit;help:Authoritative Answer Bit
+zeek.dns.TC=db:zeek.dns.TC;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Truncation Bit;help:Truncation Bit
+zeek.dns.RD=db:zeek.dns.RD;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Recursion Desired Bit;help:Recursion Desired Bit
+zeek.dns.RA=db:zeek.dns.RA;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Recursion Available Bit;help:Recursion Available Bit
+zeek.dns.Z=db:zeek.dns.Z;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Z Bit;help:Z Bit
+zeek.dns.answers=db:zeek.dns.answers;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Answer;help:Answer
+zeek.dns.TTLs=db:zeek.dns.TTLs;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:TTL;help:TTL
+zeek.dns.rejected=db:zeek.dns.rejected;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Rejected;help:Rejected
 # dpd.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info
-zeek.dpd.service=db:zeek.dpd.service;group:zeek_dpd;kind:termfield;friendly:Protocol;help:Protocol
-zeek.dpd.failure_reason=db:zeek.dpd.failure_reason;group:zeek_dpd;kind:termfield;friendly:Failure Reason;help:Failure Reason
+zeek.dpd.service=db:zeek.dpd.service;group:zeek_dpd;kind:termfield;viewerOnly:true;friendly:Protocol;help:Protocol
+zeek.dpd.failure_reason=db:zeek.dpd.failure_reason;group:zeek_dpd;kind:termfield;viewerOnly:true;friendly:Failure Reason;help:Failure Reason
 # enip.log
 # https://github.com/cisagov/ICSNPP
-zeek.enip.enip_command=db:zeek.enip.enip_command;group:zeek_enip;kind:termfield;friendly:EthernetIP Command;help:EthernetIP Command
-zeek.enip.enip_command_code=db:zeek.enip.enip_command_code;group:zeek_enip;kind:termfield;friendly:EthernetIP Command Code;help:EthernetIP Command Code
-zeek.enip.enip_status=db:zeek.enip.enip_status;group:zeek_enip;kind:termfield;friendly:EthernetIP Status;help:EthernetIP Status
-zeek.enip.length=db:zeek.enip.length;group:zeek_enip;kind:integer;friendly:Packet Length;help:Packet Length
-zeek.enip.options=db:zeek.enip.options;group:zeek_enip;kind:termfield;friendly:Options;help:Options
-zeek.enip.sender_context=db:zeek.enip.sender_context;group:zeek_enip;kind:termfield;friendly:Sender Context;help:Sender Context
-zeek.enip.session_handle=db:zeek.enip.session_handle;group:zeek_enip;kind:termfield;friendly:Session Number;help:Session Number
+zeek.enip.enip_command=db:zeek.enip.enip_command;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:EthernetIP Command;help:EthernetIP Command
+zeek.enip.enip_command_code=db:zeek.enip.enip_command_code;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:EthernetIP Command Code;help:EthernetIP Command Code
+zeek.enip.enip_status=db:zeek.enip.enip_status;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:EthernetIP Status;help:EthernetIP Status
+zeek.enip.length=db:zeek.enip.length;group:zeek_enip;kind:integer;viewerOnly:true;friendly:Packet Length;help:Packet Length
+zeek.enip.options=db:zeek.enip.options;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:Options;help:Options
+zeek.enip.sender_context=db:zeek.enip.sender_context;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:Sender Context;help:Sender Context
+zeek.enip.session_handle=db:zeek.enip.session_handle;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:Session Number;help:Session Number
 # ecat_registers.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_registers.command=db:zeek.ecat_registers.command;group:zeek_ecat;kind:termfield;friendly:Command;help:Command
-zeek.ecat_registers.server_addr=db:zeek.ecat_registers.server_addr;group:zeek_ecat;kind:termfield;friendly:Server Address;help:Server Address
-zeek.ecat_registers.register_type=db:zeek.ecat_registers.register_type;group:zeek_ecat;kind:termfield;friendly:Register Information;help:Register Information
-zeek.ecat_registers.register_addr=db:zeek.ecat_registers.register_addr;group:zeek_ecat;kind:termfield;friendly:Register Address;help:Register Address
-zeek.ecat_registers.data=db:zeek.ecat_registers.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data
+zeek.ecat_registers.command=db:zeek.ecat_registers.command;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.ecat_registers.server_addr=db:zeek.ecat_registers.server_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Server Address;help:Server Address
+zeek.ecat_registers.register_type=db:zeek.ecat_registers.register_type;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Register Information;help:Register Information
+zeek.ecat_registers.register_addr=db:zeek.ecat_registers.register_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Register Address;help:Register Address
+zeek.ecat_registers.data=db:zeek.ecat_registers.data;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data;help:Data
 # ecat_log_address.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_log_address.log_addr=db:zeek.ecat_log_address.log_addr;group:zeek_ecat;kind:termfield;friendly:Data Address;help:Data Address
-zeek.ecat_log_address.length=db:zeek.ecat_log_address.length;group:zeek_ecat;kind:integer;friendly:Data Length;help:Data Length
-zeek.ecat_log_address.command=db:zeek.ecat_log_address.command;group:zeek_ecat;kind:termfield;friendly:Command;help:Command
-zeek.ecat_log_address.data=db:zeek.ecat_log_address.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data
+zeek.ecat_log_address.log_addr=db:zeek.ecat_log_address.log_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data Address;help:Data Address
+zeek.ecat_log_address.length=db:zeek.ecat_log_address.length;group:zeek_ecat;kind:integer;viewerOnly:true;friendly:Data Length;help:Data Length
+zeek.ecat_log_address.command=db:zeek.ecat_log_address.command;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.ecat_log_address.data=db:zeek.ecat_log_address.data;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data;help:Data
 # ecat_dev_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_dev_info.server_id=db:zeek.ecat_dev_info.server_id;group:zeek_ecat;kind:termfield;friendly:Server Address;help:Server Address
-zeek.ecat_dev_info.revision=db:zeek.ecat_dev_info.revision;group:zeek_ecat;kind:termfield;friendly:Revision;help:Revision
-zeek.ecat_dev_info.dev_type=db:zeek.ecat_dev_info.dev_type;group:zeek_ecat;kind:termfield;friendly:Device Type;help:Device Type
-zeek.ecat_dev_info.build=db:zeek.ecat_dev_info.build;group:zeek_ecat;kind:termfield;friendly:Build Version;help:Build Version
-zeek.ecat_dev_info.fmmucnt=db:zeek.ecat_dev_info.fmmucnt;group:zeek_ecat;kind:termfield;friendly:Fieldbus MMU Channels;help:Fieldbus MMU Channels
-zeek.ecat_dev_info.smcount=db:zeek.ecat_dev_info.smcount;group:zeek_ecat;kind:termfield;friendly:Sync Managers;help:Sync Managers
-zeek.ecat_dev_info.ports=db:zeek.ecat_dev_info.ports;group:zeek_ecat;kind:termfield;friendly:Port Descriptor;help:Port Descriptor
-zeek.ecat_dev_info.dpram=db:zeek.ecat_dev_info.dpram;group:zeek_ecat;kind:termfield;friendly:RAM Size;help:RAM Size
-zeek.ecat_dev_info.features=db:zeek.ecat_dev_info.features;group:zeek_ecat;kind:termfield;friendly:Features;help:Features
+zeek.ecat_dev_info.server_id=db:zeek.ecat_dev_info.server_id;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Server Address;help:Server Address
+zeek.ecat_dev_info.revision=db:zeek.ecat_dev_info.revision;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Revision;help:Revision
+zeek.ecat_dev_info.dev_type=db:zeek.ecat_dev_info.dev_type;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Device Type;help:Device Type
+zeek.ecat_dev_info.build=db:zeek.ecat_dev_info.build;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Build Version;help:Build Version
+zeek.ecat_dev_info.fmmucnt=db:zeek.ecat_dev_info.fmmucnt;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Fieldbus MMU Channels;help:Fieldbus MMU Channels
+zeek.ecat_dev_info.smcount=db:zeek.ecat_dev_info.smcount;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Sync Managers;help:Sync Managers
+zeek.ecat_dev_info.ports=db:zeek.ecat_dev_info.ports;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Port Descriptor;help:Port Descriptor
+zeek.ecat_dev_info.dpram=db:zeek.ecat_dev_info.dpram;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:RAM Size;help:RAM Size
+zeek.ecat_dev_info.features=db:zeek.ecat_dev_info.features;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Features;help:Features
 # ecat_aoe_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_aoe_info.resp_port=db:zeek.ecat_aoe_info.resp_port;group:zeek_ecat;kind:termfield;friendly:Target Port;help:Target Port
-zeek.ecat_aoe_info.orig_port=db:zeek.ecat_aoe_info.orig_port;group:zeek_ecat;kind:termfield;friendly:Sender Port;help:Sender Port
-zeek.ecat_aoe_info.command=db:zeek.ecat_aoe_info.command;group:zeek_ecat;kind:termfield;friendly:Command;help:Command
-zeek.ecat_aoe_info.state=db:zeek.ecat_aoe_info.state;group:zeek_ecat;kind:termfield;friendly:State Flags;help:State Flags
-zeek.ecat_aoe_info.data=db:zeek.ecat_aoe_info.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data
+zeek.ecat_aoe_info.resp_port=db:zeek.ecat_aoe_info.resp_port;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Target Port;help:Target Port
+zeek.ecat_aoe_info.orig_port=db:zeek.ecat_aoe_info.orig_port;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Sender Port;help:Sender Port
+zeek.ecat_aoe_info.command=db:zeek.ecat_aoe_info.command;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.ecat_aoe_info.state=db:zeek.ecat_aoe_info.state;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:State Flags;help:State Flags
+zeek.ecat_aoe_info.data=db:zeek.ecat_aoe_info.data;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data;help:Data
 # ecat_coe_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_coe_info.number=db:zeek.ecat_coe_info.number;group:zeek_ecat;kind:termfield;friendly:Message Number;help:Message Number
-zeek.ecat_coe_info.type=db:zeek.ecat_coe_info.type;group:zeek_ecat;kind:termfield;friendly:Message Type;help:Message Type
-zeek.ecat_coe_info.req_resp=db:zeek.ecat_coe_info.req_resp;group:zeek_ecat;kind:termfield;friendly:Request or Response;help:Request or Response
-zeek.ecat_coe_info.index=db:zeek.ecat_coe_info.index;group:zeek_ecat;kind:termfield;friendly:Message Index;help:Message Index
-zeek.ecat_coe_info.subindex=db:zeek.ecat_coe_info.subindex;group:zeek_ecat;kind:termfield;friendly:Message Subindex;help:Message Subindex
-zeek.ecat_coe_info.dataoffset=db:zeek.ecat_coe_info.dataoffset;group:zeek_ecat;kind:termfield;friendly:Data Offset;help:Data Offset
+zeek.ecat_coe_info.number=db:zeek.ecat_coe_info.number;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Number;help:Message Number
+zeek.ecat_coe_info.type=db:zeek.ecat_coe_info.type;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Type;help:Message Type
+zeek.ecat_coe_info.req_resp=db:zeek.ecat_coe_info.req_resp;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Request or Response;help:Request or Response
+zeek.ecat_coe_info.index=db:zeek.ecat_coe_info.index;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Index;help:Message Index
+zeek.ecat_coe_info.subindex=db:zeek.ecat_coe_info.subindex;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Subindex;help:Message Subindex
+zeek.ecat_coe_info.dataoffset=db:zeek.ecat_coe_info.dataoffset;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data Offset;help:Data Offset
 # ecat_foe_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_foe_info.opcode=db:zeek.ecat_foe_info.opcode;group:zeek_ecat;kind:termfield;friendly:Operation;help:Operation
-zeek.ecat_foe_info.reserved=db:zeek.ecat_foe_info.reserved;group:zeek_ecat;kind:termfield;friendly:Reserver;help:Reserver
-zeek.ecat_foe_info.packet_num=db:zeek.ecat_foe_info.packet_num;group:zeek_ecat;kind:termfield;friendly:Packet Number;help:Packet Number
-zeek.ecat_foe_info.error_code=db:zeek.ecat_foe_info.error_code;group:zeek_ecat;kind:termfield;friendly:Error Code;help:Error Code
-zeek.ecat_foe_info.filename=db:zeek.ecat_foe_info.filename;group:zeek_ecat;kind:termfield;friendly:File Name;help:File Name
-zeek.ecat_foe_info.data=db:zeek.ecat_foe_info.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data
+zeek.ecat_foe_info.opcode=db:zeek.ecat_foe_info.opcode;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation
+zeek.ecat_foe_info.reserved=db:zeek.ecat_foe_info.reserved;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Reserver;help:Reserver
+zeek.ecat_foe_info.packet_num=db:zeek.ecat_foe_info.packet_num;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Packet Number;help:Packet Number
+zeek.ecat_foe_info.error_code=db:zeek.ecat_foe_info.error_code;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Error Code;help:Error Code
+zeek.ecat_foe_info.filename=db:zeek.ecat_foe_info.filename;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:File Name;help:File Name
+zeek.ecat_foe_info.data=db:zeek.ecat_foe_info.data;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data;help:Data
 # ecat_soe_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_soe_info.opcode=db:zeek.ecat_soe_info.opcode;group:zeek_ecat;kind:termfield;friendly:Operation;help:Operation
-zeek.ecat_soe_info.incomplete=db:zeek.ecat_soe_info.incomplete;group:zeek_ecat;kind:termfield;friendly:Incomplete;help:Incomplete
-zeek.ecat_soe_info.error=db:zeek.ecat_soe_info.error;group:zeek_ecat;kind:termfield;friendly:Error Message;help:Error Message
-zeek.ecat_soe_info.drive_num=db:zeek.ecat_soe_info.drive_num;group:zeek_ecat;kind:termfield;friendly:Drive Number;help:Drive Number
-zeek.ecat_soe_info.element=db:zeek.ecat_soe_info.element;group:zeek_ecat;kind:termfield;friendly:Element Flags;help:Element Flags -zeek.ecat_soe_info.index=db:zeek.ecat_soe_info.index;group:zeek_ecat;kind:termfield;friendly:Message Index;help:Message Index +zeek.ecat_soe_info.opcode=db:zeek.ecat_soe_info.opcode;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation +zeek.ecat_soe_info.incomplete=db:zeek.ecat_soe_info.incomplete;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Incomplete;help:Incomplete +zeek.ecat_soe_info.error=db:zeek.ecat_soe_info.error;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Error Message;help:Error Message +zeek.ecat_soe_info.drive_num=db:zeek.ecat_soe_info.drive_num;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Drive Number;help:Drive Number +zeek.ecat_soe_info.element=db:zeek.ecat_soe_info.element;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Element Flags;help:Element Flags +zeek.ecat_soe_info.index=db:zeek.ecat_soe_info.index;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Index;help:Message Index # ecat_arp_info.log # https://github.com/cisagov/ICSNPP -zeek.ecat_arp_info.arp_type=db:zeek.ecat_arp_info.arp_type;group:zeek_ecat;kind:termfield;friendly:ARP Command;help:ARP Command -zeek.ecat_arp_info.orig_proto_addr=db:zeek.ecat_arp_info.orig_proto_addr;group:zeek_ecat;kind:termfield;friendly:Originating host;help:Originating host -zeek.ecat_arp_info.orig_hw_addr=db:zeek.ecat_arp_info.orig_hw_addr;group:zeek_ecat;kind:termfield;friendly:Originating MAC;help:Originating MAC -zeek.ecat_arp_info.resp_proto_addr=db:zeek.ecat_arp_info.resp_proto_addr;group:zeek_ecat;kind:termfield;friendly:Responding host;help:Responding host -zeek.ecat_arp_info.resp_hw_addr=db:zeek.ecat_arp_info.resp_hw_addr;group:zeek_ecat;kind:termfield;friendly:Responding MAC;help:Responding MAC 
+zeek.ecat_arp_info.arp_type=db:zeek.ecat_arp_info.arp_type;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:ARP Command;help:ARP Command +zeek.ecat_arp_info.orig_proto_addr=db:zeek.ecat_arp_info.orig_proto_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Originating host;help:Originating host +zeek.ecat_arp_info.orig_hw_addr=db:zeek.ecat_arp_info.orig_hw_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Originating MAC;help:Originating MAC +zeek.ecat_arp_info.resp_proto_addr=db:zeek.ecat_arp_info.resp_proto_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Responding host;help:Responding host +zeek.ecat_arp_info.resp_hw_addr=db:zeek.ecat_arp_info.resp_hw_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Responding MAC;help:Responding MAC # files.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info -zeek.files.tx_hosts=db:zeek.files.tx_hosts;group:zeek_files;kind:termfield;friendly:Transmitter;help:Transmitter -zeek.files.rx_hosts=db:zeek.files.rx_hosts;group:zeek_files;kind:termfield;friendly:Receiver;help:Receiver -zeek.files.conn_uids=db:zeek.files.conn_uids;group:zeek_files;kind:termfield;friendly:Connection ID;help:Connection ID -zeek.files.depth=db:zeek.files.depth;group:zeek_files;kind:integer;friendly:Source Depth;help:Source Depth -zeek.files.analyzers=db:zeek.files.analyzers;group:zeek_files;kind:termfield;friendly:Analyzer;help:Analyzer -zeek.files.mime_type=db:zeek.files.mime_type;group:zeek_files;kind:termfield;friendly:File Magic;help:File Magic -zeek.files.filename=db:zeek.files.filename;group:zeek_files;kind:termfield;friendly:Filename;help:Filename -zeek.files.ftime=db:zeek.files.ftime;group:zeek_files;kind:termfield;friendly:File Timestamp;help:File Timestamp -zeek.files.duration=db:zeek.files.duration;group:zeek_files;kind:termfield;friendly:Analysis Duration;help:Analysis Duration 
-zeek.files.local_orig=db:zeek.files.local_orig;group:zeek_files;kind:termfield;friendly:Local Originator;help:Local Originator -zeek.files.seen_bytes=db:zeek.files.seen_bytes;group:zeek_files;kind:integer;friendly:Bytes Analyzed;help:Bytes Analyzed -zeek.files.total_bytes=db:zeek.files.total_bytes;group:zeek_files;kind:integer;friendly:Total Bytes;help:Total Bytes -zeek.files.missing_bytes=db:zeek.files.missing_bytes;group:zeek_files;kind:integer;friendly:Missed Bytes;help:Missed Bytes -zeek.files.overflow_bytes=db:zeek.files.overflow_bytes;group:zeek_files;kind:integer;friendly:Overflow Bytes;help:Overflow Bytes -zeek.files.timedout=db:zeek.files.timedout;group:zeek_files;kind:termfield;friendly:Analysis Timed Out;help:Analysis Timed Out -zeek.files.parent_fuid=db:zeek.files.parent_fuid;group:zeek_files;kind:termfield;friendly:Parent File ID;help:Parent File ID -zeek.files.md5=db:zeek.files.md5;group:zeek_files;kind:termfield;friendly:MD5 Digest;help:MD5 Digest -zeek.files.sha1=db:zeek.files.sha1;group:zeek_files;kind:termfield;friendly:SHA1 Digest;help:SHA1 Digest -zeek.files.sha256=db:zeek.files.sha256;group:zeek_files;kind:termfield;friendly:SHA256 Digest;help:SHA256 Digest -zeek.files.extracted=db:zeek.files.extracted;group:zeek_files;kind:termfield;friendly:Extracted Filename;help:Extracted Filename -zeek.files.extracted_cutoff=db:zeek.files.extracted_cutoff;group:zeek_files;kind:termfield;friendly:Truncated;help:Truncated -zeek.files.extracted_size=db:zeek.files.extracted_size;group:zeek_files;kind:integer;friendly:Extracted Bytes;help:Extracted Bytes +zeek.files.tx_hosts=db:zeek.files.tx_hosts;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Transmitter;help:Transmitter +zeek.files.rx_hosts=db:zeek.files.rx_hosts;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Receiver;help:Receiver +zeek.files.conn_uids=db:zeek.files.conn_uids;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Connection ID;help:Connection ID 
+zeek.files.depth=db:zeek.files.depth;group:zeek_files;kind:integer;viewerOnly:true;friendly:Source Depth;help:Source Depth +zeek.files.analyzers=db:zeek.files.analyzers;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Analyzer;help:Analyzer +zeek.files.mime_type=db:zeek.files.mime_type;group:zeek_files;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic +zeek.files.filename=db:zeek.files.filename;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Filename;help:Filename +zeek.files.ftime=db:zeek.files.ftime;group:zeek_files;kind:termfield;viewerOnly:true;friendly:File Timestamp;help:File Timestamp +zeek.files.duration=db:zeek.files.duration;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Analysis Duration;help:Analysis Duration +zeek.files.local_orig=db:zeek.files.local_orig;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Local Originator;help:Local Originator +zeek.files.seen_bytes=db:zeek.files.seen_bytes;group:zeek_files;kind:integer;viewerOnly:true;friendly:Bytes Analyzed;help:Bytes Analyzed +zeek.files.total_bytes=db:zeek.files.total_bytes;group:zeek_files;kind:integer;viewerOnly:true;friendly:Total Bytes;help:Total Bytes +zeek.files.missing_bytes=db:zeek.files.missing_bytes;group:zeek_files;kind:integer;viewerOnly:true;friendly:Missed Bytes;help:Missed Bytes +zeek.files.overflow_bytes=db:zeek.files.overflow_bytes;group:zeek_files;kind:integer;viewerOnly:true;friendly:Overflow Bytes;help:Overflow Bytes +zeek.files.timedout=db:zeek.files.timedout;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Analysis Timed Out;help:Analysis Timed Out +zeek.files.parent_fuid=db:zeek.files.parent_fuid;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Parent File ID;help:Parent File ID +zeek.files.md5=db:zeek.files.md5;group:zeek_files;kind:termfield;viewerOnly:true;friendly:MD5 Digest;help:MD5 Digest +zeek.files.sha1=db:zeek.files.sha1;group:zeek_files;kind:termfield;viewerOnly:true;friendly:SHA1 Digest;help:SHA1 
Digest +zeek.files.sha256=db:zeek.files.sha256;group:zeek_files;kind:termfield;viewerOnly:true;friendly:SHA256 Digest;help:SHA256 Digest +zeek.files.extracted=db:zeek.files.extracted;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Extracted Filename;help:Extracted Filename +zeek.files.extracted_cutoff=db:zeek.files.extracted_cutoff;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Truncated;help:Truncated +zeek.files.extracted_size=db:zeek.files.extracted_size;group:zeek_files;kind:integer;viewerOnly:true;friendly:Extracted Bytes;help:Extracted Bytes # ftp.log # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info -zeek.ftp.command=db:zeek.ftp.command;group:zeek_ftp;kind:termfield;friendly:Command;help:Command -zeek.ftp.arg=db:zeek.ftp.arg;group:zeek_ftp;kind:termfield;friendly:Argument;help:Argument -zeek.ftp.mime_type=db:zeek.ftp.mime_type;group:zeek_ftp;kind:termfield;friendly:File Magic;help:File Magic -zeek.ftp.file_size=db:zeek.ftp.file_size;group:zeek_ftp;kind:integer;friendly:File Size;help:File Size -zeek.ftp.reply_code=db:zeek.ftp.reply_code;group:zeek_ftp;kind:integer;friendly:Reply Code;help:Reply Code -zeek.ftp.reply_msg=db:zeek.ftp.reply_msg;group:zeek_ftp;kind:termfield;friendly:Reply;help:Reply -zeek.ftp.data_channel_passive=db:zeek.ftp.data_channel_passive;group:zeek_ftp;kind:termfield;friendly:Passive;help:Passive -zeek.ftp.data_channel_orig_h=db:zeek.ftp.data_channel_orig_h;group:zeek_ftp;kind:termfield;friendly:Data Originating Host;help:Data Originating Host -zeek.ftp.data_channel_resp_h=db:zeek.ftp.data_channel_resp_h;group:zeek_ftp;kind:termfield;friendly:Data Responding Host;help:Data Responding Host -zeek.ftp.data_channel_resp_p=db:zeek.ftp.data_channel_resp_p;group:zeek_ftp;kind:integer;friendly:Data Responding Port;help:Data Responding Port +zeek.ftp.command=db:zeek.ftp.command;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Command;help:Command 
+zeek.ftp.arg=db:zeek.ftp.arg;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Argument;help:Argument +zeek.ftp.mime_type=db:zeek.ftp.mime_type;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic +zeek.ftp.file_size=db:zeek.ftp.file_size;group:zeek_ftp;kind:integer;viewerOnly:true;friendly:File Size;help:File Size +zeek.ftp.reply_code=db:zeek.ftp.reply_code;group:zeek_ftp;kind:integer;viewerOnly:true;friendly:Reply Code;help:Reply Code +zeek.ftp.reply_msg=db:zeek.ftp.reply_msg;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Reply;help:Reply +zeek.ftp.data_channel_passive=db:zeek.ftp.data_channel_passive;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Passive;help:Passive +zeek.ftp.data_channel_orig_h=db:zeek.ftp.data_channel_orig_h;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Data Originating Host;help:Data Originating Host +zeek.ftp.data_channel_resp_h=db:zeek.ftp.data_channel_resp_h;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Data Responding Host;help:Data Responding Host +zeek.ftp.data_channel_resp_p=db:zeek.ftp.data_channel_resp_p;group:zeek_ftp;kind:integer;viewerOnly:true;friendly:Data Responding Port;help:Data Responding Port # genisys.log # https://github.com/cisagov/icsnpp-genisys -zeek.genisys.header=db:zeek.genisys.header;group:zeek_genisys;kind:termfield;friendly:Control Character;help:Control Character -zeek.genisys.server=db:zeek.genisys.server;group:zeek_genisys;kind:integer;friendly:Station Address;help:Station Address -zeek.genisys.direction=db:zeek.genisys.direction;group:zeek_genisys;kind:termfield;friendly:Message Direction;help:Message Direction -zeek.genisys.crc_transmitted=db:zeek.genisys.crc_transmitted;group:zeek_genisys;kind:termfield;friendly:CRC Transmitted;help:CRC Transmitted -zeek.genisys.crc_calculated=db:zeek.genisys.crc_calculated;group:zeek_genisys;kind:termfield;friendly:CRC Calculated;help:CRC Calculated 
-zeek.genisys.payload.address=db:zeek.genisys.payload.address;group:zeek_genisys;kind:integer;friendly:Payload Address;help:Payload Address -zeek.genisys.payload.data=db:zeek.genisys.payload.data;group:zeek_genisys;kind:integer;friendly:Payload Data;help:Payload Data +zeek.genisys.header=db:zeek.genisys.header;group:zeek_genisys;kind:termfield;viewerOnly:true;friendly:Control Character;help:Control Character +zeek.genisys.server=db:zeek.genisys.server;group:zeek_genisys;kind:integer;viewerOnly:true;friendly:Station Address;help:Station Address +zeek.genisys.direction=db:zeek.genisys.direction;group:zeek_genisys;kind:termfield;viewerOnly:true;friendly:Message Direction;help:Message Direction +zeek.genisys.crc_transmitted=db:zeek.genisys.crc_transmitted;group:zeek_genisys;kind:termfield;viewerOnly:true;friendly:CRC Transmitted;help:CRC Transmitted +zeek.genisys.crc_calculated=db:zeek.genisys.crc_calculated;group:zeek_genisys;kind:termfield;viewerOnly:true;friendly:CRC Calculated;help:CRC Calculated +zeek.genisys.payload.address=db:zeek.genisys.payload.address;group:zeek_genisys;kind:integer;viewerOnly:true;friendly:Payload Address;help:Payload Address +zeek.genisys.payload.data=db:zeek.genisys.payload.data;group:zeek_genisys;kind:integer;viewerOnly:true;friendly:Payload Data;help:Payload Data # gquic.log # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro -zeek.gquic.version=db:zeek.gquic.version;group:zeek_gquic;kind:termfield;friendly:QUIC version;help:gquic version -zeek.gquic.server_name=db:zeek.gquic.server_name;group:zeek_gquic;kind:termfield;friendly:Server Name;help:gquic server_name -zeek.gquic.user_agent=db:zeek.gquic.user_agent;group:zeek_gquic;kind:termfield;friendly:User Agent;help:gquic user_agent -zeek.gquic.tag_count=db:zeek.gquic.tag_count;group:zeek_gquic;kind:integer;friendly:Tag Count;help:gquic tag_count -zeek.gquic.cyu=db:zeek.gquic.cyu;group:zeek_gquic;kind:termfield;friendly:CYU 
Fingerprint;help:gquic cyu -zeek.gquic.cyutags=db:zeek.gquic.cyutags;group:zeek_gquic;kind:termfield;friendly:CYU Fingerprint Digest;help:gquic cyutags +zeek.gquic.version=db:zeek.gquic.version;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:QUIC version;help:gquic version +zeek.gquic.server_name=db:zeek.gquic.server_name;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:Server Name;help:gquic server_name +zeek.gquic.user_agent=db:zeek.gquic.user_agent;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:User Agent;help:gquic user_agent +zeek.gquic.tag_count=db:zeek.gquic.tag_count;group:zeek_gquic;kind:integer;viewerOnly:true;friendly:Tag Count;help:gquic tag_count +zeek.gquic.cyu=db:zeek.gquic.cyu;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:CYU Fingerprint;help:gquic cyu +zeek.gquic.cyutags=db:zeek.gquic.cyutags;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:CYU Fingerprint Digest;help:gquic cyutags # http.log # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info -zeek.http.trans_depth=db:zeek.http.trans_depth;group:zeek_http;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth -zeek.http.method=db:zeek.http.method;group:zeek_http;kind:termfield;friendly:Request Method;help:Request Method -zeek.http.host=db:zeek.http.host;group:zeek_http;kind:termfield;friendly:Host Header;help:Host Header -zeek.http.uri=db:zeek.http.uri;group:zeek_http;kind:termfield;friendly:URI;help:URI -zeek.http.referrer=db:zeek.http.referrer;group:zeek_http;kind:termfield;friendly:Referrer Header;help:Referrer Header -zeek.http.version=db:zeek.http.version;group:zeek_http;kind:termfield;friendly:Version;help:Version -zeek.http.user_agent=db:zeek.http.user_agent;group:zeek_http;kind:termfield;friendly:User Agent;help:User Agent -zeek.http.origin=db:zeek.http.origin;group:zeek_http;kind:termfield;friendly:Origin Header;help:Origin Header 
-zeek.http.request_body_len=db:zeek.http.request_body_len;group:zeek_http;kind:integer;friendly:Request Body Length;help:Request Body Length -zeek.http.response_body_len=db:zeek.http.response_body_len;group:zeek_http;kind:integer;friendly:Response Body Length;help:Response Body Length -zeek.http.status_code=db:zeek.http.status_code;group:zeek_http;kind:integer;friendly:Status Code;help:Status Code -zeek.http.status_msg=db:zeek.http.status_msg;group:zeek_http;kind:termfield;friendly:Status Message;help:Status Message -zeek.http.info_code=db:zeek.http.info_code;group:zeek_http;kind:integer;friendly:Informational Code;help:Informational Code -zeek.http.info_msg=db:zeek.http.info_msg;group:zeek_http;kind:termfield;friendly:Informational Message;help:Informational Message -zeek.http.tags=db:zeek.http.tags;group:zeek_http;kind:termfield;friendly:HTTP Tag;help:HTTP Tag -zeek.http.proxied=db:zeek.http.proxied;group:zeek_http;kind:termfield;friendly:Proxy Header;help:Proxy Header -zeek.http.orig_fuids=db:zeek.http.orig_fuids;group:zeek_http;kind:termfield;friendly:Originating File ID;help:Originating File ID -zeek.http.orig_filenames=db:zeek.http.orig_filenames;group:zeek_http;kind:termfield;friendly:Originating Filename;help:Originating Filename -zeek.http.orig_mime_types=db:zeek.http.orig_mime_types;group:zeek_http;kind:termfield;friendly:Originating File Magic;help:Originating File Magic -zeek.http.resp_fuids=db:zeek.http.resp_fuids;group:zeek_http;kind:termfield;friendly:Responding File ID;help:Responding File ID -zeek.http.resp_filenames=db:zeek.http.resp_filenames;group:zeek_http;kind:termfield;friendly:Responding Filename;help:Responding Filename -zeek.http.resp_mime_types=db:zeek.http.resp_mime_types;group:zeek_http;kind:termfield;friendly:Responding File Magic;help:Responding File Magic -zeek.http.post_username=db:zeek.http.post_username;group:zeek_http;kind:termfield;friendly:POST User;help:POST User 
-zeek.http.post_password_plain=db:zeek.http.post_password_plain;group:zeek_http;kind:termfield;friendly:POST Password;help:POST Password +zeek.http.trans_depth=db:zeek.http.trans_depth;group:zeek_http;kind:integer;viewerOnly:true;friendly:Pipeline Depth;help:Pipeline Depth +zeek.http.method=db:zeek.http.method;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Request Method;help:Request Method +zeek.http.host=db:zeek.http.host;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Host Header;help:Host Header +zeek.http.uri=db:zeek.http.uri;group:zeek_http;kind:termfield;viewerOnly:true;friendly:URI;help:URI +zeek.http.referrer=db:zeek.http.referrer;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Referrer Header;help:Referrer Header +zeek.http.version=db:zeek.http.version;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Version;help:Version +zeek.http.user_agent=db:zeek.http.user_agent;group:zeek_http;kind:termfield;viewerOnly:true;friendly:User Agent;help:User Agent +zeek.http.origin=db:zeek.http.origin;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Origin Header;help:Origin Header +zeek.http.request_body_len=db:zeek.http.request_body_len;group:zeek_http;kind:integer;viewerOnly:true;friendly:Request Body Length;help:Request Body Length +zeek.http.response_body_len=db:zeek.http.response_body_len;group:zeek_http;kind:integer;viewerOnly:true;friendly:Response Body Length;help:Response Body Length +zeek.http.status_code=db:zeek.http.status_code;group:zeek_http;kind:integer;viewerOnly:true;friendly:Status Code;help:Status Code +zeek.http.status_msg=db:zeek.http.status_msg;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Status Message;help:Status Message +zeek.http.info_code=db:zeek.http.info_code;group:zeek_http;kind:integer;viewerOnly:true;friendly:Informational Code;help:Informational Code +zeek.http.info_msg=db:zeek.http.info_msg;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Informational Message;help:Informational 
Message +zeek.http.tags=db:zeek.http.tags;group:zeek_http;kind:termfield;viewerOnly:true;friendly:HTTP Tag;help:HTTP Tag +zeek.http.proxied=db:zeek.http.proxied;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Proxy Header;help:Proxy Header +zeek.http.orig_fuids=db:zeek.http.orig_fuids;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Originating File ID;help:Originating File ID +zeek.http.orig_filenames=db:zeek.http.orig_filenames;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Originating Filename;help:Originating Filename +zeek.http.orig_mime_types=db:zeek.http.orig_mime_types;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Originating File Magic;help:Originating File Magic +zeek.http.resp_fuids=db:zeek.http.resp_fuids;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Responding File ID;help:Responding File ID +zeek.http.resp_filenames=db:zeek.http.resp_filenames;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Responding Filename;help:Responding Filename +zeek.http.resp_mime_types=db:zeek.http.resp_mime_types;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Responding File Magic;help:Responding File Magic +zeek.http.post_username=db:zeek.http.post_username;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST User;help:POST User +zeek.http.post_password_plain=db:zeek.http.post_password_plain;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST Password;help:POST Password # intel.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info -zeek.intel.seen_indicator=db:zeek.intel.seen_indicator;group:zeek_intel;kind:termfield;friendly:Indicator;help:Indicator -zeek.intel.seen_indicator_type=db:zeek.intel.seen_indicator_type;group:zeek_intel;kind:termfield;friendly:Indicator Type;help:Indicator Type -zeek.intel.seen_where=db:zeek.intel.seen_where;group:zeek_intel;kind:termfield;friendly:Where Discovered;help:Where Discovered 
-zeek.intel.seen_node=db:zeek.intel.seen_node;group:zeek_intel;kind:termfield;friendly:Discovered Node;help:Discovered Node -zeek.intel.matched=db:zeek.intel.matched;group:zeek_intel;kind:termfield;friendly:Match Indicator;help:Match Indicator -zeek.intel.sources=db:zeek.intel.sources;group:zeek_intel;kind:termfield;friendly:Match Source;help:Match Source -zeek.intel.file_mime_type=db:zeek.intel.file_mime_type;group:zeek_intel;kind:termfield;friendly:File Magic;help:File Magic -zeek.intel.file_description=db:zeek.intel.file_description;group:zeek_intel;kind:termfield;friendly:File Description;help:File Description -zeek.intel.cif_tags=db:zeek.intel.cif_tags;group:zeek_intel;kind:termfield;friendly:CIF Tags;help:CIF Tags -zeek.intel.cif_confidence=db:zeek.intel.cif_confidence;group:zeek_intel;kind:float;friendly:CIF Confidence;help:CIF Confidence -zeek.intel.cif_source=db:zeek.intel.cif_source;group:zeek_intel;kind:termfield;friendly:CIF Source;help:CIF Source -zeek.intel.cif_description=db:zeek.intel.cif_description;group:zeek_intel;kind:termfield;friendly:CIF Description;help:CIF Description -zeek.intel.cif_firstseen=db:zeek.intel.cif_firstseen;group:zeek_intel;kind:termfield;friendly:CIF First Seen;help:CIF First Seen -zeek.intel.cif_lastseen=db:zeek.intel.cif_lastseen;group:zeek_intel;kind:termfield;friendly:CIF Last Seen;help:CIF Last Seen +zeek.intel.seen_indicator=db:zeek.intel.seen_indicator;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Indicator;help:Indicator +zeek.intel.seen_indicator_type=db:zeek.intel.seen_indicator_type;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Indicator Type;help:Indicator Type +zeek.intel.seen_where=db:zeek.intel.seen_where;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Where Discovered;help:Where Discovered +zeek.intel.seen_node=db:zeek.intel.seen_node;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Discovered Node;help:Discovered Node 
+zeek.intel.matched=db:zeek.intel.matched;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Match Indicator;help:Match Indicator +zeek.intel.sources=db:zeek.intel.sources;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Match Source;help:Match Source +zeek.intel.file_mime_type=db:zeek.intel.file_mime_type;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic +zeek.intel.file_description=db:zeek.intel.file_description;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:File Description;help:File Description +zeek.intel.cif_tags=db:zeek.intel.cif_tags;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF Tags;help:CIF Tags +zeek.intel.cif_confidence=db:zeek.intel.cif_confidence;group:zeek_intel;kind:float;viewerOnly:true;friendly:CIF Confidence;help:CIF Confidence +zeek.intel.cif_source=db:zeek.intel.cif_source;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF Source;help:CIF Source +zeek.intel.cif_description=db:zeek.intel.cif_description;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF Description;help:CIF Description +zeek.intel.cif_firstseen=db:zeek.intel.cif_firstseen;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF First Seen;help:CIF First Seen +zeek.intel.cif_lastseen=db:zeek.intel.cif_lastseen;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF Last Seen;help:CIF Last Seen # ipsec.log # https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek -zeek.ipsec.initiator_spi=db:zeek.ipsec.initiator_spi;group:zeek_ipsec;kind:termfield;friendly:Initiator SPI;help:Initiator SPI -zeek.ipsec.responder_spi=db:zeek.ipsec.responder_spi;group:zeek_ipsec;kind:termfield;friendly:Responder SPI;help:Responder SPI -zeek.ipsec.maj_ver=db:zeek.ipsec.maj_ver;group:zeek_ipsec;kind:integer;friendly:Major Version;help:Major Version -zeek.ipsec.min_ver=db:zeek.ipsec.min_ver;group:zeek_ipsec;kind:integer;friendly:Minor Version;help:Minor Version 
-zeek.ipsec.doi=db:zeek.ipsec.doi;group:zeek_ipsec;kind:integer;friendly:Domain of Interpretation;help:Domain of Interpretation -zeek.ipsec.exchange_type=db:zeek.ipsec.exchange_type;group:zeek_ipsec;kind:integer;friendly:Exchange Type;help:Exchange Type -zeek.ipsec.flag_e=db:zeek.ipsec.flag_e;group:zeek_ipsec;kind:termfield;friendly:Flag E;help:Flag E -zeek.ipsec.flag_c=db:zeek.ipsec.flag_c;group:zeek_ipsec;kind:termfield;friendly:Flag C;help:Flac C -zeek.ipsec.flag_a=db:zeek.ipsec.flag_a;group:zeek_ipsec;kind:termfield;friendly:Flag A;help:Flag A -zeek.ipsec.flag_i=db:zeek.ipsec.flag_i;group:zeek_ipsec;kind:termfield;friendly:Flag I;help:Flag I -zeek.ipsec.flag_v=db:zeek.ipsec.flag_v;group:zeek_ipsec;kind:termfield;friendly:Flag V;help:Flag V -zeek.ipsec.flag_r=db:zeek.ipsec.flag_r;group:zeek_ipsec;kind:termfield;friendly:Flag R;help:Flag R -zeek.ipsec.flags=db:zeek.ipsec.flags;group:zeek_ipsec;kind:termfield;friendly:Flags;help:Flags -zeek.ipsec.message_id=db:zeek.ipsec.message_id;group:zeek_ipsec;kind:termfield;friendly:Message ID;help:Message ID -zeek.ipsec.vendor_ids=db:zeek.ipsec.vendor_ids;group:zeek_ipsec;kind:termfield;friendly:Vendor ID;help:Vendor ID -zeek.ipsec.notify_messages=db:zeek.ipsec.notify_messages;group:zeek_ipsec;kind:termfield;friendly:Notify Message Type;help:Notify Message Type -zeek.ipsec.situation=db:zeek.ipsec.situation;group:zeek_ipsec;kind:termfield;friendly:Situation;help:Situation -zeek.ipsec.transforms=db:zeek.ipsec.transforms;group:zeek_ipsec;kind:termfield;friendly:Transform;help:Transform -zeek.ipsec.ke_dh_groups=db:zeek.ipsec.ke_dh_groups;group:zeek_ipsec;kind:integer;friendly:KE DH Group;help:KE DH Group -zeek.ipsec.proposals=db:zeek.ipsec.proposals;group:zeek_ipsec;kind:integer;friendly:Proposal;help:Proposal -zeek.ipsec.protocol_id=db:zeek.ipsec.protocol_id;group:zeek_ipsec;kind:integer;friendly:Protocol ID;help:Protocol ID 
-zeek.ipsec.certificates=db:zeek.ipsec.certificates;group:zeek_ipsec;kind:termfield;friendly:Certificate Hash;help:Certificate Hash -zeek.ipsec.transform_attributes=db:zeek.ipsec.transform_attributes;group:zeek_ipsec;kind:termfield;friendly:Transform Attribute;help:Transform Attribute -zeek.ipsec.length=db:zeek.ipsec.length;group:zeek_ipsec;kind:integer;friendly:Message Length;help:Message Length -zeek.ipsec.hash=db:zeek.ipsec.hash;group:zeek_ipsec;kind:termfield;friendly:Transaction Hash;help:Transaction Hash +zeek.ipsec.initiator_spi=db:zeek.ipsec.initiator_spi;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Initiator SPI;help:Initiator SPI +zeek.ipsec.responder_spi=db:zeek.ipsec.responder_spi;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Responder SPI;help:Responder SPI +zeek.ipsec.maj_ver=db:zeek.ipsec.maj_ver;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Major Version;help:Major Version +zeek.ipsec.min_ver=db:zeek.ipsec.min_ver;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Minor Version;help:Minor Version +zeek.ipsec.doi=db:zeek.ipsec.doi;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Domain of Interpretation;help:Domain of Interpretation +zeek.ipsec.exchange_type=db:zeek.ipsec.exchange_type;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Exchange Type;help:Exchange Type +zeek.ipsec.flag_e=db:zeek.ipsec.flag_e;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag E;help:Flag E +zeek.ipsec.flag_c=db:zeek.ipsec.flag_c;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag C;help:Flac C +zeek.ipsec.flag_a=db:zeek.ipsec.flag_a;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag A;help:Flag A +zeek.ipsec.flag_i=db:zeek.ipsec.flag_i;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag I;help:Flag I +zeek.ipsec.flag_v=db:zeek.ipsec.flag_v;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag V;help:Flag V 
+zeek.ipsec.flag_r=db:zeek.ipsec.flag_r;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag R;help:Flag R +zeek.ipsec.flags=db:zeek.ipsec.flags;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flags;help:Flags +zeek.ipsec.message_id=db:zeek.ipsec.message_id;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Message ID;help:Message ID +zeek.ipsec.vendor_ids=db:zeek.ipsec.vendor_ids;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Vendor ID;help:Vendor ID +zeek.ipsec.notify_messages=db:zeek.ipsec.notify_messages;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Notify Message Type;help:Notify Message Type +zeek.ipsec.situation=db:zeek.ipsec.situation;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Situation;help:Situation +zeek.ipsec.transforms=db:zeek.ipsec.transforms;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Transform;help:Transform +zeek.ipsec.ke_dh_groups=db:zeek.ipsec.ke_dh_groups;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:KE DH Group;help:KE DH Group +zeek.ipsec.proposals=db:zeek.ipsec.proposals;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Proposal;help:Proposal +zeek.ipsec.protocol_id=db:zeek.ipsec.protocol_id;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Protocol ID;help:Protocol ID +zeek.ipsec.certificates=db:zeek.ipsec.certificates;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Certificate Hash;help:Certificate Hash +zeek.ipsec.transform_attributes=db:zeek.ipsec.transform_attributes;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Transform Attribute;help:Transform Attribute +zeek.ipsec.length=db:zeek.ipsec.length;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Message Length;help:Message Length +zeek.ipsec.hash=db:zeek.ipsec.hash;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Transaction Hash;help:Transaction Hash # irc.log # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info 
-zeek.irc.nick=db:zeek.irc.nick;group:zeek_irc;kind:termfield;friendly:Nickname;help:Nickname
-zeek.irc.command=db:zeek.irc.command;group:zeek_irc;kind:termfield;friendly:Command;help:Command
-zeek.irc.value=db:zeek.irc.value;group:zeek_irc;kind:termfield;friendly:Value;help:Value
-zeek.irc.addl=db:zeek.irc.addl;group:zeek_irc;kind:termfield;friendly:Additional Data;help:Additional Data
-zeek.irc.dcc_file_name=db:zeek.irc.dcc_file_name;group:zeek_irc;kind:termfield;friendly:DCC Filename;help:DCC Filename
-zeek.irc.dcc_file_size=db:zeek.irc.dcc_file_size;group:zeek_irc;kind:integer;friendly:DCC File Size;help:DCC File Size
-zeek.irc.dcc_mime_type=db:zeek.irc.dcc_mime_type;group:zeek_irc;kind:termfield;friendly:DCC File Magic;help:DCC File Magic
+zeek.irc.nick=db:zeek.irc.nick;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:Nickname;help:Nickname
+zeek.irc.command=db:zeek.irc.command;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.irc.value=db:zeek.irc.value;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:Value;help:Value
+zeek.irc.addl=db:zeek.irc.addl;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:Additional Data;help:Additional Data
+zeek.irc.dcc_file_name=db:zeek.irc.dcc_file_name;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:DCC Filename;help:DCC Filename
+zeek.irc.dcc_file_size=db:zeek.irc.dcc_file_size;group:zeek_irc;kind:integer;viewerOnly:true;friendly:DCC File Size;help:DCC File Size
+zeek.irc.dcc_mime_type=db:zeek.irc.dcc_mime_type;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:DCC File Magic;help:DCC File Magic
 # cotp.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.cotp.pdu_code=db:zeek.cotp.pdu_code;group:zeek_cotp;kind:termfield;friendly:PDU Code;help:PDU Code
-zeek.cotp.pdu_name=db:zeek.cotp.pdu_name;group:zeek_cotp;kind:termfield;friendly:PDU Name;help:PDU Name
+zeek.cotp.pdu_code=db:zeek.cotp.pdu_code;group:zeek_cotp;kind:termfield;viewerOnly:true;friendly:PDU Code;help:PDU Code
+zeek.cotp.pdu_name=db:zeek.cotp.pdu_name;group:zeek_cotp;kind:termfield;viewerOnly:true;friendly:PDU Name;help:PDU Name
 # kerberos.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info
-zeek.kerberos.cname=db:zeek.kerberos.cname;group:zeek_kerberos;kind:termfield;friendly:Client;help:Client
-zeek.kerberos.sname=db:zeek.kerberos.sname;group:zeek_kerberos;kind:termfield;friendly:Service;help:Service
-zeek.kerberos.success=db:zeek.kerberos.success;group:zeek_kerberos;kind:termfield;friendly:Success;help:Success
-zeek.kerberos.error_msg=db:zeek.kerberos.error_msg;group:zeek_kerberos;kind:termfield;friendly:Error Message;help:Error Message
-zeek.kerberos.from=db:zeek.kerberos.from;group:zeek_kerberos;kind:termfield;friendly:Ticket Valid From;help:Ticket Valid From
-zeek.kerberos.till=db:zeek.kerberos.till;group:zeek_kerberos;kind:termfield;friendly:Ticket Valid Till;help:Ticket Valid Till
-zeek.kerberos.cipher=db:zeek.kerberos.cipher;group:zeek_kerberos;kind:termfield;friendly:Encryption Type;help:Encryption Type
-zeek.kerberos.forwardable=db:zeek.kerberos.forwardable;group:zeek_kerberos;kind:termfield;friendly:Forwardable;help:Forwardable
-zeek.kerberos.renewable=db:zeek.kerberos.renewable;group:zeek_kerberos;kind:termfield;friendly:Renewable;help:Renewable
-zeek.kerberos.request_type=db:zeek.kerberos.request_type;group:zeek_kerberos;kind:termfield;friendly:Request Type;help:Request Type
-zeek.kerberos.client_cert_subject=db:zeek.kerberos.client_cert_subject;group:zeek_kerberos;kind:termfield;friendly:Client Certificate Subject;help:Client Certificate Subject
-zeek.kerberos.client_cert_fuid=db:zeek.kerberos.client_cert_fuid;group:zeek_kerberos;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID
-zeek.kerberos.server_cert_subject=db:zeek.kerberos.server_cert_subject;group:zeek_kerberos;kind:termfield;friendly:Server Certificate Subject;help:Server Certificate Subject
-zeek.kerberos.server_cert_fuid=db:zeek.kerberos.server_cert_fuid;group:zeek_kerberos;kind:termfield;friendly:Server Certificate File ID;help:Server Certificate File ID
+zeek.kerberos.cname=db:zeek.kerberos.cname;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Client;help:Client
+zeek.kerberos.sname=db:zeek.kerberos.sname;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Service;help:Service
+zeek.kerberos.success=db:zeek.kerberos.success;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Success;help:Success
+zeek.kerberos.error_msg=db:zeek.kerberos.error_msg;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Error Message;help:Error Message
+zeek.kerberos.from=db:zeek.kerberos.from;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Ticket Valid From;help:Ticket Valid From
+zeek.kerberos.till=db:zeek.kerberos.till;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Ticket Valid Till;help:Ticket Valid Till
+zeek.kerberos.cipher=db:zeek.kerberos.cipher;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Encryption Type;help:Encryption Type
+zeek.kerberos.forwardable=db:zeek.kerberos.forwardable;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Forwardable;help:Forwardable
+zeek.kerberos.renewable=db:zeek.kerberos.renewable;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Renewable;help:Renewable
+zeek.kerberos.request_type=db:zeek.kerberos.request_type;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Request Type;help:Request Type
+zeek.kerberos.client_cert_subject=db:zeek.kerberos.client_cert_subject;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Client Certificate Subject;help:Client Certificate Subject
+zeek.kerberos.client_cert_fuid=db:zeek.kerberos.client_cert_fuid;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Client Certificate File ID;help:Client Certificate File ID
+zeek.kerberos.server_cert_subject=db:zeek.kerberos.server_cert_subject;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Server Certificate Subject;help:Server Certificate Subject
+zeek.kerberos.server_cert_fuid=db:zeek.kerberos.server_cert_fuid;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Server Certificate File ID;help:Server Certificate File ID
 # known_certs.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo
-zeek.known_certs.subject=db:zeek.known_certs.subject;group:zeek_x509;kind:termfield;friendly:Certificate Subject;help:Certificate Subject
-zeek.known_certs.issuer_subject=db:zeek.known_certs.issuer_subject;group:zeek_x509;kind:termfield;friendly:Issuer Subject;help:Issuer Subject
-zeek.known_certs.serial=db:zeek.known_certs.serial;group:zeek_x509;kind:termfield;friendly:Serial Number;help:Serial Number
+zeek.known_certs.subject=db:zeek.known_certs.subject;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Certificate Subject;help:Certificate Subject
+zeek.known_certs.issuer_subject=db:zeek.known_certs.issuer_subject;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Subject;help:Issuer Subject
+zeek.known_certs.serial=db:zeek.known_certs.serial;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Serial Number;help:Serial Number
 # known_modbus.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo
-zeek.known_modbus.device_type=db:zeek.known_modbus.device_type;group:zeek_modbus;kind:termfield;friendly:Role;help:Role
+zeek.known_modbus.device_type=db:zeek.known_modbus.device_type;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Role;help:Role
 # ldap.log
 # https://github.com/zeek/spicy-ldap/blob/main/analyzer/main.zeek
-zeek.ldap.message_id=db:zeek.ldap.message_id;group:zeek_ldap;kind:termfield;friendly:Message ID;help:Message ID
-zeek.ldap.version=db:zeek.ldap.version;group:zeek_ldap;kind:integer;friendly:LDAP Version;help:LDAP Version
-zeek.ldap.operation=db:zeek.ldap.operation;group:zeek_ldap;kind:termfield;friendly:Operation;help:Operation
-zeek.ldap.result_code=db:zeek.ldap.result_code;group:zeek_ldap;kind:termfield;friendly:Result Code;help:Result Code
-zeek.ldap.result_message=db:zeek.ldap.result_message;group:zeek_ldap;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message
-zeek.ldap.object=db:zeek.ldap.object;group:zeek_ldap;kind:termfield;friendly:Object;help:Object
-zeek.ldap.argument=db:zeek.ldap.argument;group:zeek_ldap;kind:termfield;friendly:Arguments;help:Arguments
+zeek.ldap.message_id=db:zeek.ldap.message_id;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Message ID;help:Message ID
+zeek.ldap.version=db:zeek.ldap.version;group:zeek_ldap;kind:integer;viewerOnly:true;friendly:LDAP Version;help:LDAP Version
+zeek.ldap.operation=db:zeek.ldap.operation;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation
+zeek.ldap.result_code=db:zeek.ldap.result_code;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Result Code;help:Result Code
+zeek.ldap.result_message=db:zeek.ldap.result_message;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Diagnostic Message;help:Diagnostic Message
+zeek.ldap.object=db:zeek.ldap.object;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Object;help:Object
+zeek.ldap.argument=db:zeek.ldap.argument;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Arguments;help:Arguments
 # ldap_search.log
 # https://github.com/zeek/spicy-ldap/blob/main/analyzer/main.zeek
-zeek.ldap_search.attributes=db:zeek.ldap_search.attributes;group:zeek_ldap;kind:termfield;friendly:Attributes;help:Attributes
-zeek.ldap_search.base_object=db:zeek.ldap_search.base_object;group:zeek_ldap;kind:termfield;friendly:Base Object;help:Base Object
-zeek.ldap_search.deref=db:zeek.ldap_search.deref;group:zeek_ldap;kind:termfield;friendly:Dereference Alias;help:Dereference Alias
-zeek.ldap_search.filter=db:zeek.ldap_search.filter;group:zeek_ldap;kind:termfield;friendly:Filter;help:Filter
-zeek.ldap_search.message_id=db:zeek.ldap_search.message_id;group:zeek_ldap;kind:termfield;friendly:Message ID;help:Message ID
-zeek.ldap_search.result_code=db:zeek.ldap_search.result_code;group:zeek_ldap;kind:termfield;friendly:Result Code;help:Result Code
-zeek.ldap_search.result_count=db:zeek.ldap_search.result_count;group:zeek_ldap;kind:integer;friendly:Result Count;help:Result Count
-zeek.ldap_search.result_message=db:zeek.ldap_search.result_message;group:zeek_ldap;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message
-zeek.ldap_search.scope=db:zeek.ldap_search.scope;group:zeek_ldap;kind:termfield;friendly:Scope;help:Scope
+zeek.ldap_search.attributes=db:zeek.ldap_search.attributes;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Attributes;help:Attributes
+zeek.ldap_search.base_object=db:zeek.ldap_search.base_object;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Base Object;help:Base Object
+zeek.ldap_search.deref=db:zeek.ldap_search.deref;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Dereference Alias;help:Dereference Alias
+zeek.ldap_search.filter=db:zeek.ldap_search.filter;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Filter;help:Filter
+zeek.ldap_search.message_id=db:zeek.ldap_search.message_id;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Message ID;help:Message ID
+zeek.ldap_search.result_code=db:zeek.ldap_search.result_code;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Result Code;help:Result Code
+zeek.ldap_search.result_count=db:zeek.ldap_search.result_count;group:zeek_ldap;kind:integer;viewerOnly:true;friendly:Result Count;help:Result Count
+zeek.ldap_search.result_message=db:zeek.ldap_search.result_message;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Diagnostic Message;help:Diagnostic Message
+zeek.ldap_search.scope=db:zeek.ldap_search.scope;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Scope;help:Scope
 # login.log - custom login.log module (rudimentary, login/rlogin/rsh analyzers are old and not the greatest)
-zeek.login.success=db:zeek.login.success;group:zeek_login;kind:termfield;friendly:Successful Login;help:Successful Login
-zeek.login.confused=db:zeek.login.confused;group:zeek_login;kind:termfield;friendly:Analyzer Confused;help:Analyzer Confused
-zeek.login.client_user=db:zeek.login.client_user;group:zeek_login;kind:termfield;friendly:Client User;help:Client User
+zeek.login.success=db:zeek.login.success;group:zeek_login;kind:termfield;viewerOnly:true;friendly:Successful Login;help:Successful Login
+zeek.login.confused=db:zeek.login.confused;group:zeek_login;kind:termfield;viewerOnly:true;friendly:Analyzer Confused;help:Analyzer Confused
+zeek.login.client_user=db:zeek.login.client_user;group:zeek_login;kind:termfield;viewerOnly:true;friendly:Client User;help:Client User
 # modbus.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info
-zeek.modbus.func=db:zeek.modbus.func;group:zeek_modbus;kind:termfield;friendly:Function;help:Function
-zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;friendly:Exception;help:Exception
-zeek.modbus.unit_id=db:zeek.modbus.unit_id;group:zeek_modbus;kind:integer;friendly:Unit/Server ID;help:Unit/Server ID
-zeek.modbus.trans_id=db:zeek.modbus.trans_id;group:zeek_modbus;kind:integer;friendly:Transaction ID;help:Transaction ID
-zeek.modbus.network_direction=db:zeek.modbus.network_direction;group:zeek_modbus;kind:termfield;friendly:PDU Type;help:Request or Response
+zeek.modbus.func=db:zeek.modbus.func;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Function;help:Function
+zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Exception;help:Exception
+zeek.modbus.unit_id=db:zeek.modbus.unit_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Unit/Server ID;help:Unit/Server ID
+zeek.modbus.trans_id=db:zeek.modbus.trans_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
+zeek.modbus.network_direction=db:zeek.modbus.network_direction;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:PDU Type;help:Request or Response
 # modbus_detailed.log
 # https://github.com/cisagov/ICSNPP
-zeek.modbus_detailed.address=db:zeek.modbus_detailed.address;group:zeek_modbus;kind:integer;friendly:Starting Memory Address;help:Starting Memory Address
-zeek.modbus_detailed.quantity=db:zeek.modbus_detailed.quantity;group:zeek_modbus;kind:integer;friendly:Number of Values;help:Number of Values
-zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kind:termfield;friendly:Values;help:Values
+zeek.modbus_detailed.address=db:zeek.modbus_detailed.address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting Memory Address;help:Starting Memory Address
+zeek.modbus_detailed.quantity=db:zeek.modbus_detailed.quantity;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Number of Values;help:Number of Values
+zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Values;help:Values
 # modbus_mask_write_register.log
 # https://github.com/cisagov/ICSNPP
-zeek.modbus_mask_write_register.and_mask=db:zeek.modbus_mask_write_register.and_mask;group:zeek_modbus;kind:integer;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
-zeek.modbus_mask_write_register.or_mask=db:zeek.modbus_mask_write_register.or_mask;group:zeek_modbus;kind:integer;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
+zeek.modbus_mask_write_register.and_mask=db:zeek.modbus_mask_write_register.and_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
+zeek.modbus_mask_write_register.or_mask=db:zeek.modbus_mask_write_register.or_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
 # modbus_read_write_multiple_registers.log
 # https://github.com/cisagov/ICSNPP
-zeek.modbus_read_write_multiple_registers.write_start_address=db:zeek.modbus_read_write_multiple_registers.write_start_address;group:zeek_modbus;kind:integer;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to
-zeek.modbus_read_write_multiple_registers.write_registers=db:zeek.modbus_read_write_multiple_registers.write_registers;group:zeek_modbus;kind:termfield;friendly:Register values written;help:Register values written
-zeek.modbus_read_write_multiple_registers.read_start_address=db:zeek.modbus_read_write_multiple_registers.read_start_address;group:zeek_modbus;kind:integer;friendly:Starting address of the registers to read;help:Starting address of the registers to read
-zeek.modbus_read_write_multiple_registers.read_quantity=db:zeek.modbus_read_write_multiple_registers.read_quantity;group:zeek_modbus;kind:integer;friendly:Number of registers to read;help:Number of registers to read
-zeek.modbus_read_write_multiple_registers.read_registers=db:zeek.modbus_read_write_multiple_registers.read_registers;group:zeek_modbus;kind:termfield;friendly:Register values read;help:Register values read
+zeek.modbus_read_write_multiple_registers.write_start_address=db:zeek.modbus_read_write_multiple_registers.write_start_address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to
+zeek.modbus_read_write_multiple_registers.write_registers=db:zeek.modbus_read_write_multiple_registers.write_registers;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Register values written;help:Register values written
+zeek.modbus_read_write_multiple_registers.read_start_address=db:zeek.modbus_read_write_multiple_registers.read_start_address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting address of the registers to read;help:Starting address of the registers to read
+zeek.modbus_read_write_multiple_registers.read_quantity=db:zeek.modbus_read_write_multiple_registers.read_quantity;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Number of registers to read;help:Number of registers to read
+zeek.modbus_read_write_multiple_registers.read_registers=db:zeek.modbus_read_write_multiple_registers.read_registers;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Register values read;help:Register values read
 # mqtt_connect.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo
-zeek.mqtt_connect.proto_name=db:zeek.mqtt_connect.proto_name;group:zeek_mqtt;kind:termfield;friendly:MQTT Protocol;help:MQTT Protocol
-zeek.mqtt_connect.proto_version=db:zeek.mqtt_connect.proto_version;group:zeek_mqtt;kind:termfield;friendly:Protocol Version;help:Protocol Version
-zeek.mqtt_connect.client_id=db:zeek.mqtt_connect.client_id;group:zeek_mqtt;kind:termfield;friendly:Client ID;help:Client ID
-zeek.mqtt_connect.connect_status=db:zeek.mqtt_connect.connect_status;group:zeek_mqtt;kind:termfield;friendly:Connect Status;help:Connect Status
-zeek.mqtt_connect.will_topic=db:zeek.mqtt_connect.will_topic;group:zeek_mqtt;kind:termfield;friendly:LWT Topic;help:Last Will and Testament Topic
-zeek.mqtt_connect.will_payload=db:zeek.mqtt_connect.will_payload;group:zeek_mqtt;kind:termfield;friendly:LWT Payload;help:Last Will and Testament Payload
+zeek.mqtt_connect.proto_name=db:zeek.mqtt_connect.proto_name;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:MQTT Protocol;help:MQTT Protocol
+zeek.mqtt_connect.proto_version=db:zeek.mqtt_connect.proto_version;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Protocol Version;help:Protocol Version
+zeek.mqtt_connect.client_id=db:zeek.mqtt_connect.client_id;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Client ID;help:Client ID
+zeek.mqtt_connect.connect_status=db:zeek.mqtt_connect.connect_status;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Connect Status;help:Connect Status
+zeek.mqtt_connect.will_topic=db:zeek.mqtt_connect.will_topic;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:LWT Topic;help:Last Will and Testament Topic
+zeek.mqtt_connect.will_payload=db:zeek.mqtt_connect.will_payload;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:LWT Payload;help:Last Will and Testament Payload
 # mqtt_publish.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo
-zeek.mqtt_publish.from_client=db:zeek.mqtt_publish.from_client;group:zeek_mqtt;kind:termfield;friendly:From Client;help:From Client
-zeek.mqtt_publish.retain=db:zeek.mqtt_publish.retain;group:zeek_mqtt;kind:termfield;friendly:Retain Flag;help:Retain Flag
-zeek.mqtt_publish.qos=db:zeek.mqtt_publish.qos;group:zeek_mqtt;kind:termfield;friendly:QoS Level;help:QoS Level
-zeek.mqtt_publish.status=db:zeek.mqtt_publish.status;group:zeek_mqtt;kind:termfield;friendly:Message Status;help:Message Status
-zeek.mqtt_publish.topic=db:zeek.mqtt_publish.topic;group:zeek_mqtt;kind:termfield;friendly:Topic;help:Topic
-zeek.mqtt_publish.payload=db:zeek.mqtt_publish.payload;group:zeek_mqtt;kind:termfield;friendly:Payload;help:Payload
-zeek.mqtt_publish.payload_len=db:zeek.mqtt_publish.payload_len;group:zeek_mqtt;kind:integer;friendly:Payload Length;help:Payload Length
-zeek.mqtt_publish.payload_dict.messageType=db:zeek.mqtt_publish.payload_dict.messageType;group:zeek_mqtt;kind:termfield;friendly:Message Type;help:Message Type
+zeek.mqtt_publish.from_client=db:zeek.mqtt_publish.from_client;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:From Client;help:From Client
+zeek.mqtt_publish.retain=db:zeek.mqtt_publish.retain;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Retain Flag;help:Retain Flag
+zeek.mqtt_publish.qos=db:zeek.mqtt_publish.qos;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:QoS Level;help:QoS Level
+zeek.mqtt_publish.status=db:zeek.mqtt_publish.status;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Message Status;help:Message Status
+zeek.mqtt_publish.topic=db:zeek.mqtt_publish.topic;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Topic;help:Topic
+zeek.mqtt_publish.payload=db:zeek.mqtt_publish.payload;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Payload;help:Payload
+zeek.mqtt_publish.payload_len=db:zeek.mqtt_publish.payload_len;group:zeek_mqtt;kind:integer;viewerOnly:true;friendly:Payload Length;help:Payload Length
+zeek.mqtt_publish.payload_dict.messageType=db:zeek.mqtt_publish.payload_dict.messageType;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Message Type;help:Message Type
 # mqtt_subscribe.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo
-zeek.mqtt_subscribe.action=db:zeek.mqtt_subscribe.action;group:zeek_mqtt;kind:termfield;friendly:Action;help:Action
-zeek.mqtt_subscribe.topics=db:zeek.mqtt_subscribe.topics;group:zeek_mqtt;kind:termfield;friendly:Topic;help:Topic
-zeek.mqtt_subscribe.qos_levels=db:zeek.mqtt_subscribe.qos_levels;group:zeek_mqtt;kind:integer;friendly:QoS Level Requested;help:QoS Level Requested
-zeek.mqtt_subscribe.granted_qos_level=db:zeek.mqtt_subscribe.granted_qos_level;group:zeek_mqtt;kind:integer;friendly:QoS Level Granted;help:QoS Level Granted
-zeek.mqtt_subscribe.ack=db:zeek.mqtt_subscribe.ack;group:zeek_mqtt;kind:termfield;friendly:ACKed;help:ACKed
+zeek.mqtt_subscribe.action=db:zeek.mqtt_subscribe.action;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Action;help:Action
+zeek.mqtt_subscribe.topics=db:zeek.mqtt_subscribe.topics;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Topic;help:Topic
+zeek.mqtt_subscribe.qos_levels=db:zeek.mqtt_subscribe.qos_levels;group:zeek_mqtt;kind:integer;viewerOnly:true;friendly:QoS Level Requested;help:QoS Level Requested
+zeek.mqtt_subscribe.granted_qos_level=db:zeek.mqtt_subscribe.granted_qos_level;group:zeek_mqtt;kind:integer;viewerOnly:true;friendly:QoS Level Granted;help:QoS Level Granted
+zeek.mqtt_subscribe.ack=db:zeek.mqtt_subscribe.ack;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:ACKed;help:ACKed
 # mysql.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info
-zeek.mysql.cmd=db:zeek.mysql.cmd;group:zeek_mysql;kind:termfield;friendly:Command;help:Command
-zeek.mysql.arg=db:zeek.mysql.arg;group:zeek_mysql;kind:termfield;friendly:Argument;help:Argument
-zeek.mysql.success=db:zeek.mysql.success;group:zeek_mysql;kind:termfield;friendly:Success;help:Success
-zeek.mysql.rows=db:zeek.mysql.rows;group:zeek_mysql;kind:integer;friendly:Rows Affected;help:Rows Affected
-zeek.mysql.response=db:zeek.mysql.response;group:zeek_mysql;kind:termfield;friendly:Response;help:Response
+zeek.mysql.cmd=db:zeek.mysql.cmd;group:zeek_mysql;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.mysql.arg=db:zeek.mysql.arg;group:zeek_mysql;kind:termfield;viewerOnly:true;friendly:Argument;help:Argument
+zeek.mysql.success=db:zeek.mysql.success;group:zeek_mysql;kind:termfield;viewerOnly:true;friendly:Success;help:Success
+zeek.mysql.rows=db:zeek.mysql.rows;group:zeek_mysql;kind:integer;viewerOnly:true;friendly:Rows Affected;help:Rows Affected
+zeek.mysql.response=db:zeek.mysql.response;group:zeek_mysql;kind:termfield;viewerOnly:true;friendly:Response;help:Response
 # notice.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info
-zeek.notice.file_mime_type=db:zeek.notice.file_mime_type;group:zeek_notice;kind:termfield;friendly:File Magic;help:File Magic
-zeek.notice.file_desc=db:zeek.notice.file_desc;group:zeek_notice;kind:termfield;friendly:File Description;help:File Description
-zeek.notice.note=db:zeek.notice.note;group:zeek_notice;kind:termfield;friendly:Notice Type;help:Notice Type
-zeek.notice.msg=db:zeek.notice.msg;group:zeek_notice;kind:termfield;friendly:Message;help:Message
-zeek.notice.sub=db:zeek.notice.sub;group:zeek_notice;kind:termfield;friendly:Submessage;help:Submessage
-zeek.notice.src=db:zeek.notice.src;group:zeek_notice;kind:termfield;friendly:Notice Source;help:Notice Source
-zeek.notice.dst=db:zeek.notice.dst;group:zeek_notice;kind:termfield;friendly:Notice Destination;help:Notice Destination
-zeek.notice.p=db:zeek.notice.p;group:zeek_notice;kind:integer;friendly:Notice Port;help:Notice Port
-zeek.notice.n=db:zeek.notice.n;group:zeek_notice;kind:integer;friendly:Notice Count or Code;help:Notice Count or Code
-zeek.notice.peer_descr=db:zeek.notice.peer_descr;group:zeek_notice;kind:termfield;friendly:Remote Peer;help:Remote Peer
-zeek.notice.actions=db:zeek.notice.actions;group:zeek_notice;kind:termfield;friendly:Action;help:Action
-zeek.notice.suppress_for=db:zeek.notice.suppress_for;group:zeek_notice;kind:termfield;friendly:Suppress Interval;help:Suppress Interval
-zeek.notice.dropped=db:zeek.notice.dropped;group:zeek_notice;kind:termfield;friendly:Dropped;help:Dropped
-zeek.notice.remote_location_country_code=db:zeek.notice.remote_location_country_code;group:zeek_notice;kind:termfield;friendly:Notice Country Code;help:Notice Country Code
-zeek.notice.remote_location_region=db:zeek.notice.remote_location_region;group:zeek_notice;kind:termfield;friendly:Notice Region;help:Notice Region
-zeek.notice.remote_location_city=db:zeek.notice.remote_location_city;group:zeek_notice;kind:termfield;friendly:Notice City;help:Notice City
-zeek.notice.remote_location_latitude=db:zeek.notice.remote_location_latitude;group:zeek_notice;kind:termfield;friendly:Notice Latitude;help:Notice Latitude
-zeek.notice.remote_location_longitude=db:zeek.notice.remote_location_longitude;group:zeek_notice;kind:termfield;friendly:Notice Longitude;help:Notice Longitude
+zeek.notice.file_mime_type=db:zeek.notice.file_mime_type;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic
+zeek.notice.file_desc=db:zeek.notice.file_desc;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:File Description;help:File Description
+zeek.notice.note=db:zeek.notice.note;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Type;help:Notice Type
+zeek.notice.msg=db:zeek.notice.msg;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Message;help:Message
+zeek.notice.sub=db:zeek.notice.sub;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Submessage;help:Submessage
+zeek.notice.src=db:zeek.notice.src;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Source;help:Notice Source
+zeek.notice.dst=db:zeek.notice.dst;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Destination;help:Notice Destination
+zeek.notice.p=db:zeek.notice.p;group:zeek_notice;kind:integer;viewerOnly:true;friendly:Notice Port;help:Notice Port
+zeek.notice.n=db:zeek.notice.n;group:zeek_notice;kind:integer;viewerOnly:true;friendly:Notice Count or Code;help:Notice Count or Code
+zeek.notice.peer_descr=db:zeek.notice.peer_descr;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Remote Peer;help:Remote Peer
+zeek.notice.actions=db:zeek.notice.actions;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Action;help:Action
+zeek.notice.suppress_for=db:zeek.notice.suppress_for;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Suppress Interval;help:Suppress Interval
+zeek.notice.dropped=db:zeek.notice.dropped;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Dropped;help:Dropped
+zeek.notice.remote_location_country_code=db:zeek.notice.remote_location_country_code;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Country Code;help:Notice Country Code
+zeek.notice.remote_location_region=db:zeek.notice.remote_location_region;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Region;help:Notice Region
+zeek.notice.remote_location_city=db:zeek.notice.remote_location_city;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice City;help:Notice City
+zeek.notice.remote_location_latitude=db:zeek.notice.remote_location_latitude;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Latitude;help:Notice Latitude
+zeek.notice.remote_location_longitude=db:zeek.notice.remote_location_longitude;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Longitude;help:Notice Longitude
 # ntlm.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info
-zeek.ntlm.host=db:zeek.ntlm.host;group:zeek_ntlm;kind:termfield;friendly:Client Hostname;help:Client Hostname
-zeek.ntlm.domain=db:zeek.ntlm.domain;group:zeek_ntlm;kind:termfield;friendly:Client Domain Name;help:Client Domain Name
-zeek.ntlm.success=db:zeek.ntlm.success;group:zeek_ntlm;kind:termfield;friendly:Authentication Success;help:Authentication Success
-zeek.ntlm.status=db:zeek.ntlm.status;group:zeek_ntlm;kind:termfield;friendly:Status;help:Status
-zeek.ntlm.server_nb_computer=db:zeek.ntlm.server_nb_computer;group:zeek_ntlm;kind:termfield;friendly:Server CHALLENGE NetBIOS;help:Server CHALLENGE NetBIOS
-zeek.ntlm.server_dns_computer=db:zeek.ntlm.server_dns_computer;group:zeek_ntlm;kind:termfield;friendly:Server CHALLENGE DNS;help:Server CHALLENGE DNS
-zeek.ntlm.server_tree=db:zeek.ntlm.server_tree;group:zeek_ntlm;kind:termfield;friendly:Server CHALLENGE Tree;help:Server CHALLENGE Tree
+zeek.ntlm.host=db:zeek.ntlm.host;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Client Hostname;help:Client Hostname
+zeek.ntlm.domain=db:zeek.ntlm.domain;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Client Domain Name;help:Client Domain Name
+zeek.ntlm.success=db:zeek.ntlm.success;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Authentication Success;help:Authentication Success
+zeek.ntlm.status=db:zeek.ntlm.status;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Status;help:Status
+zeek.ntlm.server_nb_computer=db:zeek.ntlm.server_nb_computer;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Server CHALLENGE NetBIOS;help:Server CHALLENGE NetBIOS
+zeek.ntlm.server_dns_computer=db:zeek.ntlm.server_dns_computer;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Server CHALLENGE DNS;help:Server CHALLENGE DNS
+zeek.ntlm.server_tree=db:zeek.ntlm.server_tree;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Server CHALLENGE Tree;help:Server CHALLENGE Tree
 # ntp.log
 # https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info
-zeek.ntp.version=db:zeek.ntp.version;group:zeek_ntp;kind:integer;friendly:NTP Version;help:NTP Version
-zeek.ntp.mode=db:zeek.ntp.mode;group:zeek_ntp;kind:termfield;friendly:NTP Mode Code;help:NTP Mode Code
-zeek.ntp.mode_str=db:zeek.ntp.mode_str;group:zeek_ntp;kind:termfield;friendly:NTP Mode;help:NTP Mode
-zeek.ntp.stratum=db:zeek.ntp.stratum;group:zeek_ntp;kind:termfield;friendly:Stratum;help:Stratum
-zeek.ntp.poll=db:zeek.ntp.poll;group:zeek_ntp;kind:termfield;friendly:Poll Interval;help:Poll Interval
-zeek.ntp.precision=db:zeek.ntp.precision;group:zeek_ntp;kind:termfield;friendly:Clock Precision;help:Clock Precision
-zeek.ntp.root_delay=db:zeek.ntp.root_delay;group:zeek_ntp;kind:termfield;friendly:Synchronizing Distance;help:Synchronizing Distance
-zeek.ntp.root_disp=db:zeek.ntp.root_disp;group:zeek_ntp;kind:termfield;friendly:Estimated Drift Rate;help:Estimated Drift Rate
-zeek.ntp.ref_id=db:zeek.ntp.ref_id;group:zeek_ntp;kind:termfield;friendly:Reference Clock Identifier;help:Reference Clock Identifier
-zeek.ntp.ref_time=db:zeek.ntp.ref_time;group:zeek_ntp;kind:termfield;friendly:Reference Timestamp;help:Reference Timestamp
-zeek.ntp.org_time=db:zeek.ntp.org_time;group:zeek_ntp;kind:termfield;friendly:Originate Timestamp;help:Originate Timestamp
-zeek.ntp.rec_time=db:zeek.ntp.rec_time;group:zeek_ntp;kind:termfield;friendly:Receive Timestamp;help:Receive Timestamp
-zeek.ntp.xmt_time=db:zeek.ntp.xmt_time;group:zeek_ntp;kind:termfield;friendly:Transmit Timestamp;help:Transmit Timestamp
-zeek.ntp.num_exts=db:zeek.ntp.num_exts;group:zeek_ntp;kind:integer;friendly:Extension Fields;help:Extension Fields
+zeek.ntp.version=db:zeek.ntp.version;group:zeek_ntp;kind:integer;viewerOnly:true;friendly:NTP Version;help:NTP Version
+zeek.ntp.mode=db:zeek.ntp.mode;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:NTP Mode Code;help:NTP Mode Code
+zeek.ntp.mode_str=db:zeek.ntp.mode_str;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:NTP Mode;help:NTP Mode
+zeek.ntp.stratum=db:zeek.ntp.stratum;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Stratum;help:Stratum
+zeek.ntp.poll=db:zeek.ntp.poll;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Poll Interval;help:Poll Interval
+zeek.ntp.precision=db:zeek.ntp.precision;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Clock Precision;help:Clock Precision
+zeek.ntp.root_delay=db:zeek.ntp.root_delay;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Synchronizing Distance;help:Synchronizing Distance
+zeek.ntp.root_disp=db:zeek.ntp.root_disp;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Estimated Drift Rate;help:Estimated Drift Rate
+zeek.ntp.ref_id=db:zeek.ntp.ref_id;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Reference Clock Identifier;help:Reference Clock Identifier
+zeek.ntp.ref_time=db:zeek.ntp.ref_time;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Reference Timestamp;help:Reference Timestamp
+zeek.ntp.org_time=db:zeek.ntp.org_time;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Originate Timestamp;help:Originate Timestamp
+zeek.ntp.rec_time=db:zeek.ntp.rec_time;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Receive Timestamp;help:Receive Timestamp
+zeek.ntp.xmt_time=db:zeek.ntp.xmt_time;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Transmit Timestamp;help:Transmit Timestamp
+zeek.ntp.num_exts=db:zeek.ntp.num_exts;group:zeek_ntp;kind:integer;viewerOnly:true;friendly:Extension Fields;help:Extension Fields
 # opcua_binary_activate_session.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_activate_session.client_algorithm=db:zeek.opcua_binary_activate_session.client_algorithm;group:zeek_opcua;kind:termfield;friendly:client_algorithm;help:client_algorithm
-zeek.opcua_binary_activate_session.client_signature=db:zeek.opcua_binary_activate_session.client_signature;group:zeek_opcua;kind:termfield;friendly:client_signature;help:client_signature
-zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask=db:zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_encoding_mask;help:ext_obj_type_id_encoding_mask
-zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx=db:zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_namespace_idx;help:ext_obj_type_id_namespace_idx
-zeek.opcua_binary_activate_session.ext_obj_type_id_numeric=db:zeek.opcua_binary_activate_session.ext_obj_type_id_numeric;group:zeek_opcua;kind:integer;friendly:ext_obj_type_id_numeric;help:ext_obj_type_id_numeric
-zeek.opcua_binary_activate_session.ext_obj_type_id_string=db:zeek.opcua_binary_activate_session.ext_obj_type_id_string;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_string;help:ext_obj_type_id_string
-zeek.opcua_binary_activate_session.ext_obj_type_id_guid=db:zeek.opcua_binary_activate_session.ext_obj_type_id_guid;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_guid;help:ext_obj_type_id_guid
-zeek.opcua_binary_activate_session.ext_obj_type_id_opaque=db:zeek.opcua_binary_activate_session.ext_obj_type_id_opaque;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_opaque;help:ext_obj_type_id_opaque
-zeek.opcua_binary_activate_session.ext_obj_type_id_str=db:zeek.opcua_binary_activate_session.ext_obj_type_id_str;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_str;help:ext_obj_type_id_str
-zeek.opcua_binary_activate_session.ext_obj_encoding=db:zeek.opcua_binary_activate_session.ext_obj_encoding;group:zeek_opcua;kind:termfield;friendly:ext_obj_encoding;help:ext_obj_encoding
-zeek.opcua_binary_activate_session.ext_obj_policy_id=db:zeek.opcua_binary_activate_session.ext_obj_policy_id;group:zeek_opcua;kind:termfield;friendly:ext_obj_policy_id;help:ext_obj_policy_id
-zeek.opcua_binary_activate_session.ext_obj_user_name=db:zeek.opcua_binary_activate_session.ext_obj_user_name;group:zeek_opcua;kind:termfield;friendly:ext_obj_user_name;help:ext_obj_user_name
-zeek.opcua_binary_activate_session.ext_obj_password=db:zeek.opcua_binary_activate_session.ext_obj_password;group:zeek_opcua;kind:termfield;friendly:ext_obj_password;help:ext_obj_password -zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom=db:zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom;group:zeek_opcua;kind:termfield;friendly:ext_obj_encryption_algorithom;help:ext_obj_encryption_algorithom -zeek.opcua_binary_activate_session.ext_obj_certificate_data=db:zeek.opcua_binary_activate_session.ext_obj_certificate_data;group:zeek_opcua;kind:termfield;friendly:ext_obj_certificate_data;help:ext_obj_certificate_data -zeek.opcua_binary_activate_session.ext_obj_token_data=db:zeek.opcua_binary_activate_session.ext_obj_token_data;group:zeek_opcua;kind:termfield;friendly:ext_obj_token_data;help:ext_obj_token_data -zeek.opcua_binary_activate_session.user_token_algorithm=db:zeek.opcua_binary_activate_session.user_token_algorithm;group:zeek_opcua;kind:termfield;friendly:user_token_algorithm;help:user_token_algorithm -zeek.opcua_binary_activate_session.user_token_signature=db:zeek.opcua_binary_activate_session.user_token_signature;group:zeek_opcua;kind:termfield;friendly:user_token_signature;help:user_token_signature -zeek.opcua_binary_activate_session.server_nonce=db:zeek.opcua_binary_activate_session.server_nonce;group:zeek_opcua;kind:termfield;friendly:server_nonce;help:server_nonce +zeek.opcua_binary_activate_session.client_algorithm=db:zeek.opcua_binary_activate_session.client_algorithm;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_algorithm;help:client_algorithm +zeek.opcua_binary_activate_session.client_signature=db:zeek.opcua_binary_activate_session.client_signature;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_signature;help:client_signature 
+zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask=db:zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_encoding_mask;help:ext_obj_type_id_encoding_mask +zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx=db:zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_namespace_idx;help:ext_obj_type_id_namespace_idx +zeek.opcua_binary_activate_session.ext_obj_type_id_numeric=db:zeek.opcua_binary_activate_session.ext_obj_type_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:ext_obj_type_id_numeric;help:ext_obj_type_id_numeric +zeek.opcua_binary_activate_session.ext_obj_type_id_string=db:zeek.opcua_binary_activate_session.ext_obj_type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_string;help:ext_obj_type_id_string +zeek.opcua_binary_activate_session.ext_obj_type_id_guid=db:zeek.opcua_binary_activate_session.ext_obj_type_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_guid;help:ext_obj_type_id_guid +zeek.opcua_binary_activate_session.ext_obj_type_id_opaque=db:zeek.opcua_binary_activate_session.ext_obj_type_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_opaque;help:ext_obj_type_id_opaque +zeek.opcua_binary_activate_session.ext_obj_type_id_str=db:zeek.opcua_binary_activate_session.ext_obj_type_id_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_str;help:ext_obj_type_id_str +zeek.opcua_binary_activate_session.ext_obj_encoding=db:zeek.opcua_binary_activate_session.ext_obj_encoding;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_encoding;help:ext_obj_encoding 
+zeek.opcua_binary_activate_session.ext_obj_policy_id=db:zeek.opcua_binary_activate_session.ext_obj_policy_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_policy_id;help:ext_obj_policy_id +zeek.opcua_binary_activate_session.ext_obj_user_name=db:zeek.opcua_binary_activate_session.ext_obj_user_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_user_name;help:ext_obj_user_name +zeek.opcua_binary_activate_session.ext_obj_password=db:zeek.opcua_binary_activate_session.ext_obj_password;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_password;help:ext_obj_password +zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom=db:zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_encryption_algorithom;help:ext_obj_encryption_algorithom +zeek.opcua_binary_activate_session.ext_obj_certificate_data=db:zeek.opcua_binary_activate_session.ext_obj_certificate_data;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_certificate_data;help:ext_obj_certificate_data +zeek.opcua_binary_activate_session.ext_obj_token_data=db:zeek.opcua_binary_activate_session.ext_obj_token_data;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_token_data;help:ext_obj_token_data +zeek.opcua_binary_activate_session.user_token_algorithm=db:zeek.opcua_binary_activate_session.user_token_algorithm;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_algorithm;help:user_token_algorithm +zeek.opcua_binary_activate_session.user_token_signature=db:zeek.opcua_binary_activate_session.user_token_signature;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_signature;help:user_token_signature +zeek.opcua_binary_activate_session.server_nonce=db:zeek.opcua_binary_activate_session.server_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_nonce;help:server_nonce # 
opcua_binary_activate_session_client_software_cert.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_link_id=db:zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_link_id;group:zeek_opcua;kind:termfield;friendly:client_software_cert_link_id;help:client_software_cert_link_id -zeek.opcua_binary_activate_session_client_software_cert.cert_data=db:zeek.opcua_binary_activate_session_client_software_cert.cert_data;group:zeek_opcua;kind:termfield;friendly:cert_data;help:cert_data -zeek.opcua_binary_activate_session_client_software_cert.cert_signature=db:zeek.opcua_binary_activate_session_client_software_cert.cert_signature;group:zeek_opcua;kind:termfield;friendly:cert_signature;help:cert_signature +zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_link_id=db:zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_software_cert_link_id;help:client_software_cert_link_id +zeek.opcua_binary_activate_session_client_software_cert.cert_data=db:zeek.opcua_binary_activate_session_client_software_cert.cert_data;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:cert_data;help:cert_data +zeek.opcua_binary_activate_session_client_software_cert.cert_signature=db:zeek.opcua_binary_activate_session_client_software_cert.cert_signature;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:cert_signature;help:cert_signature # opcua_binary_activate_session_locale_id.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_activate_session_locale_id.opcua_locale_link_id=db:zeek.opcua_binary_activate_session_locale_id.opcua_locale_link_id;group:zeek_opcua;kind:termfield;friendly:opcua_locale_link_id;help:opcua_locale_link_id 
-zeek.opcua_binary_activate_session_locale_id.local_id=db:zeek.opcua_binary_activate_session_locale_id.local_id;group:zeek_opcua;kind:termfield;friendly:local_id;help:local_id +zeek.opcua_binary_activate_session_locale_id.opcua_locale_link_id=db:zeek.opcua_binary_activate_session_locale_id.opcua_locale_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:opcua_locale_link_id;help:opcua_locale_link_id +zeek.opcua_binary_activate_session_locale_id.local_id=db:zeek.opcua_binary_activate_session_locale_id.local_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:local_id;help:local_id # opcua_binary_aggregate_filter.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_aggregate_filter.start_time=db:zeek.opcua_binary_aggregate_filter.start_time;group:zeek_opcua;kind:termfield;friendly:start_time;help:start_time -zeek.opcua_binary_aggregate_filter.start_time_str=db:zeek.opcua_binary_aggregate_filter.start_time_str;group:zeek_opcua;kind:termfield;friendly:start_time_str;help:start_time_str -zeek.opcua_binary_aggregate_filter.aggregate_type_encoding_mask=db:zeek.opcua_binary_aggregate_filter.aggregate_type_encoding_mask;group:zeek_opcua;kind:termfield;friendly:aggregate_type_encoding_mask;help:aggregate_type_encoding_mask -zeek.opcua_binary_aggregate_filter.aggregate_type_namespace_idx=db:zeek.opcua_binary_aggregate_filter.aggregate_type_namespace_idx;group:zeek_opcua;kind:termfield;friendly:aggregate_type_namespace_idx;help:aggregate_type_namespace_idx -zeek.opcua_binary_aggregate_filter.aggregate_type_numeric=db:zeek.opcua_binary_aggregate_filter.aggregate_type_numeric;group:zeek_opcua;kind:integer;friendly:aggregate_type_numeric;help:aggregate_type_numeric -zeek.opcua_binary_aggregate_filter.aggregate_type_string=db:zeek.opcua_binary_aggregate_filter.aggregate_type_string;group:zeek_opcua;kind:termfield;friendly:aggregate_type_string;help:aggregate_type_string 
-zeek.opcua_binary_aggregate_filter.aggregate_type_guid=db:zeek.opcua_binary_aggregate_filter.aggregate_type_guid;group:zeek_opcua;kind:termfield;friendly:aggregate_type_guid;help:aggregate_type_guid -zeek.opcua_binary_aggregate_filter.aggregate_type_opaque=db:zeek.opcua_binary_aggregate_filter.aggregate_type_opaque;group:zeek_opcua;kind:termfield;friendly:aggregate_type_opaque;help:aggregate_type_opaque -zeek.opcua_binary_aggregate_filter.processing_interval=db:zeek.opcua_binary_aggregate_filter.processing_interval;group:zeek_opcua;kind:termfield;friendly:processing_interval;help:processing_interval -zeek.opcua_binary_aggregate_filter.use_server_capabilities_default=db:zeek.opcua_binary_aggregate_filter.use_server_capabilities_default;group:zeek_opcua;kind:termfield;friendly:use_server_capabilities_default;help:use_server_capabilities_default -zeek.opcua_binary_aggregate_filter.treat_uncertain_as_bad=db:zeek.opcua_binary_aggregate_filter.treat_uncertain_as_bad;group:zeek_opcua;kind:termfield;friendly:treat_uncertain_as_bad;help:treat_uncertain_as_bad -zeek.opcua_binary_aggregate_filter.percent_data_good=db:zeek.opcua_binary_aggregate_filter.percent_data_good;group:zeek_opcua;kind:integer;friendly:percent_data_good;help:percent_data_good -zeek.opcua_binary_aggregate_filter.percent_data_bad=db:zeek.opcua_binary_aggregate_filter.percent_data_bad;group:zeek_opcua;kind:integer;friendly:percent_data_bad;help:percent_data_bad -zeek.opcua_binary_aggregate_filter.use_slopped_extrapolation=db:zeek.opcua_binary_aggregate_filter.use_slopped_extrapolation;group:zeek_opcua;kind:termfield;friendly:use_slopped_extrapolation;help:use_slopped_extrapolation -zeek.opcua_binary_aggregate_filter.revised_start_time=db:zeek.opcua_binary_aggregate_filter.revised_start_time;group:zeek_opcua;kind:termfield;friendly:revised_start_time;help:revised_start_time 
-zeek.opcua_binary_aggregate_filter.revised_start_time_str=db:zeek.opcua_binary_aggregate_filter.revised_start_time_str;group:zeek_opcua;kind:termfield;friendly:revised_start_time_str;help:revised_start_time_str -zeek.opcua_binary_aggregate_filter.revised_processing_interval=db:zeek.opcua_binary_aggregate_filter.revised_processing_interval;group:zeek_opcua;kind:termfield;friendly:revised_processing_interval;help:revised_processing_interval -zeek.opcua_binary_aggregate_filter.revised_use_server_capabilities_default=db:zeek.opcua_binary_aggregate_filter.revised_use_server_capabilities_default;group:zeek_opcua;kind:termfield;friendly:revised_use_server_capabilities_default;help:revised_use_server_capabilities_default -zeek.opcua_binary_aggregate_filter.revised_treat_uncertain_as_bad=db:zeek.opcua_binary_aggregate_filter.revised_treat_uncertain_as_bad;group:zeek_opcua;kind:termfield;friendly:revised_treat_uncertain_as_bad;help:revised_treat_uncertain_as_bad -zeek.opcua_binary_aggregate_filter.revised_percent_data_good=db:zeek.opcua_binary_aggregate_filter.revised_percent_data_good;group:zeek_opcua;kind:integer;friendly:revised_percent_data_good;help:revised_percent_data_good -zeek.opcua_binary_aggregate_filter.revised_percent_data_bad=db:zeek.opcua_binary_aggregate_filter.revised_percent_data_bad;group:zeek_opcua;kind:integer;friendly:revised_percent_data_bad;help:revised_percent_data_bad -zeek.opcua_binary_aggregate_filter.revised_use_slopped_extrapolation=db:zeek.opcua_binary_aggregate_filter.revised_use_slopped_extrapolation;group:zeek_opcua;kind:termfield;friendly:revised_use_slopped_extrapolation;help:revised_use_slopped_extrapolation +zeek.opcua_binary_aggregate_filter.start_time=db:zeek.opcua_binary_aggregate_filter.start_time;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:start_time;help:start_time 
+zeek.opcua_binary_aggregate_filter.start_time_str=db:zeek.opcua_binary_aggregate_filter.start_time_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:start_time_str;help:start_time_str +zeek.opcua_binary_aggregate_filter.aggregate_type_encoding_mask=db:zeek.opcua_binary_aggregate_filter.aggregate_type_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_encoding_mask;help:aggregate_type_encoding_mask +zeek.opcua_binary_aggregate_filter.aggregate_type_namespace_idx=db:zeek.opcua_binary_aggregate_filter.aggregate_type_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_namespace_idx;help:aggregate_type_namespace_idx +zeek.opcua_binary_aggregate_filter.aggregate_type_numeric=db:zeek.opcua_binary_aggregate_filter.aggregate_type_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:aggregate_type_numeric;help:aggregate_type_numeric +zeek.opcua_binary_aggregate_filter.aggregate_type_string=db:zeek.opcua_binary_aggregate_filter.aggregate_type_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_string;help:aggregate_type_string +zeek.opcua_binary_aggregate_filter.aggregate_type_guid=db:zeek.opcua_binary_aggregate_filter.aggregate_type_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_guid;help:aggregate_type_guid +zeek.opcua_binary_aggregate_filter.aggregate_type_opaque=db:zeek.opcua_binary_aggregate_filter.aggregate_type_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_opaque;help:aggregate_type_opaque +zeek.opcua_binary_aggregate_filter.processing_interval=db:zeek.opcua_binary_aggregate_filter.processing_interval;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:processing_interval;help:processing_interval 
+zeek.opcua_binary_aggregate_filter.use_server_capabilities_default=db:zeek.opcua_binary_aggregate_filter.use_server_capabilities_default;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:use_server_capabilities_default;help:use_server_capabilities_default +zeek.opcua_binary_aggregate_filter.treat_uncertain_as_bad=db:zeek.opcua_binary_aggregate_filter.treat_uncertain_as_bad;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:treat_uncertain_as_bad;help:treat_uncertain_as_bad +zeek.opcua_binary_aggregate_filter.percent_data_good=db:zeek.opcua_binary_aggregate_filter.percent_data_good;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:percent_data_good;help:percent_data_good +zeek.opcua_binary_aggregate_filter.percent_data_bad=db:zeek.opcua_binary_aggregate_filter.percent_data_bad;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:percent_data_bad;help:percent_data_bad +zeek.opcua_binary_aggregate_filter.use_slopped_extrapolation=db:zeek.opcua_binary_aggregate_filter.use_slopped_extrapolation;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:use_slopped_extrapolation;help:use_slopped_extrapolation +zeek.opcua_binary_aggregate_filter.revised_start_time=db:zeek.opcua_binary_aggregate_filter.revised_start_time;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_start_time;help:revised_start_time +zeek.opcua_binary_aggregate_filter.revised_start_time_str=db:zeek.opcua_binary_aggregate_filter.revised_start_time_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_start_time_str;help:revised_start_time_str +zeek.opcua_binary_aggregate_filter.revised_processing_interval=db:zeek.opcua_binary_aggregate_filter.revised_processing_interval;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_processing_interval;help:revised_processing_interval 
+zeek.opcua_binary_aggregate_filter.revised_use_server_capabilities_default=db:zeek.opcua_binary_aggregate_filter.revised_use_server_capabilities_default;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_use_server_capabilities_default;help:revised_use_server_capabilities_default +zeek.opcua_binary_aggregate_filter.revised_treat_uncertain_as_bad=db:zeek.opcua_binary_aggregate_filter.revised_treat_uncertain_as_bad;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_treat_uncertain_as_bad;help:revised_treat_uncertain_as_bad +zeek.opcua_binary_aggregate_filter.revised_percent_data_good=db:zeek.opcua_binary_aggregate_filter.revised_percent_data_good;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_percent_data_good;help:revised_percent_data_good +zeek.opcua_binary_aggregate_filter.revised_percent_data_bad=db:zeek.opcua_binary_aggregate_filter.revised_percent_data_bad;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_percent_data_bad;help:revised_percent_data_bad +zeek.opcua_binary_aggregate_filter.revised_use_slopped_extrapolation=db:zeek.opcua_binary_aggregate_filter.revised_use_slopped_extrapolation;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_use_slopped_extrapolation;help:revised_use_slopped_extrapolation # opcua_binary_event_filter_attribute_operand.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_event_filter_attribute_operand.node_id_encoding_mask=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:node_id_encoding_mask;help:node_id_encoding_mask -zeek.opcua_binary_event_filter_attribute_operand.node_id_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:node_id_namespace_idx;help:node_id_namespace_idx 
-zeek.opcua_binary_event_filter_attribute_operand.node_id_numeric=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_numeric;group:zeek_opcua;kind:integer;friendly:node_id_numeric;help:node_id_numeric -zeek.opcua_binary_event_filter_attribute_operand.node_id_string=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_string;group:zeek_opcua;kind:termfield;friendly:node_id_string;help:node_id_string -zeek.opcua_binary_event_filter_attribute_operand.node_id_guid=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_guid;group:zeek_opcua;kind:termfield;friendly:node_id_guid;help:node_id_guid -zeek.opcua_binary_event_filter_attribute_operand.node_id_opaque=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_opaque;group:zeek_opcua;kind:termfield;friendly:node_id_opaque;help:node_id_opaque -zeek.opcua_binary_event_filter_attribute_operand.alias=db:zeek.opcua_binary_event_filter_attribute_operand.alias;group:zeek_opcua;kind:termfield;friendly:alias;help:alias -zeek.opcua_binary_event_filter_attribute_operand.attribute=db:zeek.opcua_binary_event_filter_attribute_operand.attribute;group:zeek_opcua;kind:termfield;friendly:attribute;help:attribute -zeek.opcua_binary_event_filter_attribute_operand.index_range=db:zeek.opcua_binary_event_filter_attribute_operand.index_range;group:zeek_opcua;kind:termfield;friendly:index_range;help:index_range +zeek.opcua_binary_event_filter_attribute_operand.node_id_encoding_mask=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_encoding_mask;help:node_id_encoding_mask +zeek.opcua_binary_event_filter_attribute_operand.node_id_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_namespace_idx;help:node_id_namespace_idx 
+zeek.opcua_binary_event_filter_attribute_operand.node_id_numeric=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:node_id_numeric;help:node_id_numeric +zeek.opcua_binary_event_filter_attribute_operand.node_id_string=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_string;help:node_id_string +zeek.opcua_binary_event_filter_attribute_operand.node_id_guid=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_guid;help:node_id_guid +zeek.opcua_binary_event_filter_attribute_operand.node_id_opaque=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_opaque;help:node_id_opaque +zeek.opcua_binary_event_filter_attribute_operand.alias=db:zeek.opcua_binary_event_filter_attribute_operand.alias;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:alias;help:alias +zeek.opcua_binary_event_filter_attribute_operand.attribute=db:zeek.opcua_binary_event_filter_attribute_operand.attribute;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:attribute;help:attribute +zeek.opcua_binary_event_filter_attribute_operand.index_range=db:zeek.opcua_binary_event_filter_attribute_operand.index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:index_range;help:index_range # opcua_binary_event_filter_attribute_operand_browse_paths.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_event_filter_attribute_operand_browse_paths.browse_path_element_link_id=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.browse_path_element_link_id;group:zeek_opcua;kind:termfield;friendly:browse_path_element_link_id;help:browse_path_element_link_id 
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:type_id_encoding_mask;help:type_id_encoding_mask -zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:type_id_namespace_idx;help:type_id_namespace_idx -zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_numeric=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_numeric;group:zeek_opcua;kind:integer;friendly:type_id_numeric;help:type_id_numeric -zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_string=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_string;group:zeek_opcua;kind:termfield;friendly:type_id_string;help:type_id_string -zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_guid=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_guid;group:zeek_opcua;kind:termfield;friendly:type_id_guid;help:type_id_guid -zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_opaque=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_opaque;group:zeek_opcua;kind:termfield;friendly:type_id_opaque;help:type_id_opaque -zeek.opcua_binary_event_filter_attribute_operand_browse_paths.is_inverse=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.is_inverse;group:zeek_opcua;kind:termfield;friendly:is_inverse;help:is_inverse -zeek.opcua_binary_event_filter_attribute_operand_browse_paths.include_subtypes=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.include_subtypes;group:zeek_opcua;kind:termfield;friendly:include_subtypes;help:include_subtypes 
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name_namespace_idx;group:zeek_opcua;kind:termfield;friendly:target_name_namespace_idx;help:target_name_namespace_idx -zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name;group:zeek_opcua;kind:termfield;friendly:target_name;help:target_name +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.browse_path_element_link_id=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.browse_path_element_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_path_element_link_id;help:browse_path_element_link_id +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_encoding_mask;help:type_id_encoding_mask +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_namespace_idx;help:type_id_namespace_idx +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_numeric=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:type_id_numeric;help:type_id_numeric +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_string=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_string;help:type_id_string 
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_guid=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_guid;help:type_id_guid +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_opaque=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_opaque;help:type_id_opaque +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.is_inverse=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.is_inverse;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:is_inverse;help:is_inverse +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.include_subtypes=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.include_subtypes;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:include_subtypes;help:include_subtypes +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:target_name_namespace_idx;help:target_name_namespace_idx +zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:target_name;help:target_name # opcua_binary_browse.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_browse.browse_service_type=db:zeek.opcua_binary_browse.browse_service_type;group:zeek_opcua;kind:termfield;friendly:browse_service_type;help:browse_service_type -zeek.opcua_binary_browse.browse_view_id_encoding_mask=db:zeek.opcua_binary_browse.browse_view_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_view_id_encoding_mask;help:browse_view_id_encoding_mask 
-zeek.opcua_binary_browse.browse_view_id_namespace_idx=db:zeek.opcua_binary_browse.browse_view_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_view_id_namespace_idx;help:browse_view_id_namespace_idx -zeek.opcua_binary_browse.browse_view_id_numeric=db:zeek.opcua_binary_browse.browse_view_id_numeric;group:zeek_opcua;kind:integer;friendly:browse_view_id_numeric;help:browse_view_id_numeric -zeek.opcua_binary_browse.browse_view_id_string=db:zeek.opcua_binary_browse.browse_view_id_string;group:zeek_opcua;kind:termfield;friendly:browse_view_id_string;help:browse_view_id_string -zeek.opcua_binary_browse.browse_view_id_guid=db:zeek.opcua_binary_browse.browse_view_id_guid;group:zeek_opcua;kind:termfield;friendly:browse_view_id_guid;help:browse_view_id_guid -zeek.opcua_binary_browse.browse_view_id_opaque=db:zeek.opcua_binary_browse.browse_view_id_opaque;group:zeek_opcua;kind:termfield;friendly:browse_view_id_opaque;help:browse_view_id_opaque -zeek.opcua_binary_browse.browse_view_description_timestamp=db:zeek.opcua_binary_browse.browse_view_description_timestamp;group:zeek_opcua;kind:termfield;friendly:browse_view_description_timestamp;help:browse_view_description_timestamp -zeek.opcua_binary_browse.browse_view_description_view_version=db:zeek.opcua_binary_browse.browse_view_description_view_version;group:zeek_opcua;kind:integer;friendly:browse_view_description_view_version;help:browse_view_description_view_version -zeek.opcua_binary_browse.req_max_ref_nodes=db:zeek.opcua_binary_browse.req_max_ref_nodes;group:zeek_opcua;kind:integer;friendly:req_max_ref_nodes;help:req_max_ref_nodes -zeek.opcua_binary_browse.browse_next_release_continuation_point=db:zeek.opcua_binary_browse.browse_next_release_continuation_point;group:zeek_opcua;kind:termfield;friendly:browse_next_release_continuation_point;help:browse_next_release_continuation_point 
+zeek.opcua_binary_browse.browse_service_type=db:zeek.opcua_binary_browse.browse_service_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_service_type;help:browse_service_type
+zeek.opcua_binary_browse.browse_view_id_encoding_mask=db:zeek.opcua_binary_browse.browse_view_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_encoding_mask;help:browse_view_id_encoding_mask
+zeek.opcua_binary_browse.browse_view_id_namespace_idx=db:zeek.opcua_binary_browse.browse_view_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_namespace_idx;help:browse_view_id_namespace_idx
+zeek.opcua_binary_browse.browse_view_id_numeric=db:zeek.opcua_binary_browse.browse_view_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_view_id_numeric;help:browse_view_id_numeric
+zeek.opcua_binary_browse.browse_view_id_string=db:zeek.opcua_binary_browse.browse_view_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_string;help:browse_view_id_string
+zeek.opcua_binary_browse.browse_view_id_guid=db:zeek.opcua_binary_browse.browse_view_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_guid;help:browse_view_id_guid
+zeek.opcua_binary_browse.browse_view_id_opaque=db:zeek.opcua_binary_browse.browse_view_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_opaque;help:browse_view_id_opaque
+zeek.opcua_binary_browse.browse_view_description_timestamp=db:zeek.opcua_binary_browse.browse_view_description_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_description_timestamp;help:browse_view_description_timestamp
+zeek.opcua_binary_browse.browse_view_description_view_version=db:zeek.opcua_binary_browse.browse_view_description_view_version;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_view_description_view_version;help:browse_view_description_view_version
+zeek.opcua_binary_browse.req_max_ref_nodes=db:zeek.opcua_binary_browse.req_max_ref_nodes;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_max_ref_nodes;help:req_max_ref_nodes
+zeek.opcua_binary_browse.browse_next_release_continuation_point=db:zeek.opcua_binary_browse.browse_next_release_continuation_point;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_next_release_continuation_point;help:browse_next_release_continuation_point
 # opcua_binary_browse_description.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_browse_description.browse_description_link_id=db:zeek.opcua_binary_browse_description.browse_description_link_id;group:zeek_opcua;kind:termfield;friendly:browse_description_link_id;help:browse_description_link_id
-zeek.opcua_binary_browse_description.browse_description_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_description_encoding_mask;help:browse_description_encoding_mask
-zeek.opcua_binary_browse_description.browse_description_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_description_namespace_idx;help:browse_description_namespace_idx
-zeek.opcua_binary_browse_description.browse_description_numeric=db:zeek.opcua_binary_browse_description.browse_description_numeric;group:zeek_opcua;kind:integer;friendly:browse_description_numeric;help:browse_description_numeric
-zeek.opcua_binary_browse_description.browse_description_string=db:zeek.opcua_binary_browse_description.browse_description_string;group:zeek_opcua;kind:termfield;friendly:browse_description_string;help:browse_description_string
-zeek.opcua_binary_browse_description.browse_description_guid=db:zeek.opcua_binary_browse_description.browse_description_guid;group:zeek_opcua;kind:termfield;friendly:browse_description_guid;help:browse_description_guid
-zeek.opcua_binary_browse_description.browse_description_opaque=db:zeek.opcua_binary_browse_description.browse_description_opaque;group:zeek_opcua;kind:termfield;friendly:browse_description_opaque;help:browse_description_opaque
-zeek.opcua_binary_browse_description.browse_direction=db:zeek.opcua_binary_browse_description.browse_direction;group:zeek_opcua;kind:termfield;friendly:browse_direction;help:browse_direction
-zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_encoding_mask;help:browse_description_ref_encoding_mask
-zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_namespace_idx;help:browse_description_ref_namespace_idx
-zeek.opcua_binary_browse_description.browse_description_ref_numeric=db:zeek.opcua_binary_browse_description.browse_description_ref_numeric;group:zeek_opcua;kind:integer;friendly:browse_description_ref_numeric;help:browse_description_ref_numeric
-zeek.opcua_binary_browse_description.browse_description_ref_string=db:zeek.opcua_binary_browse_description.browse_description_ref_string;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_string;help:browse_description_ref_string
-zeek.opcua_binary_browse_description.browse_description_ref_guid=db:zeek.opcua_binary_browse_description.browse_description_ref_guid;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_guid;help:browse_description_ref_guid
-zeek.opcua_binary_browse_description.browse_description_ref_opaque=db:zeek.opcua_binary_browse_description.browse_description_ref_opaque;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_opaque;help:browse_description_ref_opaque
-zeek.opcua_binary_browse_description.browse_description_include_subtypes=db:zeek.opcua_binary_browse_description.browse_description_include_subtypes;group:zeek_opcua;kind:termfield;friendly:browse_description_include_subtypes;help:browse_description_include_subtypes
-zeek.opcua_binary_browse_description.browse_node_class_mask=db:zeek.opcua_binary_browse_description.browse_node_class_mask;group:zeek_opcua;kind:termfield;friendly:browse_node_class_mask;help:browse_node_class_mask
-zeek.opcua_binary_browse_description.browse_result_mask=db:zeek.opcua_binary_browse_description.browse_result_mask;group:zeek_opcua;kind:termfield;friendly:browse_result_mask;help:browse_result_mask
+zeek.opcua_binary_browse_description.browse_description_link_id=db:zeek.opcua_binary_browse_description.browse_description_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_link_id;help:browse_description_link_id
+zeek.opcua_binary_browse_description.browse_description_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_encoding_mask;help:browse_description_encoding_mask
+zeek.opcua_binary_browse_description.browse_description_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_namespace_idx;help:browse_description_namespace_idx
+zeek.opcua_binary_browse_description.browse_description_numeric=db:zeek.opcua_binary_browse_description.browse_description_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_description_numeric;help:browse_description_numeric
+zeek.opcua_binary_browse_description.browse_description_string=db:zeek.opcua_binary_browse_description.browse_description_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_string;help:browse_description_string
+zeek.opcua_binary_browse_description.browse_description_guid=db:zeek.opcua_binary_browse_description.browse_description_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_guid;help:browse_description_guid
+zeek.opcua_binary_browse_description.browse_description_opaque=db:zeek.opcua_binary_browse_description.browse_description_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_opaque;help:browse_description_opaque
+zeek.opcua_binary_browse_description.browse_direction=db:zeek.opcua_binary_browse_description.browse_direction;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_direction;help:browse_direction
+zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_encoding_mask;help:browse_description_ref_encoding_mask
+zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_namespace_idx;help:browse_description_ref_namespace_idx
+zeek.opcua_binary_browse_description.browse_description_ref_numeric=db:zeek.opcua_binary_browse_description.browse_description_ref_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_description_ref_numeric;help:browse_description_ref_numeric
+zeek.opcua_binary_browse_description.browse_description_ref_string=db:zeek.opcua_binary_browse_description.browse_description_ref_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_string;help:browse_description_ref_string
+zeek.opcua_binary_browse_description.browse_description_ref_guid=db:zeek.opcua_binary_browse_description.browse_description_ref_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_guid;help:browse_description_ref_guid
+zeek.opcua_binary_browse_description.browse_description_ref_opaque=db:zeek.opcua_binary_browse_description.browse_description_ref_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_opaque;help:browse_description_ref_opaque
+zeek.opcua_binary_browse_description.browse_description_include_subtypes=db:zeek.opcua_binary_browse_description.browse_description_include_subtypes;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_include_subtypes;help:browse_description_include_subtypes
+zeek.opcua_binary_browse_description.browse_node_class_mask=db:zeek.opcua_binary_browse_description.browse_node_class_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_node_class_mask;help:browse_node_class_mask
+zeek.opcua_binary_browse_description.browse_result_mask=db:zeek.opcua_binary_browse_description.browse_result_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_result_mask;help:browse_result_mask
 # opcua_binary_browse_response_references.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_browse_response_references.browse_reference_link_id=db:zeek.opcua_binary_browse_response_references.browse_reference_link_id;group:zeek_opcua;kind:termfield;friendly:browse_reference_link_id;help:browse_reference_link_id
-zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_encoding_mask;help:browse_response_ref_encoding_mask
-zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_namespace_idx;help:browse_response_ref_namespace_idx
-zeek.opcua_binary_browse_response_references.browse_response_ref_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_numeric;group:zeek_opcua;kind:integer;friendly:browse_response_ref_numeric;help:browse_response_ref_numeric
-zeek.opcua_binary_browse_response_references.browse_response_ref_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_string;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_string;help:browse_response_ref_string
-zeek.opcua_binary_browse_response_references.browse_response_ref_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_guid;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_guid;help:browse_response_ref_guid
-zeek.opcua_binary_browse_response_references.browse_response_ref_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_opaque;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_opaque;help:browse_response_ref_opaque
-zeek.opcua_binary_browse_response_references.browse_response_is_forward=db:zeek.opcua_binary_browse_response_references.browse_response_is_forward;group:zeek_opcua;kind:termfield;friendly:browse_response_is_forward;help:browse_response_is_forward
-zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_encoding_mask;help:browse_response_ref_type_encoding_mask
-zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_namespace_idx;help:browse_response_ref_type_namespace_idx
-zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric;group:zeek_opcua;kind:integer;friendly:browse_response_ref_type_numeric;help:browse_response_ref_type_numeric
-zeek.opcua_binary_browse_response_references.browse_response_ref_type_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_string;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_string;help:browse_response_ref_type_string
-zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_guid;help:browse_response_ref_type_guid
-zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_opaque;help:browse_response_ref_type_opaque
-zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_namespace_uri;help:browse_response_ref_type_namespace_uri
-zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx;group:zeek_opcua;kind:integer;friendly:browse_response_ref_type_server_idx;help:browse_response_ref_type_server_idx
-zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx;group:zeek_opcua;kind:integer;friendly:browse_response_ref_name_idx;help:browse_response_ref_name_idx
-zeek.opcua_binary_browse_response_references.browse_response_ref_name=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_name;help:browse_response_ref_name
-zeek.opcua_binary_browse_response_references.browse_response_display_name_mask=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_display_name_mask;help:browse_response_display_name_mask
-zeek.opcua_binary_browse_response_references.browse_response_display_name_locale=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_locale;group:zeek_opcua;kind:termfield;friendly:browse_response_display_name_locale;help:browse_response_display_name_locale
-zeek.opcua_binary_browse_response_references.browse_response_display_name_text=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_text;group:zeek_opcua;kind:termfield;friendly:browse_response_display_name_text;help:browse_response_display_name_text
-zeek.opcua_binary_browse_response_references.browse_response_node_class=db:zeek.opcua_binary_browse_response_references.browse_response_node_class;group:zeek_opcua;kind:termfield;friendly:browse_response_node_class;help:browse_response_node_class
-zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_encoding_mask;help:browse_response_type_def_encoding_mask
-zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_namespace_idx;help:browse_response_type_def_namespace_idx
-zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric;group:zeek_opcua;kind:integer;friendly:browse_response_type_def_numeric;help:browse_response_type_def_numeric
-zeek.opcua_binary_browse_response_references.browse_response_type_def_string=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_string;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_string;help:browse_response_type_def_string
-zeek.opcua_binary_browse_response_references.browse_response_type_def_guid=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_guid;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_guid;help:browse_response_type_def_guid
-zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_opaque;help:browse_response_type_def_opaque
-zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_namespace_uri;help:browse_response_type_def_namespace_uri
-zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx;group:zeek_opcua;kind:integer;friendly:browse_response_type_def_server_idx;help:browse_response_type_def_server_idx
+zeek.opcua_binary_browse_response_references.browse_reference_link_id=db:zeek.opcua_binary_browse_response_references.browse_reference_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_reference_link_id;help:browse_reference_link_id
+zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_encoding_mask;help:browse_response_ref_encoding_mask
+zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_namespace_idx;help:browse_response_ref_namespace_idx
+zeek.opcua_binary_browse_response_references.browse_response_ref_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_ref_numeric;help:browse_response_ref_numeric
+zeek.opcua_binary_browse_response_references.browse_response_ref_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_string;help:browse_response_ref_string
+zeek.opcua_binary_browse_response_references.browse_response_ref_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_guid;help:browse_response_ref_guid
+zeek.opcua_binary_browse_response_references.browse_response_ref_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_opaque;help:browse_response_ref_opaque
+zeek.opcua_binary_browse_response_references.browse_response_is_forward=db:zeek.opcua_binary_browse_response_references.browse_response_is_forward;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_is_forward;help:browse_response_is_forward
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_encoding_mask;help:browse_response_ref_type_encoding_mask
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_namespace_idx;help:browse_response_ref_type_namespace_idx
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_ref_type_numeric;help:browse_response_ref_type_numeric
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_string;help:browse_response_ref_type_string
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_guid;help:browse_response_ref_type_guid
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_opaque;help:browse_response_ref_type_opaque
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_namespace_uri;help:browse_response_ref_type_namespace_uri
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_ref_type_server_idx;help:browse_response_ref_type_server_idx
+zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_ref_name_idx;help:browse_response_ref_name_idx
+zeek.opcua_binary_browse_response_references.browse_response_ref_name=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_name;help:browse_response_ref_name
+zeek.opcua_binary_browse_response_references.browse_response_display_name_mask=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_display_name_mask;help:browse_response_display_name_mask
+zeek.opcua_binary_browse_response_references.browse_response_display_name_locale=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_display_name_locale;help:browse_response_display_name_locale
+zeek.opcua_binary_browse_response_references.browse_response_display_name_text=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_display_name_text;help:browse_response_display_name_text
+zeek.opcua_binary_browse_response_references.browse_response_node_class=db:zeek.opcua_binary_browse_response_references.browse_response_node_class;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_node_class;help:browse_response_node_class
+zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_encoding_mask;help:browse_response_type_def_encoding_mask
+zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_namespace_idx;help:browse_response_type_def_namespace_idx
+zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_type_def_numeric;help:browse_response_type_def_numeric
+zeek.opcua_binary_browse_response_references.browse_response_type_def_string=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_string;help:browse_response_type_def_string
+zeek.opcua_binary_browse_response_references.browse_response_type_def_guid=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_guid;help:browse_response_type_def_guid
+zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_opaque;help:browse_response_type_def_opaque
+zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_namespace_uri;help:browse_response_type_def_namespace_uri
+zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_type_def_server_idx;help:browse_response_type_def_server_idx
 # opcua_binary_browse_request_continuation_point.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id=db:zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id;group:zeek_opcua;kind:termfield;friendly:browse_next_link_id;help:browse_next_link_id
-zeek.opcua_binary_browse_request_continuation_point.continuation_point=db:zeek.opcua_binary_browse_request_continuation_point.continuation_point;group:zeek_opcua;kind:termfield;friendly:continuation_point;help:continuation_point
+zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id=db:zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_next_link_id;help:browse_next_link_id
+zeek.opcua_binary_browse_request_continuation_point.continuation_point=db:zeek.opcua_binary_browse_request_continuation_point.continuation_point;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:continuation_point;help:continuation_point
 # opcua_binary_browse_result.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_browse_result.browse_response_link_id=db:zeek.opcua_binary_browse_result.browse_response_link_id;group:zeek_opcua;kind:termfield;friendly:browse_response_link_id;help:browse_response_link_id
-zeek.opcua_binary_browse_result.browse_result_continuation_point=db:zeek.opcua_binary_browse_result.browse_result_continuation_point;group:zeek_opcua;kind:termfield;friendly:browse_result_continuation_point;help:browse_result_continuation_point
+zeek.opcua_binary_browse_result.browse_response_link_id=db:zeek.opcua_binary_browse_result.browse_response_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_link_id;help:browse_response_link_id
+zeek.opcua_binary_browse_result.browse_result_continuation_point=db:zeek.opcua_binary_browse_result.browse_result_continuation_point;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_result_continuation_point;help:browse_result_continuation_point
 # opcua_binary_close_session.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_close_session.del_subscriptions=db:zeek.opcua_binary_close_session.del_subscriptions;group:zeek_opcua;kind:termfield;friendly:del_subscriptions;help:del_subscriptions
+zeek.opcua_binary_close_session.del_subscriptions=db:zeek.opcua_binary_close_session.del_subscriptions;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:del_subscriptions;help:del_subscriptions
 # opcua_binary_event_filter_where_clause.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_where_clause.where_clause_link_id=db:zeek.opcua_binary_event_filter_where_clause.where_clause_link_id;group:zeek_opcua;kind:termfield;friendly:where_clause_link_id;help:where_clause_link_id
+zeek.opcua_binary_event_filter_where_clause.where_clause_link_id=db:zeek.opcua_binary_event_filter_where_clause.where_clause_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:where_clause_link_id;help:where_clause_link_id
 # opcua_binary_event_filter_where_clause_elements.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_element_link_id=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_element_link_id;group:zeek_opcua;kind:termfield;friendly:content_filter_element_link_id;help:content_filter_element_link_id
-zeek.opcua_binary_event_filter_where_clause_elements.filter_operator=db:zeek.opcua_binary_event_filter_where_clause_elements.filter_operator;group:zeek_opcua;kind:termfield;friendly:filter_operator;help:filter_operator
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_encoding_mask=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_encoding_mask;help:content_filter_filter_operand_type_id_node_id_encoding_mask
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_namespace_idx=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_namespace_idx;help:content_filter_filter_operand_type_id_node_id_namespace_idx
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_numeric=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_numeric;group:zeek_opcua;kind:integer;friendly:content_filter_filter_operand_type_id_node_id_numeric;help:content_filter_filter_operand_type_id_node_id_numeric
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_string=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_string;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_string;help:content_filter_filter_operand_type_id_node_id_string
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_guid=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_guid;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_guid;help:content_filter_filter_operand_type_id_node_id_guid
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_opaque=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_opaque;help:content_filter_filter_operand_type_id_node_id_opaque
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_string=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_string;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_string;help:content_filter_filter_operand_type_id_string -zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_encoding=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_encoding;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_encoding;help:content_filter_filter_operand_type_id_encoding +zeek.opcua_binary_event_filter_where_clause_elements.content_filter_element_link_id=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_element_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_element_link_id;help:content_filter_element_link_id +zeek.opcua_binary_event_filter_where_clause_elements.filter_operator=db:zeek.opcua_binary_event_filter_where_clause_elements.filter_operator;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:filter_operator;help:filter_operator +zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_encoding_mask=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_encoding_mask;help:content_filter_filter_operand_type_id_node_id_encoding_mask 
+zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_namespace_idx=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_namespace_idx;help:content_filter_filter_operand_type_id_node_id_namespace_idx +zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_numeric=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_numeric;help:content_filter_filter_operand_type_id_node_id_numeric +zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_string=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_string;help:content_filter_filter_operand_type_id_node_id_string +zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_guid=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_guid;help:content_filter_filter_operand_type_id_node_id_guid +zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_opaque=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_opaque;help:content_filter_filter_operand_type_id_node_id_opaque 
+zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_string=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_string;help:content_filter_filter_operand_type_id_string +zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_encoding=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_encoding;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_encoding;help:content_filter_filter_operand_type_id_encoding # opcua_binary_create_monitored_items.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_create_monitored_items.subscription_id=db:zeek.opcua_binary_create_monitored_items.subscription_id;group:zeek_opcua;kind:integer;friendly:subscription_id;help:subscription_id -zeek.opcua_binary_create_monitored_items.timestamps_to_return=db:zeek.opcua_binary_create_monitored_items.timestamps_to_return;group:zeek_opcua;kind:integer;friendly:timestamps_to_return;help:timestamps_to_return -zeek.opcua_binary_create_monitored_items.timestamps_to_return_str=db:zeek.opcua_binary_create_monitored_items.timestamps_to_return_str;group:zeek_opcua;kind:termfield;friendly:timestamps_to_return_str;help:timestamps_to_return_str +zeek.opcua_binary_create_monitored_items.subscription_id=db:zeek.opcua_binary_create_monitored_items.subscription_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:subscription_id;help:subscription_id +zeek.opcua_binary_create_monitored_items.timestamps_to_return=db:zeek.opcua_binary_create_monitored_items.timestamps_to_return;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:timestamps_to_return;help:timestamps_to_return 
+zeek.opcua_binary_create_monitored_items.timestamps_to_return_str=db:zeek.opcua_binary_create_monitored_items.timestamps_to_return_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:timestamps_to_return_str;help:timestamps_to_return_str # opcua_binary_create_monitored_items_create_item.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_create_monitored_items_create_item.create_item_link_id=db:zeek.opcua_binary_create_monitored_items_create_item.create_item_link_id;group:zeek_opcua;kind:termfield;friendly:create_item_link_id;help:create_item_link_id -zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_encoding_mask=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_encoding_mask;help:item_to_monitor_node_id_encoding_mask -zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_namespace_idx;help:item_to_monitor_node_id_namespace_idx -zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_numeric=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_numeric;group:zeek_opcua;kind:integer;friendly:item_to_monitor_node_id_numeric;help:item_to_monitor_node_id_numeric -zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_string;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_string;help:item_to_monitor_node_id_string 
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_guid=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_guid;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_guid;help:item_to_monitor_node_id_guid -zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_opaque=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_opaque;help:item_to_monitor_node_id_opaque -zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_attribute_id=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_attribute_id;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_attribute_id;help:item_to_monitor_attribute_id -zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_index_range=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_index_range;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_index_range;help:item_to_monitor_index_range -zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_namespace_idx;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_namespace_idx;help:item_to_monitor_namespace_idx -zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_name=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_name;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_name;help:item_to_monitor_name -zeek.opcua_binary_create_monitored_items_create_item.monitoring_mode=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_mode;group:zeek_opcua;kind:termfield;friendly:monitoring_mode;help:monitoring_mode 
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_client_handle=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_client_handle;group:zeek_opcua;kind:integer;friendly:monitoring_parameters_client_handle;help:monitoring_parameters_client_handle -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_sampling_interval=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_sampling_interval;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_sampling_interval;help:monitoring_parameters_sampling_interval -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_queue_size=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_queue_size;group:zeek_opcua;kind:integer;friendly:monitoring_parameters_queue_size;help:monitoring_parameters_queue_size -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_discard_oldest=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_discard_oldest;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_discard_oldest;help:monitoring_parameters_discard_oldest -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_encoding_mask=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_encoding_mask;help:monitoring_parameters_filter_info_type_id_node_id_encoding_mask 
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_namespace_idx;help:monitoring_parameters_filter_info_type_id_node_id_namespace_idx -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_numeric=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_numeric;group:zeek_opcua;kind:integer;friendly:monitoring_parameters_filter_info_type_id_node_id_numeric;help:monitoring_parameters_filter_info_type_id_node_id_numeric -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_string;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_string;help:monitoring_parameters_filter_info_type_id_node_id_string -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_guid=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_guid;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_guid;help:monitoring_parameters_filter_info_type_id_node_id_guid -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_opaque=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_opaque;help:monitoring_parameters_filter_info_type_id_node_id_opaque 
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_string;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_string;help:monitoring_parameters_filter_info_type_id_string -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_encoding=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_encoding;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_encoding;help:monitoring_parameters_filter_info_type_id_encoding -zeek.opcua_binary_create_monitored_items_create_item.monitored_item_index_id=db:zeek.opcua_binary_create_monitored_items_create_item.monitored_item_index_id;group:zeek_opcua;kind:integer;friendly:monitored_item_index_id;help:monitored_item_index_id -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_sampling_interval=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_sampling_interval;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_revised_sampling_interval;help:monitoring_parameters_revised_sampling_interval -zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_queue_size=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_queue_size;group:zeek_opcua;kind:integer;friendly:monitoring_parameters_revised_queue_size;help:monitoring_parameters_revised_queue_size +zeek.opcua_binary_create_monitored_items_create_item.create_item_link_id=db:zeek.opcua_binary_create_monitored_items_create_item.create_item_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:create_item_link_id;help:create_item_link_id 
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_encoding_mask=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_encoding_mask;help:item_to_monitor_node_id_encoding_mask +zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_namespace_idx;help:item_to_monitor_node_id_namespace_idx +zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_numeric=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:item_to_monitor_node_id_numeric;help:item_to_monitor_node_id_numeric +zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_string;help:item_to_monitor_node_id_string +zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_guid=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_guid;help:item_to_monitor_node_id_guid +zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_opaque=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_opaque;help:item_to_monitor_node_id_opaque 
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_attribute_id=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_attribute_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_attribute_id;help:item_to_monitor_attribute_id +zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_index_range=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_index_range;help:item_to_monitor_index_range +zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_namespace_idx;help:item_to_monitor_namespace_idx +zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_name=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_name;help:item_to_monitor_name +zeek.opcua_binary_create_monitored_items_create_item.monitoring_mode=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_mode;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_mode;help:monitoring_mode +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_client_handle=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_client_handle;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitoring_parameters_client_handle;help:monitoring_parameters_client_handle 
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_sampling_interval=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_sampling_interval;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_sampling_interval;help:monitoring_parameters_sampling_interval +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_queue_size=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_queue_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitoring_parameters_queue_size;help:monitoring_parameters_queue_size +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_discard_oldest=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_discard_oldest;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_discard_oldest;help:monitoring_parameters_discard_oldest +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_encoding_mask=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_encoding_mask;help:monitoring_parameters_filter_info_type_id_node_id_encoding_mask +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_namespace_idx;help:monitoring_parameters_filter_info_type_id_node_id_namespace_idx 
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_numeric=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_numeric;help:monitoring_parameters_filter_info_type_id_node_id_numeric +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_string;help:monitoring_parameters_filter_info_type_id_node_id_string +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_guid=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_guid;help:monitoring_parameters_filter_info_type_id_node_id_guid +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_opaque=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_opaque;help:monitoring_parameters_filter_info_type_id_node_id_opaque +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_string;help:monitoring_parameters_filter_info_type_id_string 
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_encoding=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_encoding;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_encoding;help:monitoring_parameters_filter_info_type_id_encoding +zeek.opcua_binary_create_monitored_items_create_item.monitored_item_index_id=db:zeek.opcua_binary_create_monitored_items_create_item.monitored_item_index_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitored_item_index_id;help:monitored_item_index_id +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_sampling_interval=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_sampling_interval;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_revised_sampling_interval;help:monitoring_parameters_revised_sampling_interval +zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_queue_size=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_queue_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitoring_parameters_revised_queue_size;help:monitoring_parameters_revised_queue_size # opcua_binary_create_session.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_create_session.application_uri=db:zeek.opcua_binary_create_session.application_uri;group:zeek_opcua;kind:termfield;friendly:application_uri;help:application_uri -zeek.opcua_binary_create_session.product_uri=db:zeek.opcua_binary_create_session.product_uri;group:zeek_opcua;kind:termfield;friendly:product_uri;help:product_uri -zeek.opcua_binary_create_session.encoding_mask=db:zeek.opcua_binary_create_session.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask 
-zeek.opcua_binary_create_session.locale=db:zeek.opcua_binary_create_session.locale;group:zeek_opcua;kind:termfield;friendly:locale;help:locale -zeek.opcua_binary_create_session.text=db:zeek.opcua_binary_create_session.text;group:zeek_opcua;kind:termfield;friendly:text;help:text -zeek.opcua_binary_create_session.application_type=db:zeek.opcua_binary_create_session.application_type;group:zeek_opcua;kind:integer;friendly:application_type;help:application_type -zeek.opcua_binary_create_session.gateway_server_uri=db:zeek.opcua_binary_create_session.gateway_server_uri;group:zeek_opcua;kind:termfield;friendly:gateway_server_uri;help:gateway_server_uri -zeek.opcua_binary_create_session.discovery_profile_uri=db:zeek.opcua_binary_create_session.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri -zeek.opcua_binary_create_session.server_uri=db:zeek.opcua_binary_create_session.server_uri;group:zeek_opcua;kind:termfield;friendly:server_uri;help:server_uri -zeek.opcua_binary_create_session.endpoint_url=db:zeek.opcua_binary_create_session.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url -zeek.opcua_binary_create_session.session_name=db:zeek.opcua_binary_create_session.session_name;group:zeek_opcua;kind:termfield;friendly:session_name;help:session_name -zeek.opcua_binary_create_session.client_nonce=db:zeek.opcua_binary_create_session.client_nonce;group:zeek_opcua;kind:termfield;friendly:client_nonce;help:client_nonce -zeek.opcua_binary_create_session.client_cert_size=db:zeek.opcua_binary_create_session.client_cert_size;group:zeek_opcua;kind:integer;friendly:client_cert_size;help:client_cert_size -zeek.opcua_binary_create_session.client_cert=db:zeek.opcua_binary_create_session.client_cert;group:zeek_opcua;kind:termfield;friendly:client_cert;help:client_cert 
-zeek.opcua_binary_create_session.req_session_timeout=db:zeek.opcua_binary_create_session.req_session_timeout;group:zeek_opcua;kind:integer;friendly:req_session_timeout;help:req_session_timeout -zeek.opcua_binary_create_session.max_res_msg_size=db:zeek.opcua_binary_create_session.max_res_msg_size;group:zeek_opcua;kind:integer;friendly:max_res_msg_size;help:max_res_msg_size -zeek.opcua_binary_create_session.session_id_encoding_mask=db:zeek.opcua_binary_create_session.session_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:session_id_encoding_mask;help:session_id_encoding_mask -zeek.opcua_binary_create_session.session_id_namespace_idx=db:zeek.opcua_binary_create_session.session_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:session_id_namespace_idx;help:session_id_namespace_idx -zeek.opcua_binary_create_session.session_id_numeric=db:zeek.opcua_binary_create_session.session_id_numeric;group:zeek_opcua;kind:integer;friendly:session_id_numeric;help:session_id_numeric -zeek.opcua_binary_create_session.session_id_string=db:zeek.opcua_binary_create_session.session_id_string;group:zeek_opcua;kind:termfield;friendly:session_id_string;help:session_id_string -zeek.opcua_binary_create_session.session_id_guid=db:zeek.opcua_binary_create_session.session_id_guid;group:zeek_opcua;kind:termfield;friendly:session_id_guid;help:session_id_guid -zeek.opcua_binary_create_session.session_id_opaque=db:zeek.opcua_binary_create_session.session_id_opaque;group:zeek_opcua;kind:termfield;friendly:session_id_opaque;help:session_id_opaque -zeek.opcua_binary_create_session.auth_token_encoding_mask=db:zeek.opcua_binary_create_session.auth_token_encoding_mask;group:zeek_opcua;kind:termfield;friendly:auth_token_encoding_mask;help:auth_token_encoding_mask -zeek.opcua_binary_create_session.auth_token_namespace_idx=db:zeek.opcua_binary_create_session.auth_token_namespace_idx;group:zeek_opcua;kind:termfield;friendly:auth_token_namespace_idx;help:auth_token_namespace_idx 
-zeek.opcua_binary_create_session.auth_token_numeric=db:zeek.opcua_binary_create_session.auth_token_numeric;group:zeek_opcua;kind:integer;friendly:auth_token_numeric;help:auth_token_numeric -zeek.opcua_binary_create_session.auth_token_string=db:zeek.opcua_binary_create_session.auth_token_string;group:zeek_opcua;kind:termfield;friendly:auth_token_string;help:auth_token_string -zeek.opcua_binary_create_session.auth_token_guid=db:zeek.opcua_binary_create_session.auth_token_guid;group:zeek_opcua;kind:termfield;friendly:auth_token_guid;help:auth_token_guid -zeek.opcua_binary_create_session.auth_token_opaque=db:zeek.opcua_binary_create_session.auth_token_opaque;group:zeek_opcua;kind:termfield;friendly:auth_token_opaque;help:auth_token_opaque -zeek.opcua_binary_create_session.revised_session_timeout=db:zeek.opcua_binary_create_session.revised_session_timeout;group:zeek_opcua;kind:integer;friendly:revised_session_timeout;help:revised_session_timeout -zeek.opcua_binary_create_session.server_nonce=db:zeek.opcua_binary_create_session.server_nonce;group:zeek_opcua;kind:termfield;friendly:server_nonce;help:server_nonce -zeek.opcua_binary_create_session.server_cert_size=db:zeek.opcua_binary_create_session.server_cert_size;group:zeek_opcua;kind:integer;friendly:server_cert_size;help:server_cert_size -zeek.opcua_binary_create_session.server_cert=db:zeek.opcua_binary_create_session.server_cert;group:zeek_opcua;kind:termfield;friendly:server_cert;help:server_cert -zeek.opcua_binary_create_session.algorithm=db:zeek.opcua_binary_create_session.algorithm;group:zeek_opcua;kind:termfield;friendly:algorithm;help:algorithm -zeek.opcua_binary_create_session.signature=db:zeek.opcua_binary_create_session.signature;group:zeek_opcua;kind:termfield;friendly:signature;help:signature -zeek.opcua_binary_create_session.max_req_msg_size=db:zeek.opcua_binary_create_session.max_req_msg_size;group:zeek_opcua;kind:integer;friendly:max_req_msg_size;help:max_req_msg_size 
+zeek.opcua_binary_create_session.application_uri=db:zeek.opcua_binary_create_session.application_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:application_uri;help:application_uri +zeek.opcua_binary_create_session.product_uri=db:zeek.opcua_binary_create_session.product_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:product_uri;help:product_uri +zeek.opcua_binary_create_session.encoding_mask=db:zeek.opcua_binary_create_session.encoding_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:encoding_mask;help:encoding_mask +zeek.opcua_binary_create_session.locale=db:zeek.opcua_binary_create_session.locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale;help:locale +zeek.opcua_binary_create_session.text=db:zeek.opcua_binary_create_session.text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:text;help:text +zeek.opcua_binary_create_session.application_type=db:zeek.opcua_binary_create_session.application_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:application_type;help:application_type +zeek.opcua_binary_create_session.gateway_server_uri=db:zeek.opcua_binary_create_session.gateway_server_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:gateway_server_uri;help:gateway_server_uri +zeek.opcua_binary_create_session.discovery_profile_uri=db:zeek.opcua_binary_create_session.discovery_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_uri;help:discovery_profile_uri +zeek.opcua_binary_create_session.server_uri=db:zeek.opcua_binary_create_session.server_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_uri;help:server_uri +zeek.opcua_binary_create_session.endpoint_url=db:zeek.opcua_binary_create_session.endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_url;help:endpoint_url 
+zeek.opcua_binary_create_session.session_name=db:zeek.opcua_binary_create_session.session_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_name;help:session_name +zeek.opcua_binary_create_session.client_nonce=db:zeek.opcua_binary_create_session.client_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_nonce;help:client_nonce +zeek.opcua_binary_create_session.client_cert_size=db:zeek.opcua_binary_create_session.client_cert_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:client_cert_size;help:client_cert_size +zeek.opcua_binary_create_session.client_cert=db:zeek.opcua_binary_create_session.client_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_cert;help:client_cert +zeek.opcua_binary_create_session.req_session_timeout=db:zeek.opcua_binary_create_session.req_session_timeout;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_session_timeout;help:req_session_timeout +zeek.opcua_binary_create_session.max_res_msg_size=db:zeek.opcua_binary_create_session.max_res_msg_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_res_msg_size;help:max_res_msg_size +zeek.opcua_binary_create_session.session_id_encoding_mask=db:zeek.opcua_binary_create_session.session_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_encoding_mask;help:session_id_encoding_mask +zeek.opcua_binary_create_session.session_id_namespace_idx=db:zeek.opcua_binary_create_session.session_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_namespace_idx;help:session_id_namespace_idx +zeek.opcua_binary_create_session.session_id_numeric=db:zeek.opcua_binary_create_session.session_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:session_id_numeric;help:session_id_numeric 
+zeek.opcua_binary_create_session.session_id_string=db:zeek.opcua_binary_create_session.session_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_string;help:session_id_string
+zeek.opcua_binary_create_session.session_id_guid=db:zeek.opcua_binary_create_session.session_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_guid;help:session_id_guid
+zeek.opcua_binary_create_session.session_id_opaque=db:zeek.opcua_binary_create_session.session_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_opaque;help:session_id_opaque
+zeek.opcua_binary_create_session.auth_token_encoding_mask=db:zeek.opcua_binary_create_session.auth_token_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_encoding_mask;help:auth_token_encoding_mask
+zeek.opcua_binary_create_session.auth_token_namespace_idx=db:zeek.opcua_binary_create_session.auth_token_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_namespace_idx;help:auth_token_namespace_idx
+zeek.opcua_binary_create_session.auth_token_numeric=db:zeek.opcua_binary_create_session.auth_token_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:auth_token_numeric;help:auth_token_numeric
+zeek.opcua_binary_create_session.auth_token_string=db:zeek.opcua_binary_create_session.auth_token_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_string;help:auth_token_string
+zeek.opcua_binary_create_session.auth_token_guid=db:zeek.opcua_binary_create_session.auth_token_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_guid;help:auth_token_guid
+zeek.opcua_binary_create_session.auth_token_opaque=db:zeek.opcua_binary_create_session.auth_token_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_opaque;help:auth_token_opaque
+zeek.opcua_binary_create_session.revised_session_timeout=db:zeek.opcua_binary_create_session.revised_session_timeout;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_session_timeout;help:revised_session_timeout
+zeek.opcua_binary_create_session.server_nonce=db:zeek.opcua_binary_create_session.server_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_nonce;help:server_nonce
+zeek.opcua_binary_create_session.server_cert_size=db:zeek.opcua_binary_create_session.server_cert_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:server_cert_size;help:server_cert_size
+zeek.opcua_binary_create_session.server_cert=db:zeek.opcua_binary_create_session.server_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_cert;help:server_cert
+zeek.opcua_binary_create_session.algorithm=db:zeek.opcua_binary_create_session.algorithm;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:algorithm;help:algorithm
+zeek.opcua_binary_create_session.signature=db:zeek.opcua_binary_create_session.signature;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:signature;help:signature
+zeek.opcua_binary_create_session.max_req_msg_size=db:zeek.opcua_binary_create_session.max_req_msg_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_req_msg_size;help:max_req_msg_size
 # opcua_binary_create_session_discovery.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_session_discovery.discovery_profile_link_id=db:zeek.opcua_binary_create_session_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;friendly:discovery_profile_link_id;help:discovery_profile_link_id
-zeek.opcua_binary_create_session_discovery.discovery_profile_uri=db:zeek.opcua_binary_create_session_discovery.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
-zeek.opcua_binary_create_session_discovery.discovery_profile_url=db:zeek.opcua_binary_create_session_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;friendly:discovery_profile_url;help:discovery_profile_url
+zeek.opcua_binary_create_session_discovery.discovery_profile_link_id=db:zeek.opcua_binary_create_session_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_link_id;help:discovery_profile_link_id
+zeek.opcua_binary_create_session_discovery.discovery_profile_uri=db:zeek.opcua_binary_create_session_discovery.discovery_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_create_session_discovery.discovery_profile_url=db:zeek.opcua_binary_create_session_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_url;help:discovery_profile_url
 # opcua_binary_create_session_endpoints.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_session_endpoints.endpoint_link_id=db:zeek.opcua_binary_create_session_endpoints.endpoint_link_id;group:zeek_opcua;kind:termfield;friendly:endpoint_link_id;help:endpoint_link_id
-zeek.opcua_binary_create_session_endpoints.endpoint_url=db:zeek.opcua_binary_create_session_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
-zeek.opcua_binary_create_session_endpoints.application_uri=db:zeek.opcua_binary_create_session_endpoints.application_uri;group:zeek_opcua;kind:termfield;friendly:application_uri;help:application_uri
-zeek.opcua_binary_create_session_endpoints.product_uri=db:zeek.opcua_binary_create_session_endpoints.product_uri;group:zeek_opcua;kind:termfield;friendly:product_uri;help:product_uri
-zeek.opcua_binary_create_session_endpoints.encoding_mask=db:zeek.opcua_binary_create_session_endpoints.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
-zeek.opcua_binary_create_session_endpoints.locale=db:zeek.opcua_binary_create_session_endpoints.locale;group:zeek_opcua;kind:termfield;friendly:locale;help:locale
-zeek.opcua_binary_create_session_endpoints.text=db:zeek.opcua_binary_create_session_endpoints.text;group:zeek_opcua;kind:termfield;friendly:text;help:text
-zeek.opcua_binary_create_session_endpoints.application_type=db:zeek.opcua_binary_create_session_endpoints.application_type;group:zeek_opcua;kind:integer;friendly:application_type;help:application_type
-zeek.opcua_binary_create_session_endpoints.gateway_server_uri=db:zeek.opcua_binary_create_session_endpoints.gateway_server_uri;group:zeek_opcua;kind:termfield;friendly:gateway_server_uri;help:gateway_server_uri
-zeek.opcua_binary_create_session_endpoints.discovery_profile_uri=db:zeek.opcua_binary_create_session_endpoints.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
-zeek.opcua_binary_create_session_endpoints.cert_size=db:zeek.opcua_binary_create_session_endpoints.cert_size;group:zeek_opcua;kind:integer;friendly:cert_size;help:cert_size
-zeek.opcua_binary_create_session_endpoints.server_cert=db:zeek.opcua_binary_create_session_endpoints.server_cert;group:zeek_opcua;kind:termfield;friendly:server_cert;help:server_cert
-zeek.opcua_binary_create_session_endpoints.message_security_mode=db:zeek.opcua_binary_create_session_endpoints.message_security_mode;group:zeek_opcua;kind:integer;friendly:message_security_mode;help:message_security_mode
-zeek.opcua_binary_create_session_endpoints.security_policy_uri=db:zeek.opcua_binary_create_session_endpoints.security_policy_uri;group:zeek_opcua;kind:termfield;friendly:security_policy_uri;help:security_policy_uri
-zeek.opcua_binary_create_session_endpoints.transport_profile_uri=db:zeek.opcua_binary_create_session_endpoints.transport_profile_uri;group:zeek_opcua;kind:termfield;friendly:transport_profile_uri;help:transport_profile_uri
-zeek.opcua_binary_create_session_endpoints.security_level=db:zeek.opcua_binary_create_session_endpoints.security_level;group:zeek_opcua;kind:integer;friendly:security_level;help:security_level
+zeek.opcua_binary_create_session_endpoints.endpoint_link_id=db:zeek.opcua_binary_create_session_endpoints.endpoint_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_link_id;help:endpoint_link_id
+zeek.opcua_binary_create_session_endpoints.endpoint_url=db:zeek.opcua_binary_create_session_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary_create_session_endpoints.application_uri=db:zeek.opcua_binary_create_session_endpoints.application_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:application_uri;help:application_uri
+zeek.opcua_binary_create_session_endpoints.product_uri=db:zeek.opcua_binary_create_session_endpoints.product_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:product_uri;help:product_uri
+zeek.opcua_binary_create_session_endpoints.encoding_mask=db:zeek.opcua_binary_create_session_endpoints.encoding_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary_create_session_endpoints.locale=db:zeek.opcua_binary_create_session_endpoints.locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale;help:locale
+zeek.opcua_binary_create_session_endpoints.text=db:zeek.opcua_binary_create_session_endpoints.text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:text;help:text
+zeek.opcua_binary_create_session_endpoints.application_type=db:zeek.opcua_binary_create_session_endpoints.application_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:application_type;help:application_type
+zeek.opcua_binary_create_session_endpoints.gateway_server_uri=db:zeek.opcua_binary_create_session_endpoints.gateway_server_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:gateway_server_uri;help:gateway_server_uri
+zeek.opcua_binary_create_session_endpoints.discovery_profile_uri=db:zeek.opcua_binary_create_session_endpoints.discovery_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_create_session_endpoints.cert_size=db:zeek.opcua_binary_create_session_endpoints.cert_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:cert_size;help:cert_size
+zeek.opcua_binary_create_session_endpoints.server_cert=db:zeek.opcua_binary_create_session_endpoints.server_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_cert;help:server_cert
+zeek.opcua_binary_create_session_endpoints.message_security_mode=db:zeek.opcua_binary_create_session_endpoints.message_security_mode;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:message_security_mode;help:message_security_mode
+zeek.opcua_binary_create_session_endpoints.security_policy_uri=db:zeek.opcua_binary_create_session_endpoints.security_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:security_policy_uri;help:security_policy_uri
+zeek.opcua_binary_create_session_endpoints.transport_profile_uri=db:zeek.opcua_binary_create_session_endpoints.transport_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:transport_profile_uri;help:transport_profile_uri
+zeek.opcua_binary_create_session_endpoints.security_level=db:zeek.opcua_binary_create_session_endpoints.security_level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:security_level;help:security_level
 # opcua_binary_create_session_user_token.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_session_user_token.user_token_link_id=db:zeek.opcua_binary_create_session_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;friendly:user_token_link_id;help:user_token_link_id
-zeek.opcua_binary_create_session_user_token.user_token_policy_id=db:zeek.opcua_binary_create_session_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;friendly:user_token_policy_id;help:user_token_policy_id
-zeek.opcua_binary_create_session_user_token.user_token_type=db:zeek.opcua_binary_create_session_user_token.user_token_type;group:zeek_opcua;kind:integer;friendly:user_token_type;help:user_token_type
-zeek.opcua_binary_create_session_user_token.user_token_issued_type=db:zeek.opcua_binary_create_session_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;friendly:user_token_issued_type;help:user_token_issued_type
-zeek.opcua_binary_create_session_user_token.user_token_endpoint_url=db:zeek.opcua_binary_create_session_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;friendly:user_token_endpoint_url;help:user_token_endpoint_url
-zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
+zeek.opcua_binary_create_session_user_token.user_token_link_id=db:zeek.opcua_binary_create_session_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_link_id;help:user_token_link_id
+zeek.opcua_binary_create_session_user_token.user_token_policy_id=db:zeek.opcua_binary_create_session_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_policy_id;help:user_token_policy_id
+zeek.opcua_binary_create_session_user_token.user_token_type=db:zeek.opcua_binary_create_session_user_token.user_token_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:user_token_type;help:user_token_type
+zeek.opcua_binary_create_session_user_token.user_token_issued_type=db:zeek.opcua_binary_create_session_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_issued_type;help:user_token_issued_type
+zeek.opcua_binary_create_session_user_token.user_token_endpoint_url=db:zeek.opcua_binary_create_session_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_endpoint_url;help:user_token_endpoint_url
+zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
 # opcua_binary_create_subscription.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_subscription.requested_publishing_interval=db:zeek.opcua_binary_create_subscription.requested_publishing_interval;group:zeek_opcua;kind:integer;friendly:requested_publishing_interval;help:requested_publishing_interval
-zeek.opcua_binary_create_subscription.requested_lifetime_count=db:zeek.opcua_binary_create_subscription.requested_lifetime_count;group:zeek_opcua;kind:integer;friendly:requested_lifetime_count;help:requested_lifetime_count
-zeek.opcua_binary_create_subscription.requested_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.requested_max_keep_alive_count;group:zeek_opcua;kind:integer;friendly:requested_max_keep_alive_count;help:requested_max_keep_alive_count
-zeek.opcua_binary_create_subscription.max_notifications_per_publish=db:zeek.opcua_binary_create_subscription.max_notifications_per_publish;group:zeek_opcua;kind:integer;friendly:max_notifications_per_publish;help:max_notifications_per_publish
-zeek.opcua_binary_create_subscription.publishing_enabled=db:zeek.opcua_binary_create_subscription.publishing_enabled;group:zeek_opcua;kind:termfield;friendly:publishing_enabled;help:publishing_enabled
-zeek.opcua_binary_create_subscription.priority=db:zeek.opcua_binary_create_subscription.priority;group:zeek_opcua;kind:integer;friendly:priority;help:priority
-zeek.opcua_binary_create_subscription.subscription_id=db:zeek.opcua_binary_create_subscription.subscription_id;group:zeek_opcua;kind:integer;friendly:subscription_id;help:subscription_id
-zeek.opcua_binary_create_subscription.revised_publishing_interval=db:zeek.opcua_binary_create_subscription.revised_publishing_interval;group:zeek_opcua;kind:integer;friendly:revised_publishing_interval;help:revised_publishing_interval
-zeek.opcua_binary_create_subscription.revised_lifetime_count=db:zeek.opcua_binary_create_subscription.revised_lifetime_count;group:zeek_opcua;kind:integer;friendly:revised_lifetime_count;help:revised_lifetime_count
-zeek.opcua_binary_create_subscription.revised_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.revised_max_keep_alive_count;group:zeek_opcua;kind:integer;friendly:revised_max_keep_alive_count;help:revised_max_keep_alive_count
+zeek.opcua_binary_create_subscription.requested_publishing_interval=db:zeek.opcua_binary_create_subscription.requested_publishing_interval;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:requested_publishing_interval;help:requested_publishing_interval
+zeek.opcua_binary_create_subscription.requested_lifetime_count=db:zeek.opcua_binary_create_subscription.requested_lifetime_count;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:requested_lifetime_count;help:requested_lifetime_count
+zeek.opcua_binary_create_subscription.requested_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.requested_max_keep_alive_count;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:requested_max_keep_alive_count;help:requested_max_keep_alive_count
+zeek.opcua_binary_create_subscription.max_notifications_per_publish=db:zeek.opcua_binary_create_subscription.max_notifications_per_publish;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_notifications_per_publish;help:max_notifications_per_publish
+zeek.opcua_binary_create_subscription.publishing_enabled=db:zeek.opcua_binary_create_subscription.publishing_enabled;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:publishing_enabled;help:publishing_enabled
+zeek.opcua_binary_create_subscription.priority=db:zeek.opcua_binary_create_subscription.priority;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:priority;help:priority
+zeek.opcua_binary_create_subscription.subscription_id=db:zeek.opcua_binary_create_subscription.subscription_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:subscription_id;help:subscription_id
+zeek.opcua_binary_create_subscription.revised_publishing_interval=db:zeek.opcua_binary_create_subscription.revised_publishing_interval;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_publishing_interval;help:revised_publishing_interval
+zeek.opcua_binary_create_subscription.revised_lifetime_count=db:zeek.opcua_binary_create_subscription.revised_lifetime_count;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_lifetime_count;help:revised_lifetime_count
+zeek.opcua_binary_create_subscription.revised_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.revised_max_keep_alive_count;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_max_keep_alive_count;help:revised_max_keep_alive_count
 # opcua_binary_data_change_filter.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_data_change_filter.trigger=db:zeek.opcua_binary_data_change_filter.trigger;group:zeek_opcua;kind:termfield;friendly:trigger;help:trigger
-zeek.opcua_binary_data_change_filter.deadband_type=db:zeek.opcua_binary_data_change_filter.deadband_type;group:zeek_opcua;kind:termfield;friendly:deadband_type;help:deadband_type
-zeek.opcua_binary_data_change_filter.deadband_value=db:zeek.opcua_binary_data_change_filter.deadband_value;group:zeek_opcua;kind:termfield;friendly:deadband_value;help:deadband_value
+zeek.opcua_binary_data_change_filter.trigger=db:zeek.opcua_binary_data_change_filter.trigger;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:trigger;help:trigger
+zeek.opcua_binary_data_change_filter.deadband_type=db:zeek.opcua_binary_data_change_filter.deadband_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:deadband_type;help:deadband_type
+zeek.opcua_binary_data_change_filter.deadband_value=db:zeek.opcua_binary_data_change_filter.deadband_value;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:deadband_value;help:deadband_value
 # opcua_binary_diag_info_detail.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_diag_info_detail.diag_info_link_id=db:zeek.opcua_binary_diag_info_detail.diag_info_link_id;group:zeek_opcua;kind:termfield;friendly:diag_info_link_id;help:diag_info_link_id
-zeek.opcua_binary_diag_info_detail.root_object_id=db:zeek.opcua_binary_diag_info_detail.root_object_id;group:zeek_opcua;kind:termfield;friendly:root_object_id;help:root_object_id
-zeek.opcua_binary_diag_info_detail.source=db:zeek.opcua_binary_diag_info_detail.source;group:zeek_opcua;kind:integer;friendly:source;help:source
-zeek.opcua_binary_diag_info_detail.source_str=db:zeek.opcua_binary_diag_info_detail.source_str;group:zeek_opcua;kind:termfield;friendly:source_str;help:source_str
-zeek.opcua_binary_diag_info_detail.inner_diag_level=db:zeek.opcua_binary_diag_info_detail.inner_diag_level;group:zeek_opcua;kind:integer;friendly:inner_diag_level;help:inner_diag_level
-zeek.opcua_binary_diag_info_detail.has_symbolic_id=db:zeek.opcua_binary_diag_info_detail.has_symbolic_id;group:zeek_opcua;kind:termfield;friendly:has_symbolic_id;help:has_symbolic_id
-zeek.opcua_binary_diag_info_detail.symbolic_id=db:zeek.opcua_binary_diag_info_detail.symbolic_id;group:zeek_opcua;kind:integer;friendly:symbolic_id;help:symbolic_id
-zeek.opcua_binary_diag_info_detail.symbolic_id_str=db:zeek.opcua_binary_diag_info_detail.symbolic_id_str;group:zeek_opcua;kind:termfield;friendly:symbolic_id_str;help:symbolic_id_str
-zeek.opcua_binary_diag_info_detail.has_namespace_uri=db:zeek.opcua_binary_diag_info_detail.has_namespace_uri;group:zeek_opcua;kind:termfield;friendly:has_namespace_uri;help:has_namespace_uri
-zeek.opcua_binary_diag_info_detail.namespace_uri=db:zeek.opcua_binary_diag_info_detail.namespace_uri;group:zeek_opcua;kind:integer;friendly:namespace_uri;help:namespace_uri
-zeek.opcua_binary_diag_info_detail.namespace_uri_str=db:zeek.opcua_binary_diag_info_detail.namespace_uri_str;group:zeek_opcua;kind:termfield;friendly:namespace_uri_str;help:namespace_uri_str
-zeek.opcua_binary_diag_info_detail.has_locale=db:zeek.opcua_binary_diag_info_detail.has_locale;group:zeek_opcua;kind:termfield;friendly:has_locale;help:has_locale
-zeek.opcua_binary_diag_info_detail.locale=db:zeek.opcua_binary_diag_info_detail.locale;group:zeek_opcua;kind:integer;friendly:locale;help:locale
-zeek.opcua_binary_diag_info_detail.locale_str=db:zeek.opcua_binary_diag_info_detail.locale_str;group:zeek_opcua;kind:termfield;friendly:locale_str;help:locale_str
-zeek.opcua_binary_diag_info_detail.has_locale_txt=db:zeek.opcua_binary_diag_info_detail.has_locale_txt;group:zeek_opcua;kind:termfield;friendly:has_locale_txt;help:has_locale_txt
-zeek.opcua_binary_diag_info_detail.locale_txt=db:zeek.opcua_binary_diag_info_detail.locale_txt;group:zeek_opcua;kind:integer;friendly:locale_txt;help:locale_txt
-zeek.opcua_binary_diag_info_detail.locale_txt_str=db:zeek.opcua_binary_diag_info_detail.locale_txt_str;group:zeek_opcua;kind:termfield;friendly:locale_txt_str;help:locale_txt_str
-zeek.opcua_binary_diag_info_detail.has_addl_info=db:zeek.opcua_binary_diag_info_detail.has_addl_info;group:zeek_opcua;kind:termfield;friendly:has_addl_info;help:has_addl_info
-zeek.opcua_binary_diag_info_detail.addl_info=db:zeek.opcua_binary_diag_info_detail.addl_info;group:zeek_opcua;kind:termfield;friendly:addl_info;help:addl_info
-zeek.opcua_binary_diag_info_detail.has_inner_stat_code=db:zeek.opcua_binary_diag_info_detail.has_inner_stat_code;group:zeek_opcua;kind:termfield;friendly:has_inner_stat_code;help:has_inner_stat_code
-zeek.opcua_binary_diag_info_detail.inner_stat_code=db:zeek.opcua_binary_diag_info_detail.inner_stat_code;group:zeek_opcua;kind:termfield;friendly:inner_stat_code;help:inner_stat_code
-zeek.opcua_binary_diag_info_detail.has_inner_diag_info=db:zeek.opcua_binary_diag_info_detail.has_inner_diag_info;group:zeek_opcua;kind:termfield;friendly:has_inner_diag_info;help:has_inner_diag_info
+zeek.opcua_binary_diag_info_detail.diag_info_link_id=db:zeek.opcua_binary_diag_info_detail.diag_info_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:diag_info_link_id;help:diag_info_link_id
+zeek.opcua_binary_diag_info_detail.root_object_id=db:zeek.opcua_binary_diag_info_detail.root_object_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:root_object_id;help:root_object_id
+zeek.opcua_binary_diag_info_detail.source=db:zeek.opcua_binary_diag_info_detail.source;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source;help:source
+zeek.opcua_binary_diag_info_detail.source_str=db:zeek.opcua_binary_diag_info_detail.source_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:source_str;help:source_str
+zeek.opcua_binary_diag_info_detail.inner_diag_level=db:zeek.opcua_binary_diag_info_detail.inner_diag_level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:inner_diag_level;help:inner_diag_level
+zeek.opcua_binary_diag_info_detail.has_symbolic_id=db:zeek.opcua_binary_diag_info_detail.has_symbolic_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_symbolic_id;help:has_symbolic_id
+zeek.opcua_binary_diag_info_detail.symbolic_id=db:zeek.opcua_binary_diag_info_detail.symbolic_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:symbolic_id;help:symbolic_id
+zeek.opcua_binary_diag_info_detail.symbolic_id_str=db:zeek.opcua_binary_diag_info_detail.symbolic_id_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:symbolic_id_str;help:symbolic_id_str
+zeek.opcua_binary_diag_info_detail.has_namespace_uri=db:zeek.opcua_binary_diag_info_detail.has_namespace_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_namespace_uri;help:has_namespace_uri
+zeek.opcua_binary_diag_info_detail.namespace_uri=db:zeek.opcua_binary_diag_info_detail.namespace_uri;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:namespace_uri;help:namespace_uri
+zeek.opcua_binary_diag_info_detail.namespace_uri_str=db:zeek.opcua_binary_diag_info_detail.namespace_uri_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:namespace_uri_str;help:namespace_uri_str
+zeek.opcua_binary_diag_info_detail.has_locale=db:zeek.opcua_binary_diag_info_detail.has_locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_locale;help:has_locale
+zeek.opcua_binary_diag_info_detail.locale=db:zeek.opcua_binary_diag_info_detail.locale;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:locale;help:locale
+zeek.opcua_binary_diag_info_detail.locale_str=db:zeek.opcua_binary_diag_info_detail.locale_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale_str;help:locale_str
+zeek.opcua_binary_diag_info_detail.has_locale_txt=db:zeek.opcua_binary_diag_info_detail.has_locale_txt;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_locale_txt;help:has_locale_txt
+zeek.opcua_binary_diag_info_detail.locale_txt=db:zeek.opcua_binary_diag_info_detail.locale_txt;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:locale_txt;help:locale_txt
+zeek.opcua_binary_diag_info_detail.locale_txt_str=db:zeek.opcua_binary_diag_info_detail.locale_txt_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale_txt_str;help:locale_txt_str
+zeek.opcua_binary_diag_info_detail.has_addl_info=db:zeek.opcua_binary_diag_info_detail.has_addl_info;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_addl_info;help:has_addl_info
+zeek.opcua_binary_diag_info_detail.addl_info=db:zeek.opcua_binary_diag_info_detail.addl_info;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:addl_info;help:addl_info
+zeek.opcua_binary_diag_info_detail.has_inner_stat_code=db:zeek.opcua_binary_diag_info_detail.has_inner_stat_code;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_inner_stat_code;help:has_inner_stat_code
+zeek.opcua_binary_diag_info_detail.inner_stat_code=db:zeek.opcua_binary_diag_info_detail.inner_stat_code;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:inner_stat_code;help:inner_stat_code
+zeek.opcua_binary_diag_info_detail.has_inner_diag_info=db:zeek.opcua_binary_diag_info_detail.has_inner_diag_info;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_inner_diag_info;help:has_inner_diag_info
 # opcua_binary_event_filter_element_operand.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_element_operand.element_index=db:zeek.opcua_binary_event_filter_element_operand.element_index;group:zeek_opcua;kind:integer;friendly:element_index;help:element_index
+zeek.opcua_binary_event_filter_element_operand.element_index=db:zeek.opcua_binary_event_filter_element_operand.element_index;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:element_index;help:element_index
 # opcua_binary_event_filter.log
 # https://github.com/cisagov/icsnpp-opcua-binary
 # opcua_binary_get_endpoints.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints.endpoint_url=db:zeek.opcua_binary_get_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary_get_endpoints.endpoint_url=db:zeek.opcua_binary_get_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_url;help:endpoint_url
 # opcua_binary_get_endpoints_description.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id=db:zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id;group:zeek_opcua;kind:termfield;friendly:endpoint_description_link_id;help:endpoint_description_link_id
-zeek.opcua_binary_get_endpoints_description.endpoint_uri=db:zeek.opcua_binary_get_endpoints_description.endpoint_uri;group:zeek_opcua;kind:termfield;friendly:endpoint_uri;help:endpoint_uri
-zeek.opcua_binary_get_endpoints_description.application_uri=db:zeek.opcua_binary_get_endpoints_description.application_uri;group:zeek_opcua;kind:termfield;friendly:application_uri;help:application_uri
-zeek.opcua_binary_get_endpoints_description.product_uri=db:zeek.opcua_binary_get_endpoints_description.product_uri;group:zeek_opcua;kind:termfield;friendly:product_uri;help:product_uri
-zeek.opcua_binary_get_endpoints_description.encoding_mask=db:zeek.opcua_binary_get_endpoints_description.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
-zeek.opcua_binary_get_endpoints_description.locale=db:zeek.opcua_binary_get_endpoints_description.locale;group:zeek_opcua;kind:termfield;friendly:locale;help:locale
-zeek.opcua_binary_get_endpoints_description.text=db:zeek.opcua_binary_get_endpoints_description.text;group:zeek_opcua;kind:termfield;friendly:text;help:text
-zeek.opcua_binary_get_endpoints_description.application_type=db:zeek.opcua_binary_get_endpoints_description.application_type;group:zeek_opcua;kind:integer;friendly:application_type;help:application_type
-zeek.opcua_binary_get_endpoints_description.gateway_server_uri=db:zeek.opcua_binary_get_endpoints_description.gateway_server_uri;group:zeek_opcua;kind:termfield;friendly:gateway_server_uri;help:gateway_server_uri
-zeek.opcua_binary_get_endpoints_description.discovery_profile_uri=db:zeek.opcua_binary_get_endpoints_description.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
-zeek.opcua_binary_get_endpoints_description.cert_size=db:zeek.opcua_binary_get_endpoints_description.cert_size;group:zeek_opcua;kind:integer;friendly:cert_size;help:cert_size
-zeek.opcua_binary_get_endpoints_description.server_cert=db:zeek.opcua_binary_get_endpoints_description.server_cert;group:zeek_opcua;kind:termfield;friendly:server_cert;help:server_cert
-zeek.opcua_binary_get_endpoints_description.message_security_mode=db:zeek.opcua_binary_get_endpoints_description.message_security_mode;group:zeek_opcua;kind:integer;friendly:message_security_mode;help:message_security_mode
-zeek.opcua_binary_get_endpoints_description.security_policy_uri=db:zeek.opcua_binary_get_endpoints_description.security_policy_uri;group:zeek_opcua;kind:termfield;friendly:security_policy_uri;help:security_policy_uri
-zeek.opcua_binary_get_endpoints_description.transport_profile_uri=db:zeek.opcua_binary_get_endpoints_description.transport_profile_uri;group:zeek_opcua;kind:termfield;friendly:transport_profile_uri;help:transport_profile_uri
-zeek.opcua_binary_get_endpoints_description.security_level=db:zeek.opcua_binary_get_endpoints_description.security_level;group:zeek_opcua;kind:integer;friendly:security_level;help:security_level
+zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id=db:zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_description_link_id;help:endpoint_description_link_id
+zeek.opcua_binary_get_endpoints_description.endpoint_uri=db:zeek.opcua_binary_get_endpoints_description.endpoint_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_uri;help:endpoint_uri
+zeek.opcua_binary_get_endpoints_description.application_uri=db:zeek.opcua_binary_get_endpoints_description.application_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:application_uri;help:application_uri
+zeek.opcua_binary_get_endpoints_description.product_uri=db:zeek.opcua_binary_get_endpoints_description.product_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:product_uri;help:product_uri
+zeek.opcua_binary_get_endpoints_description.encoding_mask=db:zeek.opcua_binary_get_endpoints_description.encoding_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary_get_endpoints_description.locale=db:zeek.opcua_binary_get_endpoints_description.locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale;help:locale
+zeek.opcua_binary_get_endpoints_description.text=db:zeek.opcua_binary_get_endpoints_description.text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:text;help:text
+zeek.opcua_binary_get_endpoints_description.application_type=db:zeek.opcua_binary_get_endpoints_description.application_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:application_type;help:application_type
+zeek.opcua_binary_get_endpoints_description.gateway_server_uri=db:zeek.opcua_binary_get_endpoints_description.gateway_server_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:gateway_server_uri;help:gateway_server_uri
+zeek.opcua_binary_get_endpoints_description.discovery_profile_uri=db:zeek.opcua_binary_get_endpoints_description.discovery_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_get_endpoints_description.cert_size=db:zeek.opcua_binary_get_endpoints_description.cert_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:cert_size;help:cert_size
+zeek.opcua_binary_get_endpoints_description.server_cert=db:zeek.opcua_binary_get_endpoints_description.server_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_cert;help:server_cert
+zeek.opcua_binary_get_endpoints_description.message_security_mode=db:zeek.opcua_binary_get_endpoints_description.message_security_mode;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:message_security_mode;help:message_security_mode
+zeek.opcua_binary_get_endpoints_description.security_policy_uri=db:zeek.opcua_binary_get_endpoints_description.security_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:security_policy_uri;help:security_policy_uri
+zeek.opcua_binary_get_endpoints_description.transport_profile_uri=db:zeek.opcua_binary_get_endpoints_description.transport_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:transport_profile_uri;help:transport_profile_uri
+zeek.opcua_binary_get_endpoints_description.security_level=db:zeek.opcua_binary_get_endpoints_description.security_level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:security_level;help:security_level
 # opcua_binary_get_endpoints_discovery.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;friendly:discovery_profile_link_id;help:discovery_profile_link_id
-zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;friendly:discovery_profile_url;help:discovery_profile_url
+zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_link_id;help:discovery_profile_link_id
+zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_url;help:discovery_profile_url
 # opcua_binary_get_endpoints_locale_id.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_locale_id.locale_link_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_link_id;group:zeek_opcua;kind:termfield;friendly:locale_link_id;help:locale_link_id
-zeek.opcua_binary_get_endpoints_locale_id.locale_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_id;group:zeek_opcua;kind:termfield;friendly:locale_id;help:locale_id
+zeek.opcua_binary_get_endpoints_locale_id.locale_link_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale_link_id;help:locale_link_id
+zeek.opcua_binary_get_endpoints_locale_id.locale_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale_id;help:locale_id
 # opcua_binary_get_endpoints_profile_uri.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id;group:zeek_opcua;kind:termfield;friendly:profile_uri_link_id;help:profile_uri_link_id
-zeek.opcua_binary_get_endpoints_profile_uri.profile_uri=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri;group:zeek_opcua;kind:termfield;friendly:profile_uri;help:profile_uri
+zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:profile_uri_link_id;help:profile_uri_link_id
+zeek.opcua_binary_get_endpoints_profile_uri.profile_uri=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:profile_uri;help:profile_uri
 # opcua_binary_get_endpoints_user_token.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_user_token.user_token_link_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;friendly:user_token_link_id;help:user_token_link_id
-zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;friendly:user_token_policy_id;help:user_token_policy_id
-zeek.opcua_binary_get_endpoints_user_token.user_token_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_type;group:zeek_opcua;kind:integer;friendly:user_token_type;help:user_token_type
-zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;friendly:user_token_issued_type;help:user_token_issued_type
-zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url=db:zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;friendly:user_token_endpoint_url;help:user_token_endpoint_url
-zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
+zeek.opcua_binary_get_endpoints_user_token.user_token_link_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_link_id;help:user_token_link_id
+zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_policy_id;help:user_token_policy_id
+zeek.opcua_binary_get_endpoints_user_token.user_token_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:user_token_type;help:user_token_type
+zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_issued_type;help:user_token_issued_type
+zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url=db:zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_endpoint_url;help:user_token_endpoint_url
+zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
 # opcua_binary.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary.encoding_mask=db:zeek.opcua_binary.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
-zeek.opcua_binary.endpoint_url=db:zeek.opcua_binary.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
-zeek.opcua_binary.error=db:zeek.opcua_binary.error;group:zeek_opcua;kind:integer;friendly:error;help:error
-zeek.opcua_binary.filter_source_link_id=db:zeek.opcua_binary.filter_source_link_id;group:zeek_opcua;kind:termfield;friendly:filter_source_link_id;help:filter_source_link_id
-zeek.opcua_binary.identifier=db:zeek.opcua_binary.identifier;group:zeek_opcua;kind:integer;friendly:identifier;help:identifier
-zeek.opcua_binary.identifier_str=db:zeek.opcua_binary.identifier_str;group:zeek_opcua;kind:termfield;friendly:identifier_str;help:identifier_str
-zeek.opcua_binary.is_final=db:zeek.opcua_binary.is_final;group:zeek_opcua;kind:termfield;friendly:is_final;help:is_final
-zeek.opcua_binary.max_chunk_cnt=db:zeek.opcua_binary.max_chunk_cnt;group:zeek_opcua;kind:integer;friendly:max_chunk_cnt;help:max_chunk_cnt
-zeek.opcua_binary.max_msg_size=db:zeek.opcua_binary.max_msg_size;group:zeek_opcua;kind:integer;friendly:max_msg_size;help:max_msg_size
-zeek.opcua_binary.msg_size=db:zeek.opcua_binary.msg_size;group:zeek_opcua;kind:integer;friendly:msg_size;help:msg_size
-zeek.opcua_binary.msg_type=db:zeek.opcua_binary.msg_type;group:zeek_opcua;kind:termfield;friendly:msg_type;help:msg_type
-zeek.opcua_binary.namespace_idx=db:zeek.opcua_binary.namespace_idx;group:zeek_opcua;kind:termfield;friendly:namespace_idx;help:namespace_idx
-zeek.opcua_binary.opcua_link_id=db:zeek.opcua_binary.opcua_link_id;group:zeek_opcua;kind:termfield;friendly:opcua_link_id;help:opcua_link_id
-zeek.opcua_binary.operand_source_link_id=db:zeek.opcua_binary.operand_source_link_id;group:zeek_opcua;kind:termfield;friendly:operand_source_link_id;help:operand_source_link_id
-zeek.opcua_binary.rcv_buf_size=db:zeek.opcua_binary.rcv_buf_size;group:zeek_opcua;kind:integer;friendly:rcv_buf_size;help:rcv_buf_size
-zeek.opcua_binary.rcv_cert=db:zeek.opcua_binary.rcv_cert;group:zeek_opcua;kind:termfield;friendly:rcv_cert;help:rcv_cert
-zeek.opcua_binary.rcv_cert_len=db:zeek.opcua_binary.rcv_cert_len;group:zeek_opcua;kind:integer;friendly:rcv_cert_len;help:rcv_cert_len
-zeek.opcua_binary.reason=db:zeek.opcua_binary.reason;group:zeek_opcua;kind:termfield;friendly:reason;help:reason
-zeek.opcua_binary.req_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.req_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;friendly:req_hdr_add_hdr_enc_mask;help:req_hdr_add_hdr_enc_mask
-zeek.opcua_binary.req_hdr_add_hdr_type_id=db:zeek.opcua_binary.req_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;friendly:req_hdr_add_hdr_type_id;help:req_hdr_add_hdr_type_id
-zeek.opcua_binary.req_hdr_audit_entry_id=db:zeek.opcua_binary.req_hdr_audit_entry_id;group:zeek_opcua;kind:termfield;friendly:req_hdr_audit_entry_id;help:req_hdr_audit_entry_id
-zeek.opcua_binary.req_hdr_node_id_guid=db:zeek.opcua_binary.req_hdr_node_id_guid;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_guid;help:req_hdr_node_id_guid
-zeek.opcua_binary.req_hdr_node_id_namespace_idx=db:zeek.opcua_binary.req_hdr_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_namespace_idx;help:req_hdr_node_id_namespace_idx
-zeek.opcua_binary.req_hdr_node_id_numeric=db:zeek.opcua_binary.req_hdr_node_id_numeric;group:zeek_opcua;kind:integer;friendly:req_hdr_node_id_numeric;help:req_hdr_node_id_numeric
-zeek.opcua_binary.req_hdr_node_id_opaque=db:zeek.opcua_binary.req_hdr_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_opaque;help:req_hdr_node_id_opaque
-zeek.opcua_binary.req_hdr_node_id_string=db:zeek.opcua_binary.req_hdr_node_id_string;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_string;help:req_hdr_node_id_string
-zeek.opcua_binary.req_hdr_node_id_type=db:zeek.opcua_binary.req_hdr_node_id_type;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_type;help:req_hdr_node_id_type
-zeek.opcua_binary.req_hdr_request_handle=db:zeek.opcua_binary.req_hdr_request_handle;group:zeek_opcua;kind:integer;friendly:req_hdr_request_handle;help:req_hdr_request_handle
-zeek.opcua_binary.req_hdr_return_diag=db:zeek.opcua_binary.req_hdr_return_diag;group:zeek_opcua;kind:integer;friendly:req_hdr_return_diag;help:req_hdr_return_diag
-zeek.opcua_binary.req_hdr_timeout_hint=db:zeek.opcua_binary.req_hdr_timeout_hint;group:zeek_opcua;kind:integer;friendly:req_hdr_timeout_hint;help:req_hdr_timeout_hint
-zeek.opcua_binary.req_hdr_timestamp=db:zeek.opcua_binary.req_hdr_timestamp;group:zeek_opcua;kind:termfield;friendly:req_hdr_timestamp;help:req_hdr_timestamp
-zeek.opcua_binary.request_id=db:zeek.opcua_binary.request_id;group:zeek_opcua;kind:integer;friendly:request_id;help:request_id
-zeek.opcua_binary.res_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.res_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;friendly:res_hdr_add_hdr_enc_mask;help:res_hdr_add_hdr_enc_mask
-zeek.opcua_binary.res_hdr_add_hdr_type_id=db:zeek.opcua_binary.res_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;friendly:res_hdr_add_hdr_type_id;help:res_hdr_add_hdr_type_id
-zeek.opcua_binary.res_hdr_request_handle=db:zeek.opcua_binary.res_hdr_request_handle;group:zeek_opcua;kind:integer;friendly:res_hdr_request_handle;help:res_hdr_request_handle
-zeek.opcua_binary.res_hdr_service_diag_encoding=db:zeek.opcua_binary.res_hdr_service_diag_encoding;group:zeek_opcua;kind:integer;friendly:res_hdr_service_diag_encoding;help:res_hdr_service_diag_encoding
-zeek.opcua_binary.res_hdr_timestamp=db:zeek.opcua_binary.res_hdr_timestamp;group:zeek_opcua;kind:termfield;friendly:res_hdr_timestamp;help:res_hdr_timestamp
-zeek.opcua_binary.sec_channel_id=db:zeek.opcua_binary.sec_channel_id;group:zeek_opcua;kind:integer;friendly:sec_channel_id;help:sec_channel_id
-zeek.opcua_binary.sec_policy_uri=db:zeek.opcua_binary.sec_policy_uri;group:zeek_opcua;kind:termfield;friendly:sec_policy_uri;help:sec_policy_uri
-zeek.opcua_binary.sec_policy_uri_len=db:zeek.opcua_binary.sec_policy_uri_len;group:zeek_opcua;kind:integer;friendly:sec_policy_uri_len;help:sec_policy_uri_len
-zeek.opcua_binary.seq_number=db:zeek.opcua_binary.seq_number;group:zeek_opcua;kind:integer;friendly:seq_number;help:seq_number
-zeek.opcua_binary.snd_buf_size=db:zeek.opcua_binary.snd_buf_size;group:zeek_opcua;kind:integer;friendly:snd_buf_size;help:snd_buf_size
-zeek.opcua_binary.snd_cert=db:zeek.opcua_binary.snd_cert;group:zeek_opcua;kind:termfield;friendly:snd_cert;help:snd_cert
-zeek.opcua_binary.snd_cert_len=db:zeek.opcua_binary.snd_cert_len;group:zeek_opcua;kind:integer;friendly:snd_cert_len;help:snd_cert_len
-zeek.opcua_binary.variant_source_link_id=db:zeek.opcua_binary.variant_source_link_id;group:zeek_opcua;kind:termfield;friendly:variant_source_link_id;help:variant_source_link_id
-zeek.opcua_binary.version=db:zeek.opcua_binary.version;group:zeek_opcua;kind:integer;friendly:version;help:version
+zeek.opcua_binary.encoding_mask=db:zeek.opcua_binary.encoding_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary.endpoint_url=db:zeek.opcua_binary.endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary.error=db:zeek.opcua_binary.error;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:error;help:error
+zeek.opcua_binary.filter_source_link_id=db:zeek.opcua_binary.filter_source_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:filter_source_link_id;help:filter_source_link_id
+zeek.opcua_binary.identifier=db:zeek.opcua_binary.identifier;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:identifier;help:identifier
+zeek.opcua_binary.identifier_str=db:zeek.opcua_binary.identifier_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:identifier_str;help:identifier_str
+zeek.opcua_binary.is_final=db:zeek.opcua_binary.is_final;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:is_final;help:is_final
+zeek.opcua_binary.max_chunk_cnt=db:zeek.opcua_binary.max_chunk_cnt;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_chunk_cnt;help:max_chunk_cnt
+zeek.opcua_binary.max_msg_size=db:zeek.opcua_binary.max_msg_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_msg_size;help:max_msg_size
+zeek.opcua_binary.msg_size=db:zeek.opcua_binary.msg_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:msg_size;help:msg_size
+zeek.opcua_binary.msg_type=db:zeek.opcua_binary.msg_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:msg_type;help:msg_type
+zeek.opcua_binary.namespace_idx=db:zeek.opcua_binary.namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:namespace_idx;help:namespace_idx
+zeek.opcua_binary.opcua_link_id=db:zeek.opcua_binary.opcua_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:opcua_link_id;help:opcua_link_id
+zeek.opcua_binary.operand_source_link_id=db:zeek.opcua_binary.operand_source_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:operand_source_link_id;help:operand_source_link_id
+zeek.opcua_binary.rcv_buf_size=db:zeek.opcua_binary.rcv_buf_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:rcv_buf_size;help:rcv_buf_size
+zeek.opcua_binary.rcv_cert=db:zeek.opcua_binary.rcv_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:rcv_cert;help:rcv_cert
+zeek.opcua_binary.rcv_cert_len=db:zeek.opcua_binary.rcv_cert_len;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:rcv_cert_len;help:rcv_cert_len
+zeek.opcua_binary.reason=db:zeek.opcua_binary.reason;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:reason;help:reason
+zeek.opcua_binary.req_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.req_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_add_hdr_enc_mask;help:req_hdr_add_hdr_enc_mask
+zeek.opcua_binary.req_hdr_add_hdr_type_id=db:zeek.opcua_binary.req_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_add_hdr_type_id;help:req_hdr_add_hdr_type_id
+zeek.opcua_binary.req_hdr_audit_entry_id=db:zeek.opcua_binary.req_hdr_audit_entry_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_audit_entry_id;help:req_hdr_audit_entry_id
+zeek.opcua_binary.req_hdr_node_id_guid=db:zeek.opcua_binary.req_hdr_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_guid;help:req_hdr_node_id_guid
+zeek.opcua_binary.req_hdr_node_id_namespace_idx=db:zeek.opcua_binary.req_hdr_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_namespace_idx;help:req_hdr_node_id_namespace_idx
+zeek.opcua_binary.req_hdr_node_id_numeric=db:zeek.opcua_binary.req_hdr_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_node_id_numeric;help:req_hdr_node_id_numeric
+zeek.opcua_binary.req_hdr_node_id_opaque=db:zeek.opcua_binary.req_hdr_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_opaque;help:req_hdr_node_id_opaque
+zeek.opcua_binary.req_hdr_node_id_string=db:zeek.opcua_binary.req_hdr_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_string;help:req_hdr_node_id_string
+zeek.opcua_binary.req_hdr_node_id_type=db:zeek.opcua_binary.req_hdr_node_id_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_type;help:req_hdr_node_id_type
+zeek.opcua_binary.req_hdr_request_handle=db:zeek.opcua_binary.req_hdr_request_handle;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_request_handle;help:req_hdr_request_handle
+zeek.opcua_binary.req_hdr_return_diag=db:zeek.opcua_binary.req_hdr_return_diag;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_return_diag;help:req_hdr_return_diag
+zeek.opcua_binary.req_hdr_timeout_hint=db:zeek.opcua_binary.req_hdr_timeout_hint;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_timeout_hint;help:req_hdr_timeout_hint
+zeek.opcua_binary.req_hdr_timestamp=db:zeek.opcua_binary.req_hdr_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_timestamp;help:req_hdr_timestamp
+zeek.opcua_binary.request_id=db:zeek.opcua_binary.request_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:request_id;help:request_id
+zeek.opcua_binary.res_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.res_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:res_hdr_add_hdr_enc_mask;help:res_hdr_add_hdr_enc_mask
+zeek.opcua_binary.res_hdr_add_hdr_type_id=db:zeek.opcua_binary.res_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:res_hdr_add_hdr_type_id;help:res_hdr_add_hdr_type_id
+zeek.opcua_binary.res_hdr_request_handle=db:zeek.opcua_binary.res_hdr_request_handle;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:res_hdr_request_handle;help:res_hdr_request_handle
+zeek.opcua_binary.res_hdr_service_diag_encoding=db:zeek.opcua_binary.res_hdr_service_diag_encoding;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:res_hdr_service_diag_encoding;help:res_hdr_service_diag_encoding
+zeek.opcua_binary.res_hdr_timestamp=db:zeek.opcua_binary.res_hdr_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:res_hdr_timestamp;help:res_hdr_timestamp
+zeek.opcua_binary.sec_channel_id=db:zeek.opcua_binary.sec_channel_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_channel_id;help:sec_channel_id
+zeek.opcua_binary.sec_policy_uri=db:zeek.opcua_binary.sec_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:sec_policy_uri;help:sec_policy_uri
+zeek.opcua_binary.sec_policy_uri_len=db:zeek.opcua_binary.sec_policy_uri_len;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_policy_uri_len;help:sec_policy_uri_len
+zeek.opcua_binary.seq_number=db:zeek.opcua_binary.seq_number;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:seq_number;help:seq_number
+zeek.opcua_binary.snd_buf_size=db:zeek.opcua_binary.snd_buf_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:snd_buf_size;help:snd_buf_size
+zeek.opcua_binary.snd_cert=db:zeek.opcua_binary.snd_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:snd_cert;help:snd_cert
+zeek.opcua_binary.snd_cert_len=db:zeek.opcua_binary.snd_cert_len;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:snd_cert_len;help:snd_cert_len
+zeek.opcua_binary.variant_source_link_id=db:zeek.opcua_binary.variant_source_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_source_link_id;help:variant_source_link_id
+zeek.opcua_binary.version=db:zeek.opcua_binary.version;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:version;help:version
 # opcua_binary_event_filter_literal_operand.log
@@ -1225,1329 +1222,1329 @@ zeek.opcua_binary.version=db:zeek.opcua_binary.version;group:zeek_opcua;kind:int
 # opcua_binary_opensecure_channel.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_opensecure_channel.client_proto_ver=db:zeek.opcua_binary_opensecure_channel.client_proto_ver;group:zeek_opcua;kind:integer;friendly:client_proto_ver;help:client_proto_ver
-zeek.opcua_binary_opensecure_channel.sec_token_request_type=db:zeek.opcua_binary_opensecure_channel.sec_token_request_type;group:zeek_opcua;kind:integer;friendly:sec_token_request_type;help:sec_token_request_type
-zeek.opcua_binary_opensecure_channel.message_security_mode=db:zeek.opcua_binary_opensecure_channel.message_security_mode;group:zeek_opcua;kind:integer;friendly:message_security_mode;help:message_security_mode
-zeek.opcua_binary_opensecure_channel.client_nonce=db:zeek.opcua_binary_opensecure_channel.client_nonce;group:zeek_opcua;kind:termfield;friendly:client_nonce;help:client_nonce
-zeek.opcua_binary_opensecure_channel.req_lifetime=db:zeek.opcua_binary_opensecure_channel.req_lifetime;group:zeek_opcua;kind:integer;friendly:req_lifetime;help:req_lifetime
-zeek.opcua_binary_opensecure_channel.server_proto_ver=db:zeek.opcua_binary_opensecure_channel.server_proto_ver;group:zeek_opcua;kind:integer;friendly:server_proto_ver;help:server_proto_ver
-zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id=db:zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id;group:zeek_opcua;kind:integer;friendly:sec_token_sec_channel_id;help:sec_token_sec_channel_id
-zeek.opcua_binary_opensecure_channel.sec_token_id=db:zeek.opcua_binary_opensecure_channel.sec_token_id;group:zeek_opcua;kind:integer;friendly:sec_token_id;help:sec_token_id
-zeek.opcua_binary_opensecure_channel.sec_token_created_at=db:zeek.opcua_binary_opensecure_channel.sec_token_created_at;group:zeek_opcua;kind:termfield;friendly:sec_token_created_at;help:sec_token_created_at
-zeek.opcua_binary_opensecure_channel.sec_token_revised_time=db:zeek.opcua_binary_opensecure_channel.sec_token_revised_time;group:zeek_opcua;kind:integer;friendly:sec_token_revised_time;help:sec_token_revised_time
-zeek.opcua_binary_opensecure_channel.server_nonce=db:zeek.opcua_binary_opensecure_channel.server_nonce;group:zeek_opcua;kind:termfield;friendly:server_nonce;help:server_nonce
+zeek.opcua_binary_opensecure_channel.client_proto_ver=db:zeek.opcua_binary_opensecure_channel.client_proto_ver;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:client_proto_ver;help:client_proto_ver
+zeek.opcua_binary_opensecure_channel.sec_token_request_type=db:zeek.opcua_binary_opensecure_channel.sec_token_request_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_token_request_type;help:sec_token_request_type
+zeek.opcua_binary_opensecure_channel.message_security_mode=db:zeek.opcua_binary_opensecure_channel.message_security_mode;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:message_security_mode;help:message_security_mode
+zeek.opcua_binary_opensecure_channel.client_nonce=db:zeek.opcua_binary_opensecure_channel.client_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_nonce;help:client_nonce
+zeek.opcua_binary_opensecure_channel.req_lifetime=db:zeek.opcua_binary_opensecure_channel.req_lifetime;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_lifetime;help:req_lifetime
+zeek.opcua_binary_opensecure_channel.server_proto_ver=db:zeek.opcua_binary_opensecure_channel.server_proto_ver;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:server_proto_ver;help:server_proto_ver
+zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id=db:zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_token_sec_channel_id;help:sec_token_sec_channel_id
+zeek.opcua_binary_opensecure_channel.sec_token_id=db:zeek.opcua_binary_opensecure_channel.sec_token_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_token_id;help:sec_token_id
+zeek.opcua_binary_opensecure_channel.sec_token_created_at=db:zeek.opcua_binary_opensecure_channel.sec_token_created_at;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:sec_token_created_at;help:sec_token_created_at
+zeek.opcua_binary_opensecure_channel.sec_token_revised_time=db:zeek.opcua_binary_opensecure_channel.sec_token_revised_time;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_token_revised_time;help:sec_token_revised_time
+zeek.opcua_binary_opensecure_channel.server_nonce=db:zeek.opcua_binary_opensecure_channel.server_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_nonce;help:server_nonce
 # opcua_binary_read.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_read.max_age=db:zeek.opcua_binary_read.max_age;group:zeek_opcua;kind:integer;friendly:max_age;help:max_age
-zeek.opcua_binary_read.timestamps_to_return=db:zeek.opcua_binary_read.timestamps_to_return;group:zeek_opcua;kind:integer;friendly:timestamps_to_return;help:timestamps_to_return
-zeek.opcua_binary_read.timestamps_to_return_str=db:zeek.opcua_binary_read.timestamps_to_return_str;group:zeek_opcua;kind:termfield;friendly:timestamps_to_return_str;help:timestamps_to_return_str
+zeek.opcua_binary_read.max_age=db:zeek.opcua_binary_read.max_age;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_age;help:max_age
+zeek.opcua_binary_read.timestamps_to_return=db:zeek.opcua_binary_read.timestamps_to_return;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:timestamps_to_return;help:timestamps_to_return
+zeek.opcua_binary_read.timestamps_to_return_str=db:zeek.opcua_binary_read.timestamps_to_return_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:timestamps_to_return_str;help:timestamps_to_return_str
 # opcua_binary_read_nodes_to_read.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_read_nodes_to_read.nodes_to_read_link_id=db:zeek.opcua_binary_read_nodes_to_read.nodes_to_read_link_id;group:zeek_opcua;kind:termfield;friendly:nodes_to_read_link_id;help:nodes_to_read_link_id
-zeek.opcua_binary_read_nodes_to_read.node_id_encoding_mask=db:zeek.opcua_binary_read_nodes_to_read.node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:node_id_encoding_mask;help:node_id_encoding_mask
-zeek.opcua_binary_read_nodes_to_read.node_id_namespace_idx=db:zeek.opcua_binary_read_nodes_to_read.node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:node_id_namespace_idx;help:node_id_namespace_idx
-zeek.opcua_binary_read_nodes_to_read.node_id_numeric=db:zeek.opcua_binary_read_nodes_to_read.node_id_numeric;group:zeek_opcua;kind:integer;friendly:node_id_numeric;help:node_id_numeric
-zeek.opcua_binary_read_nodes_to_read.node_id_string=db:zeek.opcua_binary_read_nodes_to_read.node_id_string;group:zeek_opcua;kind:termfield;friendly:node_id_string;help:node_id_string
-zeek.opcua_binary_read_nodes_to_read.node_id_guid=db:zeek.opcua_binary_read_nodes_to_read.node_id_guid;group:zeek_opcua;kind:termfield;friendly:node_id_guid;help:node_id_guid
-zeek.opcua_binary_read_nodes_to_read.node_id_opaque=db:zeek.opcua_binary_read_nodes_to_read.node_id_opaque;group:zeek_opcua;kind:termfield;friendly:node_id_opaque;help:node_id_opaque
-zeek.opcua_binary_read_nodes_to_read.attribute_id=db:zeek.opcua_binary_read_nodes_to_read.attribute_id;group:zeek_opcua;kind:integer;friendly:attribute_id;help:attribute_id
-zeek.opcua_binary_read_nodes_to_read.attribute_id_str=db:zeek.opcua_binary_read_nodes_to_read.attribute_id_str;group:zeek_opcua;kind:termfield;friendly:attribute_id_str;help:attribute_id_str
-zeek.opcua_binary_read_nodes_to_read.index_range=db:zeek.opcua_binary_read_nodes_to_read.index_range;group:zeek_opcua;kind:termfield;friendly:index_range;help:index_range
-zeek.opcua_binary_read_nodes_to_read.data_encoding_name_idx=db:zeek.opcua_binary_read_nodes_to_read.data_encoding_name_idx;group:zeek_opcua;kind:integer;friendly:data_encoding_name_idx;help:data_encoding_name_idx
-zeek.opcua_binary_read_nodes_to_read.data_encoding_name=db:zeek.opcua_binary_read_nodes_to_read.data_encoding_name;group:zeek_opcua;kind:termfield;friendly:data_encoding_name;help:data_encoding_name
+zeek.opcua_binary_read_nodes_to_read.nodes_to_read_link_id=db:zeek.opcua_binary_read_nodes_to_read.nodes_to_read_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:nodes_to_read_link_id;help:nodes_to_read_link_id
+zeek.opcua_binary_read_nodes_to_read.node_id_encoding_mask=db:zeek.opcua_binary_read_nodes_to_read.node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_encoding_mask;help:node_id_encoding_mask
+zeek.opcua_binary_read_nodes_to_read.node_id_namespace_idx=db:zeek.opcua_binary_read_nodes_to_read.node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_namespace_idx;help:node_id_namespace_idx
+zeek.opcua_binary_read_nodes_to_read.node_id_numeric=db:zeek.opcua_binary_read_nodes_to_read.node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:node_id_numeric;help:node_id_numeric
+zeek.opcua_binary_read_nodes_to_read.node_id_string=db:zeek.opcua_binary_read_nodes_to_read.node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_string;help:node_id_string
+zeek.opcua_binary_read_nodes_to_read.node_id_guid=db:zeek.opcua_binary_read_nodes_to_read.node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_guid;help:node_id_guid
+zeek.opcua_binary_read_nodes_to_read.node_id_opaque=db:zeek.opcua_binary_read_nodes_to_read.node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_opaque;help:node_id_opaque
+zeek.opcua_binary_read_nodes_to_read.attribute_id=db:zeek.opcua_binary_read_nodes_to_read.attribute_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:attribute_id;help:attribute_id
+zeek.opcua_binary_read_nodes_to_read.attribute_id_str=db:zeek.opcua_binary_read_nodes_to_read.attribute_id_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:attribute_id_str;help:attribute_id_str
+zeek.opcua_binary_read_nodes_to_read.index_range=db:zeek.opcua_binary_read_nodes_to_read.index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:index_range;help:index_range
+zeek.opcua_binary_read_nodes_to_read.data_encoding_name_idx=db:zeek.opcua_binary_read_nodes_to_read.data_encoding_name_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:data_encoding_name_idx;help:data_encoding_name_idx
+zeek.opcua_binary_read_nodes_to_read.data_encoding_name=db:zeek.opcua_binary_read_nodes_to_read.data_encoding_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:data_encoding_name;help:data_encoding_name
 # opcua_binary_read_results.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_read_results.results_link_id=db:zeek.opcua_binary_read_results.results_link_id;group:zeek_opcua;kind:termfield;friendly:results_link_id;help:results_link_id
-zeek.opcua_binary_read_results.level=db:zeek.opcua_binary_read_results.level;group:zeek_opcua;kind:integer;friendly:level;help:level
-zeek.opcua_binary_read_results.data_value_encoding_mask=db:zeek.opcua_binary_read_results.data_value_encoding_mask;group:zeek_opcua;kind:termfield;friendly:data_value_encoding_mask;help:data_value_encoding_mask
-zeek.opcua_binary_read_results.source_timestamp=db:zeek.opcua_binary_read_results.source_timestamp;group:zeek_opcua;kind:termfield;friendly:source_timestamp;help:source_timestamp
-zeek.opcua_binary_read_results.source_pico_sec=db:zeek.opcua_binary_read_results.source_pico_sec;group:zeek_opcua;kind:integer;friendly:source_pico_sec;help:source_pico_sec
-zeek.opcua_binary_read_results.server_timestamp=db:zeek.opcua_binary_read_results.server_timestamp;group:zeek_opcua;kind:termfield;friendly:server_timestamp;help:server_timestamp
-zeek.opcua_binary_read_results.server_pico_sec=db:zeek.opcua_binary_read_results.server_pico_sec;group:zeek_opcua;kind:integer;friendly:server_pico_sec;help:server_pico_sec
+zeek.opcua_binary_read_results.results_link_id=db:zeek.opcua_binary_read_results.results_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:results_link_id;help:results_link_id
+zeek.opcua_binary_read_results.level=db:zeek.opcua_binary_read_results.level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:level;help:level
+zeek.opcua_binary_read_results.data_value_encoding_mask=db:zeek.opcua_binary_read_results.data_value_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:data_value_encoding_mask;help:data_value_encoding_mask
+zeek.opcua_binary_read_results.source_timestamp=db:zeek.opcua_binary_read_results.source_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:source_timestamp;help:source_timestamp
+zeek.opcua_binary_read_results.source_pico_sec=db:zeek.opcua_binary_read_results.source_pico_sec;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source_pico_sec;help:source_pico_sec
+zeek.opcua_binary_read_results.server_timestamp=db:zeek.opcua_binary_read_results.server_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_timestamp;help:server_timestamp
+zeek.opcua_binary_read_results.server_pico_sec=db:zeek.opcua_binary_read_results.server_pico_sec;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:server_pico_sec;help:server_pico_sec
 # opcua_binary_event_filter_select_clause.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_select_clause.select_clause_link_id=db:zeek.opcua_binary_event_filter_select_clause.select_clause_link_id;group:zeek_opcua;kind:termfield;friendly:select_clause_link_id;help:select_clause_link_id
-zeek.opcua_binary_event_filter_select_clause.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_select_clause.type_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:type_id_encoding_mask;help:type_id_encoding_mask
-zeek.opcua_binary_event_filter_select_clause.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_select_clause.type_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:type_id_namespace_idx;help:type_id_namespace_idx
-zeek.opcua_binary_event_filter_select_clause.type_id_numeric=db:zeek.opcua_binary_event_filter_select_clause.type_id_numeric;group:zeek_opcua;kind:integer;friendly:type_id_numeric;help:type_id_numeric
-zeek.opcua_binary_event_filter_select_clause.type_id_string=db:zeek.opcua_binary_event_filter_select_clause.type_id_string;group:zeek_opcua;kind:termfield;friendly:type_id_string;help:type_id_string
-zeek.opcua_binary_event_filter_select_clause.type_id_guid=db:zeek.opcua_binary_event_filter_select_clause.type_id_guid;group:zeek_opcua;kind:termfield;friendly:type_id_guid;help:type_id_guid
-zeek.opcua_binary_event_filter_select_clause.type_id_opaque=db:zeek.opcua_binary_event_filter_select_clause.type_id_opaque;group:zeek_opcua;kind:termfield;friendly:type_id_opaque;help:type_id_opaque
-zeek.opcua_binary_event_filter_select_clause.attribute_id=db:zeek.opcua_binary_event_filter_select_clause.attribute_id;group:zeek_opcua;kind:termfield;friendly:attribute_id;help:attribute_id
-zeek.opcua_binary_event_filter_select_clause.index_range=db:zeek.opcua_binary_event_filter_select_clause.index_range;group:zeek_opcua;kind:termfield;friendly:index_range;help:index_range
+zeek.opcua_binary_event_filter_select_clause.select_clause_link_id=db:zeek.opcua_binary_event_filter_select_clause.select_clause_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:select_clause_link_id;help:select_clause_link_id
+zeek.opcua_binary_event_filter_select_clause.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_select_clause.type_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_encoding_mask;help:type_id_encoding_mask
+zeek.opcua_binary_event_filter_select_clause.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_select_clause.type_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_namespace_idx;help:type_id_namespace_idx
+zeek.opcua_binary_event_filter_select_clause.type_id_numeric=db:zeek.opcua_binary_event_filter_select_clause.type_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:type_id_numeric;help:type_id_numeric
+zeek.opcua_binary_event_filter_select_clause.type_id_string=db:zeek.opcua_binary_event_filter_select_clause.type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_string;help:type_id_string
+zeek.opcua_binary_event_filter_select_clause.type_id_guid=db:zeek.opcua_binary_event_filter_select_clause.type_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_guid;help:type_id_guid
+zeek.opcua_binary_event_filter_select_clause.type_id_opaque=db:zeek.opcua_binary_event_filter_select_clause.type_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_opaque;help:type_id_opaque
+zeek.opcua_binary_event_filter_select_clause.attribute_id=db:zeek.opcua_binary_event_filter_select_clause.attribute_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:attribute_id;help:attribute_id
+zeek.opcua_binary_event_filter_select_clause.index_range=db:zeek.opcua_binary_event_filter_select_clause.index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:index_range;help:index_range
 # opcua_binary_event_filter_simple_attribute_operand.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:type_id_encoding_mask;help:type_id_encoding_mask
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:type_id_namespace_idx;help:type_id_namespace_idx
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_numeric=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_numeric;group:zeek_opcua;kind:integer;friendly:type_id_numeric;help:type_id_numeric
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_string=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_string;group:zeek_opcua;kind:termfield;friendly:type_id_string;help:type_id_string
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_guid=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_guid;group:zeek_opcua;kind:termfield;friendly:type_id_guid;help:type_id_guid
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_opaque=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_opaque;group:zeek_opcua;kind:termfield;friendly:type_id_opaque;help:type_id_opaque
-zeek.opcua_binary_event_filter_simple_attribute_operand.attribute_id=db:zeek.opcua_binary_event_filter_simple_attribute_operand.attribute_id;group:zeek_opcua;kind:termfield;friendly:attribute_id;help:attribute_id
-zeek.opcua_binary_event_filter_simple_attribute_operand.index_range=db:zeek.opcua_binary_event_filter_simple_attribute_operand.index_range;group:zeek_opcua;kind:termfield;friendly:index_range;help:index_range
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_encoding_mask;help:type_id_encoding_mask
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_namespace_idx;help:type_id_namespace_idx
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_numeric=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:type_id_numeric;help:type_id_numeric
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_string=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_string;help:type_id_string
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_guid=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_guid;help:type_id_guid
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_opaque=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_opaque;help:type_id_opaque
+zeek.opcua_binary_event_filter_simple_attribute_operand.attribute_id=db:zeek.opcua_binary_event_filter_simple_attribute_operand.attribute_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:attribute_id;help:attribute_id
+zeek.opcua_binary_event_filter_simple_attribute_operand.index_range=db:zeek.opcua_binary_event_filter_simple_attribute_operand.index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:index_range;help:index_range
 # opcua_binary_event_filter_simple_attribute_operand_browse_paths.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.simple_attribute_operand_browse_path_link_id=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.simple_attribute_operand_browse_path_link_id;group:zeek_opcua;kind:termfield;friendly:simple_attribute_operand_browse_path_link_id;help:simple_attribute_operand_browse_path_link_id
-zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.browse_path_src=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.browse_path_src;group:zeek_opcua;kind:termfield;friendly:browse_path_src;help:browse_path_src
-zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.namespace_index=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.namespace_index;group:zeek_opcua;kind:integer;friendly:namespace_index;help:namespace_index
-zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.name=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.name;group:zeek_opcua;kind:termfield;friendly:name;help:name
+zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.simple_attribute_operand_browse_path_link_id=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.simple_attribute_operand_browse_path_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:simple_attribute_operand_browse_path_link_id;help:simple_attribute_operand_browse_path_link_id
+zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.browse_path_src=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.browse_path_src;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_path_src;help:browse_path_src
+zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.namespace_index=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.namespace_index;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:namespace_index;help:namespace_index
+zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.name=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:name;help:name
 # opcua_binary_status_code_detail.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_status_code_detail.status_code_link_id=db:zeek.opcua_binary_status_code_detail.status_code_link_id;group:zeek_opcua;kind:termfield;friendly:status_code_link_id;help:status_code_link_id
-zeek.opcua_binary_status_code_detail.source=db:zeek.opcua_binary_status_code_detail.source;group:zeek_opcua;kind:integer;friendly:source;help:source
-zeek.opcua_binary_status_code_detail.source_str=db:zeek.opcua_binary_status_code_detail.source_str;group:zeek_opcua;kind:termfield;friendly:source_str;help:source_str
-zeek.opcua_binary_status_code_detail.source_level=db:zeek.opcua_binary_status_code_detail.source_level;group:zeek_opcua;kind:integer;friendly:source_level;help:source_level
-zeek.opcua_binary_status_code_detail.status_code=db:zeek.opcua_binary_status_code_detail.status_code;group:zeek_opcua;kind:termfield;friendly:status_code;help:status_code
-zeek.opcua_binary_status_code_detail.severity=db:zeek.opcua_binary_status_code_detail.severity;group:zeek_opcua;kind:integer;friendly:severity;help:severity
-zeek.opcua_binary_status_code_detail.severity_str=db:zeek.opcua_binary_status_code_detail.severity_str;group:zeek_opcua;kind:termfield;friendly:severity_str;help:severity_str
-zeek.opcua_binary_status_code_detail.sub_code=db:zeek.opcua_binary_status_code_detail.sub_code;group:zeek_opcua;kind:integer;friendly:sub_code;help:sub_code
-zeek.opcua_binary_status_code_detail.sub_code_str=db:zeek.opcua_binary_status_code_detail.sub_code_str;group:zeek_opcua;kind:termfield;friendly:sub_code_str;help:sub_code_str
-zeek.opcua_binary_status_code_detail.structure_changed=db:zeek.opcua_binary_status_code_detail.structure_changed;group:zeek_opcua;kind:termfield;friendly:structure_changed;help:structure_changed
-zeek.opcua_binary_status_code_detail.semantics_changed=db:zeek.opcua_binary_status_code_detail.semantics_changed;group:zeek_opcua;kind:termfield;friendly:semantics_changed;help:semantics_changed
-zeek.opcua_binary_status_code_detail.info_type=db:zeek.opcua_binary_status_code_detail.info_type;group:zeek_opcua;kind:integer;friendly:info_type;help:info_type
-zeek.opcua_binary_status_code_detail.info_type_str=db:zeek.opcua_binary_status_code_detail.info_type_str;group:zeek_opcua;kind:termfield;friendly:info_type_str;help:info_type_str
-zeek.opcua_binary_status_code_detail.limit_bits=db:zeek.opcua_binary_status_code_detail.limit_bits;group:zeek_opcua;kind:integer;friendly:limit_bits;help:limit_bits
-zeek.opcua_binary_status_code_detail.limit_bits_str=db:zeek.opcua_binary_status_code_detail.limit_bits_str;group:zeek_opcua;kind:termfield;friendly:limit_bits_str;help:limit_bits_str
-zeek.opcua_binary_status_code_detail.overflow=db:zeek.opcua_binary_status_code_detail.overflow;group:zeek_opcua;kind:termfield;friendly:overflow;help:overflow
-zeek.opcua_binary_status_code_detail.historian_bits=db:zeek.opcua_binary_status_code_detail.historian_bits;group:zeek_opcua;kind:integer;friendly:historian_bits;help:historian_bits
-zeek.opcua_binary_status_code_detail.historian_bits_str=db:zeek.opcua_binary_status_code_detail.historian_bits_str;group:zeek_opcua;kind:termfield;friendly:historian_bits_str;help:historian_bits_str
-zeek.opcua_binary_status_code_detail.historianpartial=db:zeek.opcua_binary_status_code_detail.historianpartial;group:zeek_opcua;kind:termfield;friendly:historianpartial;help:historianpartial
-zeek.opcua_binary_status_code_detail.historianextradata=db:zeek.opcua_binary_status_code_detail.historianextradata;group:zeek_opcua;kind:termfield;friendly:historianextradata;help:historianextradata
-zeek.opcua_binary_status_code_detail.historianmultivalue=db:zeek.opcua_binary_status_code_detail.historianmultivalue;group:zeek_opcua;kind:termfield;friendly:historianmultivalue;help:historianmultivalue
+zeek.opcua_binary_status_code_detail.status_code_link_id=db:zeek.opcua_binary_status_code_detail.status_code_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:status_code_link_id;help:status_code_link_id
+zeek.opcua_binary_status_code_detail.source=db:zeek.opcua_binary_status_code_detail.source;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source;help:source
+zeek.opcua_binary_status_code_detail.source_str=db:zeek.opcua_binary_status_code_detail.source_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:source_str;help:source_str
+zeek.opcua_binary_status_code_detail.source_level=db:zeek.opcua_binary_status_code_detail.source_level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source_level;help:source_level
+zeek.opcua_binary_status_code_detail.status_code=db:zeek.opcua_binary_status_code_detail.status_code;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:status_code;help:status_code
+zeek.opcua_binary_status_code_detail.severity=db:zeek.opcua_binary_status_code_detail.severity;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:severity;help:severity
+zeek.opcua_binary_status_code_detail.severity_str=db:zeek.opcua_binary_status_code_detail.severity_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:severity_str;help:severity_str
+zeek.opcua_binary_status_code_detail.sub_code=db:zeek.opcua_binary_status_code_detail.sub_code;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sub_code;help:sub_code
+zeek.opcua_binary_status_code_detail.sub_code_str=db:zeek.opcua_binary_status_code_detail.sub_code_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:sub_code_str;help:sub_code_str
+zeek.opcua_binary_status_code_detail.structure_changed=db:zeek.opcua_binary_status_code_detail.structure_changed;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:structure_changed;help:structure_changed
+zeek.opcua_binary_status_code_detail.semantics_changed=db:zeek.opcua_binary_status_code_detail.semantics_changed;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:semantics_changed;help:semantics_changed
+zeek.opcua_binary_status_code_detail.info_type=db:zeek.opcua_binary_status_code_detail.info_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:info_type;help:info_type
+zeek.opcua_binary_status_code_detail.info_type_str=db:zeek.opcua_binary_status_code_detail.info_type_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:info_type_str;help:info_type_str
+zeek.opcua_binary_status_code_detail.limit_bits=db:zeek.opcua_binary_status_code_detail.limit_bits;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:limit_bits;help:limit_bits
+zeek.opcua_binary_status_code_detail.limit_bits_str=db:zeek.opcua_binary_status_code_detail.limit_bits_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:limit_bits_str;help:limit_bits_str
+zeek.opcua_binary_status_code_detail.overflow=db:zeek.opcua_binary_status_code_detail.overflow;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:overflow;help:overflow
+zeek.opcua_binary_status_code_detail.historian_bits=db:zeek.opcua_binary_status_code_detail.historian_bits;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:historian_bits;help:historian_bits
+zeek.opcua_binary_status_code_detail.historian_bits_str=db:zeek.opcua_binary_status_code_detail.historian_bits_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:historian_bits_str;help:historian_bits_str
+zeek.opcua_binary_status_code_detail.historianpartial=db:zeek.opcua_binary_status_code_detail.historianpartial;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:historianpartial;help:historianpartial
+zeek.opcua_binary_status_code_detail.historianextradata=db:zeek.opcua_binary_status_code_detail.historianextradata;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:historianextradata;help:historianextradata
+zeek.opcua_binary_status_code_detail.historianmultivalue=db:zeek.opcua_binary_status_code_detail.historianmultivalue;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:historianmultivalue;help:historianmultivalue
 # opcua_binary_variant_array_dims.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_variant_array_dims.array_dim_link_id=db:zeek.opcua_binary_variant_array_dims.array_dim_link_id;group:zeek_opcua;kind:termfield;friendly:array_dim_link_id;help:array_dim_link_id
-zeek.opcua_binary_variant_array_dims.dimension=db:zeek.opcua_binary_variant_array_dims.dimension;group:zeek_opcua;kind:integer;friendly:dimension;help:dimension
+zeek.opcua_binary_variant_array_dims.array_dim_link_id=db:zeek.opcua_binary_variant_array_dims.array_dim_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:array_dim_link_id;help:array_dim_link_id
+zeek.opcua_binary_variant_array_dims.dimension=db:zeek.opcua_binary_variant_array_dims.dimension;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:dimension;help:dimension
 # opcua_binary_variant_data.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_variant_data.variant_data_link_id=db:zeek.opcua_binary_variant_data.variant_data_link_id;group:zeek_opcua;kind:termfield;friendly:variant_data_link_id;help:variant_data_link_id
-zeek.opcua_binary_variant_data.variant_data_value_signed_numeric=db:zeek.opcua_binary_variant_data.variant_data_value_signed_numeric;group:zeek_opcua;kind:termfield;friendly:variant_data_value_signed_numeric;help:variant_data_value_signed_numeric
-zeek.opcua_binary_variant_data.variant_data_value_unsigned_numeric=db:zeek.opcua_binary_variant_data.variant_data_value_unsigned_numeric;group:zeek_opcua;kind:termfield;friendly:variant_data_value_unsigned_numeric;help:variant_data_value_unsigned_numeric
-zeek.opcua_binary_variant_data.variant_data_value_string=db:zeek.opcua_binary_variant_data.variant_data_value_string;group:zeek_opcua;kind:termfield;friendly:variant_data_value_string;help:variant_data_value_string
-zeek.opcua_binary_variant_data.variant_data_node_id_encoding_mask=db:zeek.opcua_binary_variant_data.variant_data_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_encoding_mask;help:variant_data_node_id_encoding_mask
-zeek.opcua_binary_variant_data.variant_data_node_id_namespace_idx=db:zeek.opcua_binary_variant_data.variant_data_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_namespace_idx;help:variant_data_node_id_namespace_idx
-zeek.opcua_binary_variant_data.variant_data_node_id_numeric=db:zeek.opcua_binary_variant_data.variant_data_node_id_numeric;group:zeek_opcua;kind:integer;friendly:variant_data_node_id_numeric;help:variant_data_node_id_numeric
-zeek.opcua_binary_variant_data.variant_data_node_id_string=db:zeek.opcua_binary_variant_data.variant_data_node_id_string;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_string;help:variant_data_node_id_string
-zeek.opcua_binary_variant_data.variant_data_node_id_guid=db:zeek.opcua_binary_variant_data.variant_data_node_id_guid;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_guid;help:variant_data_node_id_guid
-zeek.opcua_binary_variant_data.variant_data_node_id_opaque=db:zeek.opcua_binary_variant_data.variant_data_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_opaque;help:variant_data_node_id_opaque
-zeek.opcua_binary_variant_data.variant_data_node_id_namespace_uri=db:zeek.opcua_binary_variant_data.variant_data_node_id_namespace_uri;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_namespace_uri;help:variant_data_node_id_namespace_uri
-zeek.opcua_binary_variant_data.variant_data_node_id_server_idx=db:zeek.opcua_binary_variant_data.variant_data_node_id_server_idx;group:zeek_opcua;kind:integer;friendly:variant_data_node_id_server_idx;help:variant_data_node_id_server_idx
-zeek.opcua_binary_variant_data.variant_data_value_time=db:zeek.opcua_binary_variant_data.variant_data_value_time;group:zeek_opcua;kind:termfield;friendly:variant_data_value_time;help:variant_data_value_time
-zeek.opcua_binary_variant_data.variant_data_encoding_name_idx=db:zeek.opcua_binary_variant_data.variant_data_encoding_name_idx;group:zeek_opcua;kind:integer;friendly:variant_data_encoding_name_idx;help:variant_data_encoding_name_idx
-zeek.opcua_binary_variant_data.variant_data_encoding_name=db:zeek.opcua_binary_variant_data.variant_data_encoding_name;group:zeek_opcua;kind:termfield;friendly:variant_data_encoding_name;help:variant_data_encoding_name
-zeek.opcua_binary_variant_data.variant_data_mask=db:zeek.opcua_binary_variant_data.variant_data_mask;group:zeek_opcua;kind:termfield;friendly:variant_data_mask;help:variant_data_mask
-zeek.opcua_binary_variant_data.variant_data_locale=db:zeek.opcua_binary_variant_data.variant_data_locale;group:zeek_opcua;kind:termfield;friendly:variant_data_locale;help:variant_data_locale
-zeek.opcua_binary_variant_data.variant_data_text=db:zeek.opcua_binary_variant_data.variant_data_text;group:zeek_opcua;kind:termfield;friendly:variant_data_text;help:variant_data_text
-zeek.opcua_binary_variant_data.variant_data_value_decimal=db:zeek.opcua_binary_variant_data.variant_data_value_decimal;group:zeek_opcua;kind:termfield;friendly:variant_data_value_decimal;help:variant_data_value_decimal
+zeek.opcua_binary_variant_data.variant_data_link_id=db:zeek.opcua_binary_variant_data.variant_data_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_link_id;help:variant_data_link_id
+zeek.opcua_binary_variant_data.variant_data_value_signed_numeric=db:zeek.opcua_binary_variant_data.variant_data_value_signed_numeric;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_signed_numeric;help:variant_data_value_signed_numeric
+zeek.opcua_binary_variant_data.variant_data_value_unsigned_numeric=db:zeek.opcua_binary_variant_data.variant_data_value_unsigned_numeric;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_unsigned_numeric;help:variant_data_value_unsigned_numeric
+zeek.opcua_binary_variant_data.variant_data_value_string=db:zeek.opcua_binary_variant_data.variant_data_value_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_string;help:variant_data_value_string
+zeek.opcua_binary_variant_data.variant_data_node_id_encoding_mask=db:zeek.opcua_binary_variant_data.variant_data_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_encoding_mask;help:variant_data_node_id_encoding_mask
+zeek.opcua_binary_variant_data.variant_data_node_id_namespace_idx=db:zeek.opcua_binary_variant_data.variant_data_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_namespace_idx;help:variant_data_node_id_namespace_idx
+zeek.opcua_binary_variant_data.variant_data_node_id_numeric=db:zeek.opcua_binary_variant_data.variant_data_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_node_id_numeric;help:variant_data_node_id_numeric
+zeek.opcua_binary_variant_data.variant_data_node_id_string=db:zeek.opcua_binary_variant_data.variant_data_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_string;help:variant_data_node_id_string
+zeek.opcua_binary_variant_data.variant_data_node_id_guid=db:zeek.opcua_binary_variant_data.variant_data_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_guid;help:variant_data_node_id_guid
+zeek.opcua_binary_variant_data.variant_data_node_id_opaque=db:zeek.opcua_binary_variant_data.variant_data_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_opaque;help:variant_data_node_id_opaque
+zeek.opcua_binary_variant_data.variant_data_node_id_namespace_uri=db:zeek.opcua_binary_variant_data.variant_data_node_id_namespace_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_namespace_uri;help:variant_data_node_id_namespace_uri
+zeek.opcua_binary_variant_data.variant_data_node_id_server_idx=db:zeek.opcua_binary_variant_data.variant_data_node_id_server_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_node_id_server_idx;help:variant_data_node_id_server_idx
+zeek.opcua_binary_variant_data.variant_data_value_time=db:zeek.opcua_binary_variant_data.variant_data_value_time;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_time;help:variant_data_value_time
+zeek.opcua_binary_variant_data.variant_data_encoding_name_idx=db:zeek.opcua_binary_variant_data.variant_data_encoding_name_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_encoding_name_idx;help:variant_data_encoding_name_idx
+zeek.opcua_binary_variant_data.variant_data_encoding_name=db:zeek.opcua_binary_variant_data.variant_data_encoding_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_encoding_name;help:variant_data_encoding_name +zeek.opcua_binary_variant_data.variant_data_mask=db:zeek.opcua_binary_variant_data.variant_data_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_mask;help:variant_data_mask +zeek.opcua_binary_variant_data.variant_data_locale=db:zeek.opcua_binary_variant_data.variant_data_locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_locale;help:variant_data_locale +zeek.opcua_binary_variant_data.variant_data_text=db:zeek.opcua_binary_variant_data.variant_data_text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_text;help:variant_data_text +zeek.opcua_binary_variant_data.variant_data_value_decimal=db:zeek.opcua_binary_variant_data.variant_data_value_decimal;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_decimal;help:variant_data_value_decimal # opcua_binary_variant_data_value.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_variant_data_value.variant_data_value_source_link=db:zeek.opcua_binary_variant_data_value.variant_data_value_source_link;group:zeek_opcua;kind:termfield;friendly:variant_data_value_source_link;help:variant_data_value_source_link -zeek.opcua_binary_variant_data_value.data_value_encoding_mask=db:zeek.opcua_binary_variant_data_value.data_value_encoding_mask;group:zeek_opcua;kind:termfield;friendly:data_value_encoding_mask;help:data_value_encoding_mask -zeek.opcua_binary_variant_data_value.source_timestamp=db:zeek.opcua_binary_variant_data_value.source_timestamp;group:zeek_opcua;kind:termfield;friendly:source_timestamp;help:source_timestamp 
-zeek.opcua_binary_variant_data_value.source_pico_sec=db:zeek.opcua_binary_variant_data_value.source_pico_sec;group:zeek_opcua;kind:integer;friendly:source_pico_sec;help:source_pico_sec -zeek.opcua_binary_variant_data_value.server_timestamp=db:zeek.opcua_binary_variant_data_value.server_timestamp;group:zeek_opcua;kind:termfield;friendly:server_timestamp;help:server_timestamp -zeek.opcua_binary_variant_data_value.server_pico_sec=db:zeek.opcua_binary_variant_data_value.server_pico_sec;group:zeek_opcua;kind:integer;friendly:server_pico_sec;help:server_pico_sec +zeek.opcua_binary_variant_data_value.variant_data_value_source_link=db:zeek.opcua_binary_variant_data_value.variant_data_value_source_link;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_source_link;help:variant_data_value_source_link +zeek.opcua_binary_variant_data_value.data_value_encoding_mask=db:zeek.opcua_binary_variant_data_value.data_value_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:data_value_encoding_mask;help:data_value_encoding_mask +zeek.opcua_binary_variant_data_value.source_timestamp=db:zeek.opcua_binary_variant_data_value.source_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:source_timestamp;help:source_timestamp +zeek.opcua_binary_variant_data_value.source_pico_sec=db:zeek.opcua_binary_variant_data_value.source_pico_sec;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source_pico_sec;help:source_pico_sec +zeek.opcua_binary_variant_data_value.server_timestamp=db:zeek.opcua_binary_variant_data_value.server_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_timestamp;help:server_timestamp +zeek.opcua_binary_variant_data_value.server_pico_sec=db:zeek.opcua_binary_variant_data_value.server_pico_sec;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:server_pico_sec;help:server_pico_sec # opcua_binary_variant_extension_object.log # https://github.com/cisagov/icsnpp-opcua-binary 
-zeek.opcua_binary_variant_extension_object.ext_obj_link_id=db:zeek.opcua_binary_variant_extension_object.ext_obj_link_id;group:zeek_opcua;kind:termfield;friendly:ext_obj_link_id;help:ext_obj_link_id -zeek.opcua_binary_variant_extension_object.ext_obj_node_id_encoding_mask=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_encoding_mask;help:ext_obj_node_id_encoding_mask -zeek.opcua_binary_variant_extension_object.ext_obj_node_id_namespace_idx=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_namespace_idx;help:ext_obj_node_id_namespace_idx -zeek.opcua_binary_variant_extension_object.ext_obj_node_id_numeric=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_numeric;group:zeek_opcua;kind:integer;friendly:ext_obj_node_id_numeric;help:ext_obj_node_id_numeric -zeek.opcua_binary_variant_extension_object.ext_obj_node_id_string=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_string;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_string;help:ext_obj_node_id_string -zeek.opcua_binary_variant_extension_object.ext_obj_node_id_guid=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_guid;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_guid;help:ext_obj_node_id_guid -zeek.opcua_binary_variant_extension_object.ext_obj_node_id_opaque=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_opaque;help:ext_obj_node_id_opaque -zeek.opcua_binary_variant_extension_object.ext_obj_type_id_str=db:zeek.opcua_binary_variant_extension_object.ext_obj_type_id_str;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_str;help:ext_obj_type_id_str 
-zeek.opcua_binary_variant_extension_object.ext_obj_encoding=db:zeek.opcua_binary_variant_extension_object.ext_obj_encoding;group:zeek_opcua;kind:termfield;friendly:ext_obj_encoding;help:ext_obj_encoding +zeek.opcua_binary_variant_extension_object.ext_obj_link_id=db:zeek.opcua_binary_variant_extension_object.ext_obj_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_link_id;help:ext_obj_link_id +zeek.opcua_binary_variant_extension_object.ext_obj_node_id_encoding_mask=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_encoding_mask;help:ext_obj_node_id_encoding_mask +zeek.opcua_binary_variant_extension_object.ext_obj_node_id_namespace_idx=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_namespace_idx;help:ext_obj_node_id_namespace_idx +zeek.opcua_binary_variant_extension_object.ext_obj_node_id_numeric=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:ext_obj_node_id_numeric;help:ext_obj_node_id_numeric +zeek.opcua_binary_variant_extension_object.ext_obj_node_id_string=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_string;help:ext_obj_node_id_string +zeek.opcua_binary_variant_extension_object.ext_obj_node_id_guid=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_guid;help:ext_obj_node_id_guid +zeek.opcua_binary_variant_extension_object.ext_obj_node_id_opaque=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_opaque;help:ext_obj_node_id_opaque 
+zeek.opcua_binary_variant_extension_object.ext_obj_type_id_str=db:zeek.opcua_binary_variant_extension_object.ext_obj_type_id_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_str;help:ext_obj_type_id_str +zeek.opcua_binary_variant_extension_object.ext_obj_encoding=db:zeek.opcua_binary_variant_extension_object.ext_obj_encoding;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_encoding;help:ext_obj_encoding # opcua_binary_variant_metadata.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_variant_metadata.variant_data_source=db:zeek.opcua_binary_variant_metadata.variant_data_source;group:zeek_opcua;kind:integer;friendly:variant_data_source;help:variant_data_source -zeek.opcua_binary_variant_metadata.variant_data_source_str=db:zeek.opcua_binary_variant_metadata.variant_data_source_str;group:zeek_opcua;kind:termfield;friendly:variant_data_source_str;help:variant_data_source_str -zeek.opcua_binary_variant_metadata.dara_variant_encoding_mask=db:zeek.opcua_binary_variant_metadata.dara_variant_encoding_mask;group:zeek_opcua;kind:termfield;friendly:dara_variant_encoding_mask;help:dara_variant_encoding_mask -zeek.opcua_binary_variant_metadata.data_variant_data_type=db:zeek.opcua_binary_variant_metadata.data_variant_data_type;group:zeek_opcua;kind:integer;friendly:data_variant_data_type;help:data_variant_data_type -zeek.opcua_binary_variant_metadata.data_variant_data_type_str=db:zeek.opcua_binary_variant_metadata.data_variant_data_type_str;group:zeek_opcua;kind:termfield;friendly:data_variant_data_type_str;help:data_variant_data_type_str -zeek.opcua_binary_variant_metadata.built_in_data_type=db:zeek.opcua_binary_variant_metadata.built_in_data_type;group:zeek_opcua;kind:integer;friendly:built_in_data_type;help:built_in_data_type 
-zeek.opcua_binary_variant_metadata.built_in_data_type_str=db:zeek.opcua_binary_variant_metadata.built_in_data_type_str;group:zeek_opcua;kind:termfield;friendly:built_in_data_type_str;help:built_in_data_type_str -zeek.opcua_binary_variant_metadata.variant_data_array_dim=db:zeek.opcua_binary_variant_metadata.variant_data_array_dim;group:zeek_opcua;kind:integer;friendly:variant_data_array_dim;help:variant_data_array_dim +zeek.opcua_binary_variant_metadata.variant_data_source=db:zeek.opcua_binary_variant_metadata.variant_data_source;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_source;help:variant_data_source +zeek.opcua_binary_variant_metadata.variant_data_source_str=db:zeek.opcua_binary_variant_metadata.variant_data_source_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_source_str;help:variant_data_source_str +zeek.opcua_binary_variant_metadata.dara_variant_encoding_mask=db:zeek.opcua_binary_variant_metadata.dara_variant_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:dara_variant_encoding_mask;help:dara_variant_encoding_mask +zeek.opcua_binary_variant_metadata.data_variant_data_type=db:zeek.opcua_binary_variant_metadata.data_variant_data_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:data_variant_data_type;help:data_variant_data_type +zeek.opcua_binary_variant_metadata.data_variant_data_type_str=db:zeek.opcua_binary_variant_metadata.data_variant_data_type_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:data_variant_data_type_str;help:data_variant_data_type_str +zeek.opcua_binary_variant_metadata.built_in_data_type=db:zeek.opcua_binary_variant_metadata.built_in_data_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:built_in_data_type;help:built_in_data_type 
+zeek.opcua_binary_variant_metadata.built_in_data_type_str=db:zeek.opcua_binary_variant_metadata.built_in_data_type_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:built_in_data_type_str;help:built_in_data_type_str +zeek.opcua_binary_variant_metadata.variant_data_array_dim=db:zeek.opcua_binary_variant_metadata.variant_data_array_dim;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_array_dim;help:variant_data_array_dim # ocsp.log # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info -zeek.ocsp.hashAlgorithm=db:zeek.ocsp.hashAlgorithm;group:zeek_ocsp;kind:termfield;friendly:Issuer Name and Key Hash Algorithm;help:Issuer Name and Key Hash Algorithm -zeek.ocsp.issuerNameHash=db:zeek.ocsp.issuerNameHash;group:zeek_ocsp;kind:termfield;friendly:Issuer Name Hash;help:Issuer Name Hash -zeek.ocsp.issuerKeyHash=db:zeek.ocsp.issuerKeyHash;group:zeek_ocsp;kind:termfield;friendly:Issuer Key Hash;help:Issuer Key Hash -zeek.ocsp.serialNumber=db:zeek.ocsp.serialNumber;group:zeek_ocsp;kind:termfield;friendly:Certificate Serial Number;help:Certificate Serial Number -zeek.ocsp.certStatus=db:zeek.ocsp.certStatus;group:zeek_ocsp;kind:termfield;friendly:Certificate Status;help:Certificate Status -zeek.ocsp.revoketime=db:zeek.ocsp.revoketime;group:zeek_ocsp;kind:termfield;friendly:Time Revoked;help:Time Revoked -zeek.ocsp.revokereason=db:zeek.ocsp.revokereason;group:zeek_ocsp;kind:termfield;friendly:Reason Revoked;help:Reason Revoked -zeek.ocsp.thisUpdate=db:zeek.ocsp.thisUpdate;group:zeek_ocsp;kind:termfield;friendly:Update Time;help:Update Time -zeek.ocsp.nextUpdate=db:zeek.ocsp.nextUpdate;group:zeek_ocsp;kind:termfield;friendly:Next Update Time;help:Next Update Time +zeek.ocsp.hashAlgorithm=db:zeek.ocsp.hashAlgorithm;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Issuer Name and Key Hash Algorithm;help:Issuer Name and Key Hash Algorithm 
+zeek.ocsp.issuerNameHash=db:zeek.ocsp.issuerNameHash;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Issuer Name Hash;help:Issuer Name Hash +zeek.ocsp.issuerKeyHash=db:zeek.ocsp.issuerKeyHash;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Issuer Key Hash;help:Issuer Key Hash +zeek.ocsp.serialNumber=db:zeek.ocsp.serialNumber;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Certificate Serial Number;help:Certificate Serial Number +zeek.ocsp.certStatus=db:zeek.ocsp.certStatus;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Certificate Status;help:Certificate Status +zeek.ocsp.revoketime=db:zeek.ocsp.revoketime;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Time Revoked;help:Time Revoked +zeek.ocsp.revokereason=db:zeek.ocsp.revokereason;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Reason Revoked;help:Reason Revoked +zeek.ocsp.thisUpdate=db:zeek.ocsp.thisUpdate;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Update Time;help:Update Time +zeek.ocsp.nextUpdate=db:zeek.ocsp.nextUpdate;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Next Update Time;help:Next Update Time # ospf.log # https://github.com/corelight/zeek-spicy-ospf -zeek.ospf.advert_router=db:zeek.ospf.advert_router;group:zeek_ospf;kind:termfield;friendly:Router Advertisement;help:Router Advertisement -zeek.ospf.area_id=db:zeek.ospf.area_id;group:zeek_ospf;kind:termfield;friendly:Area ID;help:Area ID -zeek.ospf.backup_router=db:zeek.ospf.backup_router;group:zeek_ospf;kind:termfield;friendly:Backup Router;help:Backup Router -zeek.ospf.desig_router=db:zeek.ospf.desig_router;group:zeek_ospf;kind:termfield;friendly:Designated Router;help:Designated Router -zeek.ospf.dest_router_id=db:zeek.ospf.dest_router_id;group:zeek_ospf;kind:termfield;friendly:Destination Router ID (IA Router);help:Destination Router ID (IA Router) -zeek.ospf.fwd_addrs=db:zeek.ospf.fwd_addrs;group:zeek_ospf;kind:termfield;friendly:Forward Address (External LSA);help:Forward 
Address (External LSA) -zeek.ospf.interface_id=db:zeek.ospf.interface_id;group:zeek_ospf;kind:integer;friendly:Interface ID;help:Interface ID -zeek.ospf.intra_prefixes=db:zeek.ospf.intra_prefixes;group:zeek_ospf;kind:termfield;friendly:Intra Prefix;help:Intra Prefix -zeek.ospf.link_data=db:zeek.ospf.link_data;group:zeek_ospf;kind:termfield;friendly:Link Data (Router LSA);help:Link Data (Router LSA) -zeek.ospf.link_id=db:zeek.ospf.link_id;group:zeek_ospf;kind:termfield;friendly:Link ID (Router LSA);help:Link ID (Router LSA) -zeek.ospf.link_prefixes=db:zeek.ospf.link_prefixes;group:zeek_ospf;kind:termfield;friendly:Link Prefix;help:Link Prefix -zeek.ospf.link_state_id=db:zeek.ospf.link_state_id;group:zeek_ospf;kind:termfield;friendly:Link State ID;help:Link State ID -zeek.ospf.link_type=db:zeek.ospf.link_type;group:zeek_ospf;kind:termfield;friendly:Link Type (Router LSA);help:Link Type (Router LSA) -zeek.ospf.lsa_type=db:zeek.ospf.lsa_type;group:zeek_ospf;kind:termfield;friendly:LSA Type;help:LSA Type -zeek.ospf.metric=db:zeek.ospf.metric;group:zeek_ospf;kind:integer;friendly:Metric (IA Router);help:Metric (IA Router) -zeek.ospf.metrics=db:zeek.ospf.metrics;group:zeek_ospf;kind:integer;friendly:Metrics (External LSA);help:Metrics (External LSA) -zeek.ospf.neighbor_interface_id=db:zeek.ospf.neighbor_interface_id;group:zeek_ospf;kind:integer;friendly:Neighbor Interface ID (External LSA);help:Neighbor Interface ID (External LSA) -zeek.ospf.neighbor_router_id=db:zeek.ospf.neighbor_router_id;group:zeek_ospf;kind:termfield;friendly:Neighbor Router ID (Router LSA);help:Neighbor Router ID (Router LSA) -zeek.ospf.neighbors=db:zeek.ospf.neighbors;group:zeek_ospf;kind:termfield;friendly:Neighbors;help:Neighbors -zeek.ospf.netmask=db:zeek.ospf.netmask;group:zeek_ospf;kind:termfield;friendly:Netmask;help:Netmask -zeek.ospf.ospf_type=db:zeek.ospf.ospf_type;group:zeek_ospf;kind:termfield;friendly:OSPF Packet Type;help:OSPF Packet Type 
-zeek.ospf.prefix=db:zeek.ospf.prefix;group:zeek_ospf;kind:termfield;friendly:Prefix (External LSA);help:Prefix (External LSA) -zeek.ospf.route_tags=db:zeek.ospf.route_tags;group:zeek_ospf;kind:integer;friendly:Route Tags (External LSA);help:Route Tags (External LSA) -zeek.ospf.router_id=db:zeek.ospf.router_id;group:zeek_ospf;kind:termfield;friendly:Router ID;help:Router ID -zeek.ospf.routers=db:zeek.ospf.routers;group:zeek_ospf;kind:termfield;friendly:Router (Network LSA);help:Router (Network LSA) -zeek.ospf.version=db:zeek.ospf.version;group:zeek_ospf;kind:integer;friendly:OSPF Version;help:OSPF Version +zeek.ospf.advert_router=db:zeek.ospf.advert_router;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Router Advertisement;help:Router Advertisement +zeek.ospf.area_id=db:zeek.ospf.area_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Area ID;help:Area ID +zeek.ospf.backup_router=db:zeek.ospf.backup_router;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Backup Router;help:Backup Router +zeek.ospf.desig_router=db:zeek.ospf.desig_router;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Designated Router;help:Designated Router +zeek.ospf.dest_router_id=db:zeek.ospf.dest_router_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Destination Router ID (IA Router);help:Destination Router ID (IA Router) +zeek.ospf.fwd_addrs=db:zeek.ospf.fwd_addrs;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Forward Address (External LSA);help:Forward Address (External LSA) +zeek.ospf.interface_id=db:zeek.ospf.interface_id;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Interface ID;help:Interface ID +zeek.ospf.intra_prefixes=db:zeek.ospf.intra_prefixes;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Intra Prefix;help:Intra Prefix +zeek.ospf.link_data=db:zeek.ospf.link_data;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link Data (Router LSA);help:Link Data (Router LSA) 
+zeek.ospf.link_id=db:zeek.ospf.link_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link ID (Router LSA);help:Link ID (Router LSA) +zeek.ospf.link_prefixes=db:zeek.ospf.link_prefixes;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link Prefix;help:Link Prefix +zeek.ospf.link_state_id=db:zeek.ospf.link_state_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link State ID;help:Link State ID +zeek.ospf.link_type=db:zeek.ospf.link_type;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link Type (Router LSA);help:Link Type (Router LSA) +zeek.ospf.lsa_type=db:zeek.ospf.lsa_type;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:LSA Type;help:LSA Type +zeek.ospf.metric=db:zeek.ospf.metric;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Metric (IA Router);help:Metric (IA Router) +zeek.ospf.metrics=db:zeek.ospf.metrics;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Metrics (External LSA);help:Metrics (External LSA) +zeek.ospf.neighbor_interface_id=db:zeek.ospf.neighbor_interface_id;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Neighbor Interface ID (External LSA);help:Neighbor Interface ID (External LSA) +zeek.ospf.neighbor_router_id=db:zeek.ospf.neighbor_router_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Neighbor Router ID (Router LSA);help:Neighbor Router ID (Router LSA) +zeek.ospf.neighbors=db:zeek.ospf.neighbors;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Neighbors;help:Neighbors +zeek.ospf.netmask=db:zeek.ospf.netmask;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Netmask;help:Netmask +zeek.ospf.ospf_type=db:zeek.ospf.ospf_type;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:OSPF Packet Type;help:OSPF Packet Type +zeek.ospf.prefix=db:zeek.ospf.prefix;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Prefix (External LSA);help:Prefix (External LSA) +zeek.ospf.route_tags=db:zeek.ospf.route_tags;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Route Tags 
(External LSA);help:Route Tags (External LSA) +zeek.ospf.router_id=db:zeek.ospf.router_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Router ID;help:Router ID +zeek.ospf.routers=db:zeek.ospf.routers;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Router (Network LSA);help:Router (Network LSA) +zeek.ospf.version=db:zeek.ospf.version;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:OSPF Version;help:OSPF Version # pe.log # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info -zeek.pe.machine=db:zeek.pe.machine;group:zeek_pe;kind:termfield;friendly:Target Machine;help:Target Machine -zeek.pe.compile_ts=db:zeek.pe.compile_ts;group:zeek_pe;kind:termfield;friendly:Compile Timestamp;help:Compile Timestamp -zeek.pe.os=db:zeek.pe.os;group:zeek_pe;kind:termfield;friendly:Target OS;help:Target Operating System -zeek.pe.subsystem=db:zeek.pe.subsystem;group:zeek_pe;kind:termfield;friendly:Target Subsystem;help:Target Subsystem -zeek.pe.is_exe=db:zeek.pe.is_exe;group:zeek_pe;kind:termfield;friendly:Executable;help:Is an executable (vs. 
an object file) -zeek.pe.is_64bit=db:zeek.pe.is_64bit;group:zeek_pe;kind:termfield;friendly:64 Bit;help:Is a 64-bit object -zeek.pe.uses_aslr=db:zeek.pe.uses_aslr;group:zeek_pe;kind:termfield;friendly:Uses ASLR;help:Uses Address Space Layout Randomization -zeek.pe.uses_dep=db:zeek.pe.uses_dep;group:zeek_pe;kind:termfield;friendly:Uses DEP;help:Uses Data Execution Prevention -zeek.pe.uses_code_integrity=db:zeek.pe.uses_code_integrity;group:zeek_pe;kind:termfield;friendly:Enforces Integrity Checks;help:Enforces Code Integrity Checks -zeek.pe.uses_seh=db:zeek.pe.uses_seh;group:zeek_pe;kind:termfield;friendly:Uses SEH;help:Uses Structured Exception Handling -zeek.pe.has_import_table=db:zeek.pe.has_import_table;group:zeek_pe;kind:termfield;friendly:Has Import Table;help:Has Import Table -zeek.pe.has_export_table=db:zeek.pe.has_export_table;group:zeek_pe;kind:termfield;friendly:Has Export Table;help:Has Export Table -zeek.pe.has_cert_table=db:zeek.pe.has_cert_table;group:zeek_pe;kind:termfield;friendly:Has Certificate Table;help:Has Attribute Certificate Table -zeek.pe.has_debug_data=db:zeek.pe.has_debug_data;group:zeek_pe;kind:termfield;friendly:Has Debug Table;help:Has Debug Table -zeek.pe.section_names=db:zeek.pe.section_names;group:zeek_pe;kind:termfield;friendly:Sections;help:Sections +zeek.pe.machine=db:zeek.pe.machine;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Target Machine;help:Target Machine +zeek.pe.compile_ts=db:zeek.pe.compile_ts;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Compile Timestamp;help:Compile Timestamp +zeek.pe.os=db:zeek.pe.os;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Target OS;help:Target Operating System +zeek.pe.subsystem=db:zeek.pe.subsystem;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Target Subsystem;help:Target Subsystem +zeek.pe.is_exe=db:zeek.pe.is_exe;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Executable;help:Is an executable (vs. 
an object file) +zeek.pe.is_64bit=db:zeek.pe.is_64bit;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:64 Bit;help:Is a 64-bit object +zeek.pe.uses_aslr=db:zeek.pe.uses_aslr;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Uses ASLR;help:Uses Address Space Layout Randomization +zeek.pe.uses_dep=db:zeek.pe.uses_dep;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Uses DEP;help:Uses Data Execution Prevention +zeek.pe.uses_code_integrity=db:zeek.pe.uses_code_integrity;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Enforces Integrity Checks;help:Enforces Code Integrity Checks +zeek.pe.uses_seh=db:zeek.pe.uses_seh;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Uses SEH;help:Uses Structured Exception Handling +zeek.pe.has_import_table=db:zeek.pe.has_import_table;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Has Import Table;help:Has Import Table +zeek.pe.has_export_table=db:zeek.pe.has_export_table;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Has Export Table;help:Has Export Table +zeek.pe.has_cert_table=db:zeek.pe.has_cert_table;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Has Certificate Table;help:Has Attribute Certificate Table +zeek.pe.has_debug_data=db:zeek.pe.has_debug_data;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Has Debug Table;help:Has Debug Table +zeek.pe.section_names=db:zeek.pe.section_names;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Sections;help:Sections # profinet.log # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek -zeek.profinet.operation_type=db:zeek.profinet.operation_type;group:zeek_profinet;kind:termfield;friendly:Operation;help:Operation -zeek.profinet.block_version=db:zeek.profinet.block_version;group:zeek_profinet;kind:termfield;friendly:Block Version;help:Block Version -zeek.profinet.slot_number=db:zeek.profinet.slot_number;group:zeek_profinet;kind:integer;friendly:Slot;help:Slot 
-zeek.profinet.subslot_number=db:zeek.profinet.subslot_number;group:zeek_profinet;kind:integer;friendly:Subslot;help:Subslot -zeek.profinet.index=db:zeek.profinet.index;group:zeek_profinet;kind:termfield;friendly:Index;help:Index +zeek.profinet.operation_type=db:zeek.profinet.operation_type;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation +zeek.profinet.block_version=db:zeek.profinet.block_version;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Block Version;help:Block Version +zeek.profinet.slot_number=db:zeek.profinet.slot_number;group:zeek_profinet;kind:integer;viewerOnly:true;friendly:Slot;help:Slot +zeek.profinet.subslot_number=db:zeek.profinet.subslot_number;group:zeek_profinet;kind:integer;viewerOnly:true;friendly:Subslot;help:Subslot +zeek.profinet.index=db:zeek.profinet.index;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Index;help:Index # profinet_dce_rpc.log # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek -zeek.profinet_dce_rpc.version=db:zeek.profinet_dce_rpc.version;group:zeek_profinet;kind:integer;friendly:Version;help:Version -zeek.profinet_dce_rpc.packet_type=db:zeek.profinet_dce_rpc.packet_type;group:zeek_profinet;kind:termfield;friendly:Packet Type;help:Packet Type -zeek.profinet_dce_rpc.object_uuid=db:zeek.profinet_dce_rpc.object_uuid;group:zeek_profinet;kind:termfield;friendly:Object UUID;help:Object UUID -zeek.profinet_dce_rpc.interface_uuid=db:zeek.profinet_dce_rpc.interface_uuid;group:zeek_profinet;kind:termfield;friendly:Interface UUID;help:Interface UUID -zeek.profinet_dce_rpc.activity_uuid=db:zeek.profinet_dce_rpc.activity_uuid;group:zeek_profinet;kind:termfield;friendly:Activity UUID;help:Activity UUID -zeek.profinet_dce_rpc.server_boot_time=db:zeek.profinet_dce_rpc.server_boot_time;group:zeek_profinet;kind:integer;friendly:Server Boot Time;help:Server Boot Time 
-zeek.profinet_dce_rpc.operation=db:zeek.profinet_dce_rpc.operation;group:zeek_profinet;kind:termfield;friendly:Operation;help:Operation +zeek.profinet_dce_rpc.version=db:zeek.profinet_dce_rpc.version;group:zeek_profinet;kind:integer;viewerOnly:true;friendly:Version;help:Version +zeek.profinet_dce_rpc.packet_type=db:zeek.profinet_dce_rpc.packet_type;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Packet Type;help:Packet Type +zeek.profinet_dce_rpc.object_uuid=db:zeek.profinet_dce_rpc.object_uuid;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Object UUID;help:Object UUID +zeek.profinet_dce_rpc.interface_uuid=db:zeek.profinet_dce_rpc.interface_uuid;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Interface UUID;help:Interface UUID +zeek.profinet_dce_rpc.activity_uuid=db:zeek.profinet_dce_rpc.activity_uuid;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Activity UUID;help:Activity UUID +zeek.profinet_dce_rpc.server_boot_time=db:zeek.profinet_dce_rpc.server_boot_time;group:zeek_profinet;kind:integer;viewerOnly:true;friendly:Server Boot Time;help:Server Boot Time +zeek.profinet_dce_rpc.operation=db:zeek.profinet_dce_rpc.operation;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation # radius.log # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info -zeek.radius.mac=db:zeek.radius.mac;group:zeek_radius;kind:termfield;friendly:MAC Address;help:MAC Address -zeek.radius.framed_addr=db:zeek.radius.framed_addr;group:zeek_radius;kind:termfield;friendly:Framed Address;help:Framed Address -zeek.radius.tunnel_client=db:zeek.radius.tunnel_client;group:zeek_radius;kind:termfield;friendly:Initiator Address;help:Initiator Address -zeek.radius.connect_info=db:zeek.radius.connect_info;group:zeek_radius;kind:termfield;friendly:Connect Info;help:Connect Info -zeek.radius.reply_msg=db:zeek.radius.reply_msg;group:zeek_radius;kind:termfield;friendly:Reply 
Message;help:Reply Message -zeek.radius.result=db:zeek.radius.result;group:zeek_radius;kind:termfield;friendly:Result;help:Result -zeek.radius.ttl=db:zeek.radius.ttl;group:zeek_radius;kind:termfield;friendly:TTL;help:TTL +zeek.radius.mac=db:zeek.radius.mac;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:MAC Address;help:MAC Address +zeek.radius.framed_addr=db:zeek.radius.framed_addr;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Framed Address;help:Framed Address +zeek.radius.tunnel_client=db:zeek.radius.tunnel_client;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Initiator Address;help:Initiator Address +zeek.radius.connect_info=db:zeek.radius.connect_info;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Connect Info;help:Connect Info +zeek.radius.reply_msg=db:zeek.radius.reply_msg;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Reply Message;help:Reply Message +zeek.radius.result=db:zeek.radius.result;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Result;help:Result +zeek.radius.ttl=db:zeek.radius.ttl;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:TTL;help:TTL # rdp.log # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info -zeek.rdp.cookie=db:zeek.rdp.cookie;group:zeek_rdp;kind:termfield;friendly:Cookie;help:Cookie -zeek.rdp.result=db:zeek.rdp.result;group:zeek_rdp;kind:termfield;friendly:Connection Result;help:Connection Result -zeek.rdp.security_protocol=db:zeek.rdp.security_protocol;group:zeek_rdp;kind:termfield;friendly:Security Protocol;help:Security Protocol -zeek.rdp.client_channels=db:zeek.rdp.client_channels;group:zeek_rdp;kind:termfield;friendly:Channel;help:Channel -zeek.rdp.keyboard_layout=db:zeek.rdp.keyboard_layout;group:zeek_rdp;kind:termfield;friendly:Keyboard Layout;help:Keyboard Layout -zeek.rdp.client_build=db:zeek.rdp.client_build;group:zeek_rdp;kind:termfield;friendly:Client Version;help:Client Version 
-zeek.rdp.client_name=db:zeek.rdp.client_name;group:zeek_rdp;kind:termfield;friendly:Client Name;help:Client Name -zeek.rdp.client_dig_product_id=db:zeek.rdp.client_dig_product_id;group:zeek_rdp;kind:termfield;friendly:Client Product ID;help:Client Product ID -zeek.rdp.desktop_width=db:zeek.rdp.desktop_width;group:zeek_rdp;kind:integer;friendly:Desktop Width;help:Desktop Width -zeek.rdp.desktop_height=db:zeek.rdp.desktop_height;group:zeek_rdp;kind:integer;friendly:Desktop Height;help:Desktop Height -zeek.rdp.requested_color_depth=db:zeek.rdp.requested_color_depth;group:zeek_rdp;kind:termfield;friendly:Color Depth;help:Color Depth -zeek.rdp.cert_type=db:zeek.rdp.cert_type;group:zeek_rdp;kind:termfield;friendly:Certificate Type;help:Certificate Type -zeek.rdp.cert_count=db:zeek.rdp.cert_count;group:zeek_rdp;kind:integer;friendly:Certificate Count;help:Certificate Count -zeek.rdp.cert_permanent=db:zeek.rdp.cert_permanent;group:zeek_rdp;kind:termfield;friendly:Certificate is Permanent;help:Certificate is Permanent -zeek.rdp.encryption_level=db:zeek.rdp.encryption_level;group:zeek_rdp;kind:termfield;friendly:Encryption Level;help:Encryption Level -zeek.rdp.encryption_method=db:zeek.rdp.encryption_method;group:zeek_rdp;kind:termfield;friendly:Encryption Method;help:Encryption Method +zeek.rdp.cookie=db:zeek.rdp.cookie;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Cookie;help:Cookie +zeek.rdp.result=db:zeek.rdp.result;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Connection Result;help:Connection Result +zeek.rdp.security_protocol=db:zeek.rdp.security_protocol;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Security Protocol;help:Security Protocol +zeek.rdp.client_channels=db:zeek.rdp.client_channels;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Channel;help:Channel +zeek.rdp.keyboard_layout=db:zeek.rdp.keyboard_layout;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Keyboard Layout;help:Keyboard Layout 
+zeek.rdp.client_build=db:zeek.rdp.client_build;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Client Version;help:Client Version
+zeek.rdp.client_name=db:zeek.rdp.client_name;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Client Name;help:Client Name
+zeek.rdp.client_dig_product_id=db:zeek.rdp.client_dig_product_id;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Client Product ID;help:Client Product ID
+zeek.rdp.desktop_width=db:zeek.rdp.desktop_width;group:zeek_rdp;kind:integer;viewerOnly:true;friendly:Desktop Width;help:Desktop Width
+zeek.rdp.desktop_height=db:zeek.rdp.desktop_height;group:zeek_rdp;kind:integer;viewerOnly:true;friendly:Desktop Height;help:Desktop Height
+zeek.rdp.requested_color_depth=db:zeek.rdp.requested_color_depth;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Color Depth;help:Color Depth
+zeek.rdp.cert_type=db:zeek.rdp.cert_type;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Certificate Type;help:Certificate Type
+zeek.rdp.cert_count=db:zeek.rdp.cert_count;group:zeek_rdp;kind:integer;viewerOnly:true;friendly:Certificate Count;help:Certificate Count
+zeek.rdp.cert_permanent=db:zeek.rdp.cert_permanent;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Certificate is Permanent;help:Certificate is Permanent
+zeek.rdp.encryption_level=db:zeek.rdp.encryption_level;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Encryption Level;help:Encryption Level
+zeek.rdp.encryption_method=db:zeek.rdp.encryption_method;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Encryption Method;help:Encryption Method
 # rfb.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info
-zeek.rfb.client_major_version=db:zeek.rfb.client_major_version;group:zeek_rfb;kind:termfield;friendly:Client Major Version;help:Client Major Version
-zeek.rfb.client_minor_version=db:zeek.rfb.client_minor_version;group:zeek_rfb;kind:termfield;friendly:Client Minor Version;help:Client Minor Version
-zeek.rfb.server_major_version=db:zeek.rfb.server_major_version;group:zeek_rfb;kind:termfield;friendly:Server Major Version;help:Server Major Version
-zeek.rfb.server_minor_version=db:zeek.rfb.server_minor_version;group:zeek_rfb;kind:termfield;friendly:Server Minor Version;help:Server Minor Version
-zeek.rfb.authentication_method=db:zeek.rfb.authentication_method;group:zeek_rfb;kind:termfield;friendly:Authentication Method;help:Authentication Method
-zeek.rfb.auth=db:zeek.rfb.auth;group:zeek_rfb;kind:termfield;friendly:Authentication Success;help:Authentication Success
-zeek.rfb.share_flag=db:zeek.rfb.share_flag;group:zeek_rfb;kind:termfield;friendly:Shared Session;help:Shared Session
-zeek.rfb.desktop_name=db:zeek.rfb.desktop_name;group:zeek_rfb;kind:termfield;friendly:Desktop Name;help:Desktop Name
-zeek.rfb.width=db:zeek.rfb.width;group:zeek_rfb;kind:integer;friendly:Desktop Width;help:Desktop Width
-zeek.rfb.height=db:zeek.rfb.height;group:zeek_rfb;kind:integer;friendly:Desktop Height;help:Desktop Height
+zeek.rfb.client_major_version=db:zeek.rfb.client_major_version;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Client Major Version;help:Client Major Version
+zeek.rfb.client_minor_version=db:zeek.rfb.client_minor_version;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Client Minor Version;help:Client Minor Version
+zeek.rfb.server_major_version=db:zeek.rfb.server_major_version;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Server Major Version;help:Server Major Version
+zeek.rfb.server_minor_version=db:zeek.rfb.server_minor_version;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Server Minor Version;help:Server Minor Version
+zeek.rfb.authentication_method=db:zeek.rfb.authentication_method;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Authentication Method;help:Authentication Method
+zeek.rfb.auth=db:zeek.rfb.auth;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Authentication Success;help:Authentication Success
+zeek.rfb.share_flag=db:zeek.rfb.share_flag;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Shared Session;help:Shared Session
+zeek.rfb.desktop_name=db:zeek.rfb.desktop_name;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Desktop Name;help:Desktop Name
+zeek.rfb.width=db:zeek.rfb.width;group:zeek_rfb;kind:integer;viewerOnly:true;friendly:Desktop Width;help:Desktop Width
+zeek.rfb.height=db:zeek.rfb.height;group:zeek_rfb;kind:integer;viewerOnly:true;friendly:Desktop Height;help:Desktop Height
 # s7comm.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.s7comm.error_class=db:zeek.s7comm.error_class;group:zeek_s7comm;kind:termfield;friendly:Error Class;help:Error Class
-zeek.s7comm.error_code=db:zeek.s7comm.error_code;group:zeek_s7comm;kind:termfield;friendly:Error Code;help:Error Code
-zeek.s7comm.function_code=db:zeek.s7comm.function_code;group:zeek_s7comm;kind:termfield;friendly:Parameter Function Code;help:Parameter Function Code
-zeek.s7comm.function_name=db:zeek.s7comm.function_name;group:zeek_s7comm;kind:termfield;friendly:Parameter Function Name;help:Parameter Function Name
-zeek.s7comm.pdu_reference=db:zeek.s7comm.pdu_reference;group:zeek_s7comm;kind:integer;friendly:Reference ID;help:Reference ID
-zeek.s7comm.rosctr_code=db:zeek.s7comm.rosctr_code;group:zeek_s7comm;kind:integer;friendly:Remote Operating Service Control Code;help:Remote Operating Service Control Code
-zeek.s7comm.rosctr_name=db:zeek.s7comm.rosctr_name;group:zeek_s7comm;kind:termfield;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
-zeek.s7comm.subfunction_code=db:zeek.s7comm.subfunction_code;group:zeek_s7comm;kind:termfield;friendly:User Data Subfunction Code;help:User Data Subfunction Code
-zeek.s7comm.subfunction_name=db:zeek.s7comm.subfunction_name;group:zeek_s7comm;kind:termfield;friendly:User Data Subfunction Name;help:User Data Subfunction Name
+zeek.s7comm.error_class=db:zeek.s7comm.error_class;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Error Class;help:Error Class
+zeek.s7comm.error_code=db:zeek.s7comm.error_code;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Error Code;help:Error Code
+zeek.s7comm.function_code=db:zeek.s7comm.function_code;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Parameter Function Code;help:Parameter Function Code
+zeek.s7comm.function_name=db:zeek.s7comm.function_name;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Parameter Function Name;help:Parameter Function Name
+zeek.s7comm.pdu_reference=db:zeek.s7comm.pdu_reference;group:zeek_s7comm;kind:integer;viewerOnly:true;friendly:Reference ID;help:Reference ID
+zeek.s7comm.rosctr_code=db:zeek.s7comm.rosctr_code;group:zeek_s7comm;kind:integer;viewerOnly:true;friendly:Remote Operating Service Control Code;help:Remote Operating Service Control Code
+zeek.s7comm.rosctr_name=db:zeek.s7comm.rosctr_name;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
+zeek.s7comm.subfunction_code=db:zeek.s7comm.subfunction_code;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:User Data Subfunction Code;help:User Data Subfunction Code
+zeek.s7comm.subfunction_name=db:zeek.s7comm.subfunction_name;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:User Data Subfunction Name;help:User Data Subfunction Name
 # s7comm_plus.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.s7comm_plus.function_code=db:zeek.s7comm_plus.function_code;group:zeek_s7comm_plus;kind:termfield;friendly:Function Code;help:Function Code
-zeek.s7comm_plus.function_name=db:zeek.s7comm_plus.function_name;group:zeek_s7comm_plus;kind:termfield;friendly:Function Name;help:Function Name
-zeek.s7comm_plus.opcode=db:zeek.s7comm_plus.opcode;group:zeek_s7comm_plus;kind:termfield;friendly:Operation Code;help:Operation Code
-zeek.s7comm_plus.opcode_name=db:zeek.s7comm_plus.opcode_name;group:zeek_s7comm_plus;kind:termfield;friendly:Operation Name;help:Operation Name
-zeek.s7comm_plus.version=db:zeek.s7comm_plus.version;group:zeek_s7comm_plus;kind:integer;friendly:Version;help:Version
+zeek.s7comm_plus.function_code=db:zeek.s7comm_plus.function_code;group:zeek_s7comm_plus;kind:termfield;viewerOnly:true;friendly:Function Code;help:Function Code
+zeek.s7comm_plus.function_name=db:zeek.s7comm_plus.function_name;group:zeek_s7comm_plus;kind:termfield;viewerOnly:true;friendly:Function Name;help:Function Name
+zeek.s7comm_plus.opcode=db:zeek.s7comm_plus.opcode;group:zeek_s7comm_plus;kind:termfield;viewerOnly:true;friendly:Operation Code;help:Operation Code
+zeek.s7comm_plus.opcode_name=db:zeek.s7comm_plus.opcode_name;group:zeek_s7comm_plus;kind:termfield;viewerOnly:true;friendly:Operation Name;help:Operation Name
+zeek.s7comm_plus.version=db:zeek.s7comm_plus.version;group:zeek_s7comm_plus;kind:integer;viewerOnly:true;friendly:Version;help:Version
 # s7comm_read_szl.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.s7comm_read_szl.method=db:zeek.s7comm_read_szl.method;group:zeek_s7comm_read_szl;kind:termfield;friendly:Method;help:Method
-zeek.s7comm_read_szl.szl_id=db:zeek.s7comm_read_szl.szl_id;group:zeek_s7comm_read_szl;kind:termfield;friendly:SZL ID;help:SZL ID
-zeek.s7comm_read_szl.szl_id_name=db:zeek.s7comm_read_szl.szl_id_name;group:zeek_s7comm_read_szl;kind:termfield;friendly:SZL ID Name;help:SZL ID Name
-zeek.s7comm_read_szl.szl_index=db:zeek.s7comm_read_szl.szl_index;group:zeek_s7comm_read_szl;kind:termfield;friendly:SZL Index;help:SZL Index
-zeek.s7comm_read_szl.return_code=db:zeek.s7comm_read_szl.return_code;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Code;help:Return Code
-zeek.s7comm_read_szl.return_code_name=db:zeek.s7comm_read_szl.return_code_name;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Message;help:Return Message
+zeek.s7comm_read_szl.method=db:zeek.s7comm_read_szl.method;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:Method;help:Method
+zeek.s7comm_read_szl.szl_id=db:zeek.s7comm_read_szl.szl_id;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:SZL ID;help:SZL ID
+zeek.s7comm_read_szl.szl_id_name=db:zeek.s7comm_read_szl.szl_id_name;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:SZL ID Name;help:SZL ID Name
+zeek.s7comm_read_szl.szl_index=db:zeek.s7comm_read_szl.szl_index;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:SZL Index;help:SZL Index
+zeek.s7comm_read_szl.return_code=db:zeek.s7comm_read_szl.return_code;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:Return Code;help:Return Code
+zeek.s7comm_read_szl.return_code_name=db:zeek.s7comm_read_szl.return_code_name;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:Return Message;help:Return Message
 # s7comm_upload_download.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.s7comm_upload_download.rosctr_name=db:zeek.s7comm_upload_download.rosctr_name;group:zeek_s7comm_upload_download;kind:termfield;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
-zeek.s7comm_upload_download.function_name=db:zeek.s7comm_upload_download.function_name;group:zeek_s7comm_upload_download;kind:termfield;friendly:Function Name;help:Function Name
-zeek.s7comm_upload_download.function_status=db:zeek.s7comm_upload_download.function_status;group:zeek_s7comm_upload_download;kind:termfield;friendly:Function Result;help:Function Result
-zeek.s7comm_upload_download.session_id=db:zeek.s7comm_upload_download.session_id;group:zeek_s7comm_upload_download;kind:integer;friendly:Session ID;help:Session ID
-zeek.s7comm_upload_download.blocklength=db:zeek.s7comm_upload_download.blocklength;group:zeek_s7comm_upload_download;kind:integer;friendly:Block Length;help:Block Length
-zeek.s7comm_upload_download.filename=db:zeek.s7comm_upload_download.filename;group:zeek_s7comm_upload_download;kind:termfield;friendly:File Name;help:File Name
-zeek.s7comm_upload_download.block_type=db:zeek.s7comm_upload_download.block_type;group:zeek_s7comm_upload_download;kind:termfield;friendly:Block Type;help:Block Type
-zeek.s7comm_upload_download.block_number=db:zeek.s7comm_upload_download.block_number;group:zeek_s7comm_upload_download;kind:termfield;friendly:Block Number;help::Block Number
-zeek.s7comm_upload_download.destination_filesystem=db:zeek.s7comm_upload_download.destination_filesystem;group:zeek_s7comm_upload_download;kind:termfield;friendly:Destination File System;help:Destination File System
+zeek.s7comm_upload_download.rosctr_name=db:zeek.s7comm_upload_download.rosctr_name;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
+zeek.s7comm_upload_download.function_name=db:zeek.s7comm_upload_download.function_name;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Function Name;help:Function Name
+zeek.s7comm_upload_download.function_status=db:zeek.s7comm_upload_download.function_status;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Function Result;help:Function Result
+zeek.s7comm_upload_download.session_id=db:zeek.s7comm_upload_download.session_id;group:zeek_s7comm_upload_download;kind:integer;viewerOnly:true;friendly:Session ID;help:Session ID
+zeek.s7comm_upload_download.blocklength=db:zeek.s7comm_upload_download.blocklength;group:zeek_s7comm_upload_download;kind:integer;viewerOnly:true;friendly:Block Length;help:Block Length
+zeek.s7comm_upload_download.filename=db:zeek.s7comm_upload_download.filename;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:File Name;help:File Name
+zeek.s7comm_upload_download.block_type=db:zeek.s7comm_upload_download.block_type;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Block Type;help:Block Type
+zeek.s7comm_upload_download.block_number=db:zeek.s7comm_upload_download.block_number;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Block Number;help::Block Number
+zeek.s7comm_upload_download.destination_filesystem=db:zeek.s7comm_upload_download.destination_filesystem;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Destination File System;help:Destination File System
 # signatures.log
-zeek.signatures.note=db:zeek.signatures.note;group:zeek_signatures;kind:termfield;friendly:Note;help:Note
-zeek.signatures.signature_id=db:zeek.signatures.signature_id;group:zeek_signatures;kind:termfield;friendly:Signature ID;help:Signature ID
-zeek.signatures.sub_message=db:zeek.signatures.sub_message;group:zeek_signatures;kind:termfield;friendly:Submessage;help:Submessage
-zeek.signatures.signature_count=db:zeek.signatures.signature_count;group:zeek_signatures;kind:integer;friendly:Signatures Matched;help:Signatures Matched
-zeek.signatures.host_count=db:zeek.signatures.host_count;group:zeek_signatures;kind:integer;friendly:Host or Engine Count;help:Host or Engine Count
-zeek.signatures.hits.Capa=db:zeek.signatures.hits.Capa;group:zeek_signatures;kind:termfield;friendly:Capa Hits;help:Capa Hits
-zeek.signatures.hits.ClamAV=db:zeek.signatures.hits.ClamAV;group:zeek_signatures;kind:termfield;friendly:ClamAV Hits;help:ClamAV Hits
-zeek.signatures.hits.Yara=db:zeek.signatures.hits.Yara;group:zeek_signatures;kind:termfield;friendly:Yara Hits;help:Yara Hits
+zeek.signatures.note=db:zeek.signatures.note;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Note;help:Note
+zeek.signatures.signature_id=db:zeek.signatures.signature_id;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Signature ID;help:Signature ID
+zeek.signatures.sub_message=db:zeek.signatures.sub_message;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Submessage;help:Submessage
+zeek.signatures.signature_count=db:zeek.signatures.signature_count;group:zeek_signatures;kind:integer;viewerOnly:true;friendly:Signatures Matched;help:Signatures Matched
+zeek.signatures.host_count=db:zeek.signatures.host_count;group:zeek_signatures;kind:integer;viewerOnly:true;friendly:Host or Engine Count;help:Host or Engine Count
+zeek.signatures.hits.Capa=db:zeek.signatures.hits.Capa;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Capa Hits;help:Capa Hits
+zeek.signatures.hits.ClamAV=db:zeek.signatures.hits.ClamAV;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:ClamAV Hits;help:ClamAV Hits
+zeek.signatures.hits.Yara=db:zeek.signatures.hits.Yara;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Yara Hits;help:Yara Hits
 # sip.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info
-zeek.sip.trans_depth=db:zeek.sip.trans_depth;group:zeek_sip;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth
-zeek.sip.method=db:zeek.sip.method;group:zeek_sip;kind:termfield;friendly:Request Method;help:Request Method
-zeek.sip.uri=db:zeek.sip.uri;group:zeek_sip;kind:termfield;friendly:URI;help:URI
-zeek.sip.date=db:zeek.sip.date;group:zeek_sip;kind:termfield;friendly:Request Date Header;help:Request Date Header
-zeek.sip.request_from=db:zeek.sip.request_from;group:zeek_sip;kind:termfield;friendly:Request From Header;help:Request From Header
-zeek.sip.request_to=db:zeek.sip.request_to;group:zeek_sip;kind:termfield;friendly:Request To Header;help:Request To Header
-zeek.sip.response_from=db:zeek.sip.response_from;group:zeek_sip;kind:termfield;friendly:Response From Header;help:Response From Header
-zeek.sip.response_to=db:zeek.sip.response_to;group:zeek_sip;kind:termfield;friendly:Response To Header;help:Response To Header
-zeek.sip.reply_to=db:zeek.sip.reply_to;group:zeek_sip;kind:termfield;friendly:Reply-To Header;help:Reply-To Header
-zeek.sip.call_id=db:zeek.sip.call_id;group:zeek_sip;kind:termfield;friendly:Client Call-ID Header;help:Client Call-ID Header
-zeek.sip.seq=db:zeek.sip.seq;group:zeek_sip;kind:termfield;friendly:Client CSeq Header;help:Client CSeq Header
-zeek.sip.subject=db:zeek.sip.subject;group:zeek_sip;kind:termfield;friendly:Client Subject Header;help:Client Subject Header
-zeek.sip.request_path=db:zeek.sip.request_path;group:zeek_sip;kind:termfield;friendly:Request Path;help:Request Path
-zeek.sip.response_path=db:zeek.sip.response_path;group:zeek_sip;kind:termfield;friendly:Response Path;help:Response Path
-zeek.sip.user_agent=db:zeek.sip.user_agent;group:zeek_sip;kind:termfield;friendly:User Agent;help:User Agent
-zeek.sip.status_code=db:zeek.sip.status_code;group:zeek_sip;kind:termfield;friendly:Status Code;help:Status Code
-zeek.sip.status_msg=db:zeek.sip.status_msg;group:zeek_sip;kind:termfield;friendly:Status Message;help:Status Message
-zeek.sip.warning=db:zeek.sip.warning;group:zeek_sip;kind:termfield;friendly:Warning Header;help:Warning Header
-zeek.sip.request_body_len=db:zeek.sip.request_body_len;group:zeek_sip;kind:integer;friendly:Request Body Length;help:Request Body Length
-zeek.sip.response_body_len=db:zeek.sip.response_body_len;group:zeek_sip;kind:integer;friendly:Response Body Length;help:Response Body Length
-zeek.sip.content_type=db:zeek.sip.content_type;group:zeek_sip;kind:termfield;friendly:Content Type Header;help:Content Type Header
-zeek.sip.version=db:zeek.sip.version;group:zeek_sip;kind:termfield;friendly:Version;help:Version
+zeek.sip.trans_depth=db:zeek.sip.trans_depth;group:zeek_sip;kind:integer;viewerOnly:true;friendly:Pipeline Depth;help:Pipeline Depth
+zeek.sip.method=db:zeek.sip.method;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request Method;help:Request Method
+zeek.sip.uri=db:zeek.sip.uri;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:URI;help:URI
+zeek.sip.date=db:zeek.sip.date;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request Date Header;help:Request Date Header
+zeek.sip.request_from=db:zeek.sip.request_from;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request From Header;help:Request From Header
+zeek.sip.request_to=db:zeek.sip.request_to;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request To Header;help:Request To Header
+zeek.sip.response_from=db:zeek.sip.response_from;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Response From Header;help:Response From Header
+zeek.sip.response_to=db:zeek.sip.response_to;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Response To Header;help:Response To Header
+zeek.sip.reply_to=db:zeek.sip.reply_to;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Reply-To Header;help:Reply-To Header
+zeek.sip.call_id=db:zeek.sip.call_id;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Client Call-ID Header;help:Client Call-ID Header
+zeek.sip.seq=db:zeek.sip.seq;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Client CSeq Header;help:Client CSeq Header
+zeek.sip.subject=db:zeek.sip.subject;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Client Subject Header;help:Client Subject Header
+zeek.sip.request_path=db:zeek.sip.request_path;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request Path;help:Request Path
+zeek.sip.response_path=db:zeek.sip.response_path;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Response Path;help:Response Path
+zeek.sip.user_agent=db:zeek.sip.user_agent;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:User Agent;help:User Agent
+zeek.sip.status_code=db:zeek.sip.status_code;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Status Code;help:Status Code
+zeek.sip.status_msg=db:zeek.sip.status_msg;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Status
Message;help:Status Message
+zeek.sip.warning=db:zeek.sip.warning;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Warning Header;help:Warning Header
+zeek.sip.request_body_len=db:zeek.sip.request_body_len;group:zeek_sip;kind:integer;viewerOnly:true;friendly:Request Body Length;help:Request Body Length
+zeek.sip.response_body_len=db:zeek.sip.response_body_len;group:zeek_sip;kind:integer;viewerOnly:true;friendly:Response Body Length;help:Response Body Length
+zeek.sip.content_type=db:zeek.sip.content_type;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Content Type Header;help:Content Type Header
+zeek.sip.version=db:zeek.sip.version;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Version;help:Version
 # smb_cmd.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo
-zeek.smb_cmd.command=db:zeek.smb_cmd.command;group:zeek_smb;kind:termfield;friendly:Command;help:Command
-zeek.smb_cmd.sub_command=db:zeek.smb_cmd.sub_command;group:zeek_smb;kind:termfield;friendly:Subcommand;help:Subcommand
-zeek.smb_cmd.argument=db:zeek.smb_cmd.argument;group:zeek_smb;kind:termfield;friendly:Argument;help:Argument
-zeek.smb_cmd.status=db:zeek.smb_cmd.status;group:zeek_smb;kind:termfield;friendly:Status;help:Status
-zeek.smb_cmd.rtt=db:zeek.smb_cmd.rtt;group:zeek_smb;kind:termfield;friendly:Round Trip Time;help:Round Trip Time
-zeek.smb_cmd.version=db:zeek.smb_cmd.version;group:zeek_smb;kind:termfield;friendly:Version;help:Version
-zeek.smb_cmd.tree=db:zeek.smb_cmd.tree;group:zeek_smb;kind:termfield;friendly:Tree;help:Tree
-zeek.smb_cmd.tree_service=db:zeek.smb_cmd.tree_service;group:zeek_smb;kind:termfield;friendly:Tree Service;help:Tree Service
+zeek.smb_cmd.command=db:zeek.smb_cmd.command;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.smb_cmd.sub_command=db:zeek.smb_cmd.sub_command;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Subcommand;help:Subcommand
+zeek.smb_cmd.argument=db:zeek.smb_cmd.argument;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Argument;help:Argument
+zeek.smb_cmd.status=db:zeek.smb_cmd.status;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Status;help:Status
+zeek.smb_cmd.rtt=db:zeek.smb_cmd.rtt;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Round Trip Time;help:Round Trip Time
+zeek.smb_cmd.version=db:zeek.smb_cmd.version;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Version;help:Version
+zeek.smb_cmd.tree=db:zeek.smb_cmd.tree;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Tree;help:Tree
+zeek.smb_cmd.tree_service=db:zeek.smb_cmd.tree_service;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Tree Service;help:Tree Service
 # smb_files.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo
-zeek.smb_files.action=db:zeek.smb_files.action;group:zeek_smb;kind:termfield;friendly:Action;help:Action
-zeek.smb_files.path=db:zeek.smb_files.path;group:zeek_smb;kind:termfield;friendly:File Path;help:File Path
-zeek.smb_files.name=db:zeek.smb_files.name;group:zeek_smb;kind:termfield;friendly:File Name;help:File Name
-zeek.smb_files.size=db:zeek.smb_files.size;group:zeek_smb;kind:integer;friendly:File Size;help:File Size
-zeek.smb_files.prev_name=db:zeek.smb_files.prev_name;group:zeek_smb;kind:termfield;friendly:Previous File Name;help:Previous File Name
-zeek.smb_files.times_modified=db:zeek.smb_files.times_modified;group:zeek_smb;kind:termfield;friendly:Write Time;help:Write Time
-zeek.smb_files.times_accessed=db:zeek.smb_files.times_accessed;group:zeek_smb;kind:termfield;friendly:Access Time;help:Access Time
-zeek.smb_files.times_created=db:zeek.smb_files.times_created;group:zeek_smb;kind:termfield;friendly:Creation Time;help:Creation Time
-zeek.smb_files.times_changed=db:zeek.smb_files.times_changed;group:zeek_smb;kind:termfield;friendly:Modified Time;help:Modified Time
-zeek.smb_files.data_offset_req=db:zeek.smb_files.data_offset_req;group:zeek_smb;kind:integer;friendly:Data Offset Requested;help:Data Offset Requested
-zeek.smb_files.data_len_req=db:zeek.smb_files.data_len_req;group:zeek_smb;kind:integer;friendly:Data Length Requested;help:Data Length Requested
-zeek.smb_files.data_len_rsp=db:zeek.smb_files.data_len_rsp;group:zeek_smb;kind:integer;friendly:Data Length In Response;help:Data Length In Response
+zeek.smb_files.action=db:zeek.smb_files.action;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Action;help:Action
+zeek.smb_files.path=db:zeek.smb_files.path;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:File Path;help:File Path
+zeek.smb_files.name=db:zeek.smb_files.name;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:File Name;help:File Name
+zeek.smb_files.size=db:zeek.smb_files.size;group:zeek_smb;kind:integer;viewerOnly:true;friendly:File Size;help:File Size
+zeek.smb_files.prev_name=db:zeek.smb_files.prev_name;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Previous File Name;help:Previous File Name
+zeek.smb_files.times_modified=db:zeek.smb_files.times_modified;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Write Time;help:Write Time
+zeek.smb_files.times_accessed=db:zeek.smb_files.times_accessed;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Access Time;help:Access Time
+zeek.smb_files.times_created=db:zeek.smb_files.times_created;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Creation Time;help:Creation Time
+zeek.smb_files.times_changed=db:zeek.smb_files.times_changed;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Modified Time;help:Modified Time
+zeek.smb_files.data_offset_req=db:zeek.smb_files.data_offset_req;group:zeek_smb;kind:integer;viewerOnly:true;friendly:Data Offset Requested;help:Data Offset Requested
+zeek.smb_files.data_len_req=db:zeek.smb_files.data_len_req;group:zeek_smb;kind:integer;viewerOnly:true;friendly:Data Length Requested;help:Data
Length Requested
+zeek.smb_files.data_len_rsp=db:zeek.smb_files.data_len_rsp;group:zeek_smb;kind:integer;viewerOnly:true;friendly:Data Length In Response;help:Data Length In Response
 # smb_mapping.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo
-zeek.smb_mapping.path=db:zeek.smb_mapping.path;group:zeek_smb;kind:termfield;friendly:Tree Path;help:Tree Path
-zeek.smb_mapping.resource_type=db:zeek.smb_mapping.resource_type;group:zeek_smb;kind:termfield;friendly:Resource Type;help:Resource Type
-zeek.smb_mapping.native_file_system=db:zeek.smb_mapping.native_file_system;group:zeek_smb;kind:termfield;friendly:File System;help:File System
-zeek.smb_mapping.share_type=db:zeek.smb_mapping.share_type;group:zeek_smb;kind:termfield;friendly:Share Type;help:Share Type
+zeek.smb_mapping.path=db:zeek.smb_mapping.path;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Tree Path;help:Tree Path
+zeek.smb_mapping.resource_type=db:zeek.smb_mapping.resource_type;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Resource Type;help:Resource Type
+zeek.smb_mapping.native_file_system=db:zeek.smb_mapping.native_file_system;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:File System;help:File System
+zeek.smb_mapping.share_type=db:zeek.smb_mapping.share_type;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Share Type;help:Share Type
 # smtp.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info
-zeek.smtp.trans_depth=db:zeek.smtp.trans_depth;group:zeek_smtp;kind:integer;friendly:Transaction Depth;help:Transaction Depth
-zeek.smtp.helo=db:zeek.smtp.helo;group:zeek_smtp;kind:termfield;friendly:HELO;help:HELO
-zeek.smtp.mailfrom=db:zeek.smtp.mailfrom;group:zeek_smtp;kind:termfield;friendly:FROM Addresses;help:FROM Addresses
-zeek.smtp.rcptto=db:zeek.smtp.rcptto;group:zeek_smtp;kind:termfield;friendly:RCPT TO;help:RCPT TO
-zeek.smtp.date=db:zeek.smtp.date;group:zeek_smtp;kind:termfield;friendly:Date;help:Date
-zeek.smtp.from=db:zeek.smtp.from;group:zeek_smtp;kind:termfield;friendly:FROM;help:FROM
-zeek.smtp.to=db:zeek.smtp.to;group:zeek_smtp;kind:termfield;friendly:TO;help:TO
-zeek.smtp.cc=db:zeek.smtp.cc;group:zeek_smtp;kind:termfield;friendly:CC;help:CC
-zeek.smtp.reply_to=db:zeek.smtp.reply_to;group:zeek_smtp;kind:termfield;friendly:Reply-To;help:Reply-To
-zeek.smtp.msg_id=db:zeek.smtp.msg_id;group:zeek_smtp;kind:termfield;friendly:MsgId;help:MsgId
-zeek.smtp.in_reply_to=db:zeek.smtp.in_reply_to;group:zeek_smtp;kind:termfield;friendly:In-Reply-To;help:In-Reply-To
-zeek.smtp.subject=db:zeek.smtp.subject;group:zeek_smtp;kind:termfield;friendly:Subject;help:Subject
-zeek.smtp.x_originating_ip=db:zeek.smtp.x_originating_ip;group:zeek_smtp;kind:termfield;friendly:X-Originating-IP;help:X-Originating-IP
-zeek.smtp.first_received=db:zeek.smtp.first_received;group:zeek_smtp;kind:termfield;friendly:First Received;help:First Received
-zeek.smtp.second_received=db:zeek.smtp.second_received;group:zeek_smtp;kind:termfield;friendly:Second Received;help:Second Received
-zeek.smtp.last_reply=db:zeek.smtp.last_reply;group:zeek_smtp;kind:termfield;friendly:Last Reply;help:Last Reply
-zeek.smtp.last_reply_code=db:zeek.smtp.last_reply_code;group:zeek_smtp;kind:termfield;friendly:Last Reply Code;help:Last Reply Code
-zeek.smtp.last_reply_msg=db:zeek.smtp.last_reply_msg;group:zeek_smtp;kind:termfield;friendly:Last Reply Message;help:Last Reply Message
-zeek.smtp.path=db:zeek.smtp.path;group:zeek_smtp;kind:termfield;friendly:Tranmission Path;help:Tranmission Path
-zeek.smtp.user_agent=db:zeek.smtp.user_agent;group:zeek_smtp;kind:termfield;friendly:User Agent;help:User Agent
-zeek.smtp.tls=db:zeek.smtp.tls;group:zeek_smtp;kind:termfield;friendly:TLS;help:TLS
-zeek.smtp.is_webmail=db:zeek.smtp.is_webmail;group:zeek_smtp;kind:termfield;friendly:Is Webmail;help:Is Webmail
+zeek.smtp.trans_depth=db:zeek.smtp.trans_depth;group:zeek_smtp;kind:integer;viewerOnly:true;friendly:Transaction Depth;help:Transaction Depth
+zeek.smtp.helo=db:zeek.smtp.helo;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:HELO;help:HELO
+zeek.smtp.mailfrom=db:zeek.smtp.mailfrom;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:FROM Addresses;help:FROM Addresses
+zeek.smtp.rcptto=db:zeek.smtp.rcptto;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:RCPT TO;help:RCPT TO
+zeek.smtp.date=db:zeek.smtp.date;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Date;help:Date
+zeek.smtp.from=db:zeek.smtp.from;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:FROM;help:FROM
+zeek.smtp.to=db:zeek.smtp.to;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:TO;help:TO
+zeek.smtp.cc=db:zeek.smtp.cc;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:CC;help:CC
+zeek.smtp.reply_to=db:zeek.smtp.reply_to;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Reply-To;help:Reply-To
+zeek.smtp.msg_id=db:zeek.smtp.msg_id;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:MsgId;help:MsgId
+zeek.smtp.in_reply_to=db:zeek.smtp.in_reply_to;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:In-Reply-To;help:In-Reply-To
+zeek.smtp.subject=db:zeek.smtp.subject;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Subject;help:Subject
+zeek.smtp.x_originating_ip=db:zeek.smtp.x_originating_ip;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:X-Originating-IP;help:X-Originating-IP
+zeek.smtp.first_received=db:zeek.smtp.first_received;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:First Received;help:First Received
+zeek.smtp.second_received=db:zeek.smtp.second_received;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Second Received;help:Second Received
+zeek.smtp.last_reply=db:zeek.smtp.last_reply;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Last Reply;help:Last Reply
+zeek.smtp.last_reply_code=db:zeek.smtp.last_reply_code;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Last Reply Code;help:Last Reply Code +zeek.smtp.last_reply_msg=db:zeek.smtp.last_reply_msg;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Last Reply Message;help:Last Reply Message +zeek.smtp.path=db:zeek.smtp.path;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Tranmission Path;help:Tranmission Path +zeek.smtp.user_agent=db:zeek.smtp.user_agent;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:User Agent;help:User Agent +zeek.smtp.tls=db:zeek.smtp.tls;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:TLS;help:TLS +zeek.smtp.is_webmail=db:zeek.smtp.is_webmail;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Is Webmail;help:Is Webmail # snmp.log # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info -zeek.snmp.duration=db:zeek.snmp.duration;group:zeek_snmp;kind:termfield;friendly:Duration;help:Duration -zeek.snmp.version=db:zeek.snmp.version;group:zeek_snmp;kind:termfield;friendly:Version;help:Version -zeek.snmp.community=db:zeek.snmp.community;group:zeek_snmp;kind:termfield;friendly:Community;help:Community -zeek.snmp.get_requests=db:zeek.snmp.get_requests;group:zeek_snmp;kind:integer;friendly:Get Requests;help:Get Requests -zeek.snmp.get_bulk_requests=db:zeek.snmp.get_bulk_requests;group:zeek_snmp;kind:integer;friendly:Get Bulk Requests;help:Get Bulk Requests -zeek.snmp.get_responses=db:zeek.snmp.get_responses;group:zeek_snmp;kind:integer;friendly:Get Responses;help:Get Responses -zeek.snmp.set_requests=db:zeek.snmp.set_requests;group:zeek_snmp;kind:integer;friendly:Set Requests;help:Set Requests -zeek.snmp.display_string=db:zeek.snmp.display_string;group:zeek_snmp;kind:termfield;friendly:Display String;help:Display String -zeek.snmp.up_since=db:zeek.snmp.up_since;group:zeek_snmp;kind:termfield;friendly:Up Since Timestamp;help:Up Since Timestamp 
+zeek.snmp.duration=db:zeek.snmp.duration;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Duration;help:Duration +zeek.snmp.version=db:zeek.snmp.version;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Version;help:Version +zeek.snmp.community=db:zeek.snmp.community;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Community;help:Community +zeek.snmp.get_requests=db:zeek.snmp.get_requests;group:zeek_snmp;kind:integer;viewerOnly:true;friendly:Get Requests;help:Get Requests +zeek.snmp.get_bulk_requests=db:zeek.snmp.get_bulk_requests;group:zeek_snmp;kind:integer;viewerOnly:true;friendly:Get Bulk Requests;help:Get Bulk Requests +zeek.snmp.get_responses=db:zeek.snmp.get_responses;group:zeek_snmp;kind:integer;viewerOnly:true;friendly:Get Responses;help:Get Responses +zeek.snmp.set_requests=db:zeek.snmp.set_requests;group:zeek_snmp;kind:integer;viewerOnly:true;friendly:Set Requests;help:Set Requests +zeek.snmp.display_string=db:zeek.snmp.display_string;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Display String;help:Display String +zeek.snmp.up_since=db:zeek.snmp.up_since;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Up Since Timestamp;help:Up Since Timestamp # socks.log # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info -zeek.socks.version=db:zeek.socks.version;group:zeek_socks;kind:integer;friendly:Version;help:Version -zeek.socks.server_status=db:zeek.socks.server_status;group:zeek_socks;kind:termfield;friendly:Server Status;help:Server Status -zeek.socks.request_host=db:zeek.socks.request_host;group:zeek_socks;kind:termfield;friendly:Client Address;help:Client Address -zeek.socks.request_name=db:zeek.socks.request_name;group:zeek_socks;kind:termfield;friendly:Client Name;help:Client Name -zeek.socks.request_port=db:zeek.socks.request_port;group:zeek_socks;kind:integer;friendly:Client Port;help:Client Port 
-zeek.socks.bound_host=db:zeek.socks.bound_host;group:zeek_socks;kind:termfield;friendly:Server Address;help:Server Address -zeek.socks.bound_name=db:zeek.socks.bound_name;group:zeek_socks;kind:termfield;friendly:Server Name;help:Server Name -zeek.socks.bound_port=db:zeek.socks.bound_port;group:zeek_socks;kind:integer;friendly:Server Port;help:Server Port +zeek.socks.version=db:zeek.socks.version;group:zeek_socks;kind:integer;viewerOnly:true;friendly:Version;help:Version +zeek.socks.server_status=db:zeek.socks.server_status;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Server Status;help:Server Status +zeek.socks.request_host=db:zeek.socks.request_host;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Client Address;help:Client Address +zeek.socks.request_name=db:zeek.socks.request_name;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Client Name;help:Client Name +zeek.socks.request_port=db:zeek.socks.request_port;group:zeek_socks;kind:integer;viewerOnly:true;friendly:Client Port;help:Client Port +zeek.socks.bound_host=db:zeek.socks.bound_host;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Server Address;help:Server Address +zeek.socks.bound_name=db:zeek.socks.bound_name;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Server Name;help:Server Name +zeek.socks.bound_port=db:zeek.socks.bound_port;group:zeek_socks;kind:integer;viewerOnly:true;friendly:Server Port;help:Server Port # software.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info -zeek.software.software_type=db:zeek.software.software_type;group:zeek_software;kind:termfield;friendly:Software Type;help:Software Type -zeek.software.name=db:zeek.software.name;group:zeek_software;kind:termfield;friendly:Software Name;help:Software Name -zeek.software.version_major=db:zeek.software.version_major;group:zeek_software;kind:integer;friendly:Major Version;help:Major Version 
-zeek.software.version_minor=db:zeek.software.version_minor;group:zeek_software;kind:integer;friendly:Minor Version;help:Minor Version -zeek.software.version_minor2=db:zeek.software.version_minor2;group:zeek_software;kind:integer;friendly:Minor Subversion;help:Minor Subversion -zeek.software.version_minor3=db:zeek.software.version_minor3;group:zeek_software;kind:integer;friendly:Minor Patch;help:Minor Patch -zeek.software.version_addl=db:zeek.software.version_addl;group:zeek_software;kind:termfield;friendly:Additional Version;help:Additional Version -zeek.software.unparsed_version=db:zeek.software.unparsed_version;group:zeek_software;kind:termfield;friendly:Version;help:Version +zeek.software.software_type=db:zeek.software.software_type;group:zeek_software;kind:termfield;viewerOnly:true;friendly:Software Type;help:Software Type +zeek.software.name=db:zeek.software.name;group:zeek_software;kind:termfield;viewerOnly:true;friendly:Software Name;help:Software Name +zeek.software.version_major=db:zeek.software.version_major;group:zeek_software;kind:integer;viewerOnly:true;friendly:Major Version;help:Major Version +zeek.software.version_minor=db:zeek.software.version_minor;group:zeek_software;kind:integer;viewerOnly:true;friendly:Minor Version;help:Minor Version +zeek.software.version_minor2=db:zeek.software.version_minor2;group:zeek_software;kind:integer;viewerOnly:true;friendly:Minor Subversion;help:Minor Subversion +zeek.software.version_minor3=db:zeek.software.version_minor3;group:zeek_software;kind:integer;viewerOnly:true;friendly:Minor Patch;help:Minor Patch +zeek.software.version_addl=db:zeek.software.version_addl;group:zeek_software;kind:termfield;viewerOnly:true;friendly:Additional Version;help:Additional Version +zeek.software.unparsed_version=db:zeek.software.unparsed_version;group:zeek_software;kind:termfield;viewerOnly:true;friendly:Version;help:Version # ssh.log # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info 
-zeek.ssh.version=db:zeek.ssh.version;group:zeek_ssh;kind:integer;friendly:Version;help:Version -zeek.ssh.auth_success=db:zeek.ssh.auth_success;group:zeek_ssh;kind:termfield;friendly:Authentication Success;help:Authentication Success -zeek.ssh.auth_attempts=db:zeek.ssh.auth_attempts;group:zeek_ssh;kind:integer;friendly:Authentication Attempts;help:Authentication Attempts -zeek.ssh.direction=db:zeek.ssh.direction;group:zeek_ssh;kind:termfield;friendly:Connection Direction;help:Connection Direction -zeek.ssh.client=db:zeek.ssh.client;group:zeek_ssh;kind:termfield;friendly:Client Version;help:Client Version -zeek.ssh.server=db:zeek.ssh.server;group:zeek_ssh;kind:termfield;friendly:Server Version;help:Server Version -zeek.ssh.cipher_alg=db:zeek.ssh.cipher_alg;group:zeek_ssh;kind:termfield;friendly:Cipher;help:Cipher Algorithm -zeek.ssh.mac_alg=db:zeek.ssh.mac_alg;group:zeek_ssh;kind:termfield;friendly:Signing Algorithm;help:Signing Algorithm -zeek.ssh.compression_alg=db:zeek.ssh.compression_alg;group:zeek_ssh;kind:termfield;friendly:Compression Algorithm;help:Compression Algorithm -zeek.ssh.kex_alg=db:zeek.ssh.kex_alg;group:zeek_ssh;kind:termfield;friendly:Key Exchange Algorithm;help:Key Exchange Algorithm -zeek.ssh.host_key_alg=db:zeek.ssh.host_key_alg;group:zeek_ssh;kind:termfield;friendly:Server Host Key Algorithm;help:Server Host Key Algorithm -zeek.ssh.host_key=db:zeek.ssh.host_key;group:zeek_ssh;kind:termfield;friendly:Server Key Fingerprint;help:Server Key Fingerprint -zeek.ssh.remote_location_country_code=db:zeek.ssh.remote_location_country_code;group:zeek_ssh;kind:termfield;friendly:SSH Remote Country Code;help:SSH Remote Country Code -zeek.ssh.remote_location_region=db:zeek.ssh.remote_location_region;group:zeek_ssh;kind:termfield;friendly:SSH Remote Region;help:SSH Remote Region -zeek.ssh.remote_location_city=db:zeek.ssh.remote_location_city;group:zeek_ssh;kind:termfield;friendly:SSH Remote City;help:SSH Remote City 
-zeek.ssh.remote_location_latitude=db:zeek.ssh.remote_location_latitude;group:zeek_ssh;kind:termfield;friendly:SSH Remote Latitude;help:SSH Remote Latitude -zeek.ssh.remote_location_longitude=db:zeek.ssh.remote_location_longitude;group:zeek_ssh;kind:termfield;friendly:SSH Remote Longitude;help:SSH Remote Longitude -zeek.ssh.hasshVersion=db:zeek.ssh.hasshVersion;group:zeek_ssh;kind:termfield;friendly:HASSH Version;help:HASSH Version -zeek.ssh.hassh=db:zeek.ssh.hassh;group:zeek_ssh;kind:termfield;friendly:HASSH Client Fingerprint;help:HASSH Client Fingerprint -zeek.ssh.hasshServer=db:zeek.ssh.hasshServer;group:zeek_ssh;kind:termfield;friendly:HASSH Server Fingerprint;help:HASSH Server Fingerprint -zeek.ssh.hasshAlgorithms=db:zeek.ssh.hasshAlgorithms;group:zeek_ssh;kind:termfield;friendly:HASSH Client Algorithms;help:HASSH Client Algorithms -zeek.ssh.hasshServerAlgorithms=db:zeek.ssh.hasshServerAlgorithms;group:zeek_ssh;kind:termfield;friendly:HASSH Server Algorithms;help:HASSH Server Algorithms -zeek.ssh.cshka=db:zeek.ssh.cshka;group:zeek_ssh;kind:termfield;friendly:HASSH Client Host Key Algorithms;help:HASSH Client Host Key Algorithms -zeek.ssh.sshka=db:zeek.ssh.sshka;group:zeek_ssh;kind:termfield;friendly:HASSH Server Host Key Algorithms;help:HASSH Server Host Key Algorithms +zeek.ssh.version=db:zeek.ssh.version;group:zeek_ssh;kind:integer;viewerOnly:true;friendly:Version;help:Version +zeek.ssh.auth_success=db:zeek.ssh.auth_success;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Authentication Success;help:Authentication Success +zeek.ssh.auth_attempts=db:zeek.ssh.auth_attempts;group:zeek_ssh;kind:integer;viewerOnly:true;friendly:Authentication Attempts;help:Authentication Attempts +zeek.ssh.direction=db:zeek.ssh.direction;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Connection Direction;help:Connection Direction +zeek.ssh.client=db:zeek.ssh.client;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Client Version;help:Client Version 
+zeek.ssh.server=db:zeek.ssh.server;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Server Version;help:Server Version +zeek.ssh.cipher_alg=db:zeek.ssh.cipher_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Cipher;help:Cipher Algorithm +zeek.ssh.mac_alg=db:zeek.ssh.mac_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Signing Algorithm;help:Signing Algorithm +zeek.ssh.compression_alg=db:zeek.ssh.compression_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Compression Algorithm;help:Compression Algorithm +zeek.ssh.kex_alg=db:zeek.ssh.kex_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Key Exchange Algorithm;help:Key Exchange Algorithm +zeek.ssh.host_key_alg=db:zeek.ssh.host_key_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Server Host Key Algorithm;help:Server Host Key Algorithm +zeek.ssh.host_key=db:zeek.ssh.host_key;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Server Key Fingerprint;help:Server Key Fingerprint +zeek.ssh.remote_location_country_code=db:zeek.ssh.remote_location_country_code;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote Country Code;help:SSH Remote Country Code +zeek.ssh.remote_location_region=db:zeek.ssh.remote_location_region;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote Region;help:SSH Remote Region +zeek.ssh.remote_location_city=db:zeek.ssh.remote_location_city;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote City;help:SSH Remote City +zeek.ssh.remote_location_latitude=db:zeek.ssh.remote_location_latitude;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote Latitude;help:SSH Remote Latitude +zeek.ssh.remote_location_longitude=db:zeek.ssh.remote_location_longitude;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote Longitude;help:SSH Remote Longitude +zeek.ssh.hasshVersion=db:zeek.ssh.hasshVersion;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Version;help:HASSH Version 
+zeek.ssh.hassh=db:zeek.ssh.hassh;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Client Fingerprint;help:HASSH Client Fingerprint +zeek.ssh.hasshServer=db:zeek.ssh.hasshServer;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Server Fingerprint;help:HASSH Server Fingerprint +zeek.ssh.hasshAlgorithms=db:zeek.ssh.hasshAlgorithms;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Client Algorithms;help:HASSH Client Algorithms +zeek.ssh.hasshServerAlgorithms=db:zeek.ssh.hasshServerAlgorithms;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Server Algorithms;help:HASSH Server Algorithms +zeek.ssh.cshka=db:zeek.ssh.cshka;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Client Host Key Algorithms;help:HASSH Client Host Key Algorithms +zeek.ssh.sshka=db:zeek.ssh.sshka;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Server Host Key Algorithms;help:HASSH Server Host Key Algorithms # ssl.log # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info -zeek.ssl.ssl_version=db:zeek.ssl.ssl_version;group:zeek_ssl;kind:termfield;friendly:Version;help:Version -zeek.ssl.cipher=db:zeek.ssl.cipher;group:zeek_ssl;kind:termfield;friendly:Cipher;help:Cipher -zeek.ssl.curve=db:zeek.ssl.curve;group:zeek_ssl;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve -zeek.ssl.server_name=db:zeek.ssl.server_name;group:zeek_ssl;kind:termfield;friendly:Server Name;help:Server Name -zeek.ssl.sni_matches_cert=db:zeek.ssl.sni_matches_cert;group:zeek_ssl;kind:termfield;friendly:SNI Matches Certificate;help:SNI Matches Certificate -zeek.ssl.ssl_history=db:zeek.ssl.ssl_history;group:zeek_ssl;kind:termfield;friendly:SSL Packet History;help:SSL Packet History -zeek.ssl.resumed=db:zeek.ssl.resumed;group:zeek_ssl;kind:termfield;friendly:Resumed;help:Resumed -zeek.ssl.last_alert=db:zeek.ssl.last_alert;group:zeek_ssl;kind:termfield;friendly:Last Alert;help:Last Alert 
-zeek.ssl.next_protocol=db:zeek.ssl.next_protocol;group:zeek_ssl;kind:termfield;friendly:Next Protocol;help:Next Protocol -zeek.ssl.established=db:zeek.ssl.established;group:zeek_ssl;kind:termfield;friendly:Established;help:Established -zeek.ssl.cert_chain_fuids=db:zeek.ssl.cert_chain_fuids;group:zeek_ssl;kind:termfield;friendly:Certificate Chain File ID;help:Certificate Chain File ID -zeek.ssl.cert_chain_fps=db:zeek.ssl.cert_chain_fps;group:zeek_ssl;kind:termfield;friendly:Certificate Chain File Fingerprints;help:Certificate Chain File Fingerprints -zeek.ssl.client_cert_chain_fuids=db:zeek.ssl.client_cert_chain_fuids;group:zeek_ssl;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID -zeek.ssl.client_cert_chain_fps=db:zeek.ssl.client_cert_chain_fps;group:zeek_ssl;kind:termfield;friendly:Client Certificate File Fingerprints;help:Client Certificate File Fingerprints -zeek.ssl.issuer_full=db:zeek.ssl.issuer_full;group:zeek_ssl;kind:termfield;friendly:Issuer;help:Issuer -zeek.ssl.subject.C=db:zeek.ssl.subject.C;group:zeek_ssl;kind:termfield;friendly:Subject Country;help:Subject Country -zeek.ssl.subject.CN=db:zeek.ssl.subject.CN;group:zeek_ssl;kind:termfield;friendly:Subject Common Name;help:Subject Common Name -zeek.ssl.subject.description=db:zeek.ssl.subject.description;group:zeek_ssl;kind:termfield;friendly:Subject Description;help:Subject Description -zeek.ssl.subject.emailAddress=db:zeek.ssl.subject.emailAddress;group:zeek_ssl;kind:termfield;friendly:Subject Email Address;help:Subject Email Address -zeek.ssl.subject_full=db:zeek.ssl.subject_full;group:zeek_ssl;kind:termfield;friendly:Subject;help:Subject -zeek.ssl.subject.GN=db:zeek.ssl.subject.GN;group:zeek_ssl;kind:termfield;friendly:Subject Given Name;help:Subject Given Name -zeek.ssl.subject.initials=db:zeek.ssl.subject.initials;group:zeek_ssl;kind:termfield;friendly:Subject Initials;help:Subject Initials 
-zeek.ssl.subject.L=db:zeek.ssl.subject.L;group:zeek_ssl;kind:termfield;friendly:Subject Locality;help:Subject Locality -zeek.ssl.subject.O=db:zeek.ssl.subject.O;group:zeek_ssl;kind:termfield;friendly:Subject Organization;help:Subject Organization -zeek.ssl.subject.OU=db:zeek.ssl.subject.OU;group:zeek_ssl;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit -zeek.ssl.subject.postalCode=db:zeek.ssl.subject.postalCode;group:zeek_ssl;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code -zeek.ssl.subject.pseudonym=db:zeek.ssl.subject.pseudonym;group:zeek_ssl;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym -zeek.ssl.subject.serialNumber=db:zeek.ssl.subject.serialNumber;group:zeek_ssl;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number -zeek.ssl.subject.SN=db:zeek.ssl.subject.SN;group:zeek_ssl;kind:termfield;friendly:Subject Surname;help:Subject Surname -zeek.ssl.subject.ST=db:zeek.ssl.subject.ST;group:zeek_ssl;kind:termfield;friendly:Subject State;help:Subject State -zeek.ssl.subject.street=db:zeek.ssl.subject.street;group:zeek_ssl;kind:termfield;friendly:Subject Street;help:Subject Street -zeek.ssl.subject.title=db:zeek.ssl.subject.title;group:zeek_ssl;kind:termfield;friendly:Subject Title;help:Subject Title -zeek.ssl.issuer.CN=db:zeek.ssl.issuer.CN;group:zeek_ssl;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name -zeek.ssl.issuer.C=db:zeek.ssl.issuer.C;group:zeek_ssl;kind:termfield;friendly:Issuer Country;help:Issuer Country -zeek.ssl.issuer.O=db:zeek.ssl.issuer.O;group:zeek_ssl;kind:termfield;friendly:Issuer Organization;help:Issuer Organization -zeek.ssl.issuer.OU=db:zeek.ssl.issuer.OU;group:zeek_ssl;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit -zeek.ssl.issuer.ST=db:zeek.ssl.issuer.ST;group:zeek_ssl;kind:termfield;friendly:Issuer State;help:Issuer State 
-zeek.ssl.issuer.SN=db:zeek.ssl.issuer.SN;group:zeek_ssl;kind:termfield;friendly:Issuer Surname;help:Issuer Surname -zeek.ssl.issuer.L=db:zeek.ssl.issuer.L;group:zeek_ssl;kind:termfield;friendly:Issuer Locality;help:Issuer Locality -zeek.ssl.issuer.DC=db:zeek.ssl.issuer.DC;group:zeek_ssl;kind:termfield;friendly:Issuer Distinguished Name;help:Issuer Distinguished Name -zeek.ssl.issuer.GN=db:zeek.ssl.issuer.GN;group:zeek_ssl;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name -zeek.ssl.issuer.pseudonym=db:zeek.ssl.issuer.pseudonym;group:zeek_ssl;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym -zeek.ssl.issuer.serialNumber=db:zeek.ssl.issuer.serialNumber;group:zeek_ssl;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number -zeek.ssl.issuer.title=db:zeek.ssl.issuer.title;group:zeek_ssl;kind:termfield;friendly:Issuer Title;help:Issuer Title -zeek.ssl.issuer.initials=db:zeek.ssl.issuer.initials;group:zeek_ssl;kind:termfield;friendly:Issuer Initials;help:Issuer Initials -zeek.ssl.issuer.emailAddress=db:zeek.ssl.issuer.emailAddress;group:zeek_ssl;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address -zeek.ssl.client_subject_full=db:zeek.ssl.client_subject_full;group:zeek_ssl;kind:termfield;friendly:Client Subject;help:Client Subject -zeek.ssl.client_subject.CN=db:zeek.ssl.client_subject.CN;group:zeek_ssl;kind:termfield;friendly:Client Subject Common Name;help:Client Subject Common Name -zeek.ssl.client_subject.C=db:zeek.ssl.client_subject.C;group:zeek_ssl;kind:termfield;friendly:Client Subject Country;help:Client Subject Country -zeek.ssl.client_subject.O=db:zeek.ssl.client_subject.O;group:zeek_ssl;kind:termfield;friendly:Client Subject Organization;help:Client Subject Organization -zeek.ssl.client_subject.OU=db:zeek.ssl.client_subject.OU;group:zeek_ssl;kind:termfield;friendly:Client Subject Organization Unit;help:Client Subject Organization Unit 
-zeek.ssl.client_subject.ST=db:zeek.ssl.client_subject.ST;group:zeek_ssl;kind:termfield;friendly:Client Subject State;help:Client Subject State -zeek.ssl.client_subject.SN=db:zeek.ssl.client_subject.SN;group:zeek_ssl;kind:termfield;friendly:Client Subject Surname;help:Client Subject Surname -zeek.ssl.client_subject.L=db:zeek.ssl.client_subject.L;group:zeek_ssl;kind:termfield;friendly:Client Subject Locality;help:Client Subject Locality -zeek.ssl.client_subject.GN=db:zeek.ssl.client_subject.GN;group:zeek_ssl;kind:termfield;friendly:Client Subject Given Name;help:Client Subject Given Name -zeek.ssl.client_subject.pseudonym=db:zeek.ssl.client_subject.pseudonym;group:zeek_ssl;kind:termfield;friendly:Client Subject Pseudonym;help:Client Subject Pseudonym -zeek.ssl.client_subject.serialNumber=db:zeek.ssl.client_subject.serialNumber;group:zeek_ssl;kind:termfield;friendly:Client Subject Serial Number;help:Client Subject Serial Number -zeek.ssl.client_subject.title=db:zeek.ssl.client_subject.title;group:zeek_ssl;kind:termfield;friendly:Client Subject Title;help:Client Subject Title -zeek.ssl.client_subject.initials=db:zeek.ssl.client_subject.initials;group:zeek_ssl;kind:termfield;friendly:Client Subject Initials;help:Client Subject Initials -zeek.ssl.client_subject.emailAddress=db:zeek.ssl.client_subject.emailAddress;group:zeek_ssl;kind:termfield;friendly:Client Subject Email Address;help:Client Subject Email Address -zeek.ssl.client_issuer_full=db:zeek.ssl.client_issuer_full;group:zeek_ssl;kind:termfield;friendly:Client Issuer;help:Client Issuer -zeek.ssl.client_issuer.CN=db:zeek.ssl.client_issuer.CN;group:zeek_ssl;kind:termfield;friendly:Client Issuer Common Name;help:Client Issuer Common Name -zeek.ssl.client_issuer.C=db:zeek.ssl.client_issuer.C;group:zeek_ssl;kind:termfield;friendly:Client Issuer Country;help:Client Issuer Country -zeek.ssl.client_issuer.O=db:zeek.ssl.client_issuer.O;group:zeek_ssl;kind:termfield;friendly:Client Issuer Organization;help:Client Issuer 
Organization -zeek.ssl.client_issuer.OU=db:zeek.ssl.client_issuer.OU;group:zeek_ssl;kind:termfield;friendly:Client Issuer Organization Unit;help:Client Issuer Organization Unit -zeek.ssl.client_issuer.ST=db:zeek.ssl.client_issuer.ST;group:zeek_ssl;kind:termfield;friendly:Client Issuer State;help:Client Issuer State -zeek.ssl.client_issuer.SN=db:zeek.ssl.client_issuer.SN;group:zeek_ssl;kind:termfield;friendly:Client Issuer Surname;help:Client Issuer Surname -zeek.ssl.client_issuer.L=db:zeek.ssl.client_issuer.L;group:zeek_ssl;kind:termfield;friendly:Client Issuer Locality;help:Client Issuer Locality -zeek.ssl.client_issuer.DC=db:zeek.ssl.client_issuer.DC;group:zeek_ssl;kind:termfield;friendly:Client Issuer Distinguished Name;help:Client Issuer Distinguished Name -zeek.ssl.client_issuer.GN=db:zeek.ssl.client_issuer.GN;group:zeek_ssl;kind:termfield;friendly:Client Issuer Given Name;help:Client Issuer Given Name -zeek.ssl.client_issuer.pseudonym=db:zeek.ssl.client_issuer.pseudonym;group:zeek_ssl;kind:termfield;friendly:Client Issuer Pseudonym;help:Client Issuer Pseudonym -zeek.ssl.client_issuer.serialNumber=db:zeek.ssl.client_issuer.serialNumber;group:zeek_ssl;kind:termfield;friendly:Client Issuer Serial Number;help:Client Issuer Serial Number -zeek.ssl.client_issuer.title=db:zeek.ssl.client_issuer.title;group:zeek_ssl;kind:termfield;friendly:Client Issuer Title;help:Client Issuer Title -zeek.ssl.client_issuer.initials=db:zeek.ssl.client_issuer.initials;group:zeek_ssl;kind:termfield;friendly:Client Issuer Initials;help:Client Issuer Initials -zeek.ssl.client_issuer.emailAddress=db:zeek.ssl.client_issuer.emailAddress;group:zeek_ssl;kind:termfield;friendly:Client Issuer Email Address;help:Client Issuer Email Address -zeek.ssl.validation_status=db:zeek.ssl.validation_status;group:zeek_ssl;kind:termfield;friendly:Validation Status;help:Validation Status -tls.client.ja3=db:tls.client.ja3;group:zeek_ssl;kind:termfield;friendly:JA3 Client Fingerprint;help:JA3 Client 
Fingerprint -tls.server.ja3s=db:tls.server.ja3s;group:zeek_ssl;kind:termfield;friendly:JA3 Server Fingerprint;help:JA3 Server Fingerprint -tls.client.ja3_description=db:tls.client.ja3_description;group:zeek_ssl;kind:termfield;friendly:JA3 Client Fingerprint Lookup;help:JA3 Client Fingerprint Lookup -tls.server.ja3s_description=db:tls.server.ja3s_description;group:zeek_ssl;kind:termfield;friendly:JA3 Server Fingerprint Lookup;help:JA3 Server Fingerprint Lookup +zeek.ssl.ssl_version=db:zeek.ssl.ssl_version;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Version;help:Version +zeek.ssl.cipher=db:zeek.ssl.cipher;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Cipher;help:Cipher +zeek.ssl.curve=db:zeek.ssl.curve;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Elliptic Curve;help:Elliptic Curve +zeek.ssl.server_name=db:zeek.ssl.server_name;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Server Name;help:Server Name +zeek.ssl.sni_matches_cert=db:zeek.ssl.sni_matches_cert;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:SNI Matches Certificate;help:SNI Matches Certificate +zeek.ssl.ssl_history=db:zeek.ssl.ssl_history;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:SSL Packet History;help:SSL Packet History +zeek.ssl.resumed=db:zeek.ssl.resumed;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Resumed;help:Resumed +zeek.ssl.last_alert=db:zeek.ssl.last_alert;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Last Alert;help:Last Alert +zeek.ssl.next_protocol=db:zeek.ssl.next_protocol;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Next Protocol;help:Next Protocol +zeek.ssl.established=db:zeek.ssl.established;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Established;help:Established +zeek.ssl.cert_chain_fuids=db:zeek.ssl.cert_chain_fuids;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Certificate Chain File ID;help:Certificate Chain File ID 
+zeek.ssl.cert_chain_fps=db:zeek.ssl.cert_chain_fps;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Certificate Chain File Fingerprints;help:Certificate Chain File Fingerprints +zeek.ssl.client_cert_chain_fuids=db:zeek.ssl.client_cert_chain_fuids;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Certificate File ID;help:Client Certificate File ID +zeek.ssl.client_cert_chain_fps=db:zeek.ssl.client_cert_chain_fps;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Certificate File Fingerprints;help:Client Certificate File Fingerprints +zeek.ssl.issuer_full=db:zeek.ssl.issuer_full;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer;help:Issuer +zeek.ssl.subject.C=db:zeek.ssl.subject.C;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Country;help:Subject Country +zeek.ssl.subject.CN=db:zeek.ssl.subject.CN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Common Name;help:Subject Common Name +zeek.ssl.subject.description=db:zeek.ssl.subject.description;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Description;help:Subject Description +zeek.ssl.subject.emailAddress=db:zeek.ssl.subject.emailAddress;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Email Address;help:Subject Email Address +zeek.ssl.subject_full=db:zeek.ssl.subject_full;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject;help:Subject +zeek.ssl.subject.GN=db:zeek.ssl.subject.GN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Given Name;help:Subject Given Name +zeek.ssl.subject.initials=db:zeek.ssl.subject.initials;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Initials;help:Subject Initials +zeek.ssl.subject.L=db:zeek.ssl.subject.L;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Locality;help:Subject Locality +zeek.ssl.subject.O=db:zeek.ssl.subject.O;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Organization;help:Subject Organization 
+zeek.ssl.subject.OU=db:zeek.ssl.subject.OU;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Organization Unit;help:Subject Organization Unit
+zeek.ssl.subject.postalCode=db:zeek.ssl.subject.postalCode;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Postal Code;help:Subject Postal Code
+zeek.ssl.subject.pseudonym=db:zeek.ssl.subject.pseudonym;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Pseudonym;help:Subject Pseudonym
+zeek.ssl.subject.serialNumber=db:zeek.ssl.subject.serialNumber;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Serial Number;help:Subject Serial Number
+zeek.ssl.subject.SN=db:zeek.ssl.subject.SN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Surname;help:Subject Surname
+zeek.ssl.subject.ST=db:zeek.ssl.subject.ST;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject State;help:Subject State
+zeek.ssl.subject.street=db:zeek.ssl.subject.street;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Street;help:Subject Street
+zeek.ssl.subject.title=db:zeek.ssl.subject.title;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Title;help:Subject Title
+zeek.ssl.issuer.CN=db:zeek.ssl.issuer.CN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Common Name;help:Issuer Common Name
+zeek.ssl.issuer.C=db:zeek.ssl.issuer.C;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Country;help:Issuer Country
+zeek.ssl.issuer.O=db:zeek.ssl.issuer.O;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Organization;help:Issuer Organization
+zeek.ssl.issuer.OU=db:zeek.ssl.issuer.OU;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Organization Unit;help:Issuer Organization Unit
+zeek.ssl.issuer.ST=db:zeek.ssl.issuer.ST;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer State;help:Issuer State
+zeek.ssl.issuer.SN=db:zeek.ssl.issuer.SN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Surname;help:Issuer Surname
+zeek.ssl.issuer.L=db:zeek.ssl.issuer.L;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Locality;help:Issuer Locality
+zeek.ssl.issuer.DC=db:zeek.ssl.issuer.DC;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Distinguished Name;help:Issuer Distinguished Name
+zeek.ssl.issuer.GN=db:zeek.ssl.issuer.GN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Given Name;help:Issuer Given Name
+zeek.ssl.issuer.pseudonym=db:zeek.ssl.issuer.pseudonym;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Pseudonym;help:Issuer Pseudonym
+zeek.ssl.issuer.serialNumber=db:zeek.ssl.issuer.serialNumber;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Serial Number;help:Issuer Serial Number
+zeek.ssl.issuer.title=db:zeek.ssl.issuer.title;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Title;help:Issuer Title
+zeek.ssl.issuer.initials=db:zeek.ssl.issuer.initials;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Initials;help:Issuer Initials
+zeek.ssl.issuer.emailAddress=db:zeek.ssl.issuer.emailAddress;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Email Address;help:Issuer Email Address
+zeek.ssl.client_subject_full=db:zeek.ssl.client_subject_full;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject;help:Client Subject
+zeek.ssl.client_subject.CN=db:zeek.ssl.client_subject.CN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Common Name;help:Client Subject Common Name
+zeek.ssl.client_subject.C=db:zeek.ssl.client_subject.C;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Country;help:Client Subject Country
+zeek.ssl.client_subject.O=db:zeek.ssl.client_subject.O;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Organization;help:Client Subject Organization
+zeek.ssl.client_subject.OU=db:zeek.ssl.client_subject.OU;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Organization Unit;help:Client Subject Organization Unit
+zeek.ssl.client_subject.ST=db:zeek.ssl.client_subject.ST;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject State;help:Client Subject State
+zeek.ssl.client_subject.SN=db:zeek.ssl.client_subject.SN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Surname;help:Client Subject Surname
+zeek.ssl.client_subject.L=db:zeek.ssl.client_subject.L;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Locality;help:Client Subject Locality
+zeek.ssl.client_subject.GN=db:zeek.ssl.client_subject.GN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Given Name;help:Client Subject Given Name
+zeek.ssl.client_subject.pseudonym=db:zeek.ssl.client_subject.pseudonym;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Pseudonym;help:Client Subject Pseudonym
+zeek.ssl.client_subject.serialNumber=db:zeek.ssl.client_subject.serialNumber;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Serial Number;help:Client Subject Serial Number
+zeek.ssl.client_subject.title=db:zeek.ssl.client_subject.title;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Title;help:Client Subject Title
+zeek.ssl.client_subject.initials=db:zeek.ssl.client_subject.initials;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Initials;help:Client Subject Initials
+zeek.ssl.client_subject.emailAddress=db:zeek.ssl.client_subject.emailAddress;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Email Address;help:Client Subject Email Address
+zeek.ssl.client_issuer_full=db:zeek.ssl.client_issuer_full;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer;help:Client Issuer
+zeek.ssl.client_issuer.CN=db:zeek.ssl.client_issuer.CN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Common Name;help:Client Issuer Common Name
+zeek.ssl.client_issuer.C=db:zeek.ssl.client_issuer.C;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Country;help:Client Issuer Country
+zeek.ssl.client_issuer.O=db:zeek.ssl.client_issuer.O;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Organization;help:Client Issuer Organization
+zeek.ssl.client_issuer.OU=db:zeek.ssl.client_issuer.OU;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Organization Unit;help:Client Issuer Organization Unit
+zeek.ssl.client_issuer.ST=db:zeek.ssl.client_issuer.ST;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer State;help:Client Issuer State
+zeek.ssl.client_issuer.SN=db:zeek.ssl.client_issuer.SN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Surname;help:Client Issuer Surname
+zeek.ssl.client_issuer.L=db:zeek.ssl.client_issuer.L;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Locality;help:Client Issuer Locality
+zeek.ssl.client_issuer.DC=db:zeek.ssl.client_issuer.DC;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Distinguished Name;help:Client Issuer Distinguished Name
+zeek.ssl.client_issuer.GN=db:zeek.ssl.client_issuer.GN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Given Name;help:Client Issuer Given Name
+zeek.ssl.client_issuer.pseudonym=db:zeek.ssl.client_issuer.pseudonym;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Pseudonym;help:Client Issuer Pseudonym
+zeek.ssl.client_issuer.serialNumber=db:zeek.ssl.client_issuer.serialNumber;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Serial Number;help:Client Issuer Serial Number
+zeek.ssl.client_issuer.title=db:zeek.ssl.client_issuer.title;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Title;help:Client Issuer Title
+zeek.ssl.client_issuer.initials=db:zeek.ssl.client_issuer.initials;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Initials;help:Client Issuer Initials
+zeek.ssl.client_issuer.emailAddress=db:zeek.ssl.client_issuer.emailAddress;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Email Address;help:Client Issuer Email Address
+zeek.ssl.validation_status=db:zeek.ssl.validation_status;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Validation Status;help:Validation Status
+tls.client.ja3=db:tls.client.ja3;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:JA3 Client Fingerprint;help:JA3 Client Fingerprint
+tls.server.ja3s=db:tls.server.ja3s;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:JA3 Server Fingerprint;help:JA3 Server Fingerprint
+tls.client.ja3_description=db:tls.client.ja3_description;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:JA3 Client Fingerprint Lookup;help:JA3 Client Fingerprint Lookup
+tls.server.ja3s_description=db:tls.server.ja3s_description;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:JA3 Server Fingerprint Lookup;help:JA3 Server Fingerprint Lookup
 # stun.log and stun_nat.log
 # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek
-zeek.stun.trans_id=db:zeek.stun.trans_id;group:zeek_stun;kind:termfield;friendly:Transaction ID;help:Transaction ID
-zeek.stun.method=db:zeek.stun.method;group:zeek_stun;kind:termfield;friendly:STUN Method;help:STUN Method
-zeek.stun.class=db:zeek.stun.class;group:zeek_stun;kind:termfield;friendly:STUN Class;help:STUN Class
-zeek.stun.attr_type=db:zeek.stun.attr_type;group:zeek_stun;kind:termfield;friendly:Attribute Type;help:Attribute Type
-zeek.stun.attr_val=db:zeek.stun.attr_val;group:zeek_stun;kind:termfield;friendly:Attribute Value;help:Attribute Value
-zeek.stun_nat.wan_addr=db:zeek.stun_nat.wan_addr;group:zeek_stun;kind:termfield;friendly:WAN Address;help:WAN Address
-zeek.stun_nat.wan_port=db:zeek.stun_nat.wan_port;group:zeek_stun;kind:integer;friendly:Mapped Port;help:Mapped Port
-zeek.stun_nat.lan_addr=db:zeek.stun_nat.lan_addr;group:zeek_stun;kind:termfield;friendly:NAT LAN Address;help:NAT LAN Address
+zeek.stun.trans_id=db:zeek.stun.trans_id;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
+zeek.stun.method=db:zeek.stun.method;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:STUN Method;help:STUN Method
+zeek.stun.class=db:zeek.stun.class;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:STUN Class;help:STUN Class
+zeek.stun.attr_type=db:zeek.stun.attr_type;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:Attribute Type;help:Attribute Type
+zeek.stun.attr_val=db:zeek.stun.attr_val;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:Attribute Value;help:Attribute Value
+zeek.stun_nat.wan_addr=db:zeek.stun_nat.wan_addr;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:WAN Address;help:WAN Address
+zeek.stun_nat.wan_port=db:zeek.stun_nat.wan_port;group:zeek_stun;kind:integer;viewerOnly:true;friendly:Mapped Port;help:Mapped Port
+zeek.stun_nat.lan_addr=db:zeek.stun_nat.lan_addr;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:NAT LAN Address;help:NAT LAN Address
 # synchrophasor_cmd.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_cmd.command=db:zeek.synchrophasor_cmd.command;group:zeek_synchrophasor;kind:termfield;friendly:command;help:command
-zeek.synchrophasor_cmd.extframe=db:zeek.synchrophasor_cmd.extframe;group:zeek_synchrophasor;kind:integer;friendly:extframe;help:extframe
+zeek.synchrophasor_cmd.command=db:zeek.synchrophasor_cmd.command;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:command;help:command
+zeek.synchrophasor_cmd.extframe=db:zeek.synchrophasor_cmd.extframe;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:extframe;help:extframe
 # synchrophasor_cfg.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_cfg.cont_idx=db:zeek.synchrophasor_cfg.cont_idx;group:zeek_synchrophasor;kind:integer;friendly:cont_idx;help:cont_idx
-zeek.synchrophasor_cfg.pmu_count_expected=db:zeek.synchrophasor_cfg.pmu_count_expected;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_expected;help:pmu_count_expected
-zeek.synchrophasor_cfg.pmu_count_actual=db:zeek.synchrophasor_cfg.pmu_count_actual;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_actual;help:pmu_count_actual
-zeek.synchrophasor_cfg.cfg_frame_id=db:zeek.synchrophasor_cfg.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:cfg_frame_id;help:cfg_frame_id
+zeek.synchrophasor_cfg.cont_idx=db:zeek.synchrophasor_cfg.cont_idx;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:cont_idx;help:cont_idx
+zeek.synchrophasor_cfg.pmu_count_expected=db:zeek.synchrophasor_cfg.pmu_count_expected;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_count_expected;help:pmu_count_expected
+zeek.synchrophasor_cfg.pmu_count_actual=db:zeek.synchrophasor_cfg.pmu_count_actual;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_count_actual;help:pmu_count_actual
+zeek.synchrophasor_cfg.cfg_frame_id=db:zeek.synchrophasor_cfg.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:cfg_frame_id;help:cfg_frame_id
 # synchrophasor_cfg_detail.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_cfg_detail.cfg_frame_id=db:zeek.synchrophasor_cfg_detail.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:cfg_frame_id;help:cfg_frame_id
-zeek.synchrophasor_cfg_detail.pmu_idx=db:zeek.synchrophasor_cfg_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;friendly:pmu_idx;help:pmu_idx
-zeek.synchrophasor_cfg_detail.svc_class=db:zeek.synchrophasor_cfg_detail.svc_class;group:zeek_synchrophasor;kind:termfield;friendly:svc_class;help:svc_class
-zeek.synchrophasor_cfg_detail.station_name=db:zeek.synchrophasor_cfg_detail.station_name;group:zeek_synchrophasor;kind:termfield;friendly:station_name;help:station_name
-zeek.synchrophasor_cfg_detail.data_source_id=db:zeek.synchrophasor_cfg_detail.data_source_id;group:zeek_synchrophasor;kind:integer;friendly:data_source_id;help:data_source_id
-zeek.synchrophasor_cfg_detail.global_pmuid=db:zeek.synchrophasor_cfg_detail.global_pmuid;group:zeek_synchrophasor;kind:termfield;friendly:global_pmuid;help:global_pmuid
-zeek.synchrophasor_cfg_detail.phasor_shape=db:zeek.synchrophasor_cfg_detail.phasor_shape;group:zeek_synchrophasor;kind:termfield;friendly:phasor_shape;help:phasor_shape
-zeek.synchrophasor_cfg_detail.phasor_format=db:zeek.synchrophasor_cfg_detail.phasor_format;group:zeek_synchrophasor;kind:termfield;friendly:phasor_format;help:phasor_format
-zeek.synchrophasor_cfg_detail.analog_format=db:zeek.synchrophasor_cfg_detail.analog_format;group:zeek_synchrophasor;kind:termfield;friendly:analog_format;help:analog_format
-zeek.synchrophasor_cfg_detail.freq_format=db:zeek.synchrophasor_cfg_detail.freq_format;group:zeek_synchrophasor;kind:termfield;friendly:freq_format;help:freq_format
-zeek.synchrophasor_cfg_detail.phnmr=db:zeek.synchrophasor_cfg_detail.phnmr;group:zeek_synchrophasor;kind:integer;friendly:phnmr;help:phnmr
-zeek.synchrophasor_cfg_detail.annmr=db:zeek.synchrophasor_cfg_detail.annmr;group:zeek_synchrophasor;kind:integer;friendly:annmr;help:annmr
-zeek.synchrophasor_cfg_detail.dgnmr=db:zeek.synchrophasor_cfg_detail.dgnmr;group:zeek_synchrophasor;kind:integer;friendly:dgnmr;help:dgnmr
-zeek.synchrophasor_cfg_detail.phnam=db:zeek.synchrophasor_cfg_detail.phnam;group:zeek_synchrophasor;kind:termfield;friendly:phnam;help:phnam
-zeek.synchrophasor_cfg_detail.annam=db:zeek.synchrophasor_cfg_detail.annam;group:zeek_synchrophasor;kind:termfield;friendly:annam;help:annam
-zeek.synchrophasor_cfg_detail.dgnam=db:zeek.synchrophasor_cfg_detail.dgnam;group:zeek_synchrophasor;kind:termfield;friendly:dgnam;help:dgnam
-zeek.synchrophasor_cfg_detail.phasor_conv_phunit=db:zeek.synchrophasor_cfg_detail.phasor_conv_phunit;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_phunit;help:phasor_conv_phunit
-zeek.synchrophasor_cfg_detail.phasor_conv_phvalue=db:zeek.synchrophasor_cfg_detail.phasor_conv_phvalue;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_phvalue;help:phasor_conv_phvalue
-zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_upsampled_interpolation;help:phasor_conv_upsampled_interpolation
-zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_upsampled_extrapolation;help:phasor_conv_upsampled_extrapolation
-zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_downsampled_reselection;help:phasor_conv_downsampled_reselection
-zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_downsampled_fir_filter;help:phasor_conv_downsampled_fir_filter
-zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_downsampled_no_fir_filter;help:phasor_conv_downsampled_no_fir_filter
-zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling=db:zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_filtered_without_changing_sampling;help:phasor_conv_filtered_without_changing_sampling
-zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_calibration_mag_adj;help:phasor_conv_calibration_mag_adj
-zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_calibration_phas_adj;help:phasor_conv_calibration_phas_adj
-zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_rotation_phase_adj;help:phasor_conv_rotation_phase_adj
-zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val=db:zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_pseudo_phasor_val;help:phasor_conv_pseudo_phasor_val
-zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl=db:zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_mod_appl;help:phasor_conv_mod_appl
-zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_phasor_component;help:phasor_conv_phasor_component
-zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_phasor_type;help:phasor_conv_phasor_type
-zeek.synchrophasor_cfg_detail.phasor_conv_user_def=db:zeek.synchrophasor_cfg_detail.phasor_conv_user_def;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_user_def;help:phasor_conv_user_def
-zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor=db:zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor;group:zeek_synchrophasor;kind:float;friendly:phasor_conv_scale_factor;help:phasor_conv_scale_factor
-zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj;group:zeek_synchrophasor;kind:float;friendly:phasor_conv_angle_adj;help:phasor_conv_angle_adj
-zeek.synchrophasor_cfg_detail.analog_conv_analog_flags=db:zeek.synchrophasor_cfg_detail.analog_conv_analog_flags;group:zeek_synchrophasor;kind:integer;friendly:analog_conv_analog_flags;help:analog_conv_analog_flags
-zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling=db:zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling;group:zeek_synchrophasor;kind:integer;friendly:analog_conv_user_defined_scaling;help:analog_conv_user_defined_scaling
-zeek.synchrophasor_cfg_detail.analog_conv_mag_scale=db:zeek.synchrophasor_cfg_detail.analog_conv_mag_scale;group:zeek_synchrophasor;kind:float;friendly:analog_conv_mag_scale;help:analog_conv_mag_scale
-zeek.synchrophasor_cfg_detail.analog_conv_offset=db:zeek.synchrophasor_cfg_detail.analog_conv_offset;group:zeek_synchrophasor;kind:float;friendly:analog_conv_offset;help:analog_conv_offset
-zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask;group:zeek_synchrophasor;kind:integer;friendly:digital_conv_normal_status_mask;help:digital_conv_normal_status_mask
-zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask;group:zeek_synchrophasor;kind:integer;friendly:digital_conv_valid_inputs_mask;help:digital_conv_valid_inputs_mask
-zeek.synchrophasor_cfg_detail.pmu_lat=db:zeek.synchrophasor_cfg_detail.pmu_lat;group:zeek_synchrophasor;kind:float;friendly:pmu_lat;help:pmu_lat
-zeek.synchrophasor_cfg_detail.pmu_lon=db:zeek.synchrophasor_cfg_detail.pmu_lon;group:zeek_synchrophasor;kind:float;friendly:pmu_lon;help:pmu_lon
-zeek.synchrophasor_cfg_detail.pmu_elev=db:zeek.synchrophasor_cfg_detail.pmu_elev;group:zeek_synchrophasor;kind:float;friendly:pmu_elev;help:pmu_elev
-zeek.synchrophasor_cfg_detail.window=db:zeek.synchrophasor_cfg_detail.window;group:zeek_synchrophasor;kind:integer;friendly:window;help:window
-zeek.synchrophasor_cfg_detail.group_delay=db:zeek.synchrophasor_cfg_detail.group_delay;group:zeek_synchrophasor;kind:integer;friendly:group_delay;help:group_delay
-zeek.synchrophasor_cfg_detail.fnom=db:zeek.synchrophasor_cfg_detail.fnom;group:zeek_synchrophasor;kind:integer;friendly:fnom;help:fnom
-zeek.synchrophasor_cfg_detail.cfgcnt=db:zeek.synchrophasor_cfg_detail.cfgcnt;group:zeek_synchrophasor;kind:integer;friendly:cfgcnt;help:cfgcnt
+zeek.synchrophasor_cfg_detail.cfg_frame_id=db:zeek.synchrophasor_cfg_detail.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:cfg_frame_id;help:cfg_frame_id
+zeek.synchrophasor_cfg_detail.pmu_idx=db:zeek.synchrophasor_cfg_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_idx;help:pmu_idx
+zeek.synchrophasor_cfg_detail.svc_class=db:zeek.synchrophasor_cfg_detail.svc_class;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:svc_class;help:svc_class
+zeek.synchrophasor_cfg_detail.station_name=db:zeek.synchrophasor_cfg_detail.station_name;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:station_name;help:station_name
+zeek.synchrophasor_cfg_detail.data_source_id=db:zeek.synchrophasor_cfg_detail.data_source_id;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:data_source_id;help:data_source_id
+zeek.synchrophasor_cfg_detail.global_pmuid=db:zeek.synchrophasor_cfg_detail.global_pmuid;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:global_pmuid;help:global_pmuid
+zeek.synchrophasor_cfg_detail.phasor_shape=db:zeek.synchrophasor_cfg_detail.phasor_shape;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_shape;help:phasor_shape
+zeek.synchrophasor_cfg_detail.phasor_format=db:zeek.synchrophasor_cfg_detail.phasor_format;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_format;help:phasor_format
+zeek.synchrophasor_cfg_detail.analog_format=db:zeek.synchrophasor_cfg_detail.analog_format;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:analog_format;help:analog_format
+zeek.synchrophasor_cfg_detail.freq_format=db:zeek.synchrophasor_cfg_detail.freq_format;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:freq_format;help:freq_format
+zeek.synchrophasor_cfg_detail.phnmr=db:zeek.synchrophasor_cfg_detail.phnmr;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phnmr;help:phnmr
+zeek.synchrophasor_cfg_detail.annmr=db:zeek.synchrophasor_cfg_detail.annmr;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:annmr;help:annmr
+zeek.synchrophasor_cfg_detail.dgnmr=db:zeek.synchrophasor_cfg_detail.dgnmr;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:dgnmr;help:dgnmr
+zeek.synchrophasor_cfg_detail.phnam=db:zeek.synchrophasor_cfg_detail.phnam;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phnam;help:phnam
+zeek.synchrophasor_cfg_detail.annam=db:zeek.synchrophasor_cfg_detail.annam;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:annam;help:annam
+zeek.synchrophasor_cfg_detail.dgnam=db:zeek.synchrophasor_cfg_detail.dgnam;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:dgnam;help:dgnam
+zeek.synchrophasor_cfg_detail.phasor_conv_phunit=db:zeek.synchrophasor_cfg_detail.phasor_conv_phunit;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phasor_conv_phunit;help:phasor_conv_phunit
+zeek.synchrophasor_cfg_detail.phasor_conv_phvalue=db:zeek.synchrophasor_cfg_detail.phasor_conv_phvalue;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phasor_conv_phvalue;help:phasor_conv_phvalue
+zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_upsampled_interpolation;help:phasor_conv_upsampled_interpolation
+zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_upsampled_extrapolation;help:phasor_conv_upsampled_extrapolation
+zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_downsampled_reselection;help:phasor_conv_downsampled_reselection
+zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_downsampled_fir_filter;help:phasor_conv_downsampled_fir_filter
+zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_downsampled_no_fir_filter;help:phasor_conv_downsampled_no_fir_filter
+zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling=db:zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_filtered_without_changing_sampling;help:phasor_conv_filtered_without_changing_sampling
+zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_calibration_mag_adj;help:phasor_conv_calibration_mag_adj
+zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_calibration_phas_adj;help:phasor_conv_calibration_phas_adj
+zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_rotation_phase_adj;help:phasor_conv_rotation_phase_adj
+zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val=db:zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_pseudo_phasor_val;help:phasor_conv_pseudo_phasor_val
+zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl=db:zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_mod_appl;help:phasor_conv_mod_appl
+zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phasor_conv_phasor_component;help:phasor_conv_phasor_component
+zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_phasor_type;help:phasor_conv_phasor_type
+zeek.synchrophasor_cfg_detail.phasor_conv_user_def=db:zeek.synchrophasor_cfg_detail.phasor_conv_user_def;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phasor_conv_user_def;help:phasor_conv_user_def
+zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor=db:zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:phasor_conv_scale_factor;help:phasor_conv_scale_factor
+zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:phasor_conv_angle_adj;help:phasor_conv_angle_adj
+zeek.synchrophasor_cfg_detail.analog_conv_analog_flags=db:zeek.synchrophasor_cfg_detail.analog_conv_analog_flags;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:analog_conv_analog_flags;help:analog_conv_analog_flags
+zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling=db:zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:analog_conv_user_defined_scaling;help:analog_conv_user_defined_scaling
+zeek.synchrophasor_cfg_detail.analog_conv_mag_scale=db:zeek.synchrophasor_cfg_detail.analog_conv_mag_scale;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:analog_conv_mag_scale;help:analog_conv_mag_scale
+zeek.synchrophasor_cfg_detail.analog_conv_offset=db:zeek.synchrophasor_cfg_detail.analog_conv_offset;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:analog_conv_offset;help:analog_conv_offset
+zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:digital_conv_normal_status_mask;help:digital_conv_normal_status_mask
+zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:digital_conv_valid_inputs_mask;help:digital_conv_valid_inputs_mask
+zeek.synchrophasor_cfg_detail.pmu_lat=db:zeek.synchrophasor_cfg_detail.pmu_lat;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:pmu_lat;help:pmu_lat
+zeek.synchrophasor_cfg_detail.pmu_lon=db:zeek.synchrophasor_cfg_detail.pmu_lon;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:pmu_lon;help:pmu_lon
+zeek.synchrophasor_cfg_detail.pmu_elev=db:zeek.synchrophasor_cfg_detail.pmu_elev;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:pmu_elev;help:pmu_elev
+zeek.synchrophasor_cfg_detail.window=db:zeek.synchrophasor_cfg_detail.window;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:window;help:window
+zeek.synchrophasor_cfg_detail.group_delay=db:zeek.synchrophasor_cfg_detail.group_delay;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:group_delay;help:group_delay
+zeek.synchrophasor_cfg_detail.fnom=db:zeek.synchrophasor_cfg_detail.fnom;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:fnom;help:fnom
+zeek.synchrophasor_cfg_detail.cfgcnt=db:zeek.synchrophasor_cfg_detail.cfgcnt;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:cfgcnt;help:cfgcnt
 # synchrophasor_data.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_data.pmu_count_expected=db:zeek.synchrophasor_data.pmu_count_expected;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_expected;help:pmu_count_expected
-zeek.synchrophasor_data.pmu_count_actual=db:zeek.synchrophasor_data.pmu_count_actual;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_actual;help:pmu_count_actual
-zeek.synchrophasor_data.data_frame_id=db:zeek.synchrophasor_data.data_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:data_frame_id;help:data_frame_id
+zeek.synchrophasor_data.pmu_count_expected=db:zeek.synchrophasor_data.pmu_count_expected;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_count_expected;help:pmu_count_expected
+zeek.synchrophasor_data.pmu_count_actual=db:zeek.synchrophasor_data.pmu_count_actual;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_count_actual;help:pmu_count_actual
+zeek.synchrophasor_data.data_frame_id=db:zeek.synchrophasor_data.data_frame_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_frame_id;help:data_frame_id
 # synchrophasor_data_detail.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_data_detail.data_frame_id=db:zeek.synchrophasor_data_detail.data_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:data_frame_id;help:data_frame_id
-zeek.synchrophasor_data_detail.pmu_idx=db:zeek.synchrophasor_data_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;friendly:pmu_idx;help:pmu_idx
-zeek.synchrophasor_data_detail.trigger_reason=db:zeek.synchrophasor_data_detail.trigger_reason;group:zeek_synchrophasor;kind:integer;friendly:trigger_reason;help:trigger_reason
-zeek.synchrophasor_data_detail.unlocked_time=db:zeek.synchrophasor_data_detail.unlocked_time;group:zeek_synchrophasor;kind:integer;friendly:unlocked_time;help:unlocked_time
-zeek.synchrophasor_data_detail.pmu_time_quality=db:zeek.synchrophasor_data_detail.pmu_time_quality;group:zeek_synchrophasor;kind:integer;friendly:pmu_time_quality;help:pmu_time_quality
-zeek.synchrophasor_data_detail.data_modified=db:zeek.synchrophasor_data_detail.data_modified;group:zeek_synchrophasor;kind:termfield;friendly:data_modified;help:data_modified
-zeek.synchrophasor_data_detail.config_change=db:zeek.synchrophasor_data_detail.config_change;group:zeek_synchrophasor;kind:termfield;friendly:config_change;help:config_change
-zeek.synchrophasor_data_detail.pmu_trigger_pickup=db:zeek.synchrophasor_data_detail.pmu_trigger_pickup;group:zeek_synchrophasor;kind:termfield;friendly:pmu_trigger_pickup;help:pmu_trigger_pickup
-zeek.synchrophasor_data_detail.data_sorting_type=db:zeek.synchrophasor_data_detail.data_sorting_type;group:zeek_synchrophasor;kind:termfield;friendly:data_sorting_type;help:data_sorting_type
-zeek.synchrophasor_data_detail.pmu_sync_error=db:zeek.synchrophasor_data_detail.pmu_sync_error;group:zeek_synchrophasor;kind:termfield;friendly:pmu_sync_error;help:pmu_sync_error
-zeek.synchrophasor_data_detail.data_error_indicator=db:zeek.synchrophasor_data_detail.data_error_indicator;group:zeek_synchrophasor;kind:integer;friendly:data_error_indicator;help:data_error_indicator
-zeek.synchrophasor_data_detail.est_rectangular_real=db:zeek.synchrophasor_data_detail.est_rectangular_real;group:zeek_synchrophasor;kind:float;friendly:est_rectangular_real;help:est_rectangular_real
-zeek.synchrophasor_data_detail.est_rectangular_imaginary=db:zeek.synchrophasor_data_detail.est_rectangular_imaginary;group:zeek_synchrophasor;kind:float;friendly:est_rectangular_imaginary;help:est_rectangular_imaginary
-zeek.synchrophasor_data_detail.est_polar_magnitude=db:zeek.synchrophasor_data_detail.est_polar_magnitude;group:zeek_synchrophasor;kind:float;friendly:est_polar_magnitude;help:est_polar_magnitude
-zeek.synchrophasor_data_detail.est_polar_angle=db:zeek.synchrophasor_data_detail.est_polar_angle;group:zeek_synchrophasor;kind:float;friendly:est_polar_angle;help:est_polar_angle
-zeek.synchrophasor_data_detail.freq_dev_mhz=db:zeek.synchrophasor_data_detail.freq_dev_mhz;group:zeek_synchrophasor;kind:float;friendly:freq_dev_mhz;help:freq_dev_mhz
-zeek.synchrophasor_data_detail.rocof=db:zeek.synchrophasor_data_detail.rocof;group:zeek_synchrophasor;kind:float;friendly:rocof;help:rocof
-zeek.synchrophasor_data_detail.analog_data=db:zeek.synchrophasor_data_detail.analog_data;group:zeek_synchrophasor;kind:float;friendly:analog_data;help:analog_data
-zeek.synchrophasor_data_detail.digital=db:zeek.synchrophasor_data_detail.digital;group:zeek_synchrophasor;kind:integer;friendly:digital;help:digital
+zeek.synchrophasor_data_detail.data_frame_id=db:zeek.synchrophasor_data_detail.data_frame_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_frame_id;help:data_frame_id
+zeek.synchrophasor_data_detail.pmu_idx=db:zeek.synchrophasor_data_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_idx;help:pmu_idx
+zeek.synchrophasor_data_detail.trigger_reason=db:zeek.synchrophasor_data_detail.trigger_reason;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:trigger_reason;help:trigger_reason
+zeek.synchrophasor_data_detail.unlocked_time=db:zeek.synchrophasor_data_detail.unlocked_time;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:unlocked_time;help:unlocked_time
+zeek.synchrophasor_data_detail.pmu_time_quality=db:zeek.synchrophasor_data_detail.pmu_time_quality;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_time_quality;help:pmu_time_quality
+zeek.synchrophasor_data_detail.data_modified=db:zeek.synchrophasor_data_detail.data_modified;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_modified;help:data_modified
+zeek.synchrophasor_data_detail.config_change=db:zeek.synchrophasor_data_detail.config_change;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:config_change;help:config_change
+zeek.synchrophasor_data_detail.pmu_trigger_pickup=db:zeek.synchrophasor_data_detail.pmu_trigger_pickup;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:pmu_trigger_pickup;help:pmu_trigger_pickup
+zeek.synchrophasor_data_detail.data_sorting_type=db:zeek.synchrophasor_data_detail.data_sorting_type;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_sorting_type;help:data_sorting_type
+zeek.synchrophasor_data_detail.pmu_sync_error=db:zeek.synchrophasor_data_detail.pmu_sync_error;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:pmu_sync_error;help:pmu_sync_error
+zeek.synchrophasor_data_detail.data_error_indicator=db:zeek.synchrophasor_data_detail.data_error_indicator;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:data_error_indicator;help:data_error_indicator
+zeek.synchrophasor_data_detail.est_rectangular_real=db:zeek.synchrophasor_data_detail.est_rectangular_real;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:est_rectangular_real;help:est_rectangular_real
+zeek.synchrophasor_data_detail.est_rectangular_imaginary=db:zeek.synchrophasor_data_detail.est_rectangular_imaginary;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:est_rectangular_imaginary;help:est_rectangular_imaginary
+zeek.synchrophasor_data_detail.est_polar_magnitude=db:zeek.synchrophasor_data_detail.est_polar_magnitude;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:est_polar_magnitude;help:est_polar_magnitude
+zeek.synchrophasor_data_detail.est_polar_angle=db:zeek.synchrophasor_data_detail.est_polar_angle;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:est_polar_angle;help:est_polar_angle
+zeek.synchrophasor_data_detail.freq_dev_mhz=db:zeek.synchrophasor_data_detail.freq_dev_mhz;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:freq_dev_mhz;help:freq_dev_mhz
+zeek.synchrophasor_data_detail.rocof=db:zeek.synchrophasor_data_detail.rocof;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:rocof;help:rocof
+zeek.synchrophasor_data_detail.analog_data=db:zeek.synchrophasor_data_detail.analog_data;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:analog_data;help:analog_data
+zeek.synchrophasor_data_detail.digital=db:zeek.synchrophasor_data_detail.digital;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:digital;help:digital
 # synchrophasor_hdr.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_hdr.data=db:zeek.synchrophasor_hdr.data;group:zeek_synchrophasor;kind:termfield;friendly:data;help:data
+zeek.synchrophasor_hdr.data=db:zeek.synchrophasor_hdr.data;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data;help:data
 # synchrophasor.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor.version=db:zeek.synchrophasor.version;group:zeek_synchrophasor;kind:termfield;friendly:version;help:version
-zeek.synchrophasor.data_stream_id=db:zeek.synchrophasor.data_stream_id;group:zeek_synchrophasor;kind:termfield;friendly:data_stream_id;help:data_stream_id
-zeek.synchrophasor.history=db:zeek.synchrophasor.history;group:zeek_synchrophasor;kind:termfield;friendly:history;help:history
-zeek.synchrophasor.frame_size_min=db:zeek.synchrophasor.frame_size_min;group:zeek_synchrophasor;kind:integer;friendly:frame_size_min;help:frame_size_min
-zeek.synchrophasor.frame_size_max=db:zeek.synchrophasor.frame_size_max;group:zeek_synchrophasor;kind:integer;friendly:frame_size_max;help:frame_size_max
-zeek.synchrophasor.frame_size_tot=db:zeek.synchrophasor.frame_size_tot;group:zeek_synchrophasor;kind:integer;friendly:frame_size_tot;help:frame_size_tot
-zeek.synchrophasor.data_frame_count=db:zeek.synchrophasor.data_frame_count;group:zeek_synchrophasor;kind:integer;friendly:data_frame_count;help:data_frame_count
-zeek.synchrophasor.data_rate=db:zeek.synchrophasor.data_rate;group:zeek_synchrophasor;kind:termfield;friendly:data_rate;help:data_rate
-zeek.synchrophasor.header_time_stamp=db:zeek.synchrophasor.header_time_stamp;group:zeek_synchrophasor;kind:termfield;friendly:header_time_stamp;help:header_time_stamp
-zeek.synchrophasor.frame_type=db:zeek.synchrophasor.frame_type;group:zeek_synchrophasor;kind:termfield;friendly:frame_type;help:frame_type
-zeek.synchrophasor.frame_size=db:zeek.synchrophasor.frame_size;group:zeek_synchrophasor;kind:integer;friendly:frame_size;help:frame_size
+zeek.synchrophasor.version=db:zeek.synchrophasor.version;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:version;help:version
+zeek.synchrophasor.data_stream_id=db:zeek.synchrophasor.data_stream_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_stream_id;help:data_stream_id
+zeek.synchrophasor.history=db:zeek.synchrophasor.history;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:history;help:history
+zeek.synchrophasor.frame_size_min=db:zeek.synchrophasor.frame_size_min;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:frame_size_min;help:frame_size_min
+zeek.synchrophasor.frame_size_max=db:zeek.synchrophasor.frame_size_max;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:frame_size_max;help:frame_size_max
+zeek.synchrophasor.frame_size_tot=db:zeek.synchrophasor.frame_size_tot;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:frame_size_tot;help:frame_size_tot
+zeek.synchrophasor.data_frame_count=db:zeek.synchrophasor.data_frame_count;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:data_frame_count;help:data_frame_count
+zeek.synchrophasor.data_rate=db:zeek.synchrophasor.data_rate;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_rate;help:data_rate
+zeek.synchrophasor.header_time_stamp=db:zeek.synchrophasor.header_time_stamp;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:header_time_stamp;help:header_time_stamp
+zeek.synchrophasor.frame_type=db:zeek.synchrophasor.frame_type;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:frame_type;help:frame_type
+zeek.synchrophasor.frame_size=db:zeek.synchrophasor.frame_size;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:frame_size;help:frame_size
 # syslog.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info
-zeek.syslog.facility=db:zeek.syslog.facility;group:zeek_syslog;kind:termfield;friendly:Facility;help:Facility
-zeek.syslog.severity=db:zeek.syslog.severity;group:zeek_syslog;kind:termfield;friendly:Severity;help:Severity
-zeek.syslog.message=db:zeek.syslog.message;group:zeek_syslog;kind:termfield;friendly:Message;help:Message
+zeek.syslog.facility=db:zeek.syslog.facility;group:zeek_syslog;kind:termfield;viewerOnly:true;friendly:Facility;help:Facility
+zeek.syslog.severity=db:zeek.syslog.severity;group:zeek_syslog;kind:termfield;viewerOnly:true;friendly:Severity;help:Severity
+zeek.syslog.message=db:zeek.syslog.message;group:zeek_syslog;kind:termfield;viewerOnly:true;friendly:Message;help:Message
 # tds.log - https://github.com/amzn/zeek-plugin-tds
 # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-zeek.tds.command=db:zeek.tds.command;group:zeek_tds;kind:termfield;friendly:Command;help:Command
+zeek.tds.command=db:zeek.tds.command;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Command;help:Command
 # tds_rpc.log - https://github.com/amzn/zeek-plugin-tds
 # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-zeek.tds_rpc.procedure_name=db:zeek.tds_rpc.procedure_name;group:zeek_tds;kind:termfield;friendly:Procedure;help:Procedure
-zeek.tds_rpc.parameters=db:zeek.tds_rpc.parameters;group:zeek_tds;kind:termfield;friendly:Parameters;help:Parameters
+zeek.tds_rpc.procedure_name=db:zeek.tds_rpc.procedure_name;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Procedure;help:Procedure
+zeek.tds_rpc.parameters=db:zeek.tds_rpc.parameters;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Parameters;help:Parameters
 # tds_sql_batch.log - https://github.com/amzn/zeek-plugin-tds
 # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-zeek.tds_sql_batch.header_type=db:zeek.tds_sql_batch.header_type;group:zeek_tds;kind:termfield;friendly:Header Type;help:Header Type
-zeek.tds_sql_batch.query=db:zeek.tds_sql_batch.query;group:zeek_tds;kind:termfield;friendly:Query;help:Query
+zeek.tds_sql_batch.header_type=db:zeek.tds_sql_batch.header_type;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Header Type;help:Header Type
+zeek.tds_sql_batch.query=db:zeek.tds_sql_batch.query;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Query;help:Query
 # tftp.log
 # https://github.com/zeek/spicy-tftp
-zeek.tftp.block_acked=db:zeek.tftp.block_acked;group:zeek_tftp;kind:integer;friendly:Highest Block ACKed;help:Highest Block ACKed
-zeek.tftp.block_sent=db:zeek.tftp.block_sent;group:zeek_tftp;kind:integer;friendly:Highest Block Sent;help:Highest Block Sent
-zeek.tftp.error_code=db:zeek.tftp.error_code;group:zeek_tftp;kind:integer;friendly:Error Code;help:Error Code
-zeek.tftp.error_msg=db:zeek.tftp.error_msg;group:zeek_tftp;kind:integer;friendly:Error Message;help:Error Message
-zeek.tftp.fname=db:zeek.tftp.fname;group:zeek_tftp;kind:termfield;friendly:File Name;help:File Name
-zeek.tftp.mode=db:zeek.tftp.mode;group:zeek_tftp;kind:termfield;friendly:Transfer Mode;help:Transfer Mode
-zeek.tftp.size=db:zeek.tftp.size;group:zeek_tftp;kind:termfield;friendly:Transfer Size;help:Transfer Size
-zeek.tftp.uid_data=db:zeek.tftp.uid_data;group:zeek_tftp;kind:termfield;friendly:Data Connection ID;help:Data Connection ID
-zeek.tftp.wrq=db:zeek.tftp.wrq;group:zeek_tftp;kind:termfield;friendly:Write Request;help:Write Request
+zeek.tftp.block_acked=db:zeek.tftp.block_acked;group:zeek_tftp;kind:integer;viewerOnly:true;friendly:Highest Block ACKed;help:Highest Block ACKed
+zeek.tftp.block_sent=db:zeek.tftp.block_sent;group:zeek_tftp;kind:integer;viewerOnly:true;friendly:Highest Block Sent;help:Highest Block Sent
+zeek.tftp.error_code=db:zeek.tftp.error_code;group:zeek_tftp;kind:integer;viewerOnly:true;friendly:Error Code;help:Error Code
+zeek.tftp.error_msg=db:zeek.tftp.error_msg;group:zeek_tftp;kind:integer;viewerOnly:true;friendly:Error Message;help:Error Message
+zeek.tftp.fname=db:zeek.tftp.fname;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:File Name;help:File Name
+zeek.tftp.mode=db:zeek.tftp.mode;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:Transfer Mode;help:Transfer Mode
+zeek.tftp.size=db:zeek.tftp.size;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:Transfer Size;help:Transfer Size
+zeek.tftp.uid_data=db:zeek.tftp.uid_data;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:Data Connection ID;help:Data Connection ID
+zeek.tftp.wrq=db:zeek.tftp.wrq;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:Write Request;help:Write Request
 # tunnel.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info
-zeek.tunnel.tunnel_type=db:zeek.tunnel.tunnel_type;group:zeek_tunnel;kind:termfield;friendly:Tunnel Type;help:Tunnel Type
-zeek.tunnel.action=db:zeek.tunnel.action;group:zeek_tunnel;kind:termfield;friendly:Action;help:Action
+zeek.tunnel.tunnel_type=db:zeek.tunnel.tunnel_type;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Tunnel Type;help:Tunnel Type
+zeek.tunnel.action=db:zeek.tunnel.action;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Action;help:Action
 # weird.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
-zeek.weird.name=db:zeek.weird.name;group:zeek_weird;kind:termfield;friendly:Name;help:Name
-zeek.weird.addl=db:zeek.weird.addl;group:zeek_weird;kind:termfield;friendly:Additional Info;help:Additional Info
-zeek.weird.notice=db:zeek.weird.notice;group:zeek_weird;kind:termfield;friendly:Notice;help:Generated a notice
-zeek.weird.peer=db:zeek.weird.peer;group:zeek_weird;kind:termfield;friendly:Remote Peer;help:Remote Peer
+zeek.weird.name=db:zeek.weird.name;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Name;help:Name
+zeek.weird.addl=db:zeek.weird.addl;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Additional Info;help:Additional Info
+zeek.weird.notice=db:zeek.weird.notice;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Notice;help:Generated a notice
+zeek.weird.peer=db:zeek.weird.peer;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Remote Peer;help:Remote Peer
 # wireguard.log
 # https://github.com/corelight/zeek-spicy-wireguard/blob/master/analyzer/main.zeek
-zeek.wireguard.established=db:zeek.wireguard.established;group:zeek_wireguard;kind:termfield;friendly:Established;help:Established
-zeek.wireguard.initiations=db:zeek.wireguard.initiations;group:zeek_wireguard;kind:integer;friendly:Initiation Packets;help:Initiation Packets
-zeek.wireguard.responses=db:zeek.wireguard.responses;group:zeek_wireguard;kind:integer;friendly:Response Packets;help:Response Packets
+zeek.wireguard.established=db:zeek.wireguard.established;group:zeek_wireguard;kind:termfield;viewerOnly:true;friendly:Established;help:Established
+zeek.wireguard.initiations=db:zeek.wireguard.initiations;group:zeek_wireguard;kind:integer;viewerOnly:true;friendly:Initiation Packets;help:Initiation Packets
+zeek.wireguard.responses=db:zeek.wireguard.responses;group:zeek_wireguard;kind:integer;viewerOnly:true;friendly:Response Packets;help:Response Packets
 # x509.log
 # https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info
-zeek.x509.basic_constraints_ca=db:zeek.x509.basic_constraints_ca;group:zeek_x509;kind:termfield;friendly:CA Flag;help:CA Flag
-zeek.x509.basic_constraints_path_len=db:zeek.x509.basic_constraints_path_len;group:zeek_x509;kind:integer;friendly:Maximum Path Length;help:Maximum Path Length
-zeek.x509.certificate_curve=db:zeek.x509.certificate_curve;group:zeek_x509;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve
-zeek.x509.certificate_exponent=db:zeek.x509.certificate_exponent;group:zeek_x509;kind:termfield;friendly:RSA Exponent;help:RSA Exponent
-zeek.x509.certificate_issuer.C=db:zeek.x509.certificate_issuer.C;group:zeek_x509;kind:termfield;friendly:Issuer Country;help:Issuer Country
-zeek.x509.certificate_issuer.CN=db:zeek.x509.certificate_issuer.CN;group:zeek_x509;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name
-zeek.x509.certificate_issuer.DC=db:zeek.x509.certificate_issuer.DC;group:zeek_x509;kind:termfield;friendly:Issuer Common Name;help:Issuer Distinguished Name
-zeek.x509.certificate_issuer.emailAddress=db:zeek.x509.certificate_issuer.emailAddress;group:zeek_x509;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address
-zeek.x509.certificate_issuer.GN=db:zeek.x509.certificate_issuer.GN;group:zeek_x509;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name
-zeek.x509.certificate_issuer.initials=db:zeek.x509.certificate_issuer.initials;group:zeek_x509;kind:termfield;friendly:Issuer Initials;help:Issuer Initials
-zeek.x509.certificate_issuer.L=db:zeek.x509.certificate_issuer.L;group:zeek_x509;kind:termfield;friendly:Issuer Locality;help:Issuer Locality
-zeek.x509.certificate_issuer.name=db:zeek.x509.certificate_issuer.name;group:zeek_x509;kind:termfield;friendly:Issuer Name;help:Issuer Name
-zeek.x509.certificate_issuer.O=db:zeek.x509.certificate_issuer.O;group:zeek_x509;kind:termfield;friendly:Issuer Organization;help:Issuer Organization
-zeek.x509.certificate_issuer.OU=db:zeek.x509.certificate_issuer.OU;group:zeek_x509;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit
-zeek.x509.certificate_issuer.postalCode=db:zeek.x509.certificate_issuer.postalCode;group:zeek_x509;kind:termfield;friendly:Issuer Name;help:Issuer Postal Code
-zeek.x509.certificate_issuer.pseudonym=db:zeek.x509.certificate_issuer.pseudonym;group:zeek_x509;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym
-zeek.x509.certificate_issuer.serialNumber=db:zeek.x509.certificate_issuer.serialNumber;group:zeek_x509;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number
-zeek.x509.certificate_issuer.SN=db:zeek.x509.certificate_issuer.SN;group:zeek_x509;kind:termfield;friendly:Issuer Surname;help:Issuer Surname
-zeek.x509.certificate_issuer.ST=db:zeek.x509.certificate_issuer.ST;group:zeek_x509;kind:termfield;friendly:Issuer State;help:Issuer State
-zeek.x509.certificate_issuer.street=db:zeek.x509.certificate_issuer.street;group:zeek_x509;kind:termfield;friendly:Issuer Street;help:Issuer Street
-zeek.x509.certificate_issuer.title=db:zeek.x509.certificate_issuer.title;group:zeek_x509;kind:termfield;friendly:Issuer Title;help:Issuer Title
-zeek.x509.certificate_issuer_full=db:zeek.x509.certificate_issuer_full;group:zeek_x509;kind:termfield;friendly:Issuer;help:Issuer
-zeek.x509.certificate_key_alg=db:zeek.x509.certificate_key_alg;group:zeek_x509;kind:termfield;friendly:Key Algorithm;help:Key Algorithm
-zeek.x509.certificate_key_length=db:zeek.x509.certificate_key_length;group:zeek_x509;kind:integer;friendly:Key Bitlength;help:Key Bitlength
-zeek.x509.certificate_key_type=db:zeek.x509.certificate_key_type;group:zeek_x509;kind:termfield;friendly:Key Type;help:Key Type
-zeek.x509.certificate_not_valid_after=db:zeek.x509.certificate_not_valid_after;group:zeek_x509;kind:termfield;friendly:Not Valid After;help:Not Valid After
-zeek.x509.certificate_not_valid_before=db:zeek.x509.certificate_not_valid_before;group:zeek_x509;kind:termfield;friendly:Not Valid Before;help:Not Valid Before
-zeek.x509.certificate_serial=db:zeek.x509.certificate_serial;group:zeek_x509;kind:termfield;friendly:Serial Number;help:Serial Number
-zeek.x509.certificate_sig_alg=db:zeek.x509.certificate_sig_alg;group:zeek_x509;kind:termfield;friendly:Signature Algorithm;help:Signature Algorithm
-zeek.x509.certificate_subject.businessCategory=db:zeek.x509.certificate_subject.businessCategory;group:zeek_x509;kind:termfield;friendly:Issuer Business Category;help:Subject Category
-zeek.x509.certificate_subject.C=db:zeek.x509.certificate_subject.C;group:zeek_x509;kind:termfield;friendly:Subject Country;help:Subject Country
-zeek.x509.certificate_subject.CN=db:zeek.x509.certificate_subject.CN;group:zeek_x509;kind:termfield;friendly:Subject Common Name;help:Subject Common Name
-zeek.x509.certificate_subject.DC=db:zeek.x509.certificate_subject.DC;group:zeek_x509;kind:termfield;friendly:Subject Distinguished Name;help:Subject Distinguished Name
-zeek.x509.certificate_subject.description=db:zeek.x509.certificate_subject.description;group:zeek_x509;kind:termfield;friendly:Subject Description;help:Subject Description
-zeek.x509.certificate_subject.emailAddress=db:zeek.x509.certificate_subject.emailAddress;group:zeek_x509;kind:termfield;friendly:Subject Email Address;help:Subject Email Address
-zeek.x509.certificate_subject.GN=db:zeek.x509.certificate_subject.GN;group:zeek_x509;kind:termfield;friendly:Subject Given Name;help:Subject Given Name
-zeek.x509.certificate_subject.initials=db:zeek.x509.certificate_subject.initials;group:zeek_x509;kind:termfield;friendly:Subject Initials;help:Subject Initials
-zeek.x509.certificate_subject.jurisdictionC=db:zeek.x509.certificate_subject.jurisdictionC;group:zeek_x509;kind:termfield;friendly:Subject Jurisdiction Country;help:Subject Jurisdiction Country
-zeek.x509.certificate_subject.jurisdictionST=db:zeek.x509.certificate_subject.jurisdictionST;group:zeek_x509;kind:termfield;friendly:Subject Jurisdiction State;help:Subject Jurisdiction State
-zeek.x509.certificate_subject.L=db:zeek.x509.certificate_subject.L;group:zeek_x509;kind:termfield;friendly:Subject Locality;help:Subject Locality
-zeek.x509.certificate_subject.name=db:zeek.x509.certificate_subject.name;group:zeek_x509;kind:termfield;friendly:Subject Name;help:Subject Name
-zeek.x509.certificate_subject.O=db:zeek.x509.certificate_subject.O;group:zeek_x509;kind:termfield;friendly:Subject Organization;help:Subject Organization
-zeek.x509.certificate_subject.OU=db:zeek.x509.certificate_subject.OU;group:zeek_x509;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit
-zeek.x509.certificate_subject.postalCode=db:zeek.x509.certificate_subject.postalCode;group:zeek_x509;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code
-zeek.x509.certificate_subject.pseudonym=db:zeek.x509.certificate_subject.pseudonym;group:zeek_x509;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym
-zeek.x509.certificate_subject.serialNumber=db:zeek.x509.certificate_subject.serialNumber;group:zeek_x509;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number
-zeek.x509.certificate_subject.SN=db:zeek.x509.certificate_subject.SN;group:zeek_x509;kind:termfield;friendly:Subject Surname;help:Subject Surname
-zeek.x509.certificate_subject.ST=db:zeek.x509.certificate_subject.ST;group:zeek_x509;kind:termfield;friendly:Subject State;help:Subject State
-zeek.x509.certificate_subject.street=db:zeek.x509.certificate_subject.street;group:zeek_x509;kind:termfield;friendly:Subject Street;help:Subject Street
-zeek.x509.certificate_subject.title=db:zeek.x509.certificate_subject.title;group:zeek_x509;kind:termfield;friendly:Subject Title;help:Subject Title
-zeek.x509.certificate_subject_full=db:zeek.x509.certificate_subject_full;group:zeek_x509;kind:termfield;friendly:Subject;help:Subject
-zeek.x509.certificate_version=db:zeek.x509.certificate_version;group:zeek_x509;kind:integer;friendly:Version;help:Version
-zeek.x509.client_cert=db:zeek.x509.client_cert;group:zeek_x509;kind:termfield;friendly:Client Certificate;help:Client Certificate
-zeek.x509.fingerprint=db:zeek.x509.fingerprint;group:zeek_x509;kind:termfield;friendly:Certificate Fingerprint;help:Certificate Fingerprint
-zeek.x509.host_cert=db:zeek.x509.host_cert;group:zeek_x509;kind:termfield;friendly:Host Certificate;help:Host Certificate
-zeek.x509.san_dns=db:zeek.x509.san_dns;group:zeek_x509;kind:termfield;friendly:SAN DNS;help:Subject Alternative Name DNS
-zeek.x509.san_email=db:zeek.x509.san_email;group:zeek_x509;kind:termfield;friendly:SAN Email;help:Subject Alternative Name Email
-zeek.x509.san_ip=db:zeek.x509.san_ip;group:zeek_x509;kind:termfield;friendly:SAN IP;help:Subject Alternative Name IP
-zeek.x509.san_uri=db:zeek.x509.san_uri;group:zeek_x509;kind:termfield;friendly:SAN URI;help:Subject Alternative Name URI
+zeek.x509.basic_constraints_ca=db:zeek.x509.basic_constraints_ca;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:CA Flag;help:CA Flag
+zeek.x509.basic_constraints_path_len=db:zeek.x509.basic_constraints_path_len;group:zeek_x509;kind:integer;viewerOnly:true;friendly:Maximum Path Length;help:Maximum Path Length
+zeek.x509.certificate_curve=db:zeek.x509.certificate_curve;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Elliptic Curve;help:Elliptic Curve
+zeek.x509.certificate_exponent=db:zeek.x509.certificate_exponent;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:RSA Exponent;help:RSA Exponent
+zeek.x509.certificate_issuer.C=db:zeek.x509.certificate_issuer.C;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Country;help:Issuer Country
+zeek.x509.certificate_issuer.CN=db:zeek.x509.certificate_issuer.CN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Common Name;help:Issuer Common Name
+zeek.x509.certificate_issuer.DC=db:zeek.x509.certificate_issuer.DC;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Common Name;help:Issuer Distinguished Name
+zeek.x509.certificate_issuer.emailAddress=db:zeek.x509.certificate_issuer.emailAddress;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Email Address;help:Issuer Email Address
+zeek.x509.certificate_issuer.GN=db:zeek.x509.certificate_issuer.GN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Given Name;help:Issuer Given Name
+zeek.x509.certificate_issuer.initials=db:zeek.x509.certificate_issuer.initials;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Initials;help:Issuer Initials
+zeek.x509.certificate_issuer.L=db:zeek.x509.certificate_issuer.L;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Locality;help:Issuer Locality
+zeek.x509.certificate_issuer.name=db:zeek.x509.certificate_issuer.name;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Name;help:Issuer Name
+zeek.x509.certificate_issuer.O=db:zeek.x509.certificate_issuer.O;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Organization;help:Issuer Organization
+zeek.x509.certificate_issuer.OU=db:zeek.x509.certificate_issuer.OU;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Organization Unit;help:Issuer Organization Unit
+zeek.x509.certificate_issuer.postalCode=db:zeek.x509.certificate_issuer.postalCode;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Name;help:Issuer Postal Code
+zeek.x509.certificate_issuer.pseudonym=db:zeek.x509.certificate_issuer.pseudonym;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Pseudonym;help:Issuer Pseudonym
+zeek.x509.certificate_issuer.serialNumber=db:zeek.x509.certificate_issuer.serialNumber;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Serial Number;help:Issuer Serial Number
+zeek.x509.certificate_issuer.SN=db:zeek.x509.certificate_issuer.SN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Surname;help:Issuer Surname
+zeek.x509.certificate_issuer.ST=db:zeek.x509.certificate_issuer.ST;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer State;help:Issuer State
+zeek.x509.certificate_issuer.street=db:zeek.x509.certificate_issuer.street;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Street;help:Issuer Street
+zeek.x509.certificate_issuer.title=db:zeek.x509.certificate_issuer.title;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Title;help:Issuer Title
+zeek.x509.certificate_issuer_full=db:zeek.x509.certificate_issuer_full;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer;help:Issuer
+zeek.x509.certificate_key_alg=db:zeek.x509.certificate_key_alg;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Key Algorithm;help:Key Algorithm
+zeek.x509.certificate_key_length=db:zeek.x509.certificate_key_length;group:zeek_x509;kind:integer;viewerOnly:true;friendly:Key Bitlength;help:Key Bitlength
+zeek.x509.certificate_key_type=db:zeek.x509.certificate_key_type;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Key Type;help:Key Type
+zeek.x509.certificate_not_valid_after=db:zeek.x509.certificate_not_valid_after;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Not Valid After;help:Not Valid After
+zeek.x509.certificate_not_valid_before=db:zeek.x509.certificate_not_valid_before;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Not Valid Before;help:Not Valid Before
+zeek.x509.certificate_serial=db:zeek.x509.certificate_serial;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Serial Number;help:Serial Number
+zeek.x509.certificate_sig_alg=db:zeek.x509.certificate_sig_alg;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Signature Algorithm;help:Signature Algorithm
+zeek.x509.certificate_subject.businessCategory=db:zeek.x509.certificate_subject.businessCategory;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Business Category;help:Subject Category
+zeek.x509.certificate_subject.C=db:zeek.x509.certificate_subject.C;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Country;help:Subject Country
+zeek.x509.certificate_subject.CN=db:zeek.x509.certificate_subject.CN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Common Name;help:Subject Common Name
+zeek.x509.certificate_subject.DC=db:zeek.x509.certificate_subject.DC;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Distinguished Name;help:Subject Distinguished Name
+zeek.x509.certificate_subject.description=db:zeek.x509.certificate_subject.description;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Description;help:Subject Description
+zeek.x509.certificate_subject.emailAddress=db:zeek.x509.certificate_subject.emailAddress;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Email Address;help:Subject Email Address
+zeek.x509.certificate_subject.GN=db:zeek.x509.certificate_subject.GN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Given Name;help:Subject Given Name
+zeek.x509.certificate_subject.initials=db:zeek.x509.certificate_subject.initials;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Initials;help:Subject Initials
+zeek.x509.certificate_subject.jurisdictionC=db:zeek.x509.certificate_subject.jurisdictionC;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Jurisdiction Country;help:Subject Jurisdiction Country
+zeek.x509.certificate_subject.jurisdictionST=db:zeek.x509.certificate_subject.jurisdictionST;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Jurisdiction State;help:Subject Jurisdiction State
+zeek.x509.certificate_subject.L=db:zeek.x509.certificate_subject.L;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Locality;help:Subject Locality
+zeek.x509.certificate_subject.name=db:zeek.x509.certificate_subject.name;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Name;help:Subject Name
+zeek.x509.certificate_subject.O=db:zeek.x509.certificate_subject.O;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Organization;help:Subject Organization
+zeek.x509.certificate_subject.OU=db:zeek.x509.certificate_subject.OU;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Organization Unit;help:Subject Organization Unit
+zeek.x509.certificate_subject.postalCode=db:zeek.x509.certificate_subject.postalCode;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Postal Code;help:Subject Postal Code
+zeek.x509.certificate_subject.pseudonym=db:zeek.x509.certificate_subject.pseudonym;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Pseudonym;help:Subject Pseudonym
+zeek.x509.certificate_subject.serialNumber=db:zeek.x509.certificate_subject.serialNumber;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Serial Number;help:Subject Serial Number
+zeek.x509.certificate_subject.SN=db:zeek.x509.certificate_subject.SN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Surname;help:Subject Surname
+zeek.x509.certificate_subject.ST=db:zeek.x509.certificate_subject.ST;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject State;help:Subject State
+zeek.x509.certificate_subject.street=db:zeek.x509.certificate_subject.street;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Street;help:Subject Street
+zeek.x509.certificate_subject.title=db:zeek.x509.certificate_subject.title;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Title;help:Subject Title
+zeek.x509.certificate_subject_full=db:zeek.x509.certificate_subject_full;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject;help:Subject
+zeek.x509.certificate_version=db:zeek.x509.certificate_version;group:zeek_x509;kind:integer;viewerOnly:true;friendly:Version;help:Version
+zeek.x509.client_cert=db:zeek.x509.client_cert;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Client Certificate;help:Client Certificate
+zeek.x509.fingerprint=db:zeek.x509.fingerprint;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Certificate Fingerprint;help:Certificate Fingerprint
+zeek.x509.host_cert=db:zeek.x509.host_cert;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Host Certificate;help:Host Certificate
+zeek.x509.san_dns=db:zeek.x509.san_dns;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:SAN DNS;help:Subject Alternative Name DNS
+zeek.x509.san_email=db:zeek.x509.san_email;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:SAN Email;help:Subject Alternative Name Email
+zeek.x509.san_ip=db:zeek.x509.san_ip;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:SAN IP;help:Subject Alternative Name IP
+zeek.x509.san_uri=db:zeek.x509.san_uri;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:SAN URI;help:Subject Alternative Name URI
 # Suricata
 # some of the suricata custom views are commented out when > 2 levels
 # deep due to arkime/arkime#1781 (and pugjs/pug#3292)
-suricata.action=db:suricata.action;group:suricata_common;kind:termfield
-suricata.app_proto_expected=db:suricata.app_proto_expected;group:suricata_common;kind:termfield
-suricata.app_proto_orig=db:suricata.app_proto_orig;group:suricata_common;kind:termfield
-suricata.app_proto_tc=db:suricata.app_proto_tc;group:suricata_common;kind:termfield
-suricata.app_proto_ts=db:suricata.app_proto_ts;group:suricata_common;kind:termfield
-suricata.category=db:suricata.category;group:suricata_common;kind:termfield
-suricata.flow_id=db:suricata.flow_id;group:suricata_common;kind:termfield
-suricata.pcap_cnt=db:suricata.pcap_cnt;group:suricata_common;kind:integer
-suricata.pcap_filename=db:suricata.pcap_filename;group:suricata_common;kind:termfield
-suricata.severity=db:suricata.severity;group:suricata_common;kind:termfield
-suricata.signature=db:suricata.signature;group:suricata_common;kind:termfield
-suricata.stream=db:suricata.stream;group:suricata_common;kind:integer
-suricata.timestamp=db:suricata.timestamp;group:suricata_common;kind:termfield
-suricata.tx_id=db:suricata.tx_id;group:suricata_common;kind:termfield
-
-suricata.alert.action=db:suricata.alert.action;group:suricata_alert;kind:termfield
-suricata.alert.metadata.created_at=db:suricata.alert.metadata.created_at;group:suricata_alert;kind:termfield
-suricata.alert.metadata.malware_family=db:suricata.alert.metadata.malware_family;group:suricata_alert;kind:termfield
-suricata.alert.metadata.performance_impact=db:suricata.alert.metadata.performance_impact;group:suricata_alert;kind:termfield
-suricata.alert.metadata.signature_severity=db:suricata.alert.metadata.signature_severity;group:suricata_alert;kind:termfield
-suricata.alert.metadata.updated_at=db:suricata.alert.metadata.updated_at;group:suricata_alert;kind:termfield
-suricata.alert.rev=db:suricata.alert.rev;group:suricata_alert;kind:integer
-suricata.alert.severity=db:suricata.alert.severity;group:suricata_alert;kind:integer
-
-suricata.anomaly.app_proto=db:suricata.anomaly.app_proto;group:suricata_anomaly;kind:termfield
-suricata.anomaly.code=db:suricata.anomaly.code;group:suricata_anomaly;kind:integer
-suricata.anomaly.event=db:suricata.anomaly.event;group:suricata_anomaly;kind:termfield
-suricata.anomaly.event_no=db:suricata.anomaly.event_no;group:suricata_anomaly;kind:termfield
-suricata.anomaly.layer=db:suricata.anomaly.layer;group:suricata_anomaly;kind:termfield
-suricata.anomaly.type=db:suricata.anomaly.type;group:suricata_anomaly;kind:termfield
-
-suricata.dhcp.assigned_ip=db:suricata.dhcp.assigned_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.client_id=db:suricata.dhcp.client_id;group:suricata_dhcp;kind:termfield
-suricata.dhcp.client_ip=db:suricata.dhcp.client_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.client_mac=db:suricata.dhcp.client_mac;group:suricata_dhcp;kind:termfield
-suricata.dhcp.dhcp_type=db:suricata.dhcp.dhcp_type;group:suricata_dhcp;kind:termfield
-suricata.dhcp.dns_servers=db:suricata.dhcp.dns_servers;group:suricata_dhcp;kind:termfield
-suricata.dhcp.hostname=db:suricata.dhcp.hostname;group:suricata_dhcp;kind:termfield
-suricata.dhcp.id=db:suricata.dhcp.id;group:suricata_dhcp;kind:termfield
-suricata.dhcp.lease_time=db:suricata.dhcp.lease_time;group:suricata_dhcp;kind:integer
-suricata.dhcp.next_server_ip=db:suricata.dhcp.next_server_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.params=db:suricata.dhcp.params;group:suricata_dhcp;kind:termfield
-suricata.dhcp.rebinding_time=db:suricata.dhcp.rebinding_time;group:suricata_dhcp;kind:integer
-suricata.dhcp.relay_ip=db:suricata.dhcp.relay_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.renewal_time=db:suricata.dhcp.renewal_time;group:suricata_dhcp;kind:integer
-suricata.dhcp.requested_ip=db:suricata.dhcp.requested_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.routers=db:suricata.dhcp.routers;group:suricata_dhcp;kind:termfield
-suricata.dhcp.subnet_mask=db:suricata.dhcp.subnet_mask;group:suricata_dhcp;kind:termfield
-suricata.dhcp.type=db:suricata.dhcp.type;group:suricata_dhcp;kind:termfield
-
-suricata.dnp3.application.complete=db:suricata.dnp3.application.complete;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.control.con=db:suricata.dnp3.application.control.con;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.control.fin=db:suricata.dnp3.application.control.fin;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.control.fir=db:suricata.dnp3.application.control.fir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.control.sequence=db:suricata.dnp3.application.control.sequence;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.control.uns=db:suricata.dnp3.application.control.uns;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.function_code=db:suricata.dnp3.application.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.count=db:suricata.dnp3.application.objects.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.group=db:suricata.dnp3.application.objects.group;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.authentication_key=db:suricata.dnp3.application.objects.points.authentication_key;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.block_number=db:suricata.dnp3.application.objects.points.block_number;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.challenge_data_len=db:suricata.dnp3.application.objects.points.challenge_data_len;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.chatter_filter=db:suricata.dnp3.application.objects.points.chatter_filter;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.comm_lost=db:suricata.dnp3.application.objects.points.comm_lost;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.count=db:suricata.dnp3.application.objects.points.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.cr=db:suricata.dnp3.application.objects.points.cr;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.created=db:suricata.dnp3.application.objects.points.created;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.data.mac_value=db:suricata.dnp3.application.objects.points.data.mac_value;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.data.wrapped_key_data=db:suricata.dnp3.application.objects.points.data.wrapped_key_data;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.delay_ms=db:suricata.dnp3.application.objects.points.delay_ms;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.file_data=db:suricata.dnp3.application.objects.points.file_data;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.file_handle=db:suricata.dnp3.application.objects.points.file_handle;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.file_size=db:suricata.dnp3.application.objects.points.file_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.filename=db:suricata.dnp3.application.objects.points.filename;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.filename_offset=db:suricata.dnp3.application.objects.points.filename_offset;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.filename_size=db:suricata.dnp3.application.objects.points.filename_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.index=db:suricata.dnp3.application.objects.points.index;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.key_status=db:suricata.dnp3.application.objects.points.key_status;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.key_wrap_alg=db:suricata.dnp3.application.objects.points.key_wrap_alg;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.ksq=db:suricata.dnp3.application.objects.points.ksq;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.local_forced=db:suricata.dnp3.application.objects.points.local_forced;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.mal=db:suricata.dnp3.application.objects.points.mal;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.maximum_block_size=db:suricata.dnp3.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.offtime=db:suricata.dnp3.application.objects.points.offtime;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.online=db:suricata.dnp3.application.objects.points.online;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.ontime=db:suricata.dnp3.application.objects.points.ontime;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.op_type=db:suricata.dnp3.application.objects.points.op_type;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.operational_mode=db:suricata.dnp3.application.objects.points.operational_mode;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.optional_text=db:suricata.dnp3.application.objects.points.optional_text;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.over_range=db:suricata.dnp3.application.objects.points.over_range;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.permissions=db:suricata.dnp3.application.objects.points.permissions;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.prefix=db:suricata.dnp3.application.objects.points.prefix;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.qu=db:suricata.dnp3.application.objects.points.qu;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.reference_err=db:suricata.dnp3.application.objects.points.reference_err;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.remote_forced=db:suricata.dnp3.application.objects.points.remote_forced;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.request_id=db:suricata.dnp3.application.objects.points.request_id;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.reserved0=db:suricata.dnp3.application.objects.points.reserved0;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.reserved1=db:suricata.dnp3.application.objects.points.reserved1;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.reserved=db:suricata.dnp3.application.objects.points.reserved;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.restart=db:suricata.dnp3.application.objects.points.restart;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.size=db:suricata.dnp3.application.objects.points.size;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.state=db:suricata.dnp3.application.objects.points.state;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.status_code=db:suricata.dnp3.application.objects.points.status_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.tcc=db:suricata.dnp3.application.objects.points.tcc;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.timestamp=db:suricata.dnp3.application.objects.points.timestamp;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.user_number=db:suricata.dnp3.application.objects.points.user_number;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.usr=db:suricata.dnp3.application.objects.points.usr;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.value=db:suricata.dnp3.application.objects.points.value;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.prefix_code=db:suricata.dnp3.application.objects.prefix_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.qualifier=db:suricata.dnp3.application.objects.qualifier;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.range_code=db:suricata.dnp3.application.objects.range_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.start=db:suricata.dnp3.application.objects.start;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.stop=db:suricata.dnp3.application.objects.stop;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.variation=db:suricata.dnp3.application.objects.variation;group:suricata_dnp3;kind:integer
-suricata.dnp3.control.dir=db:suricata.dnp3.control.dir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.control.fcb=db:suricata.dnp3.control.fcb;group:suricata_dnp3;kind:termfield
-suricata.dnp3.control.fcv=db:suricata.dnp3.control.fcv;group:suricata_dnp3;kind:termfield
-suricata.dnp3.control.function_code=db:suricata.dnp3.control.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.control.pri=db:suricata.dnp3.control.pri;group:suricata_dnp3;kind:termfield
-suricata.dnp3.dst=db:suricata.dnp3.dst;group:suricata_dnp3;kind:integer
-suricata.dnp3.iin.indicators=db:suricata.dnp3.iin.indicators;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.complete=db:suricata.dnp3.request.application.complete;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.control.con=db:suricata.dnp3.request.application.control.con;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.control.fin=db:suricata.dnp3.request.application.control.fin;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.control.fir=db:suricata.dnp3.request.application.control.fir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.control.sequence=db:suricata.dnp3.request.application.control.sequence;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.control.uns=db:suricata.dnp3.request.application.control.uns;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.function_code=db:suricata.dnp3.request.application.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.count=db:suricata.dnp3.request.application.objects.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.group=db:suricata.dnp3.request.application.objects.group;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.authentication_key=db:suricata.dnp3.request.application.objects.points.authentication_key;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.count=db:suricata.dnp3.request.application.objects.points.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.cr=db:suricata.dnp3.request.application.objects.points.cr;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.created=db:suricata.dnp3.request.application.objects.points.created;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.file_size=db:suricata.dnp3.request.application.objects.points.file_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.filename=db:suricata.dnp3.request.application.objects.points.filename;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.objects.points.filename_offset=db:suricata.dnp3.request.application.objects.points.filename_offset;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.filename_size=db:suricata.dnp3.request.application.objects.points.filename_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.index=db:suricata.dnp3.request.application.objects.points.index;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.maximum_block_size=db:suricata.dnp3.request.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.offtime=db:suricata.dnp3.request.application.objects.points.offtime;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.ontime=db:suricata.dnp3.request.application.objects.points.ontime;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.op_type=db:suricata.dnp3.request.application.objects.points.op_type;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.operational_mode=db:suricata.dnp3.request.application.objects.points.operational_mode;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.permissions=db:suricata.dnp3.request.application.objects.points.permissions;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.prefix=db:suricata.dnp3.request.application.objects.points.prefix;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.qu=db:suricata.dnp3.request.application.objects.points.qu;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.request_id=db:suricata.dnp3.request.application.objects.points.request_id;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.objects.points.reserved=db:suricata.dnp3.request.application.objects.points.reserved;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.size=db:suricata.dnp3.request.application.objects.points.size;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.status_code=db:suricata.dnp3.request.application.objects.points.status_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.tcc=db:suricata.dnp3.request.application.objects.points.tcc;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.timestamp=db:suricata.dnp3.request.application.objects.points.timestamp;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.objects.points.user_number=db:suricata.dnp3.request.application.objects.points.user_number;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.prefix_code=db:suricata.dnp3.request.application.objects.prefix_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.qualifier=db:suricata.dnp3.request.application.objects.qualifier;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.range_code=db:suricata.dnp3.request.application.objects.range_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.start=db:suricata.dnp3.request.application.objects.start;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.stop=db:suricata.dnp3.request.application.objects.stop;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.variation=db:suricata.dnp3.request.application.objects.variation;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.control.dir=db:suricata.dnp3.request.control.dir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.control.fcb=db:suricata.dnp3.request.control.fcb;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.control.fcv=db:suricata.dnp3.request.control.fcv;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.control.function_code=db:suricata.dnp3.request.control.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.control.pri=db:suricata.dnp3.request.control.pri;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.dst=db:suricata.dnp3.request.dst;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.src=db:suricata.dnp3.request.src;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.type=db:suricata.dnp3.request.type;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.complete=db:suricata.dnp3.response.application.complete;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.control.con=db:suricata.dnp3.response.application.control.con;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.control.fin=db:suricata.dnp3.response.application.control.fin;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.control.fir=db:suricata.dnp3.response.application.control.fir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.control.sequence=db:suricata.dnp3.response.application.control.sequence;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.control.uns=db:suricata.dnp3.response.application.control.uns;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.function_code=db:suricata.dnp3.response.application.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.count=db:suricata.dnp3.response.application.objects.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.group=db:suricata.dnp3.response.application.objects.group;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.challenge_data_len=db:suricata.dnp3.response.application.objects.points.challenge_data_len;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.chatter_filter=db:suricata.dnp3.response.application.objects.points.chatter_filter;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.comm_lost=db:suricata.dnp3.response.application.objects.points.comm_lost;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.count=db:suricata.dnp3.response.application.objects.points.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.cr=db:suricata.dnp3.response.application.objects.points.cr;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.data.challenge_data=db:suricata.dnp3.response.application.objects.points.data.challenge_data;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.points.data.mac_value=db:suricata.dnp3.response.application.objects.points.data.mac_value;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.points.delay_ms=db:suricata.dnp3.response.application.objects.points.delay_ms;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.file_handle=db:suricata.dnp3.response.application.objects.points.file_handle;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.file_size=db:suricata.dnp3.response.application.objects.points.file_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.index=db:suricata.dnp3.response.application.objects.points.index;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.key_status=db:suricata.dnp3.response.application.objects.points.key_status;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.key_wrap_alg=db:suricata.dnp3.response.application.objects.points.key_wrap_alg;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.ksq=db:suricata.dnp3.response.application.objects.points.ksq;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.local_forced=db:suricata.dnp3.response.application.objects.points.local_forced;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.mal=db:suricata.dnp3.response.application.objects.points.mal;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.maximum_block_size=db:suricata.dnp3.response.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.offtime=db:suricata.dnp3.response.application.objects.points.offtime;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.online=db:suricata.dnp3.response.application.objects.points.online;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.ontime=db:suricata.dnp3.response.application.objects.points.ontime;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.op_type=db:suricata.dnp3.response.application.objects.points.op_type;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.optional_text=db:suricata.dnp3.response.application.objects.points.optional_text;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.points.over_range=db:suricata.dnp3.response.application.objects.points.over_range;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.prefix=db:suricata.dnp3.response.application.objects.points.prefix;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.qu=db:suricata.dnp3.response.application.objects.points.qu;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.reference_err=db:suricata.dnp3.response.application.objects.points.reference_err;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.remote_forced=db:suricata.dnp3.response.application.objects.points.remote_forced;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.request_id=db:suricata.dnp3.response.application.objects.points.request_id;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.points.reserved0=db:suricata.dnp3.response.application.objects.points.reserved0;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.reserved1=db:suricata.dnp3.response.application.objects.points.reserved1;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.reserved=db:suricata.dnp3.response.application.objects.points.reserved;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.restart=db:suricata.dnp3.response.application.objects.points.restart;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.size=db:suricata.dnp3.response.application.objects.points.size;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.state=db:suricata.dnp3.response.application.objects.points.state;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.status_code=db:suricata.dnp3.response.application.objects.points.status_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.tcc=db:suricata.dnp3.response.application.objects.points.tcc;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.user_number=db:suricata.dnp3.response.application.objects.points.user_number;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.value=db:suricata.dnp3.response.application.objects.points.value;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.prefix_code=db:suricata.dnp3.response.application.objects.prefix_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.qualifier=db:suricata.dnp3.response.application.objects.qualifier;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.range_code=db:suricata.dnp3.response.application.objects.range_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.start=db:suricata.dnp3.response.application.objects.start;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.stop=db:suricata.dnp3.response.application.objects.stop;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.variation=db:suricata.dnp3.response.application.objects.variation;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.control.dir=db:suricata.dnp3.response.control.dir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.control.fcb=db:suricata.dnp3.response.control.fcb;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.control.fcv=db:suricata.dnp3.response.control.fcv;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.control.function_code=db:suricata.dnp3.response.control.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.control.pri=db:suricata.dnp3.response.control.pri;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.dst=db:suricata.dnp3.response.dst;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.iin.indicators=db:suricata.dnp3.response.iin.indicators;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.src=db:suricata.dnp3.response.src;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.type=db:suricata.dnp3.response.type;group:suricata_dnp3;kind:termfield
-suricata.dnp3.src=db:suricata.dnp3.src;group:suricata_dnp3;kind:integer
-suricata.dnp3.type=db:suricata.dnp3.type;group:suricata_dnp3;kind:termfield
-
-suricata.dns.aa=db:suricata.dns.aa;group:suricata_dns;kind:termfield
-suricata.dns.answer.aa=db:suricata.dns.answer.aa;group:suricata_dns;kind:termfield
-suricata.dns.answer.authorities.rrname=db:suricata.dns.answer.authorities.rrname;group:suricata_dns;kind:termfield
-suricata.dns.answer.authorities.rrtype=db:suricata.dns.answer.authorities.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.answer.authorities.ttl=db:suricata.dns.answer.authorities.ttl;group:suricata_dns;kind:integer
-suricata.dns.answer.flags=db:suricata.dns.answer.flags;group:suricata_dns;kind:termfield
-suricata.dns.answer.id=db:suricata.dns.answer.id;group:suricata_dns;kind:integer
-suricata.dns.answer.qr=db:suricata.dns.answer.qr;group:suricata_dns;kind:termfield
-suricata.dns.answer.ra=db:suricata.dns.answer.ra;group:suricata_dns;kind:termfield
-suricata.dns.answer.rcode=db:suricata.dns.answer.rcode;group:suricata_dns;kind:termfield
-suricata.dns.answer.rrname=db:suricata.dns.answer.rrname;group:suricata_dns;kind:termfield
-suricata.dns.answer.rrtype=db:suricata.dns.answer.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.answer.type=db:suricata.dns.answer.type;group:suricata_dns;kind:termfield
-suricata.dns.answer.version=db:suricata.dns.answer.version;group:suricata_dns;kind:integer
-suricata.dns.answers.rdata=db:suricata.dns.answers.rdata;group:suricata_dns;kind:termfield
-suricata.dns.answers.rrname=db:suricata.dns.answers.rrname;group:suricata_dns;kind:termfield
-suricata.dns.answers.rrtype=db:suricata.dns.answers.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.answers.ttl=db:suricata.dns.answers.ttl;group:suricata_dns;kind:integer
-suricata.dns.authorities.rdata=db:suricata.dns.authorities.rdata;group:suricata_dns;kind:termfield
-suricata.dns.authorities.rrname=db:suricata.dns.authorities.rrname;group:suricata_dns;kind:termfield
-suricata.dns.authorities.rrtype=db:suricata.dns.authorities.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.authorities.ttl=db:suricata.dns.authorities.ttl;group:suricata_dns;kind:integer
-suricata.dns.flags=db:suricata.dns.flags;group:suricata_dns;kind:termfield
-suricata.dns.qr=db:suricata.dns.qr;group:suricata_dns;kind:termfield
-suricata.dns.query.id=db:suricata.dns.query.id;group:suricata_dns;kind:integer
-suricata.dns.query.rrname=db:suricata.dns.query.rrname;group:suricata_dns;kind:termfield
-suricata.dns.query.rrtype=db:suricata.dns.query.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.query.tx_id=db:suricata.dns.query.tx_id;group:suricata_dns;kind:termfield
-suricata.dns.query.type=db:suricata.dns.query.type;group:suricata_dns;kind:termfield -suricata.dns.ra=db:suricata.dns.ra;group:suricata_dns;kind:termfield -suricata.dns.rd=db:suricata.dns.rd;group:suricata_dns;kind:termfield -suricata.dns.rrname=db:suricata.dns.rrname;group:suricata_dns;kind:termfield -suricata.dns.rrtype=db:suricata.dns.rrtype;group:suricata_dns;kind:termfield -suricata.dns.tc=db:suricata.dns.tc;group:suricata_dns;kind:termfield -suricata.dns.tx_id=db:suricata.dns.tx_id;group:suricata_dns;kind:termfield -suricata.dns.version=db:suricata.dns.version;group:suricata_dns;kind:integer - -suricata.email.attachment=db:suricata.email.attachment;group:suricata_email;kind:termfield -suricata.email.body_md5=db:suricata.email.body_md5;group:suricata_email;kind:termfield -suricata.email.cc=db:suricata.email.cc;group:suricata_email;kind:termfield -suricata.email.from=db:suricata.email.from;group:suricata_email;kind:termfield -suricata.email.status=db:suricata.email.status;group:suricata_email;kind:termfield -suricata.email.subject_md5=db:suricata.email.subject_md5;group:suricata_email;kind:termfield -suricata.email.to=db:suricata.email.to;group:suricata_email;kind:termfield - -suricata.fileinfo.end=db:suricata.fileinfo.end;group:suricata_fileinfo;kind:integer -suricata.fileinfo.file_id=db:suricata.fileinfo.file_id;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.filename=db:suricata.fileinfo.filename;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.gaps=db:suricata.fileinfo.gaps;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.magic=db:suricata.fileinfo.magic;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.md5=db:suricata.fileinfo.md5;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.sha1=db:suricata.fileinfo.sha1;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.sha256=db:suricata.fileinfo.sha256;group:suricata_fileinfo;kind:termfield 
-suricata.fileinfo.sid=db:suricata.fileinfo.sid;group:suricata_fileinfo;kind:integer -suricata.fileinfo.size=db:suricata.fileinfo.size;group:suricata_fileinfo;kind:integer -suricata.fileinfo.start=db:suricata.fileinfo.start;group:suricata_fileinfo;kind:integer -suricata.fileinfo.state=db:suricata.fileinfo.state;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.tx_id=db:suricata.fileinfo.tx_id;group:suricata_fileinfo;kind:termfield - -suricata.files.end=db:suricata.files.end;group:suricata_files;kind:termfield -suricata.files.filename=db:suricata.files.filename;group:suricata_files;kind:termfield -suricata.files.gaps=db:suricata.files.gaps;group:suricata_files;kind:termfield -suricata.files.size=db:suricata.files.size;group:suricata_files;kind:integer -suricata.files.start=db:suricata.files.start;group:suricata_files;kind:termfield -suricata.files.state=db:suricata.files.state;group:suricata_files;kind:termfield -suricata.files.tx_id=db:suricata.files.tx_id;group:suricata_files;kind:termfield - -suricata.flow.age=db:suricata.flow.age;group:suricata_flow;kind:integer -suricata.flow.alerted=db:suricata.flow.alerted;group:suricata_flow;kind:termfield -suricata.flow.bytes_toclient=db:suricata.flow.bytes_toclient;group:suricata_flow;kind:integer -suricata.flow.bytes_toserver=db:suricata.flow.bytes_toserver;group:suricata_flow;kind:integer -suricata.flow.emergency=db:suricata.flow.emergency;group:suricata_flow;kind:termfield -suricata.flow.end=db:suricata.flow.end;group:suricata_flow;kind:termfield -suricata.flow.pkts_toclient=db:suricata.flow.pkts_toclient;group:suricata_flow;kind:integer -suricata.flow.pkts_toserver=db:suricata.flow.pkts_toserver;group:suricata_flow;kind:integer -suricata.flow.reason=db:suricata.flow.reason;group:suricata_flow;kind:termfield -suricata.flow.start=db:suricata.flow.start;group:suricata_flow;kind:termfield -suricata.flow.state=db:suricata.flow.state;group:suricata_flow;kind:termfield - 
-suricata.ftp.command=db:suricata.ftp.command;group:suricata_ftp;kind:termfield -suricata.ftp.command_data=db:suricata.ftp.command_data;group:suricata_ftp;kind:termfield -suricata.ftp.completion_code=db:suricata.ftp.completion_code;group:suricata_ftp;kind:termfield -suricata.ftp.dynamic_port=db:suricata.ftp.dynamic_port;group:suricata_ftp;kind:integer -suricata.ftp.reply=db:suricata.ftp.reply;group:suricata_ftp;kind:termfield -suricata.ftp.reply_received=db:suricata.ftp.reply_received;group:suricata_ftp;kind:termfield - -suricata.http.content_range.end=db:suricata.http.content_range.end;group:suricata_http;kind:integer -suricata.http.content_range.raw=db:suricata.http.content_range.raw;group:suricata_http;kind:termfield -suricata.http.content_range.size=db:suricata.http.content_range.size;group:suricata_http;kind:integer -suricata.http.content_range.start=db:suricata.http.content_range.start;group:suricata_http;kind:integer -suricata.http.hostname=db:suricata.http.hostname;group:suricata_http;kind:termfield -suricata.http.http_content_type=db:suricata.http.http_content_type;group:suricata_http;kind:termfield -suricata.http.http_method=db:suricata.http.http_method;group:suricata_http;kind:termfield -suricata.http.http_port=db:suricata.http.http_port;group:suricata_http;kind:integer -suricata.http.http_refer=db:suricata.http.http_refer;group:suricata_http;kind:termfield -suricata.http.http_request_body=db:suricata.http.http_request_body;group:suricata_http;kind:termfield -suricata.http.http_request_body_printable=db:suricata.http.http_request_body_printable;group:suricata_http;kind:termfield -suricata.http.http_response_body=db:suricata.http.http_response_body;group:suricata_http;kind:termfield -suricata.http.http_response_body_printable=db:suricata.http.http_response_body_printable;group:suricata_http;kind:termfield -suricata.http.http_user_agent=db:suricata.http.http_user_agent;group:suricata_http;kind:termfield 
-suricata.http.length=db:suricata.http.length;group:suricata_http;kind:integer -suricata.http.protocol=db:suricata.http.protocol;group:suricata_http;kind:termfield -suricata.http.redirect=db:suricata.http.redirect;group:suricata_http;kind:termfield -suricata.http.request_headers.name=db:suricata.http.request_headers.name;group:suricata_http;kind:termfield -suricata.http.request_headers.value=db:suricata.http.request_headers.value;group:suricata_http;kind:termfield -suricata.http.response_headers.name=db:suricata.http.response_headers.name;group:suricata_http;kind:termfield -suricata.http.response_headers.value=db:suricata.http.response_headers.value;group:suricata_http;kind:termfield -suricata.http.status=db:suricata.http.status;group:suricata_http;kind:termfield -suricata.http.url=db:suricata.http.url;group:suricata_http;kind:termfield - -suricata.icmp_code=db:suricata.icmp_code;group:suricata_icmp;kind:integer -suricata.icmp_type=db:suricata.icmp_type;group:suricata_icmp;kind:integer -suricata.response_icmp_code=db:suricata.response_icmp_code;group:suricata_icmp;kind:integer -suricata.response_icmp_type=db:suricata.response_icmp_type;group:suricata_icmp;kind:integer - -suricata.ikev2.alg_auth=db:suricata.ikev2.alg_auth;group:suricata_ikev2;kind:termfield -suricata.ikev2.alg_dh=db:suricata.ikev2.alg_dh;group:suricata_ikev2;kind:termfield -suricata.ikev2.alg_enc=db:suricata.ikev2.alg_enc;group:suricata_ikev2;kind:termfield -suricata.ikev2.alg_esn=db:suricata.ikev2.alg_esn;group:suricata_ikev2;kind:termfield -suricata.ikev2.alg_prf=db:suricata.ikev2.alg_prf;group:suricata_ikev2;kind:termfield -suricata.ikev2.errors=db:suricata.ikev2.errors;group:suricata_ikev2;kind:integer -suricata.ikev2.exchange_type=db:suricata.ikev2.exchange_type;group:suricata_ikev2;kind:integer -suricata.ikev2.init_spi=db:suricata.ikev2.init_spi;group:suricata_ikev2;kind:termfield -suricata.ikev2.message_id=db:suricata.ikev2.message_id;group:suricata_ikev2;kind:termfield 
-suricata.ikev2.notify=db:suricata.ikev2.notify;group:suricata_ikev2;kind:termfield -suricata.ikev2.payload=db:suricata.ikev2.payload;group:suricata_ikev2;kind:termfield -suricata.ikev2.resp_spi=db:suricata.ikev2.resp_spi;group:suricata_ikev2;kind:termfield -suricata.ikev2.role=db:suricata.ikev2.role;group:suricata_ikev2;kind:termfield -suricata.ikev2.version_major=db:suricata.ikev2.version_major;group:suricata_ikev2;kind:integer -suricata.ikev2.version_minor=db:suricata.ikev2.version_minor;group:suricata_ikev2;kind:integer - -suricata.krb5.cname=db:suricata.krb5.cname;group:suricata_krb5;kind:termfield -suricata.krb5.encryption=db:suricata.krb5.encryption;group:suricata_krb5;kind:termfield -suricata.krb5.error_code=db:suricata.krb5.error_code;group:suricata_krb5;kind:termfield -suricata.krb5.failed_request=db:suricata.krb5.failed_request;group:suricata_krb5;kind:termfield -suricata.krb5.msg_type=db:suricata.krb5.msg_type;group:suricata_krb5;kind:termfield -suricata.krb5.realm=db:suricata.krb5.realm;group:suricata_krb5;kind:termfield -suricata.krb5.sname=db:suricata.krb5.sname;group:suricata_krb5;kind:termfield -suricata.krb5.weak_encryption=db:suricata.krb5.weak_encryption;group:suricata_krb5;kind:termfield - -suricata.netflow.age=db:suricata.netflow.age;group:suricata_netflow;kind:integer -suricata.netflow.bytes=db:suricata.netflow.bytes;group:suricata_netflow;kind:integer -suricata.netflow.end=db:suricata.netflow.end;group:suricata_netflow;kind:termfield -suricata.netflow.max_ttl=db:suricata.netflow.max_ttl;group:suricata_netflow;kind:integer -suricata.netflow.min_ttl=db:suricata.netflow.min_ttl;group:suricata_netflow;kind:integer -suricata.netflow.pkts=db:suricata.netflow.pkts;group:suricata_netflow;kind:integer -suricata.netflow.start=db:suricata.netflow.start;group:suricata_netflow;kind:termfield - -suricata.nfs.file_tx=db:suricata.nfs.file_tx;group:suricata_nfs;kind:termfield -suricata.nfs.filename=db:suricata.nfs.filename;group:suricata_nfs;kind:termfield 
-suricata.nfs.hhash=db:suricata.nfs.hhash;group:suricata_nfs;kind:termfield -suricata.nfs.id=db:suricata.nfs.id;group:suricata_nfs;kind:integer -suricata.nfs.procedure=db:suricata.nfs.procedure;group:suricata_nfs;kind:termfield -suricata.nfs.rename.from=db:suricata.nfs.rename.from;group:suricata_nfs;kind:termfield -suricata.nfs.rename.to=db:suricata.nfs.rename.to;group:suricata_nfs;kind:termfield -suricata.nfs.status=db:suricata.nfs.status;group:suricata_nfs;kind:termfield -suricata.nfs.type=db:suricata.nfs.type;group:suricata_nfs;kind:termfield -suricata.nfs.version=db:suricata.nfs.version;group:suricata_nfs;kind:integer - -suricata.rdp.channels=db:suricata.rdp.channels;group:suricata_rdp;kind:termfield -suricata.rdp.client.build=db:suricata.rdp.client.build;group:suricata_rdp;kind:termfield -suricata.rdp.client.capabilities=db:suricata.rdp.client.capabilities;group:suricata_rdp;kind:termfield -suricata.rdp.client.client_name=db:suricata.rdp.client.client_name;group:suricata_rdp;kind:termfield -suricata.rdp.client.color_depth=db:suricata.rdp.client.color_depth;group:suricata_rdp;kind:integer -suricata.rdp.client.connection_hint=db:suricata.rdp.client.connection_hint;group:suricata_rdp;kind:termfield -suricata.rdp.client.desktop_height=db:suricata.rdp.client.desktop_height;group:suricata_rdp;kind:integer -suricata.rdp.client.desktop_width=db:suricata.rdp.client.desktop_width;group:suricata_rdp;kind:integer -suricata.rdp.client.function_keys=db:suricata.rdp.client.function_keys;group:suricata_rdp;kind:integer -suricata.rdp.client.id=db:suricata.rdp.client.id;group:suricata_rdp;kind:termfield -suricata.rdp.client.keyboard_layout=db:suricata.rdp.client.keyboard_layout;group:suricata_rdp;kind:termfield -suricata.rdp.client.keyboard_type=db:suricata.rdp.client.keyboard_type;group:suricata_rdp;kind:termfield -suricata.rdp.client.product_id=db:suricata.rdp.client.product_id;group:suricata_rdp;kind:termfield 
-suricata.rdp.client.version=db:suricata.rdp.client.version;group:suricata_rdp;kind:termfield -suricata.rdp.cookie=db:suricata.rdp.cookie;group:suricata_rdp;kind:termfield -suricata.rdp.error_code=db:suricata.rdp.error_code;group:suricata_rdp;kind:integer -suricata.rdp.event_type=db:suricata.rdp.event_type;group:suricata_rdp;kind:termfield -suricata.rdp.protocol=db:suricata.rdp.protocol;group:suricata_rdp;kind:termfield -suricata.rdp.reason=db:suricata.rdp.reason;group:suricata_rdp;kind:termfield -suricata.rdp.server_supports=db:suricata.rdp.server_supports;group:suricata_rdp;kind:termfield -suricata.rdp.tx_id=db:suricata.rdp.tx_id;group:suricata_rdp;kind:termfield -suricata.rdp.x509_serials=db:suricata.rdp.x509_serials;group:suricata_rdp;kindrpc:termfield - -suricata.rpc.auth_type=db:suricata.rpc.auth_type;group:suricata_rpc;kind:termfield -suricata.rpc.creds.gid=db:suricata.rpc.creds.gid;group:suricata_rpc;kind:integer -suricata.rpc.creds.machine_name=db:suricata.rpc.creds.machine_name;group:suricata_rpc;kind:termfield -suricata.rpc.creds.uid=db:suricata.rpc.creds.uid;group:suricata_rpc;kind:integer -suricata.rpc.status=db:suricata.rpc.status;group:suricata_rpc;kind:termfield -suricata.rpc.xid=db:suricata.rpc.xid;group:suricata_rpc;kind:integer - -suricata.sip.code=db:suricata.sip.code;group:suricata_sip;kind:termfield -suricata.sip.method=db:suricata.sip.method;group:suricata_sip;kind:termfield -suricata.sip.reason=db:suricata.sip.reason;group:suricata_sip;kind:termfield -suricata.sip.request_line=db:suricata.sip.request_line;group:suricata_sip;kind:termfield -suricata.sip.response_line=db:suricata.sip.response_line;group:suricata_sip;kind:termfield -suricata.sip.uri=db:suricata.sip.uri;group:suricata_sip;kind:termfield -suricata.sip.version=db:suricata.sip.version;group:suricata_sip;kind:termfield - -suricata.smb.access=db:suricata.smb.access;group:suricata_smb;kind:termfield -suricata.smb.accessed=db:suricata.smb.accessed;group:suricata_smb;kind:integer 
-suricata.smb.changed=db:suricata.smb.changed;group:suricata_smb;kind:integer -suricata.smb.client_dialects=db:suricata.smb.client_dialects;group:suricata_smb;kind:termfield -suricata.smb.client_guid=db:suricata.smb.client_guid;group:suricata_smb;kind:termfield -suricata.smb.command=db:suricata.smb.command;group:suricata_smb;kind:termfield -suricata.smb.created=db:suricata.smb.created;group:suricata_smb;kind:integer -suricata.smb.dcerpc.call_id=db:suricata.smb.dcerpc.call_id;group:suricata_smb;kind:termfield -suricata.smb.dcerpc.interfaces.ack_reason=db:suricata.smb.dcerpc.interfaces.ack_reason;group:suricata_smb;kind:integer -suricata.smb.dcerpc.interfaces.ack_result=db:suricata.smb.dcerpc.interfaces.ack_result;group:suricata_smb;kind:integer -suricata.smb.dcerpc.interfaces.uuid=db:suricata.smb.dcerpc.interfaces.uuid;group:suricata_smb;kind:termfield -suricata.smb.dcerpc.interfaces.version=db:suricata.smb.dcerpc.interfaces.version;group:suricata_smb;kind:termfield -suricata.smb.dcerpc.opnum=db:suricata.smb.dcerpc.opnum;group:suricata_smb;kind:integer -suricata.smb.dcerpc.req.frag_cnt=db:suricata.smb.dcerpc.req.frag_cnt;group:suricata_smb;kind:integer -suricata.smb.dcerpc.req.stub_data_size=db:suricata.smb.dcerpc.req.stub_data_size;group:suricata_smb;kind:integer -suricata.smb.dcerpc.request=db:suricata.smb.dcerpc.request;group:suricata_smb;kind:termfield -suricata.smb.dcerpc.res.frag_cnt=db:suricata.smb.dcerpc.res.frag_cnt;group:suricata_smb;kind:integer -suricata.smb.dcerpc.res.stub_data_size=db:suricata.smb.dcerpc.res.stub_data_size;group:suricata_smb;kind:integer -suricata.smb.dcerpc.response=db:suricata.smb.dcerpc.response;group:suricata_smb;kind:termfield -suricata.smb.dialect=db:suricata.smb.dialect;group:suricata_smb;kind:termfield -suricata.smb.directory=db:suricata.smb.directory;group:suricata_smb;kind:termfield -suricata.smb.disposition=db:suricata.smb.disposition;group:suricata_smb;kind:termfield 
-suricata.smb.filename=db:suricata.smb.filename;group:suricata_smb;kind:termfield -suricata.smb.fuid=db:suricata.smb.fuid;group:suricata_smb;kind:termfield -suricata.smb.function=db:suricata.smb.function;group:suricata_smb;kind:termfield -suricata.smb.id=db:suricata.smb.id;group:suricata_smb;kind:integer -suricata.smb.kerberos.realm=db:suricata.smb.kerberos.realm;group:suricata_smb;kind:termfield -suricata.smb.kerberos.snames=db:suricata.smb.kerberos.snames;group:suricata_smb;kind:termfield -suricata.smb.modified=db:suricata.smb.modified;group:suricata_smb;kind:integer -suricata.smb.named_pipe=db:suricata.smb.named_pipe;group:suricata_smb;kind:termfield -suricata.smb.ntlmssp.domain=db:suricata.smb.ntlmssp.domain;group:suricata_smb;kind:termfield -suricata.smb.ntlmssp.host=db:suricata.smb.ntlmssp.host;group:suricata_smb;kind:termfield -suricata.smb.ntlmssp.user=db:suricata.smb.ntlmssp.user;group:suricata_smb;kind:termfield -suricata.smb.rename.from=db:suricata.smb.rename.from;group:suricata_smb;kind:termfield -suricata.smb.rename.to=db:suricata.smb.rename.to;group:suricata_smb;kind:termfield -suricata.smb.request.native_lm=db:suricata.smb.request.native_lm;group:suricata_smb;kind:termfield -suricata.smb.request.native_os=db:suricata.smb.request.native_os;group:suricata_smb;kind:termfield -suricata.smb.response.native_lm=db:suricata.smb.response.native_lm;group:suricata_smb;kind:termfield -suricata.smb.response.native_os=db:suricata.smb.response.native_os;group:suricata_smb;kind:termfield -suricata.smb.server_guid=db:suricata.smb.server_guid;group:suricata_smb;kind:termfield -suricata.smb.service.request=db:suricata.smb.service.request;group:suricata_smb;kind:termfield -suricata.smb.service.response=db:suricata.smb.service.response;group:suricata_smb;kind:termfield -suricata.smb.session_id=db:suricata.smb.session_id;group:suricata_smb;kind:termfield -suricata.smb.set_info.class=db:suricata.smb.set_info.class;group:suricata_smb;kind:termfield 
-suricata.smb.set_info.info_level=db:suricata.smb.set_info.info_level;group:suricata_smb;kind:termfield -suricata.smb.share=db:suricata.smb.share;group:suricata_smb;kind:termfield -suricata.smb.share_type=db:suricata.smb.share_type;group:suricata_smb;kind:termfield -suricata.smb.size=db:suricata.smb.size;group:suricata_smb;kind:integer -suricata.smb.status=db:suricata.smb.status;group:suricata_smb;kind:termfield -suricata.smb.status_code=db:suricata.smb.status_code;group:suricata_smb;kind:termfield -suricata.smb.tree_id=db:suricata.smb.tree_id;group:suricata_smb;kind:termfield - -suricata.smtp.helo=db:suricata.smtp.helo;group:suricata_smtp;kind:termfield -suricata.smtp.mail_from=db:suricata.smtp.mail_from;group:suricata_smtp;kind:termfield -suricata.smtp.rcpt_to=db:suricata.smtp.rcpt_to;group:suricata_smtp;kind:termfield - -suricata.snmp.community=db:suricata.snmp.community;group:suricata_snmp;kind:termfield -suricata.snmp.error=db:suricata.snmp.error;group:suricata_snmp;kind:termfield -suricata.snmp.pdu_type=db:suricata.snmp.pdu_type;group:suricata_snmp;kind:termfield -suricata.snmp.trap_address=db:suricata.snmp.trap_address;group:suricata_snmp;kind:termfield -suricata.snmp.trap_oid=db:suricata.snmp.trap_oid;group:suricata_snmp;kind:termfield -suricata.snmp.trap_type=db:suricata.snmp.trap_type;group:suricata_snmp;kind:termfield -suricata.snmp.usm=db:suricata.snmp.usm;group:suricata_snmp;kind:termfield -suricata.snmp.vars=db:suricata.snmp.vars;group:suricata_snmp;kind:termfield -suricata.snmp.version=db:suricata.snmp.version;group:suricata_snmp;kind:integer - -suricata.ssh.client.proto_version=db:suricata.ssh.client.proto_version;group:suricata_ssh;kind:termfield -suricata.ssh.client.software_version=db:suricata.ssh.client.software_version;group:suricata_ssh;kind:termfield -suricata.ssh.server.proto_version=db:suricata.ssh.server.proto_version;group:suricata_ssh;kind:termfield 
-suricata.ssh.server.software_version=db:suricata.ssh.server.software_version;group:suricata_ssh;kind:termfield - -suricata.tcp.ack=db:suricata.tcp.ack;group:suricata_tcp;kind:termfield -suricata.tcp.cwr=db:suricata.tcp.cwr;group:suricata_tcp;kind:termfield -suricata.tcp.ecn=db:suricata.tcp.ecn;group:suricata_tcp;kind:termfield -suricata.tcp.fin=db:suricata.tcp.fin;group:suricata_tcp;kind:termfield -suricata.tcp.psh=db:suricata.tcp.psh;group:suricata_tcp;kind:termfield -suricata.tcp.rst=db:suricata.tcp.rst;group:suricata_tcp;kind:termfield -suricata.tcp.state=db:suricata.tcp.state;group:suricata_tcp;kind:termfield -suricata.tcp.syn=db:suricata.tcp.syn;group:suricata_tcp;kind:termfield -suricata.tcp.tcp_flags=db:suricata.tcp.tcp_flags;group:suricata_tcp;kind:termfield -suricata.tcp.tcp_flags_tc=db:suricata.tcp.tcp_flags_tc;group:suricata_tcp;kind:termfield -suricata.tcp.tcp_flags_ts=db:suricata.tcp.tcp_flags_ts;group:suricata_tcp;kind:termfield -suricata.tcp.urg=db:suricata.tcp.urg;group:suricata_tcp;kind:termfield - -suricata.tftp.file=db:suricata.tftp.file;group:suricata_tftp;kind:termfield -suricata.tftp.mode=db:suricata.tftp.mode;group:suricata_tftp;kind:termfield -suricata.tftp.packet=db:suricata.tftp.packet;group:suricata_tftp;kind:termfield - -suricata.tls.fingerprint=db:suricata.tls.fingerprint;group:suricata_tls;kind:termfield -suricata.tls.from_proto=db:suricata.tls.from_proto;group:suricata_tls;kind:termfield -suricata.tls.issuerdn=db:suricata.tls.issuerdn;group:suricata_tls;kind:termfield -suricata.tls.notafter=db:suricata.tls.notafter;group:suricata_tls;kind:termfield -suricata.tls.notbefore=db:suricata.tls.notbefore;group:suricata_tls;kind:termfield -suricata.tls.serial=db:suricata.tls.serial;group:suricata_tls;kind:termfield -suricata.tls.session_resumed=db:suricata.tls.session_resumed;group:suricata_tls;kind:termfield -suricata.tls.sni=db:suricata.tls.sni;group:suricata_tls;kind:termfield 
-suricata.tls.subject=db:suricata.tls.subject;group:suricata_tls;kind:termfield -suricata.tls.version=db:suricata.tls.version;group:suricata_tls;kind:termfield - -suricata.tunnel.depth=db:suricata.tunnel.depth;group:suricata_tunnel;kind:integer -suricata.tunnel.dest_ip=db:suricata.tunnel.dest_ip;group:suricata_tunnel;kind:termfield -suricata.tunnel.dest_port=db:suricata.tunnel.dest_port;group:suricata_tunnel;kind:integer -suricata.tunnel.proto=db:suricata.tunnel.proto;group:suricata_tunnel;kind:termfield -suricata.tunnel.src_ip=db:suricata.tunnel.src_ip;group:suricata_tunnel;kind:termfield -suricata.tunnel.src_port=db:suricata.tunnel.src_port;group:suricata_tunnel;kind:integer +suricata.action=db:suricata.action;group:suricata_common;kind:termfield;viewerOnly:true +suricata.app_proto_expected=db:suricata.app_proto_expected;group:suricata_common;kind:termfield;viewerOnly:true +suricata.app_proto_orig=db:suricata.app_proto_orig;group:suricata_common;kind:termfield;viewerOnly:true +suricata.app_proto_tc=db:suricata.app_proto_tc;group:suricata_common;kind:termfield;viewerOnly:true +suricata.app_proto_ts=db:suricata.app_proto_ts;group:suricata_common;kind:termfield;viewerOnly:true +suricata.category=db:suricata.category;group:suricata_common;kind:termfield;viewerOnly:true +suricata.flow_id=db:suricata.flow_id;group:suricata_common;kind:termfield;viewerOnly:true +suricata.pcap_cnt=db:suricata.pcap_cnt;group:suricata_common;kind:integer;viewerOnly:true +suricata.pcap_filename=db:suricata.pcap_filename;group:suricata_common;kind:termfield;viewerOnly:true +suricata.severity=db:suricata.severity;group:suricata_common;kind:termfield;viewerOnly:true +suricata.signature=db:suricata.signature;group:suricata_common;kind:termfield;viewerOnly:true +suricata.stream=db:suricata.stream;group:suricata_common;kind:integer;viewerOnly:true +suricata.timestamp=db:suricata.timestamp;group:suricata_common;kind:termfield;viewerOnly:true 
+suricata.tx_id=db:suricata.tx_id;group:suricata_common;kind:termfield;viewerOnly:true + +suricata.alert.action=db:suricata.alert.action;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.created_at=db:suricata.alert.metadata.created_at;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.malware_family=db:suricata.alert.metadata.malware_family;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.performance_impact=db:suricata.alert.metadata.performance_impact;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.signature_severity=db:suricata.alert.metadata.signature_severity;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.updated_at=db:suricata.alert.metadata.updated_at;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.rev=db:suricata.alert.rev;group:suricata_alert;kind:integer;viewerOnly:true +suricata.alert.severity=db:suricata.alert.severity;group:suricata_alert;kind:integer;viewerOnly:true + +suricata.anomaly.app_proto=db:suricata.anomaly.app_proto;group:suricata_anomaly;kind:termfield;viewerOnly:true +suricata.anomaly.code=db:suricata.anomaly.code;group:suricata_anomaly;kind:integer;viewerOnly:true +suricata.anomaly.event=db:suricata.anomaly.event;group:suricata_anomaly;kind:termfield;viewerOnly:true +suricata.anomaly.event_no=db:suricata.anomaly.event_no;group:suricata_anomaly;kind:termfield;viewerOnly:true +suricata.anomaly.layer=db:suricata.anomaly.layer;group:suricata_anomaly;kind:termfield;viewerOnly:true +suricata.anomaly.type=db:suricata.anomaly.type;group:suricata_anomaly;kind:termfield;viewerOnly:true + +suricata.dhcp.assigned_ip=db:suricata.dhcp.assigned_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.client_id=db:suricata.dhcp.client_id;group:suricata_dhcp;kind:termfield;viewerOnly:true 
+suricata.dhcp.client_ip=db:suricata.dhcp.client_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.client_mac=db:suricata.dhcp.client_mac;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.dhcp_type=db:suricata.dhcp.dhcp_type;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.dns_servers=db:suricata.dhcp.dns_servers;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.hostname=db:suricata.dhcp.hostname;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.id=db:suricata.dhcp.id;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.lease_time=db:suricata.dhcp.lease_time;group:suricata_dhcp;kind:integer;viewerOnly:true +suricata.dhcp.next_server_ip=db:suricata.dhcp.next_server_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.params=db:suricata.dhcp.params;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.rebinding_time=db:suricata.dhcp.rebinding_time;group:suricata_dhcp;kind:integer;viewerOnly:true +suricata.dhcp.relay_ip=db:suricata.dhcp.relay_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.renewal_time=db:suricata.dhcp.renewal_time;group:suricata_dhcp;kind:integer;viewerOnly:true +suricata.dhcp.requested_ip=db:suricata.dhcp.requested_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.routers=db:suricata.dhcp.routers;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.subnet_mask=db:suricata.dhcp.subnet_mask;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.type=db:suricata.dhcp.type;group:suricata_dhcp;kind:termfield;viewerOnly:true + +suricata.dnp3.application.complete=db:suricata.dnp3.application.complete;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.control.con=db:suricata.dnp3.application.control.con;group:suricata_dnp3;kind:termfield;viewerOnly:true 
+suricata.dnp3.application.control.fin=db:suricata.dnp3.application.control.fin;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.control.fir=db:suricata.dnp3.application.control.fir;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.control.sequence=db:suricata.dnp3.application.control.sequence;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.control.uns=db:suricata.dnp3.application.control.uns;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.function_code=db:suricata.dnp3.application.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.count=db:suricata.dnp3.application.objects.count;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.group=db:suricata.dnp3.application.objects.group;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.authentication_key=db:suricata.dnp3.application.objects.points.authentication_key;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.block_number=db:suricata.dnp3.application.objects.points.block_number;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.challenge_data_len=db:suricata.dnp3.application.objects.points.challenge_data_len;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.chatter_filter=db:suricata.dnp3.application.objects.points.chatter_filter;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.comm_lost=db:suricata.dnp3.application.objects.points.comm_lost;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.count=db:suricata.dnp3.application.objects.points.count;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.application.objects.points.cr=db:suricata.dnp3.application.objects.points.cr;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.created=db:suricata.dnp3.application.objects.points.created;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.data.mac_value=db:suricata.dnp3.application.objects.points.data.mac_value;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.data.wrapped_key_data=db:suricata.dnp3.application.objects.points.data.wrapped_key_data;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.delay_ms=db:suricata.dnp3.application.objects.points.delay_ms;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.file_data=db:suricata.dnp3.application.objects.points.file_data;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.file_handle=db:suricata.dnp3.application.objects.points.file_handle;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.file_size=db:suricata.dnp3.application.objects.points.file_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.filename=db:suricata.dnp3.application.objects.points.filename;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.filename_offset=db:suricata.dnp3.application.objects.points.filename_offset;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.filename_size=db:suricata.dnp3.application.objects.points.filename_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.index=db:suricata.dnp3.application.objects.points.index;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.application.objects.points.key_status=db:suricata.dnp3.application.objects.points.key_status;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.key_wrap_alg=db:suricata.dnp3.application.objects.points.key_wrap_alg;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.ksq=db:suricata.dnp3.application.objects.points.ksq;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.local_forced=db:suricata.dnp3.application.objects.points.local_forced;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.mal=db:suricata.dnp3.application.objects.points.mal;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.maximum_block_size=db:suricata.dnp3.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.offtime=db:suricata.dnp3.application.objects.points.offtime;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.online=db:suricata.dnp3.application.objects.points.online;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.ontime=db:suricata.dnp3.application.objects.points.ontime;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.op_type=db:suricata.dnp3.application.objects.points.op_type;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.operational_mode=db:suricata.dnp3.application.objects.points.operational_mode;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.optional_text=db:suricata.dnp3.application.objects.points.optional_text;group:suricata_dnp3;kind:termfield;viewerOnly:true 
+suricata.dnp3.application.objects.points.over_range=db:suricata.dnp3.application.objects.points.over_range;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.permissions=db:suricata.dnp3.application.objects.points.permissions;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.prefix=db:suricata.dnp3.application.objects.points.prefix;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.qu=db:suricata.dnp3.application.objects.points.qu;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.reference_err=db:suricata.dnp3.application.objects.points.reference_err;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.remote_forced=db:suricata.dnp3.application.objects.points.remote_forced;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.request_id=db:suricata.dnp3.application.objects.points.request_id;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.application.objects.points.reserved0=db:suricata.dnp3.application.objects.points.reserved0;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.reserved1=db:suricata.dnp3.application.objects.points.reserved1;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.reserved=db:suricata.dnp3.application.objects.points.reserved;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.restart=db:suricata.dnp3.application.objects.points.restart;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.size=db:suricata.dnp3.application.objects.points.size;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.state=db:suricata.dnp3.application.objects.points.state;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.status_code=db:suricata.dnp3.application.objects.points.status_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.tcc=db:suricata.dnp3.application.objects.points.tcc;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.timestamp=db:suricata.dnp3.application.objects.points.timestamp;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.application.objects.points.user_number=db:suricata.dnp3.application.objects.points.user_number;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.usr=db:suricata.dnp3.application.objects.points.usr;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.points.value=db:suricata.dnp3.application.objects.points.value;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.application.objects.prefix_code=db:suricata.dnp3.application.objects.prefix_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.qualifier=db:suricata.dnp3.application.objects.qualifier;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.range_code=db:suricata.dnp3.application.objects.range_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.start=db:suricata.dnp3.application.objects.start;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.stop=db:suricata.dnp3.application.objects.stop;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.application.objects.variation=db:suricata.dnp3.application.objects.variation;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.control.dir=db:suricata.dnp3.control.dir;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.control.fcb=db:suricata.dnp3.control.fcb;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.control.fcv=db:suricata.dnp3.control.fcv;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.control.function_code=db:suricata.dnp3.control.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.control.pri=db:suricata.dnp3.control.pri;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.dst=db:suricata.dnp3.dst;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.iin.indicators=db:suricata.dnp3.iin.indicators;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.application.complete=db:suricata.dnp3.request.application.complete;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.application.control.con=db:suricata.dnp3.request.application.control.con;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.application.control.fin=db:suricata.dnp3.request.application.control.fin;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.application.control.fir=db:suricata.dnp3.request.application.control.fir;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.application.control.sequence=db:suricata.dnp3.request.application.control.sequence;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.control.uns=db:suricata.dnp3.request.application.control.uns;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.application.function_code=db:suricata.dnp3.request.application.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.count=db:suricata.dnp3.request.application.objects.count;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.group=db:suricata.dnp3.request.application.objects.group;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.authentication_key=db:suricata.dnp3.request.application.objects.points.authentication_key;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.count=db:suricata.dnp3.request.application.objects.points.count;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.cr=db:suricata.dnp3.request.application.objects.points.cr;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.created=db:suricata.dnp3.request.application.objects.points.created;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.file_size=db:suricata.dnp3.request.application.objects.points.file_size;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.filename=db:suricata.dnp3.request.application.objects.points.filename;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.application.objects.points.filename_offset=db:suricata.dnp3.request.application.objects.points.filename_offset;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.filename_size=db:suricata.dnp3.request.application.objects.points.filename_size;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.index=db:suricata.dnp3.request.application.objects.points.index;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.maximum_block_size=db:suricata.dnp3.request.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.offtime=db:suricata.dnp3.request.application.objects.points.offtime;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.ontime=db:suricata.dnp3.request.application.objects.points.ontime;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.op_type=db:suricata.dnp3.request.application.objects.points.op_type;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.operational_mode=db:suricata.dnp3.request.application.objects.points.operational_mode;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.permissions=db:suricata.dnp3.request.application.objects.points.permissions;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.prefix=db:suricata.dnp3.request.application.objects.points.prefix;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.qu=db:suricata.dnp3.request.application.objects.points.qu;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.request_id=db:suricata.dnp3.request.application.objects.points.request_id;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.application.objects.points.reserved=db:suricata.dnp3.request.application.objects.points.reserved;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.size=db:suricata.dnp3.request.application.objects.points.size;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.status_code=db:suricata.dnp3.request.application.objects.points.status_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.tcc=db:suricata.dnp3.request.application.objects.points.tcc;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.points.timestamp=db:suricata.dnp3.request.application.objects.points.timestamp;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.application.objects.points.user_number=db:suricata.dnp3.request.application.objects.points.user_number;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.prefix_code=db:suricata.dnp3.request.application.objects.prefix_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.qualifier=db:suricata.dnp3.request.application.objects.qualifier;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.range_code=db:suricata.dnp3.request.application.objects.range_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.start=db:suricata.dnp3.request.application.objects.start;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.stop=db:suricata.dnp3.request.application.objects.stop;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.application.objects.variation=db:suricata.dnp3.request.application.objects.variation;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.control.dir=db:suricata.dnp3.request.control.dir;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.control.fcb=db:suricata.dnp3.request.control.fcb;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.control.fcv=db:suricata.dnp3.request.control.fcv;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.control.function_code=db:suricata.dnp3.request.control.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.control.pri=db:suricata.dnp3.request.control.pri;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.request.dst=db:suricata.dnp3.request.dst;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.src=db:suricata.dnp3.request.src;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.request.type=db:suricata.dnp3.request.type;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.complete=db:suricata.dnp3.response.application.complete;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.control.con=db:suricata.dnp3.response.application.control.con;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.control.fin=db:suricata.dnp3.response.application.control.fin;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.control.fir=db:suricata.dnp3.response.application.control.fir;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.control.sequence=db:suricata.dnp3.response.application.control.sequence;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.control.uns=db:suricata.dnp3.response.application.control.uns;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.function_code=db:suricata.dnp3.response.application.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.count=db:suricata.dnp3.response.application.objects.count;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.group=db:suricata.dnp3.response.application.objects.group;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.challenge_data_len=db:suricata.dnp3.response.application.objects.points.challenge_data_len;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.chatter_filter=db:suricata.dnp3.response.application.objects.points.chatter_filter;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.comm_lost=db:suricata.dnp3.response.application.objects.points.comm_lost;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.count=db:suricata.dnp3.response.application.objects.points.count;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.cr=db:suricata.dnp3.response.application.objects.points.cr;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.data.challenge_data=db:suricata.dnp3.response.application.objects.points.data.challenge_data;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.objects.points.data.mac_value=db:suricata.dnp3.response.application.objects.points.data.mac_value;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.objects.points.delay_ms=db:suricata.dnp3.response.application.objects.points.delay_ms;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.file_handle=db:suricata.dnp3.response.application.objects.points.file_handle;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.file_size=db:suricata.dnp3.response.application.objects.points.file_size;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.index=db:suricata.dnp3.response.application.objects.points.index;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.key_status=db:suricata.dnp3.response.application.objects.points.key_status;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.key_wrap_alg=db:suricata.dnp3.response.application.objects.points.key_wrap_alg;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.ksq=db:suricata.dnp3.response.application.objects.points.ksq;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.local_forced=db:suricata.dnp3.response.application.objects.points.local_forced;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.mal=db:suricata.dnp3.response.application.objects.points.mal;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.maximum_block_size=db:suricata.dnp3.response.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.offtime=db:suricata.dnp3.response.application.objects.points.offtime;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.online=db:suricata.dnp3.response.application.objects.points.online;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.ontime=db:suricata.dnp3.response.application.objects.points.ontime;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.op_type=db:suricata.dnp3.response.application.objects.points.op_type;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.optional_text=db:suricata.dnp3.response.application.objects.points.optional_text;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.objects.points.over_range=db:suricata.dnp3.response.application.objects.points.over_range;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.prefix=db:suricata.dnp3.response.application.objects.points.prefix;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.qu=db:suricata.dnp3.response.application.objects.points.qu;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.reference_err=db:suricata.dnp3.response.application.objects.points.reference_err;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.remote_forced=db:suricata.dnp3.response.application.objects.points.remote_forced;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.request_id=db:suricata.dnp3.response.application.objects.points.request_id;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.objects.points.reserved0=db:suricata.dnp3.response.application.objects.points.reserved0;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.reserved1=db:suricata.dnp3.response.application.objects.points.reserved1;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.reserved=db:suricata.dnp3.response.application.objects.points.reserved;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.restart=db:suricata.dnp3.response.application.objects.points.restart;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.size=db:suricata.dnp3.response.application.objects.points.size;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.state=db:suricata.dnp3.response.application.objects.points.state;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.status_code=db:suricata.dnp3.response.application.objects.points.status_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.tcc=db:suricata.dnp3.response.application.objects.points.tcc;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.user_number=db:suricata.dnp3.response.application.objects.points.user_number;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.points.value=db:suricata.dnp3.response.application.objects.points.value;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.application.objects.prefix_code=db:suricata.dnp3.response.application.objects.prefix_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.qualifier=db:suricata.dnp3.response.application.objects.qualifier;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.range_code=db:suricata.dnp3.response.application.objects.range_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.start=db:suricata.dnp3.response.application.objects.start;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.stop=db:suricata.dnp3.response.application.objects.stop;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.application.objects.variation=db:suricata.dnp3.response.application.objects.variation;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.control.dir=db:suricata.dnp3.response.control.dir;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.control.fcb=db:suricata.dnp3.response.control.fcb;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.control.fcv=db:suricata.dnp3.response.control.fcv;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.control.function_code=db:suricata.dnp3.response.control.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.control.pri=db:suricata.dnp3.response.control.pri;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.dst=db:suricata.dnp3.response.dst;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.iin.indicators=db:suricata.dnp3.response.iin.indicators;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.response.src=db:suricata.dnp3.response.src;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.response.type=db:suricata.dnp3.response.type;group:suricata_dnp3;kind:termfield;viewerOnly:true
+suricata.dnp3.src=db:suricata.dnp3.src;group:suricata_dnp3;kind:integer;viewerOnly:true
+suricata.dnp3.type=db:suricata.dnp3.type;group:suricata_dnp3;kind:termfield;viewerOnly:true
+
+suricata.dns.aa=db:suricata.dns.aa;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.aa=db:suricata.dns.answer.aa;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.authorities.rrname=db:suricata.dns.answer.authorities.rrname;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.authorities.rrtype=db:suricata.dns.answer.authorities.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.authorities.ttl=db:suricata.dns.answer.authorities.ttl;group:suricata_dns;kind:integer;viewerOnly:true
+suricata.dns.answer.flags=db:suricata.dns.answer.flags;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.id=db:suricata.dns.answer.id;group:suricata_dns;kind:integer;viewerOnly:true
+suricata.dns.answer.qr=db:suricata.dns.answer.qr;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.ra=db:suricata.dns.answer.ra;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.rcode=db:suricata.dns.answer.rcode;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.rrname=db:suricata.dns.answer.rrname;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.rrtype=db:suricata.dns.answer.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.type=db:suricata.dns.answer.type;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answer.version=db:suricata.dns.answer.version;group:suricata_dns;kind:integer;viewerOnly:true
+suricata.dns.answers.rdata=db:suricata.dns.answers.rdata;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answers.rrname=db:suricata.dns.answers.rrname;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answers.rrtype=db:suricata.dns.answers.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.answers.ttl=db:suricata.dns.answers.ttl;group:suricata_dns;kind:integer;viewerOnly:true
+suricata.dns.authorities.rdata=db:suricata.dns.authorities.rdata;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.authorities.rrname=db:suricata.dns.authorities.rrname;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.authorities.rrtype=db:suricata.dns.authorities.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.authorities.ttl=db:suricata.dns.authorities.ttl;group:suricata_dns;kind:integer;viewerOnly:true
+suricata.dns.flags=db:suricata.dns.flags;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.qr=db:suricata.dns.qr;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.query.id=db:suricata.dns.query.id;group:suricata_dns;kind:integer;viewerOnly:true
+suricata.dns.query.rrname=db:suricata.dns.query.rrname;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.query.rrtype=db:suricata.dns.query.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.query.tx_id=db:suricata.dns.query.tx_id;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.query.type=db:suricata.dns.query.type;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.ra=db:suricata.dns.ra;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.rd=db:suricata.dns.rd;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.rrname=db:suricata.dns.rrname;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.rrtype=db:suricata.dns.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.tc=db:suricata.dns.tc;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.tx_id=db:suricata.dns.tx_id;group:suricata_dns;kind:termfield;viewerOnly:true
+suricata.dns.version=db:suricata.dns.version;group:suricata_dns;kind:integer;viewerOnly:true
+
+suricata.email.attachment=db:suricata.email.attachment;group:suricata_email;kind:termfield;viewerOnly:true
+suricata.email.body_md5=db:suricata.email.body_md5;group:suricata_email;kind:termfield;viewerOnly:true
+suricata.email.cc=db:suricata.email.cc;group:suricata_email;kind:termfield;viewerOnly:true
+suricata.email.from=db:suricata.email.from;group:suricata_email;kind:termfield;viewerOnly:true
+suricata.email.status=db:suricata.email.status;group:suricata_email;kind:termfield;viewerOnly:true
+suricata.email.subject_md5=db:suricata.email.subject_md5;group:suricata_email;kind:termfield;viewerOnly:true
+suricata.email.to=db:suricata.email.to;group:suricata_email;kind:termfield;viewerOnly:true
+
+suricata.fileinfo.end=db:suricata.fileinfo.end;group:suricata_fileinfo;kind:integer;viewerOnly:true
+suricata.fileinfo.file_id=db:suricata.fileinfo.file_id;group:suricata_fileinfo;kind:termfield;viewerOnly:true
+suricata.fileinfo.filename=db:suricata.fileinfo.filename;group:suricata_fileinfo;kind:termfield;viewerOnly:true
+suricata.fileinfo.gaps=db:suricata.fileinfo.gaps;group:suricata_fileinfo;kind:termfield;viewerOnly:true
+suricata.fileinfo.magic=db:suricata.fileinfo.magic;group:suricata_fileinfo;kind:termfield;viewerOnly:true
+suricata.fileinfo.md5=db:suricata.fileinfo.md5;group:suricata_fileinfo;kind:termfield;viewerOnly:true
+suricata.fileinfo.sha1=db:suricata.fileinfo.sha1;group:suricata_fileinfo;kind:termfield;viewerOnly:true
+suricata.fileinfo.sha256=db:suricata.fileinfo.sha256;group:suricata_fileinfo;kind:termfield;viewerOnly:true
+suricata.fileinfo.sid=db:suricata.fileinfo.sid;group:suricata_fileinfo;kind:integer;viewerOnly:true
+suricata.fileinfo.size=db:suricata.fileinfo.size;group:suricata_fileinfo;kind:integer;viewerOnly:true
+suricata.fileinfo.start=db:suricata.fileinfo.start;group:suricata_fileinfo;kind:integer;viewerOnly:true
+suricata.fileinfo.state=db:suricata.fileinfo.state;group:suricata_fileinfo;kind:termfield;viewerOnly:true
+suricata.fileinfo.tx_id=db:suricata.fileinfo.tx_id;group:suricata_fileinfo;kind:termfield;viewerOnly:true
+
+suricata.files.end=db:suricata.files.end;group:suricata_files;kind:termfield;viewerOnly:true
+suricata.files.filename=db:suricata.files.filename;group:suricata_files;kind:termfield;viewerOnly:true
+suricata.files.gaps=db:suricata.files.gaps;group:suricata_files;kind:termfield;viewerOnly:true
+suricata.files.size=db:suricata.files.size;group:suricata_files;kind:integer;viewerOnly:true
+suricata.files.start=db:suricata.files.start;group:suricata_files;kind:termfield;viewerOnly:true
+suricata.files.state=db:suricata.files.state;group:suricata_files;kind:termfield;viewerOnly:true
+suricata.files.tx_id=db:suricata.files.tx_id;group:suricata_files;kind:termfield;viewerOnly:true
+
+suricata.flow.age=db:suricata.flow.age;group:suricata_flow;kind:integer;viewerOnly:true
+suricata.flow.alerted=db:suricata.flow.alerted;group:suricata_flow;kind:termfield;viewerOnly:true
+suricata.flow.bytes_toclient=db:suricata.flow.bytes_toclient;group:suricata_flow;kind:integer;viewerOnly:true
+suricata.flow.bytes_toserver=db:suricata.flow.bytes_toserver;group:suricata_flow;kind:integer;viewerOnly:true
+suricata.flow.emergency=db:suricata.flow.emergency;group:suricata_flow;kind:termfield;viewerOnly:true
+suricata.flow.end=db:suricata.flow.end;group:suricata_flow;kind:termfield;viewerOnly:true
+suricata.flow.pkts_toclient=db:suricata.flow.pkts_toclient;group:suricata_flow;kind:integer;viewerOnly:true
+suricata.flow.pkts_toserver=db:suricata.flow.pkts_toserver;group:suricata_flow;kind:integer;viewerOnly:true
+suricata.flow.reason=db:suricata.flow.reason;group:suricata_flow;kind:termfield;viewerOnly:true
+suricata.flow.start=db:suricata.flow.start;group:suricata_flow;kind:termfield;viewerOnly:true
+suricata.flow.state=db:suricata.flow.state;group:suricata_flow;kind:termfield;viewerOnly:true
+
+suricata.ftp.command=db:suricata.ftp.command;group:suricata_ftp;kind:termfield;viewerOnly:true
+suricata.ftp.command_data=db:suricata.ftp.command_data;group:suricata_ftp;kind:termfield;viewerOnly:true
+suricata.ftp.completion_code=db:suricata.ftp.completion_code;group:suricata_ftp;kind:termfield;viewerOnly:true
+suricata.ftp.dynamic_port=db:suricata.ftp.dynamic_port;group:suricata_ftp;kind:integer;viewerOnly:true
+suricata.ftp.reply=db:suricata.ftp.reply;group:suricata_ftp;kind:termfield;viewerOnly:true
+suricata.ftp.reply_received=db:suricata.ftp.reply_received;group:suricata_ftp;kind:termfield;viewerOnly:true
+
+suricata.http.content_range.end=db:suricata.http.content_range.end;group:suricata_http;kind:integer;viewerOnly:true
+suricata.http.content_range.raw=db:suricata.http.content_range.raw;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.content_range.size=db:suricata.http.content_range.size;group:suricata_http;kind:integer;viewerOnly:true
+suricata.http.content_range.start=db:suricata.http.content_range.start;group:suricata_http;kind:integer;viewerOnly:true
+suricata.http.hostname=db:suricata.http.hostname;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.http_content_type=db:suricata.http.http_content_type;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.http_method=db:suricata.http.http_method;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.http_port=db:suricata.http.http_port;group:suricata_http;kind:integer;viewerOnly:true
+suricata.http.http_refer=db:suricata.http.http_refer;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.http_request_body=db:suricata.http.http_request_body;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.http_request_body_printable=db:suricata.http.http_request_body_printable;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.http_response_body=db:suricata.http.http_response_body;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.http_response_body_printable=db:suricata.http.http_response_body_printable;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.http_user_agent=db:suricata.http.http_user_agent;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.length=db:suricata.http.length;group:suricata_http;kind:integer;viewerOnly:true
+suricata.http.protocol=db:suricata.http.protocol;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.redirect=db:suricata.http.redirect;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.request_headers.name=db:suricata.http.request_headers.name;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.request_headers.value=db:suricata.http.request_headers.value;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.response_headers.name=db:suricata.http.response_headers.name;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.response_headers.value=db:suricata.http.response_headers.value;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.status=db:suricata.http.status;group:suricata_http;kind:termfield;viewerOnly:true
+suricata.http.url=db:suricata.http.url;group:suricata_http;kind:termfield;viewerOnly:true
+
+suricata.icmp_code=db:suricata.icmp_code;group:suricata_icmp;kind:integer;viewerOnly:true
+suricata.icmp_type=db:suricata.icmp_type;group:suricata_icmp;kind:integer;viewerOnly:true
+suricata.response_icmp_code=db:suricata.response_icmp_code;group:suricata_icmp;kind:integer;viewerOnly:true
+suricata.response_icmp_type=db:suricata.response_icmp_type;group:suricata_icmp;kind:integer;viewerOnly:true
+
+suricata.ikev2.alg_auth=db:suricata.ikev2.alg_auth;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.alg_dh=db:suricata.ikev2.alg_dh;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.alg_enc=db:suricata.ikev2.alg_enc;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.alg_esn=db:suricata.ikev2.alg_esn;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.alg_prf=db:suricata.ikev2.alg_prf;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.errors=db:suricata.ikev2.errors;group:suricata_ikev2;kind:integer;viewerOnly:true
+suricata.ikev2.exchange_type=db:suricata.ikev2.exchange_type;group:suricata_ikev2;kind:integer;viewerOnly:true
+suricata.ikev2.init_spi=db:suricata.ikev2.init_spi;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.message_id=db:suricata.ikev2.message_id;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.notify=db:suricata.ikev2.notify;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.payload=db:suricata.ikev2.payload;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.resp_spi=db:suricata.ikev2.resp_spi;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.role=db:suricata.ikev2.role;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.version_major=db:suricata.ikev2.version_major;group:suricata_ikev2;kind:integer;viewerOnly:true
+suricata.ikev2.version_minor=db:suricata.ikev2.version_minor;group:suricata_ikev2;kind:integer;viewerOnly:true
+
+suricata.krb5.cname=db:suricata.krb5.cname;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.encryption=db:suricata.krb5.encryption;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.error_code=db:suricata.krb5.error_code;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.failed_request=db:suricata.krb5.failed_request;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.msg_type=db:suricata.krb5.msg_type;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.realm=db:suricata.krb5.realm;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.sname=db:suricata.krb5.sname;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.weak_encryption=db:suricata.krb5.weak_encryption;group:suricata_krb5;kind:termfield;viewerOnly:true
+
+suricata.netflow.age=db:suricata.netflow.age;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.bytes=db:suricata.netflow.bytes;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.end=db:suricata.netflow.end;group:suricata_netflow;kind:termfield;viewerOnly:true
+suricata.netflow.max_ttl=db:suricata.netflow.max_ttl;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.min_ttl=db:suricata.netflow.min_ttl;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.pkts=db:suricata.netflow.pkts;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.start=db:suricata.netflow.start;group:suricata_netflow;kind:termfield;viewerOnly:true
+
+suricata.nfs.file_tx=db:suricata.nfs.file_tx;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.filename=db:suricata.nfs.filename;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.hhash=db:suricata.nfs.hhash;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.id=db:suricata.nfs.id;group:suricata_nfs;kind:integer;viewerOnly:true
+suricata.nfs.procedure=db:suricata.nfs.procedure;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.rename.from=db:suricata.nfs.rename.from;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.rename.to=db:suricata.nfs.rename.to;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.status=db:suricata.nfs.status;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.type=db:suricata.nfs.type;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.version=db:suricata.nfs.version;group:suricata_nfs;kind:integer;viewerOnly:true
+
+suricata.rdp.channels=db:suricata.rdp.channels;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.build=db:suricata.rdp.client.build;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.capabilities=db:suricata.rdp.client.capabilities;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.client_name=db:suricata.rdp.client.client_name;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.color_depth=db:suricata.rdp.client.color_depth;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.client.connection_hint=db:suricata.rdp.client.connection_hint;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.desktop_height=db:suricata.rdp.client.desktop_height;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.client.desktop_width=db:suricata.rdp.client.desktop_width;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.client.function_keys=db:suricata.rdp.client.function_keys;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.client.id=db:suricata.rdp.client.id;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.keyboard_layout=db:suricata.rdp.client.keyboard_layout;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.keyboard_type=db:suricata.rdp.client.keyboard_type;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.product_id=db:suricata.rdp.client.product_id;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.version=db:suricata.rdp.client.version;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.cookie=db:suricata.rdp.cookie;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.error_code=db:suricata.rdp.error_code;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.event_type=db:suricata.rdp.event_type;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.protocol=db:suricata.rdp.protocol;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.reason=db:suricata.rdp.reason;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.server_supports=db:suricata.rdp.server_supports;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.tx_id=db:suricata.rdp.tx_id;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.x509_serials=db:suricata.rdp.x509_serials;group:suricata_rdp;kind:termfield;viewerOnly:true
+
+suricata.rpc.auth_type=db:suricata.rpc.auth_type;group:suricata_rpc;kind:termfield;viewerOnly:true
+suricata.rpc.creds.gid=db:suricata.rpc.creds.gid;group:suricata_rpc;kind:integer;viewerOnly:true
+suricata.rpc.creds.machine_name=db:suricata.rpc.creds.machine_name;group:suricata_rpc;kind:termfield;viewerOnly:true
+suricata.rpc.creds.uid=db:suricata.rpc.creds.uid;group:suricata_rpc;kind:integer;viewerOnly:true
+suricata.rpc.status=db:suricata.rpc.status;group:suricata_rpc;kind:termfield;viewerOnly:true
+suricata.rpc.xid=db:suricata.rpc.xid;group:suricata_rpc;kind:integer;viewerOnly:true
+
+suricata.sip.code=db:suricata.sip.code;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.method=db:suricata.sip.method;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.reason=db:suricata.sip.reason;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.request_line=db:suricata.sip.request_line;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.response_line=db:suricata.sip.response_line;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.uri=db:suricata.sip.uri;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.version=db:suricata.sip.version;group:suricata_sip;kind:termfield;viewerOnly:true
+
+suricata.smb.access=db:suricata.smb.access;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.accessed=db:suricata.smb.accessed;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.changed=db:suricata.smb.changed;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.client_dialects=db:suricata.smb.client_dialects;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.client_guid=db:suricata.smb.client_guid;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.command=db:suricata.smb.command;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.created=db:suricata.smb.created;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.call_id=db:suricata.smb.dcerpc.call_id;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dcerpc.interfaces.ack_reason=db:suricata.smb.dcerpc.interfaces.ack_reason;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.interfaces.ack_result=db:suricata.smb.dcerpc.interfaces.ack_result;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.interfaces.uuid=db:suricata.smb.dcerpc.interfaces.uuid;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dcerpc.interfaces.version=db:suricata.smb.dcerpc.interfaces.version;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dcerpc.opnum=db:suricata.smb.dcerpc.opnum;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.req.frag_cnt=db:suricata.smb.dcerpc.req.frag_cnt;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.req.stub_data_size=db:suricata.smb.dcerpc.req.stub_data_size;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.request=db:suricata.smb.dcerpc.request;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dcerpc.res.frag_cnt=db:suricata.smb.dcerpc.res.frag_cnt;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.res.stub_data_size=db:suricata.smb.dcerpc.res.stub_data_size;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.response=db:suricata.smb.dcerpc.response;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dialect=db:suricata.smb.dialect;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.directory=db:suricata.smb.directory;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.disposition=db:suricata.smb.disposition;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.filename=db:suricata.smb.filename;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.fuid=db:suricata.smb.fuid;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.function=db:suricata.smb.function;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.id=db:suricata.smb.id;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.kerberos.realm=db:suricata.smb.kerberos.realm;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.kerberos.snames=db:suricata.smb.kerberos.snames;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.modified=db:suricata.smb.modified;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.named_pipe=db:suricata.smb.named_pipe;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.ntlmssp.domain=db:suricata.smb.ntlmssp.domain;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.ntlmssp.host=db:suricata.smb.ntlmssp.host;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.ntlmssp.user=db:suricata.smb.ntlmssp.user;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.rename.from=db:suricata.smb.rename.from;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.rename.to=db:suricata.smb.rename.to;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.request.native_lm=db:suricata.smb.request.native_lm;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.request.native_os=db:suricata.smb.request.native_os;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.response.native_lm=db:suricata.smb.response.native_lm;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.response.native_os=db:suricata.smb.response.native_os;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.server_guid=db:suricata.smb.server_guid;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.service.request=db:suricata.smb.service.request;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.service.response=db:suricata.smb.service.response;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.session_id=db:suricata.smb.session_id;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.set_info.class=db:suricata.smb.set_info.class;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.set_info.info_level=db:suricata.smb.set_info.info_level;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.share=db:suricata.smb.share;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.share_type=db:suricata.smb.share_type;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.size=db:suricata.smb.size;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.status=db:suricata.smb.status;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.status_code=db:suricata.smb.status_code;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.tree_id=db:suricata.smb.tree_id;group:suricata_smb;kind:termfield;viewerOnly:true
+
+suricata.smtp.helo=db:suricata.smtp.helo;group:suricata_smtp;kind:termfield;viewerOnly:true
+suricata.smtp.mail_from=db:suricata.smtp.mail_from;group:suricata_smtp;kind:termfield;viewerOnly:true
+suricata.smtp.rcpt_to=db:suricata.smtp.rcpt_to;group:suricata_smtp;kind:termfield;viewerOnly:true
+
+suricata.snmp.community=db:suricata.snmp.community;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.error=db:suricata.snmp.error;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.pdu_type=db:suricata.snmp.pdu_type;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.trap_address=db:suricata.snmp.trap_address;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.trap_oid=db:suricata.snmp.trap_oid;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.trap_type=db:suricata.snmp.trap_type;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.usm=db:suricata.snmp.usm;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.vars=db:suricata.snmp.vars;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.version=db:suricata.snmp.version;group:suricata_snmp;kind:integer;viewerOnly:true
+
+suricata.ssh.client.proto_version=db:suricata.ssh.client.proto_version;group:suricata_ssh;kind:termfield;viewerOnly:true
+suricata.ssh.client.software_version=db:suricata.ssh.client.software_version;group:suricata_ssh;kind:termfield;viewerOnly:true
+suricata.ssh.server.proto_version=db:suricata.ssh.server.proto_version;group:suricata_ssh;kind:termfield;viewerOnly:true
+suricata.ssh.server.software_version=db:suricata.ssh.server.software_version;group:suricata_ssh;kind:termfield;viewerOnly:true
+
+suricata.tcp.ack=db:suricata.tcp.ack;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.cwr=db:suricata.tcp.cwr;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.ecn=db:suricata.tcp.ecn;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.fin=db:suricata.tcp.fin;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.psh=db:suricata.tcp.psh;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.rst=db:suricata.tcp.rst;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.state=db:suricata.tcp.state;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.syn=db:suricata.tcp.syn;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.tcp_flags=db:suricata.tcp.tcp_flags;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.tcp_flags_tc=db:suricata.tcp.tcp_flags_tc;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.tcp_flags_ts=db:suricata.tcp.tcp_flags_ts;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.urg=db:suricata.tcp.urg;group:suricata_tcp;kind:termfield;viewerOnly:true
+
+suricata.tftp.file=db:suricata.tftp.file;group:suricata_tftp;kind:termfield;viewerOnly:true
+suricata.tftp.mode=db:suricata.tftp.mode;group:suricata_tftp;kind:termfield;viewerOnly:true
+suricata.tftp.packet=db:suricata.tftp.packet;group:suricata_tftp;kind:termfield;viewerOnly:true
+
+suricata.tls.fingerprint=db:suricata.tls.fingerprint;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.from_proto=db:suricata.tls.from_proto;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.issuerdn=db:suricata.tls.issuerdn;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.notafter=db:suricata.tls.notafter;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.notbefore=db:suricata.tls.notbefore;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.serial=db:suricata.tls.serial;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.session_resumed=db:suricata.tls.session_resumed;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.sni=db:suricata.tls.sni;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.subject=db:suricata.tls.subject;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.version=db:suricata.tls.version;group:suricata_tls;kind:termfield;viewerOnly:true
+
+suricata.tunnel.depth=db:suricata.tunnel.depth;group:suricata_tunnel;kind:integer;viewerOnly:true
+suricata.tunnel.dest_ip=db:suricata.tunnel.dest_ip;group:suricata_tunnel;kind:termfield;viewerOnly:true
+suricata.tunnel.dest_port=db:suricata.tunnel.dest_port;group:suricata_tunnel;kind:integer;viewerOnly:true
+suricata.tunnel.proto=db:suricata.tunnel.proto;group:suricata_tunnel;kind:termfield;viewerOnly:true
+suricata.tunnel.src_ip=db:suricata.tunnel.src_ip;group:suricata_tunnel;kind:termfield;viewerOnly:true
+suricata.tunnel.src_port=db:suricata.tunnel.src_port;group:suricata_tunnel;kind:integer;viewerOnly:true
 # some of the suricata custom views are commented out when > 2 levels
 # deep due to arkime/arkime#1781 (and pugjs/pug#3292)
@@ -2559,9 +2556,9 @@ n_netbox_segment_originator=require:source.segment.id;title:NetBox Segment (Orig
 n_netbox_segment_responder=require:destination.segment.id;title:NetBox Segment (Responder);fields:destination.segment.id,destination.segment.name,destination.segment.site,destination.segment.tenant,destination.segment.url
 n_netbox_z_related=require:related.site;title:NetBox Related;fields:related.site,network.name,related.manufacturer,related.device_type,related.role,related.device_name,related.service
 o_zeek_bacnet=require:zeek.bacnet;title:Zeek bacnet.log;fields:zeek.bacnet.bvlc_function,zeek.bacnet.pdu_type,zeek.bacnet.pdu_service,zeek.bacnet.invoke_id,zeek.bacnet.instance_number,zeek.bacnet.result_code
-o_zeek_bacnet_discovery=require:zeek.bacnet_discovery;title:Zeek bacnet_discovery.log;fields:zeek.bacnet_discovery.pdu_service,zeek.bacnet_discovery.object_type,zeek.bacnet_discovery.vendor,zeek.bacnet_discovery.range,zeek.bacnet_discovery.range_low,zeek.bacnet_discovery.range_high,zeek.bacnet_discovery.object_name
-o_zeek_bacnet_device_control=require:zeek.bacnet_device_control;title:Zeek bacnet_device_control.log;fields:zeek.bacnet_device_control.pdu_service,zeek.bacnet_device_control.time_duration,zeek.bacnet_device_control.device_state,zeek.bacnet_device_control.result,zeek.bacnet_device_control.result_code
-o_zeek_bacnet_property=require:zeek.bacnet_property;title:Zeek bacnet_property.log;fields:zeek.bacnet_property.pdu_service,zeek.bacnet_property.object_type,zeek.bacnet_property.property,zeek.bacnet_property.array_index,zeek.bacnet_property.value
+o_zeek_bacnet_discovery=require:zeek.bacnet_discovery;title:Zeek bacnet_discovery.log;fields:zeek.bacnet.pdu_service,zeek.bacnet_discovery.object_type,zeek.bacnet_discovery.vendor,zeek.bacnet_discovery.range,zeek.bacnet_discovery.range_low,zeek.bacnet_discovery.range_high,zeek.bacnet_discovery.object_name
+o_zeek_bacnet_device_control=require:zeek.bacnet_device_control;title:Zeek bacnet_device_control.log;fields:zeek.bacnet.pdu_service,zeek.bacnet_device_control.time_duration,zeek.bacnet_device_control.device_state,zeek.bacnet_device_control.result,zeek.bacnet_device_control.result_code
+o_zeek_bacnet_property=require:zeek.bacnet_property;title:Zeek bacnet_property.log;fields:zeek.bacnet.pdu_service,zeek.bacnet_property.object_type,zeek.bacnet_property.property,zeek.bacnet_property.array_index,zeek.bacnet_property.value
 o_zeek_bestguess=require:zeek.bestguess;title:Zeek bestguess.log;fields:zeek.bestguess.name,zeek.bestguess.category
 o_zeek_bsap_ip_header=require:zeek.bsap_ip_header;title:Zeek bsap_ip_header.log;fields:zeek.bsap_ip_header.num_msg,zeek.bsap_ip_header.type_name
 o_zeek_bsap_ip_rdb=require:zeek.bsap_ip_rdb;title:Zeek bsap_ip_rdb.log;fields:zeek.bsap_ip_rdb.app_func_code,zeek.bsap_ip_rdb.variables.var,zeek.bsap_ip_rdb.variables.val,zeek.bsap_ip_rdb.variable_count,zeek.bsap_ip_rdb.func_code,zeek.bsap_ip_rdb.header_size,zeek.bsap_ip_rdb.mes_seq,zeek.bsap_ip_rdb.node_status,zeek.bsap_ip_rdb.res_seq,zeek.bsap_ip_rdb.sequence
diff --git a/arkime/patch/fields_db_max_5000.patch b/arkime/patch/fields_db_max_5000.patch
deleted file mode 100644
index 71f802603..000000000
--- a/arkime/patch/fields_db_max_5000.patch
+++ /dev/null
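Review bot: The three rewritten views (`o_zeek_bacnet_discovery`, `o_zeek_bacnet_device_control`, `o_zeek_bacnet_property`) now list `zeek.bacnet.pdu_service` while each is still gated on `require:` of its own per-log prefix, and nothing in config.ini says why a `bacnet_discovery` view reads a field from the `zeek.bacnet` namespace. The matching removals of `zeek.bacnet_*.pdu_service` from source.zeeklogs.js later in this diff suggest the per-log `pdu_service` fields were folded into the shared `zeek.bacnet.pdu_service`, but that is an inference. A one-line comment above `o_zeek_bacnet_discovery`, e.g. `# pdu_service is indexed once as zeek.bacnet.pdu_service and shared by the discovery/device_control/property views`, would stop a later reader from "fixing" these back to the per-log paths that no longer exist.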
@@ -1,52 +0,0 @@
-diff --git a/capture/db.c b/capture/db.c
-index 8970c661..8d7dddd1 100644
---- a/capture/db.c
-+++ b/capture/db.c
-@@ -2323,7 +2323,7 @@ LOCAL void moloch_db_load_fields()
- char key[100];
- int key_len;
- 
-- key_len = snprintf(key, sizeof(key), "/%sfields/_search?size=3000", config.prefix);
-+ key_len = snprintf(key, sizeof(key), "/%sfields/_search?size=%d", config.prefix, MOLOCH_FIELDS_DB_MAX);
- unsigned char *data = moloch_http_get(esServer, key, key_len, &data_len);
- 
- if (!data) {
-diff --git a/capture/moloch.h b/capture/moloch.h
-index c5f93acd..c41e3ede 100644
---- a/capture/moloch.h
-+++ b/capture/moloch.h
-@@ -364,7 +364,7 @@ enum MolochRotate {
- */
- 
- #define MOLOCH_FIELD_NOT_FOUND -1
--#define MOLOCH_FIELDS_DB_MAX 512
-+#define MOLOCH_FIELDS_DB_MAX 5000
- #define MOLOCH_FIELDS_CNT_MIN MOLOCH_FIELDS_DB_MAX
- #define MOLOCH_FIELDS_CNT_MAX (MOLOCH_FIELDS_DB_MAX*2)
- #define MOLOCH_FIELD_EXSPECIAL_START (MOLOCH_FIELDS_CNT_MAX)
-diff --git a/capture/plugins/wise.c b/capture/plugins/wise.c
-index 8000ad0c..f809ad3d 100644
---- a/capture/plugins/wise.c
-+++ b/capture/plugins/wise.c
-@@ -111,7 +111,7 @@ typedef struct wiseitem_head {
- uint32_t wil_count;
- } WiseItemHead_t;
- 
--#define WISE_MAX_REQUEST_ITEMS 512
-+#define WISE_MAX_REQUEST_ITEMS MOLOCH_FIELDS_DB_MAX
- typedef struct wiserequest {
- BSB bsb;
- WiseItem_t *items[WISE_MAX_REQUEST_ITEMS];
-diff --git a/viewer/db.js b/viewer/db.js
-index 96a75ecd..12f24c0b 100644
---- a/viewer/db.js
-+++ b/viewer/db.js
-@@ -1747,7 +1747,7 @@ exports.sid2Index = function (id, options) {
- };
- 
- exports.loadFields = async () => {
-- return exports.search('fields', 'field', { size: 3000 });
-+ return exports.search('fields', 'field', { size: 5000 });
- };
- 
- exports.getIndices = async (startTime, stopTime, bounding, rotateIndex) => {
diff --git a/arkime/patch/viewer_db_opensearchv2_keyword_hack.patch b/arkime/patch/viewer_db_opensearchv2_keyword_hack.patch
deleted file mode 100644
index 1d18f92a8..000000000
--- a/arkime/patch/viewer_db_opensearchv2_keyword_hack.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/viewer/db.js b/viewer/db.js
-index 96a75ecd..0289b67c 100644
---- a/viewer/db.js
-+++ b/viewer/db.js
-@@ -392,7 +392,13 @@ function fixSessionFields (fields, unflatten) {
- delete fields[f];
- for (let i = 0; i < path.length; i++) {
- if (i === path.length - 1) {
-- key[path[i]] = value;
-+ // HACKITY-HACK-HACK
-+ // This was breaking in OpenSearch v2. @andywick says he doesn't think the .keyword
-+ // fields should be showing up here, but here we are.
-+ // "Doctor, it hurts when I do this." "Don't do that."
-+ if (path[i] !== 'keyword') {
-+ key[path[i]] = value;
-+ }
- break;
- } else if (key[path[i]] === undefined) {
- key[path[i]] = {};
diff --git a/arkime/patch/viewer_loadfields_max_10000.patch b/arkime/patch/viewer_loadfields_max_10000.patch
new file mode 100644
index 000000000..8c0ef6c3c
--- /dev/null
+++ b/arkime/patch/viewer_loadfields_max_10000.patch
@@ -0,0 +1,13 @@
+diff --git a/viewer/db.js b/viewer/db.js
+index 96a75ecd..12f24c0b 100644
+--- a/viewer/db.js
++++ b/viewer/db.js
+@@ -1747,7 +1747,7 @@ exports.sid2Index = function (id, options) {
+ };
+ 
+ exports.loadFields = async () => {
+- return exports.search('fields', 'field', { size: 3000 });
++ return exports.search('fields', 'field', { size: 10000 });
+ };
+ 
+ exports.getIndices = async (startTime, stopTime, bounding, rotateIndex) => {
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index 063b6ea45..dcd12298e 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
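Review bot: The replacement patch raises only the viewer's `loadFields` page size (`{ size: 10000 }`), whereas the `fields_db_max_5000.patch` it replaces also raised the capture side — `MOLOCH_FIELDS_DB_MAX` 512→5000, the `/fields/_search?size=` query in `capture/db.c`, and `WISE_MAX_REQUEST_ITEMS`. Nothing in this diff shows those capture-side limits being raised elsewhere, so unless the Arkime release this commit moves to lifted them upstream, capture and viewer will load field definitions with different ceilings and any field beyond capture's limit is silently unavailable to the session parsers; please confirm that against the upstream sources before merging. Note also that 10000 equals the default `index.max_result_window`, so a later bump above it will fail at query time rather than truncate. I would record both facts in the patch's free-text header (the lines before the first `diff --git`, which `git apply`/`patch` ignore), e.g. `viewer loadFields size set to 10000 (== OpenSearch default index.max_result_window); capture-side MOLOCH_FIELDS_DB_MAX is no longer patched because the targeted Arkime version raises it upstream`, adjusted to whatever the confirmation shows.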
@@ -753,21 +753,18 @@ class MalcolmSource extends WISESource {
 "zeek.bacnet.pdu_service",
 "zeek.bacnet.pdu_type",
 "zeek.bacnet.result_code",
- "zeek.bacnet_device_control.pdu_service",
 "zeek.bacnet_device_control.time_duration",
 "zeek.bacnet_device_control.device_state",
 "zeek.bacnet_device_control.result",
 "zeek.bacnet_device_control.result_code",
 "zeek.bacnet_discovery.object_name",
 "zeek.bacnet_discovery.object_type",
- "zeek.bacnet_discovery.pdu_service",
 "zeek.bacnet_discovery.range",
 "zeek.bacnet_discovery.range_high",
 "zeek.bacnet_discovery.range_low",
 "zeek.bacnet_discovery.vendor",
 "zeek.bacnet_property.array_index",
 "zeek.bacnet_property.object_type",
- "zeek.bacnet_property.pdu_service",
 "zeek.bacnet_property.property",
 "zeek.bacnet_property.value",
 "zeek.bestguess.category",
diff --git a/config/zeek.env.example b/config/zeek.env.example
index 060fe1290..843463bb2 100644
--- a/config/zeek.env.example
+++ b/config/zeek.env.example
@@ -50,7 +50,6 @@ ZEEK_DISABLE_HASH_ALL_FILES=
 ZEEK_DISABLE_LOG_PASSWORDS=
 ZEEK_DISABLE_SSL_VALIDATE_CERTS=
 ZEEK_DISABLE_TRACK_ALL_ASSETS=
-ZEEK_DISABLE_BEST_GUESS_ICS=true
 ZEEK_DISABLE_SPICY_DHCP=true
 ZEEK_DISABLE_SPICY_DNS=true
 ZEEK_DISABLE_SPICY_HTTP=true
@@ -61,4 +60,19 @@ ZEEK_DISABLE_SPICY_STUN=
 ZEEK_DISABLE_SPICY_TAILSCALE=
 ZEEK_DISABLE_SPICY_TFTP=
 ZEEK_DISABLE_SPICY_WIREGUARD=
-ZEEK_SYNCHROPHASOR_DETAILED=
\ No newline at end of file
+ZEEK_DISABLE_ICS_ALL=
+ZEEK_DISABLE_ICS_BACNET=
+ZEEK_DISABLE_ICS_BSAP=
+ZEEK_DISABLE_ICS_DNP3=
+ZEEK_DISABLE_ICS_ENIP=
+ZEEK_DISABLE_ICS_ETHERCAT=
+ZEEK_DISABLE_ICS_GENISYS=
+ZEEK_DISABLE_ICS_OPCUA_BINARY=
+ZEEK_DISABLE_ICS_MODBUS=
+ZEEK_DISABLE_ICS_PROFINET=
+ZEEK_DISABLE_ICS_S7COMM=
+ZEEK_DISABLE_ICS_SYNCHROPHASOR=
+ZEEK_SYNCHROPHASOR_PORTS=
+ZEEK_SYNCHROPHASOR_DETAILED=
+ZEEK_GENISYS_PORTS=
+ZEEK_DISABLE_BEST_GUESS_ICS=true
\ No newline at end of file
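Review bot: The sixteen new entries from `ZEEK_DISABLE_ICS_ALL=` through `ZEEK_GENISYS_PORTS=` in the second zeek.env.example hunk give no hint of their accepted values — whether `ZEEK_DISABLE_ICS_ALL` overrides or merely combines with the per-protocol `ZEEK_DISABLE_ICS_*` flags, and what format the two `*_PORTS` lists take — so an operator trimming the ICS analyzers on a sensor has to read the Zeek scripts to learn what leaving them empty means. The surrounding lines use `true` to disable, so I'd assume empty means enabled, but that is an inference; a short comment above `ZEEK_DISABLE_ICS_ALL=` such as `# ICS analyzers: set to true to disable (empty = enabled); ZEEK_DISABLE_ICS_ALL precedence and *_PORTS list format: see the zeek ICS scripts` would make the example self-describing, provided the loader that reads this file tolerates `#` comments. The file also still ends on `ZEEK_DISABLE_BEST_GUESS_ICS=true` with `\ No newline at end of file`; terminating it with a newline avoids the last assignment being dropped by `read`-style line-by-line consumers.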
diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
index b2eddc07c..9f7aed2f3 100644
--- a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
+++ b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
@@ -651,7 +651,7 @@
 "columns": [
 "source.ip",
 "zeek.known_modbus.device_type",
- "event.id"
+ "network.direction"
 ],
 "sort": [
 [
diff --git a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
index 2f218e86c..0ccb7b879 100644
--- a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
@@ -370,7 +370,7 @@ "version": "WzIwMywxXQ==", "attributes": { "title": "BACnet - Device Discovery", - "visState": "{\"title\":\"BACnet - Device Discovery\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Identifier\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU 
Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vendor\"}}]}", + "visState": "{\"title\":\"BACnet - Device Discovery\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object 
Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Identifier\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vendor\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "Results from BACnet i-am and i-have commands", "version": 1, 
@@ -400,7 +400,7 @@
 "version": "WzIwMiwxXQ==",
 "attributes": {
 "title": "BACnet - Read and Write Property ",
- "visState": "{\"title\":\"BACnet - Read and Write Property \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":6,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Property Value\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object 
Identifier\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.property\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Value\"}}]}",
+ "visState": "{\"title\":\"BACnet - Read and Write Property \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":6,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Property 
Value\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Identifier\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.property\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property 
Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Value\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}}}}",
 "description": "Results from BACnet Read-Property and Write-Property Commands",
 "version": 1,
@@ -477,7 +477,7 @@
 "columns": [
 "source.ip",
 "destination.ip",
- "zeek.bacnet_property.pdu_service",
+ "zeek.bacnet.pdu_service",
 "zeek.bacnet_property.object_type",
 "zeek.bacnet.instance_number",
 "zeek.bacnet_property.property",
@@ -520,7 +520,7 @@
 "columns": [
 "source.ip",
 "destination.ip",
- "zeek.bacnet_discovery.pdu_service",
+ "zeek.bacnet.pdu_service",
 "zeek.bacnet_discovery.object_type",
 "zeek.bacnet.instance_number",
 "zeek.bacnet_discovery.vendor"
@@ -570,7 +570,7 @@
 "sort": [],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:bacnet_device_control\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:bacnet_device_control\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
index 50ce2f5c9..1bd5dfef3 100644
--- a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
+++ b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
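Review bot: The `pdu_service` terms aggregation (agg id 2) in the new visState keeps `\"missingBucket\":false`, so any document that still carries the old `zeek.bacnet_property.pdu_service` name instead of the new `zeek.bacnet.pdu_service` drops out of the "Read and Write Property" table silently rather than landing in a Missing bucket; the same rename is applied to the saved-search column lists at @@ -477 and @@ -520. Whether the Zeek log parsing and index field mapping that populate `zeek.bacnet.pdu_service` change in the same commit is not visible here, and data indexed before the rename would keep the old field name either way. For an ICS dashboard used to spot BACnet property writes, a table that quietly shows fewer rows is easy to misread as less activity, so consider a reindex or field-alias step for existing data, or at minimum `\"missingBucket\":true` on that aggregation so the gap shows up instead of vanishing.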
@@ -1,569 +1,569 @@ -{ - "version": "1.3.1", - "objects": [ - { - "id": "95479950-41f2-11ea-88fa-7151df485405", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:31:25.103Z", - "version": "WzExMjYsMV0=", - "attributes": { - "title": "Security Overview", - "hits": 0, - "description": "", - "panelsJSON": "[{\"version\":\"1.3.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":32,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":32,\"i\":\"e8718353-4f86-4746-9ac0-8a755bd3813a\"},\"panelIndex\":\"e8718353-4f86-4746-9ac0-8a755bd3813a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":32,\"i\":\"172d3708-82e7-4cb1-84ad-010955614e8b\"},\"panelIndex\":\"172d3708-82e7-4cb1-84ad-010955614e8b\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":0,\"y\":32,\"w\":12,\"h\":18,\"i\":\"1789e54a-db27-4e5e-92d3-2f44b3f9f96e\"},\"panelIndex\":\"1789e54a-db27-4e5e-92d3-2f44b3f9f96e\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":12,\"y\":32,\"w\":21,\"h\":18,\"i\":\"e1779497-5073-4664-9f4a-474aebfa2c78\"},\"panelIndex\":\"e1779497-5073-4664-9f4a-474aebfa2c78\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":33,\"y\":32,\"w\":15,\"h\":18,\"i\":\"119a8b45-c803-4c71-93b4-a9514803021a\"},\"panelIndex\":\"119a8b45-c803-4c71-93b4-a9514803021a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":0,\"y\":50,\"w\":28,\"h\":18,\"i\":\"2231b6ad-9e0d-4524-a359-bdc2c8332991\"}
,\"panelIndex\":\"2231b6ad-9e0d-4524-a359-bdc2c8332991\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_6\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":28,\"y\":50,\"w\":10,\"h\":18,\"i\":\"61f158d0-8c28-499f-af09-4df087948d42\"},\"panelIndex\":\"61f158d0-8c28-499f-af09-4df087948d42\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":38,\"y\":50,\"w\":10,\"h\":18,\"i\":\"4cdbaf8d-bb32-457f-a198-e9734168c5eb\"},\"panelIndex\":\"4cdbaf8d-bb32-457f-a198-e9734168c5eb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":0,\"y\":68,\"w\":26,\"h\":29,\"i\":\"6beedf2b-5d72-48af-a90f-f56781764efe\"},\"panelIndex\":\"6beedf2b-5d72-48af-a90f-f56781764efe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":26,\"y\":68,\"w\":22,\"h\":29,\"i\":\"071a1c98-695f-4708-92c9-2c950e515131\"},\"panelIndex\":\"071a1c98-695f-4708-92c9-2c950e515131\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":null}},\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}}}},\"panelRefName\":\"panel_10\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":0,\"y\":97,\"w\":48,\"h\":33,\"i\":\"9df4498d-9d4d-4613-bc54-8fca34ade25c\"},\"panelIndex\":\"9df4498d-9d4d-4613-bc54-8fca34ade25c\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_11\"},{\"version\":\"1.3.1\",\"gridData\":{\"x\":0,\"y\":130,\"w\":48,\"h\":31,\"i\":\"ad7c7773-e54a-4da3-8e6e-7da232febdef\"},\"panelIndex\":\"ad7c7773-e54a-4da3-8e6e-7da232febdef\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"}]", - "optionsJSON": "{\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" - } - }, - "references": 
[ - { - "name": "panel_0", - "type": "visualization", - "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" - }, - { - "name": "panel_1", - "type": "visualization", - "id": "8f673450-cbd9-11ec-a50a-5fedd672f5c5" - }, - { - "name": "panel_2", - "type": "visualization", - "id": "a5acf7f0-cbdd-11ec-a50a-5fedd672f5c5" - }, - { - "name": "panel_3", - "type": "visualization", - "id": "e9f27fa0-41f8-11ea-88fa-7151df485405" - }, - { - "name": "panel_4", - "type": "visualization", - "id": "596d20d0-d147-11ec-ab4e-83a83b5e27a4" - }, - { - "name": "panel_5", - "type": "visualization", - "id": "c5b1e590-41f3-11ea-88fa-7151df485405" - }, - { - "name": "panel_6", - "type": "visualization", - "id": "d8b8a6a0-41fe-11ea-88fa-7151df485405" - }, - { - "name": "panel_7", - "type": "visualization", - "id": "4a183420-41f3-11ea-88fa-7151df485405" - }, - { - "name": "panel_8", - "type": "visualization", - "id": "0ffb5790-41f3-11ea-88fa-7151df485405" - }, - { - "name": "panel_9", - "type": "visualization", - "id": "3a582cc0-6fab-11eb-958c-51e33b5cae2a" - }, - { - "name": "panel_10", - "type": "visualization", - "id": "69241a80-421d-11ea-9084-41ab7c5fff2e" - }, - { - "name": "panel_11", - "type": "visualization", - "id": "f7b3ba60-41f7-11ea-88fa-7151df485405" - }, - { - "name": "panel_12", - "type": "search", - "id": "33ba96c0-cbdd-11ec-a50a-5fedd672f5c5" - } - ], - "migrationVersion": { - "dashboard": "7.9.3" - } - }, - { - "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:09:14.850Z", - "version": "WzgwNiwxXQ==", - "attributes": { - "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security 
Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● 
[LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT 
Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "references": [], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "8f673450-cbd9-11ec-a50a-5fedd672f5c5", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUwNywxXQ==", - "attributes": { - "title": "Normalized Event Category", - "visState": "{\"title\":\"Normalized Event Category\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\" 
\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\" \"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Transport\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":40},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\" \"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\" \",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"rule.category:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": 
[ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "a5acf7f0-cbdd-11ec-a50a-5fedd672f5c5", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUwOCwxXQ==", - "attributes": { - "title": "Notice, Alert, Signature and Weird - Summary", - "visState": "{\"title\":\"Notice, Alert, Signature and Weird - Summary\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Provider\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":fal
se,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "33ba96c0-cbdd-11ec-a50a-5fedd672f5c5" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "e9f27fa0-41f8-11ea-88fa-7151df485405", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUwOSwxXQ==", - "attributes": { - "title": "Outdated/Insecure Application Protocols", - "visState": "{\"title\":\"Outdated/Insecure Application Protocols\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application 
Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol Version\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"(NOT event.dataset:known*) AND ((network.protocol:ssh AND network.protocol_version < 2) OR (network.protocol:smb AND network.protocol_version < 2) OR (network.protocol:tls AND NOT network.protocol_version:(*TLS*v12* OR *TLS*v13*)) OR (network.protocol:ntp AND network.protocol_version < 4) OR (network.protocol:rfb AND network.protocol_version < 3.8) OR (network.protocol:rdp AND network.protocol_version < 6.0) OR (network.protocol:snmp AND network.protocol_version < 3) OR (network.protocol:ldap AND network.protocol_version < 3) OR (network.protocol:ftp) OR (network.protocol:tftp) OR (network.protocol:telnet) OR (network.protocol:rlogin) OR (network.protocol:rsh))\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "596d20d0-d147-11ec-ab4e-83a83b5e27a4", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:28:11.485Z", - "version": "WzEwOTksMV0=", - "attributes": { - "title": "Vulnerabilities", - "visState": "{\"title\":\"Vulnerabilities\",\"type\":\"table\",\"aggs\":[{\"id\":\"5\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"firstPacket\",\"customLabel\":\"Last 
Seen\"},\"schema\":\"metric\"},{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Data Source\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Log Type\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"vulnerability.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vulnerability ID\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "33ba96c0-cbdd-11ec-a50a-5fedd672f5c5" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "c5b1e590-41f3-11ea-88fa-7151df485405", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUxMiwxXQ==", - "attributes": { - "title": "Clear-text Transmission of Passwords ", - "visState": 
"{\"title\":\"Clear-text Transmission of Passwords \",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Username\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\\\\*password:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { 
- "visualization": "7.10.0" - } - }, - { - "id": "d8b8a6a0-41fe-11ea-88fa-7151df485405", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUxNCwxXQ==", - "attributes": { - "title": "Inbound Access By Protocol Over Time", - "visState": "{\"title\":\"Inbound Access By Protocol Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-01-28T18:52:45.953Z\",\"max\":\"2020-01-28T18:52:45.953Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}}}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:(ssh OR rdp OR rfb OR telnet OR rlogin OR rsh OR openvpn OR ipsec OR wireguard) AND network.direction:(inbound OR outbound)\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "4a183420-41f3-11ea-88fa-7151df485405", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUxMSwxXQ==", - 
"attributes": { - "title": "Outbound Internal Traffic by Country", - "visState": "{\"title\":\"Outbound Internal Traffic by Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Responding Country\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"network.direction:outbound\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "0ffb5790-41f3-11ea-88fa-7151df485405", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUxMCwxXQ==", - "attributes": { - "title": "Inbound External Traffic by Country", - "visState": "{\"title\":\"Inbound External Traffic by 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Originating Country\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"network.direction:inbound\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "3a582cc0-6fab-11eb-958c-51e33b5cae2a", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUxMywxXQ==", - "attributes": { - "title": "File Transfers", - "visState": "{\"title\":\"File 
Transfers\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"file.mime_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":false}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "69241a80-421d-11ea-9084-41ab7c5fff2e", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUxNSwxXQ==", - "attributes": { - "title": "DNS Queries by Randomness", - "visState": "{\"title\":\"DNS Queries by Randomness\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS 
Query\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"},\"schema\":\"bucket\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":20,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"},\"totalFunc\":\"sum\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "f7b3ba60-41f7-11ea-88fa-7151df485405", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": 
"2022-05-11T16:08:47.608Z", - "version": "WzUxNiwxXQ==", - "attributes": { - "title": "Connections by Destination Country (region map)", - "visState": "{\"title\":\"Connections by Destination Country (region map)\",\"type\":\"region_map\",\"params\":{\"legendPosition\":\"bottomright\",\"addTooltip\":true,\"colorSchema\":\"Blues\",\"emsHotLink\":\"\",\"isDisplayWarning\":false,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service

\"}},\"mapZoom\":2,\"mapCenter\":[0,0],\"outlineWeight\":1,\"showAllShapes\":true,\"selectedLayer\":{\"name\":\"World (offline)\",\"url\":\"/world.geojson\",\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"name\":\"ISO_A2\",\"description\":\"Country Code\"},{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},{\"name\":\"NAME\",\"description\":\"Country Name\"}],\"format\":{\"type\":\"geojson\"},\"meta\":{\"feature_collection_path\":\"data\"},\"layerId\":\"self_hosted.World (offline)\",\"isEMS\":false},\"selectedJoinField\":{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Connections\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_code2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}", - "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[37.16031654673677,-5.7511603125000015]}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "33ba96c0-cbdd-11ec-a50a-5fedd672f5c5", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": 
"WzUxNywxXQ==", - "attributes": { - "title": "Notice, Alert, Signature and Weird - Logs", - "description": "", - "hits": 0, - "columns": [ - "event.provider", - "event.dataset", - "event.module", - "rule.category", - "rule.name", - "network.protocol", - "source.ip", - "destination.ip", - "event.severity_tags", - "event.id" - ], - "sort": [], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"(event.provider:zeek AND event.dataset:(notice OR signatures OR weird)) OR (event.provider:suricata AND event.dataset:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - }, - { - "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:09:11.826Z", - "version": "Wzc4MSwxXQ==", - "attributes": { - "title": "Connections - Logs", - "description": "", - "hits": 0, - "columns": [ - "network.transport", - "network.protocol", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.bytes", - "event.id" - ], - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } 
- }, - { - "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-05-11T16:08:47.608Z", - "version": "WzUxOSwxXQ==", - "attributes": { - "title": "DNS - Logs", - "description": "", - "hits": 0, - "columns": [ - "source.ip", - "destination.ip", - "zeek.dns.query", - "zeek.dns.answers", - "event.id" - ], - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - } - ] +{ + "version": "2.8.0", + "objects": [ + { + "id": "95479950-41f2-11ea-88fa-7151df485405", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T19:51:11.803Z", + "version": "Wzk0OSwxXQ==", + "attributes": { + "title": "Security Overview", + "hits": 0, + "description": "", + "panelsJSON": 
"[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":32,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":32,\"i\":\"e8718353-4f86-4746-9ac0-8a755bd3813a\"},\"panelIndex\":\"e8718353-4f86-4746-9ac0-8a755bd3813a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":32,\"i\":\"172d3708-82e7-4cb1-84ad-010955614e8b\"},\"panelIndex\":\"172d3708-82e7-4cb1-84ad-010955614e8b\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":32,\"w\":12,\"h\":18,\"i\":\"1789e54a-db27-4e5e-92d3-2f44b3f9f96e\"},\"panelIndex\":\"1789e54a-db27-4e5e-92d3-2f44b3f9f96e\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":12,\"y\":32,\"w\":21,\"h\":18,\"i\":\"e1779497-5073-4664-9f4a-474aebfa2c78\"},\"panelIndex\":\"e1779497-5073-4664-9f4a-474aebfa2c78\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":33,\"y\":32,\"w\":15,\"h\":18,\"i\":\"119a8b45-c803-4c71-93b4-a9514803021a\"},\"panelIndex\":\"119a8b45-c803-4c71-93b4-a9514803021a\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":50,\"w\":28,\"h\":18,\"i\":\"2231b6ad-9e0d-
4524-a359-bdc2c8332991\"},\"panelIndex\":\"2231b6ad-9e0d-4524-a359-bdc2c8332991\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":28,\"y\":50,\"w\":10,\"h\":18,\"i\":\"61f158d0-8c28-499f-af09-4df087948d42\"},\"panelIndex\":\"61f158d0-8c28-499f-af09-4df087948d42\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":38,\"y\":50,\"w\":10,\"h\":18,\"i\":\"4cdbaf8d-bb32-457f-a198-e9734168c5eb\"},\"panelIndex\":\"4cdbaf8d-bb32-457f-a198-e9734168c5eb\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":68,\"w\":26,\"h\":29,\"i\":\"6beedf2b-5d72-48af-a90f-f56781764efe\"},\"panelIndex\":\"6beedf2b-5d72-48af-a90f-f56781764efe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":26,\"y\":68,\"w\":22,\"h\":29,\"i\":\"071a1c98-695f-4708-92c9-2c950e515131\"},\"panelIndex\":\"071a1c98-695f-4708-92c9-2c950e515131\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":null}},\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"sortColumn\":{\"colIndex\":2,\"direction\":\"asc\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":97,\"w\":48,\"h\":33,\"i\":\"9df4498d-9d4d-4613-bc54-8fca34ade25c\"},\"panelIndex\":\"9df4498d-9d4d-4613-bc54-8fca34ade25c\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":130,\"w\":48,\"h\":31,\"i\":\"ad7c7773-e54a-4da3-8e6e-7da232febdef\"},\"panelIndex\":\"ad7c7773-e54a-4da3-8e6e-7da2
32febdef\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"}]", + "optionsJSON": "{\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "panel_0", + "type": "visualization", + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_1", + "type": "visualization", + "id": "8f673450-cbd9-11ec-a50a-5fedd672f5c5" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "a5acf7f0-cbdd-11ec-a50a-5fedd672f5c5" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "e9f27fa0-41f8-11ea-88fa-7151df485405" + }, + { + "name": "panel_4", + "type": "visualization", + "id": "596d20d0-d147-11ec-ab4e-83a83b5e27a4" + }, + { + "name": "panel_5", + "type": "visualization", + "id": "c5b1e590-41f3-11ea-88fa-7151df485405" + }, + { + "name": "panel_6", + "type": "visualization", + "id": "d8b8a6a0-41fe-11ea-88fa-7151df485405" + }, + { + "name": "panel_7", + "type": "visualization", + "id": "4a183420-41f3-11ea-88fa-7151df485405" + }, + { + "name": "panel_8", + "type": "visualization", + "id": "0ffb5790-41f3-11ea-88fa-7151df485405" + }, + { + "name": "panel_9", + "type": "visualization", + "id": "3a582cc0-6fab-11eb-958c-51e33b5cae2a" + }, + { + "name": "panel_10", + "type": "visualization", + "id": "69241a80-421d-11ea-9084-41ab7c5fff2e" + }, + { + "name": "panel_11", + "type": "visualization", + "id": "f7b3ba60-41f7-11ea-88fa-7151df485405" + }, + { + "name": "panel_12", + "type": "search", + "id": "33ba96c0-cbdd-11ec-a50a-5fedd672f5c5" + } + ], + "migrationVersion": { + "dashboard": "7.9.3" + } + }, + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:39:21.339Z", + "version": "Wzg1NywxXQ==", + "attributes": { + "title": "Network Logs", + "visState": 
"{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](/dashboards/app/dashboards#/view/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](/dashboards/app/dashboards#/view/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / 
[TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS 
RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](/dashboards/app/dashboards#/view/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "8f673450-cbd9-11ec-a50a-5fedd672f5c5", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU1OCwxXQ==", + "attributes": { + "title": "Normalized Event 
Category", + "visState": "{\"title\":\"Normalized Event Category\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\" \"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\" \"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Transport\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":40},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\" \"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\" \",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + 
"searchSourceJSON": "{\"query\":{\"query\":\"(rule.category:*) AND (NOT rule.category:Generic Protocol Command Decode)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "a5acf7f0-cbdd-11ec-a50a-5fedd672f5c5", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU1OSwxXQ==", + "attributes": { + "title": "Notice, Alert and Signature - Summary", + "visState": "{\"title\":\"Notice, Alert, and Signature - Summary\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Provider\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,
\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "33ba96c0-cbdd-11ec-a50a-5fedd672f5c5" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "e9f27fa0-41f8-11ea-88fa-7151df485405", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU2MCwxXQ==", + "attributes": { + "title": "Outdated/Insecure Application Protocols", + "visState": "{\"title\":\"Outdated/Insecure Application 
Protocols\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol Version\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"(NOT event.dataset:known*) AND ((network.protocol:ssh AND network.protocol_version < 2) OR (network.protocol:smb AND network.protocol_version < 2) OR (network.protocol:tls AND NOT network.protocol_version:(*TLS*v12* OR *TLS*v13*)) OR (network.protocol:ntp AND network.protocol_version < 4) OR (network.protocol:rfb AND 
network.protocol_version < 3.8) OR (network.protocol:rdp AND network.protocol_version < 6.0) OR (network.protocol:snmp AND network.protocol_version < 3) OR (network.protocol:ldap AND network.protocol_version < 3) OR (network.protocol:ftp) OR (network.protocol:tftp) OR (network.protocol:telnet) OR (network.protocol:rlogin) OR (network.protocol:rsh))\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "596d20d0-d147-11ec-ab4e-83a83b5e27a4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU2MSwxXQ==", + "attributes": { + "title": "Vulnerabilities", + "visState": "{\"title\":\"Vulnerabilities\",\"type\":\"table\",\"aggs\":[{\"id\":\"5\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"firstPacket\",\"customLabel\":\"Last Seen\"},\"schema\":\"metric\"},{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Data Source\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Log 
Type\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"vulnerability.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vulnerability ID\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "33ba96c0-cbdd-11ec-a50a-5fedd672f5c5" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "c5b1e590-41f3-11ea-88fa-7151df485405", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU2MiwxXQ==", + "attributes": { + "title": "Clear-text Transmission of Passwords ", + "visState": "{\"title\":\"Clear-text Transmission of Passwords \",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application 
Protocol\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Username\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\\\\*password:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "d8b8a6a0-41fe-11ea-88fa-7151df485405", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU2MywxXQ==", + "attributes": { + "title": "Inbound Access By Protocol Over Time", + "visState": "{\"title\":\"Inbound Access By Protocol Over 
Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-01-28T18:52:45.953Z\",\"max\":\"2020-01-28T18:52:45.953Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:(ssh OR rdp OR rfb OR telnet OR rlogin OR rsh OR openvpn OR ipsec OR wireguard) AND network.direction:(inbound OR outbound)\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "4a183420-41f3-11ea-88fa-7151df485405", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU2NCwxXQ==", + 
"attributes": { + "title": "Outbound Internal Traffic by Country", + "visState": "{\"title\":\"Outbound Internal Traffic by Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Responding Country\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"network.direction:outbound\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "0ffb5790-41f3-11ea-88fa-7151df485405", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU2NSwxXQ==", + "attributes": { + "title": "Inbound External Traffic by Country", + "visState": "{\"title\":\"Inbound External Traffic by 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Originating Country\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"network.direction:inbound\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "3a582cc0-6fab-11eb-958c-51e33b5cae2a", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU2NiwxXQ==", + "attributes": { + "title": "File Transfers", + "visState": "{\"title\":\"File 
Transfers\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"file.mime_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":false}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "69241a80-421d-11ea-9084-41ab7c5fff2e", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU2NywxXQ==", + "attributes": { + "title": "DNS Queries by Randomness", + "visState": "{\"title\":\"DNS Queries by Randomness\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS 
Query\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"},\"schema\":\"bucket\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":20,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"},\"totalFunc\":\"sum\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "f7b3ba60-41f7-11ea-88fa-7151df485405", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": 
"2023-09-14T18:38:53.716Z", + "version": "WzU2OCwxXQ==", + "attributes": { + "title": "Connections by Destination Country (region map)", + "visState": "{\"title\":\"Connections by Destination Country (region map)\",\"type\":\"region_map\",\"params\":{\"legendPosition\":\"bottomright\",\"addTooltip\":true,\"colorSchema\":\"Blues\",\"emsHotLink\":\"\",\"isDisplayWarning\":false,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service

\"}},\"mapZoom\":2,\"mapCenter\":[0,0],\"outlineWeight\":1,\"showAllShapes\":true,\"selectedLayer\":{\"name\":\"World (offline)\",\"url\":\"/world.geojson\",\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"name\":\"ISO_A2\",\"description\":\"Country Code\"},{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},{\"name\":\"NAME\",\"description\":\"Country Name\"}],\"format\":{\"type\":\"geojson\"},\"meta\":{\"feature_collection_path\":\"data\"},\"layerId\":\"self_hosted.World (offline)\",\"isEMS\":false},\"selectedJoinField\":{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Connections\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_code2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}", + "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[37.16031654673677,-5.7511603125000015]}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "33ba96c0-cbdd-11ec-a50a-5fedd672f5c5", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": 
"WzU2OSwxXQ==", + "attributes": { + "title": "Notice, Alert, and Signature - Logs", + "description": "", + "hits": 0, + "columns": [ + "event.provider", + "event.dataset", + "event.module", + "rule.category", + "rule.name", + "network.protocol", + "source.ip", + "destination.ip", + "event.severity_tags", + "event.id" + ], + "sort": [], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"(event.provider:zeek AND event.dataset:(notice OR signatures)) OR (event.provider:suricata AND event.dataset:alert AND (NOT rule.category:Generic Protocol Command Decode))\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "search": "7.9.3" + } + }, + { + "id": "52570870-e9d4-444f-a3df-e44c6757ed9f", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:39:18.257Z", + "version": "WzgzMiwxXQ==", + "attributes": { + "title": "Connections - Logs", + "description": "", + "hits": 0, + "columns": [ + "network.transport", + "network.protocol", + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.bytes", + "event.id" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + 
"migrationVersion": { + "search": "7.9.3" + } + }, + { + "id": "0b971165-4c39-42ed-b80d-8a8f5658a38e", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2023-09-14T18:38:53.716Z", + "version": "WzU3MSwxXQ==", + "attributes": { + "title": "DNS - Logs", + "description": "", + "hits": 0, + "columns": [ + "source.ip", + "destination.ip", + "zeek.dns.query", + "zeek.dns.answers", + "event.id" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "search": "7.9.3" + } + } + ] } \ No newline at end of file diff --git a/dashboards/templates/composable/component/arkime.json b/dashboards/templates/composable/component/arkime.json index 678585380..1944b4cdd 100644 --- a/dashboards/templates/composable/component/arkime.json +++ b/dashboards/templates/composable/component/arkime.json @@ -2,6 +2,7 @@ "template": { "mappings": { "properties": { + "destination.as.full": { "type": "keyword" }, "destination.geo.country_code2": { "type": "keyword" }, "destination.geo.country_code3": { "type": "keyword" }, "destination.geo.dma_code": { "type": "short" }, 
@@ -9,18 +10,9 @@
 "destination.geo.latitude": { "type": "float" },
 "destination.geo.location": { "type": "geo_point" },
 "destination.geo.longitude": { "type": "float" },
- "dns.host": { "type": "keyword" },
- "firstPacket": { "type": "date" },
- "http.xffASN": { "type": "keyword" },
- "http.xffGEO": { "type": "keyword" },
- "http.xffIp": { "type": "ip" },
- "http.xffRIR": { "type": "keyword" },
- "lastPacket": { "type": "date" },
- "node": { "type": "keyword" },
- "protocol": { "type": "keyword" },
- "quic.host": { "type": "keyword" },
- "quic.version": { "type": "keyword" },
- "rootId": { "type": "keyword" },
+ "destination.mac-cnt": { "type": "long" },
+ "network.vlan.id-cnt": { "type": "long" },
+ "source.as.full": { "type": "keyword" },
 "source.geo.country_code2": { "type": "keyword" },
 "source.geo.country_code3": { "type": "keyword" },
 "source.geo.dma_code": { "type": "short" },
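Review bot: The three mappings added in this hunk (`"destination.mac-cnt": { "type": "long" },` and the two lines after it) keep the file's compact one-line form, while the large block added in the next hunk (`@@ -28,9 +20,896 @@`) switches to multi-line entries with a space before each colon (`"asset" : { "type" : "keyword" }`), so the same `properties` object ends up written in two styles; normalizing one side would keep future diffs of this template readable. The twelve top-level dotted keys removed here (`dns.host`, `firstPacket`, the four `http.xff*` fields, `lastPacket`, `node`, `protocol`, `quic.host`, `quic.version`, `rootId`) appear to be re-added as nested `properties` objects in the following hunk, which is an equivalent mapping form, but that hunk runs past the end of what is visible. It is worth checking that every removed key is covered in the nested form before the template is applied, since a field that drops out of the explicit mapping would likely be picked up by dynamic mapping on the next index rollover with a type the dashboards do not expect.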
@@ -28,9 +20,896 @@ "source.geo.latitude": { "type": "float" }, "source.geo.location": { "type": "geo_point" }, "source.geo.longitude": { "type": "float" }, + "source.mac-cnt": { "type": "long" }, "timestamp": { "type": "date" }, - "user": { "type": "keyword" } + "asset" : { + "type" : "keyword" + }, + "assetCnt" : { + "type" : "long" + }, + "bgp" : { + "properties" : { + "type" : { + "type" : "keyword" + } + } + }, + "cert" : { + "properties" : { + "alt" : { + "type" : "keyword" + }, + "altCnt" : { + "type" : "long" + }, + "curve" : { + "type" : "keyword" + }, + "hash" : { + "type" : "keyword" + }, + "issuerCN" : { + "type" : "keyword" + }, + "issuerON" : { + "type" : "keyword" + }, + "notAfter" : { + "type" : "date" + }, + "notBefore" : { + "type" : "date" + }, + "publicAlgorithm" : { + "type" : "keyword" + }, + "remainingDays" : { + "type" : "long" + }, + "serial" : { + "type" : "keyword" + }, + "subjectCN" : { + "type" : "keyword" + }, + "subjectON" : { + "type" : "keyword" + }, + "validDays" : { + "type" : "long" + } + } + }, + "certCnt" : { + "type" : "long" + }, + "dhcp" : { + "properties" : { + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "id" : { + "type" : "keyword" + }, + "idCnt" : { + "type" : "long" + }, + "mac" : { + "type" : "keyword" + }, + "macCnt" : { + "type" : "long" + }, + "oui" : { + "type" : "keyword" + }, + "ouiCnt" : { + "type" : "long" + }, + "type" : { + "type" : "keyword" + }, + "typeCnt" : { + "type" : "long" + } + } + }, + "dns" : { + "properties" : { + "ASN" : { + "type" : "keyword" + }, + "GEO" : { + "type" : "keyword" + }, + "RIR" : { + "type" : "keyword" + }, + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "ip" : { + "type" : "ip" + }, + "ipCnt" : { + "type" : "long" + }, + "opcode" : { + "type" : "keyword" + }, + "opcodeCnt" : { + "type" : "long" + }, + "puny" : { + "type" : "keyword" + }, + "punyCnt" : { + "type" : "long" + }, + "qc" : { + "type" : "keyword" + }, + 
"qcCnt" : { + "type" : "long" + }, + "qt" : { + "type" : "keyword" + }, + "qtCnt" : { + "type" : "long" + }, + "status" : { + "type" : "keyword" + }, + "statusCnt" : { + "type" : "long" + } + } + }, + "dstOui" : { + "type" : "keyword" + }, + "dstOuiCnt" : { + "type" : "long" + }, + "dstPayload8" : { + "type" : "keyword" + }, + "dstRIR" : { + "type" : "keyword" + }, + "email" : { + "properties" : { + "ASN" : { + "type" : "keyword" + }, + "GEO" : { + "type" : "keyword" + }, + "RIR" : { + "type" : "keyword" + }, + "bodyMagic" : { + "type" : "keyword" + }, + "bodyMagicCnt" : { + "type" : "long" + }, + "contentType" : { + "type" : "keyword" + }, + "contentTypeCnt" : { + "type" : "long" + }, + "dst" : { + "type" : "keyword" + }, + "dstCnt" : { + "type" : "long" + }, + "filename" : { + "type" : "keyword" + }, + "filenameCnt" : { + "type" : "long" + }, + "header" : { + "type" : "keyword" + }, + "header-chad" : { + "type" : "keyword" + }, + "header-chadCnt" : { + "type" : "long" + }, + "headerCnt" : { + "type" : "long" + }, + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "id" : { + "type" : "keyword" + }, + "idCnt" : { + "type" : "long" + }, + "ip" : { + "type" : "ip" + }, + "ipCnt" : { + "type" : "long" + }, + "md5" : { + "type" : "keyword" + }, + "md5Cnt" : { + "type" : "long" + }, + "mimeVersion" : { + "type" : "keyword" + }, + "mimeVersionCnt" : { + "type" : "long" + }, + "smtpHello" : { + "type" : "keyword" + }, + "smtpHelloCnt" : { + "type" : "long" + }, + "src" : { + "type" : "keyword" + }, + "srcCnt" : { + "type" : "long" + }, + "subject" : { + "type" : "keyword" + }, + "subjectCnt" : { + "type" : "long" + }, + "useragent" : { + "type" : "keyword" + }, + "useragentCnt" : { + "type" : "long" + } + } + }, + "fileId" : { + "type" : "long" + }, + "firstPacket" : { + "type" : "date" + }, + "srcOuterIp" : { + "type" : "ip" + }, + "srcOuterIpCnt" : { + "type" : "long" + }, + "dstOuterIp" : { + "type" : "ip" + }, + "dstOuterIpCnt" : { + 
"type" : "long" + }, + "srcOuterOui" : { + "type" : "keyword" + }, + "srcOuterOuiCnt" : { + "type" : "long" + }, + "dstOuterOui" : { + "type" : "keyword" + }, + "dstOuterOuiCnt" : { + "type" : "long" + }, + "srcOuterMac" : { + "type" : "keyword" + }, + "srcOuterMacCnt" : { + "type" : "long" + }, + "dstOuterMac" : { + "type" : "keyword" + }, + "dstOuterMacCnt" : { + "type" : "long" + }, + "srcOuterRIR" : { + "type" : "keyword" + }, + "dstOuterRIR" : { + "type" : "keyword" + }, + "srcOuterGEO" : { + "type" : "keyword" + }, + "dstOuterGEO" : { + "type" : "keyword" + }, + "srcOuterASN" : { + "type" : "keyword" + }, + "dstOuterASN" : { + "type" : "keyword" + }, + "http" : { + "properties" : { + "authType" : { + "type" : "keyword" + }, + "authTypeCnt" : { + "type" : "long" + }, + "bodyMagic" : { + "type" : "keyword" + }, + "bodyMagicCnt" : { + "type" : "long" + }, + "clientVersion" : { + "type" : "keyword" + }, + "clientVersionCnt" : { + "type" : "long" + }, + "cookieKey" : { + "type" : "keyword" + }, + "cookieKeyCnt" : { + "type" : "long" + }, + "cookieValue" : { + "type" : "keyword" + }, + "cookieValueCnt" : { + "type" : "long" + }, + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "key" : { + "type" : "keyword" + }, + "keyCnt" : { + "type" : "long" + }, + "md5" : { + "type" : "keyword" + }, + "md5Cnt" : { + "type" : "long" + }, + "method" : { + "type" : "keyword" + }, + "methodCnt" : { + "type" : "long" + }, + "path" : { + "type" : "keyword" + }, + "pathCnt" : { + "type" : "long" + }, + "request-authorization" : { + "type" : "keyword" + }, + "request-authorizationCnt" : { + "type" : "long" + }, + "request-chad" : { + "type" : "keyword" + }, + "request-chadCnt" : { + "type" : "long" + }, + "request-content-type" : { + "type" : "keyword" + }, + "request-content-typeCnt" : { + "type" : "long" + }, + "request-origin" : { + "type" : "keyword" + }, + "request-referer" : { + "type" : "keyword" + }, + "request-refererCnt" : { + "type" : "long" + 
}, + "requestBody" : { + "type" : "keyword" + }, + "requestHeader" : { + "type" : "keyword" + }, + "requestHeaderCnt" : { + "type" : "long" + }, + "response-content-type" : { + "type" : "keyword" + }, + "response-content-typeCnt" : { + "type" : "long" + }, + "response-location" : { + "type" : "keyword" + }, + "response-server" : { + "type" : "keyword" + }, + "responseHeader" : { + "type" : "keyword" + }, + "responseHeaderCnt" : { + "type" : "long" + }, + "serverVersion" : { + "type" : "keyword" + }, + "serverVersionCnt" : { + "type" : "long" + }, + "statuscode" : { + "type" : "long" + }, + "statuscodeCnt" : { + "type" : "long" + }, + "uri" : { + "type" : "keyword" + }, + "uriCnt" : { + "type" : "long" + }, + "user" : { + "type" : "keyword" + }, + "userCnt" : { + "type" : "long" + }, + "useragent" : { + "type" : "keyword" + }, + "useragentCnt" : { + "type" : "long" + }, + "value" : { + "type" : "keyword" + }, + "valueCnt" : { + "type" : "long" + }, + "xffASN" : { + "type" : "keyword" + }, + "xffGEO" : { + "type" : "keyword" + }, + "xffIp" : { + "type" : "ip" + }, + "xffIpCnt" : { + "type" : "long" + }, + "xffRIR" : { + "type" : "keyword" + } + } + }, + "icmp" : { + "properties" : { + "code" : { + "type" : "long" + }, + "type" : { + "type" : "long" + } + } + }, + "initRTT" : { + "type" : "long" + }, + "ipProtocol" : { + "type" : "long" + }, + "irc" : { + "properties" : { + "channel" : { + "type" : "keyword" + }, + "channelCnt" : { + "type" : "long" + }, + "nick" : { + "type" : "keyword" + }, + "nickCnt" : { + "type" : "long" + } + } + }, + "krb5" : { + "properties" : { + "cname" : { + "type" : "keyword" + }, + "cnameCnt" : { + "type" : "long" + }, + "realm" : { + "type" : "keyword" + }, + "realmCnt" : { + "type" : "long" + }, + "sname" : { + "type" : "keyword" + }, + "snameCnt" : { + "type" : "long" + } + } + }, + "lastPacket" : { + "type" : "date" + }, + "ldap" : { + "properties" : { + "authtype" : { + "type" : "keyword" + }, + "authtypeCnt" : { + "type" : "long" + 
}, + "bindname" : { + "type" : "keyword" + }, + "bindnameCnt" : { + "type" : "long" + } + } + }, + "length" : { + "type" : "long" + }, + "mysql" : { + "properties" : { + "user" : { + "type" : "keyword" + }, + "version" : { + "type" : "keyword" + } + } + }, + "node" : { + "type" : "keyword" + }, + "oracle" : { + "properties" : { + "host" : { + "type" : "keyword" + }, + "service" : { + "type" : "keyword" + }, + "user" : { + "type" : "keyword" + } + } + }, + "packetLen" : { + "type" : "integer", + "index" : false + }, + "packetPos" : { + "type" : "long", + "index" : false + }, + "postgresql" : { + "properties" : { + "app" : { + "type" : "keyword" + }, + "db" : { + "type" : "keyword" + }, + "user" : { + "type" : "keyword" + } + } + }, + "protocol" : { + "type" : "keyword" + }, + "protocolCnt" : { + "type" : "long" + }, + "quic" : { + "properties" : { + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "useragent" : { + "type" : "keyword" + }, + "useragentCnt" : { + "type" : "long" + }, + "version" : { + "type" : "keyword" + }, + "versionCnt" : { + "type" : "long" + } + } + }, + "radius" : { + "properties" : { + "framedASN" : { + "type" : "keyword" + }, + "framedGEO" : { + "type" : "keyword" + }, + "framedIp" : { + "type" : "ip" + }, + "framedIpCnt" : { + "type" : "long" + }, + "framedRIR" : { + "type" : "keyword" + }, + "mac" : { + "type" : "keyword" + }, + "macCnt" : { + "type" : "long" + }, + "user" : { + "type" : "keyword" + } + } + }, + "rootId" : { + "type" : "keyword" + }, + "segmentCnt" : { + "type" : "long" + }, + "smb" : { + "properties" : { + "filename" : { + "type" : "keyword" + }, + "filenameCnt" : { + "type" : "long" + }, + "host" : { + "type" : "keyword" + } + } + }, + "socks" : { + "properties" : { + "ASN" : { + "type" : "keyword" + }, + "GEO" : { + "type" : "keyword" + }, + "RIR" : { + "type" : "keyword" + }, + "host" : { + "type" : "keyword" + }, + "ip" : { + "type" : "ip" + }, + "port" : { + "type" : "long" + }, + "user" : 
{ + "type" : "keyword" + } + } + }, + "srcOui" : { + "type" : "keyword" + }, + "srcOuiCnt" : { + "type" : "long" + }, + "srcPayload8" : { + "type" : "keyword" + }, + "srcRIR" : { + "type" : "keyword" + }, + "ssh" : { + "properties" : { + "hassh" : { + "type" : "keyword" + }, + "hasshCnt" : { + "type" : "long" + }, + "hasshServer" : { + "type" : "keyword" + }, + "hasshServerCnt" : { + "type" : "long" + }, + "key" : { + "type" : "keyword" + }, + "keyCnt" : { + "type" : "long" + }, + "version" : { + "type" : "keyword" + }, + "versionCnt" : { + "type" : "long" + } + } + }, + "suricata" : { + "properties" : { + "action" : { + "type" : "keyword" + }, + "actionCnt" : { + "type" : "long" + }, + "category" : { + "type" : "keyword" + }, + "categoryCnt" : { + "type" : "long" + }, + "flowId" : { + "type" : "keyword" + }, + "flowIdCnt" : { + "type" : "long" + }, + "gid" : { + "type" : "long" + }, + "gidCnt" : { + "type" : "long" + }, + "severity" : { + "type" : "long" + }, + "severityCnt" : { + "type" : "long" + }, + "signature" : { + "type" : "keyword" + }, + "signatureCnt" : { + "type" : "long" + }, + "signatureId" : { + "type" : "long" + }, + "signatureIdCnt" : { + "type" : "long" + } + } + }, + "tags" : { + "type" : "keyword" + }, + "tagsCnt" : { + "type" : "long" + }, + "tcpflags" : { + "properties" : { + "ack" : { + "type" : "long" + }, + "dstZero" : { + "type" : "long" + }, + "fin" : { + "type" : "long" + }, + "psh" : { + "type" : "long" + }, + "rst" : { + "type" : "long" + }, + "srcZero" : { + "type" : "long" + }, + "syn" : { + "type" : "long" + }, + "syn-ack" : { + "type" : "long" + }, + "urg" : { + "type" : "long" + } + } + }, + "tls" : { + "properties" : { + "cipher" : { + "type" : "keyword" + }, + "cipherCnt" : { + "type" : "long" + }, + "dstSessionId" : { + "type" : "keyword" + }, + "ja3" : { + "type" : "keyword" + }, + "ja3Cnt" : { + "type" : "long" + }, + "ja3s" : { + "type" : "keyword" + }, + "ja3sCnt" : { + "type" : "long" + }, + "srcSessionId" : { + "type" : 
"keyword" + }, + "version" : { + "type" : "keyword" + }, + "versionCnt" : { + "type" : "long" + } + } + }, + "totDataBytes" : { + "type" : "long" + }, + "user" : { + "type" : "keyword" + }, + "userCnt" : { + "type" : "long" + } } } + }, + "_meta": { + "description": "mostly lifted from Arkime's db.pl sessions3Update" } } diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json index 6e974155c..6a1870503 100644 --- a/dashboards/templates/composable/component/zeek_ot.json +++ b/dashboards/templates/composable/component/zeek_ot.json @@ -9,21 +9,18 @@ "zeek.bacnet.pdu_type": { "type": "keyword" }, "zeek.bacnet.result_code": { "type": "keyword" }, "zeek.bacnet_device_control.is_orig": { "type": "keyword" }, - "zeek.bacnet_device_control.pdu_service": { "type": "keyword" }, "zeek.bacnet_device_control.time_duration": { "type": "long" }, "zeek.bacnet_device_control.device_state": { "type": "keyword" }, "zeek.bacnet_device_control.result": { "type": "keyword" }, "zeek.bacnet_device_control.result_code": { "type": "keyword" }, "zeek.bacnet_discovery.object_name": { "type": "keyword" }, "zeek.bacnet_discovery.object_type": { "type": "keyword" }, - "zeek.bacnet_discovery.pdu_service": { "type": "keyword" }, "zeek.bacnet_discovery.range": { "type": "keyword" }, "zeek.bacnet_discovery.range_high": { "type": "integer" }, "zeek.bacnet_discovery.range_low": { "type": "integer" }, "zeek.bacnet_discovery.vendor": { "type": "keyword" }, "zeek.bacnet_property.array_index": { "type": "long" }, "zeek.bacnet_property.object_type": { "type": "keyword" }, - "zeek.bacnet_property.pdu_service": { "type": "keyword" }, "zeek.bacnet_property.property": { "type": "keyword" }, "zeek.bacnet_property.value": { "type": "keyword" }, "zeek.bestguess.category": { "type": "keyword" }, diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml index 1d14192b8..c251b7cef 100644 --- a/docker-compose-standalone.yml 
+++ b/docker-compose-standalone.yml
@@ -4,7 +4,7 @@
 version: '3.7'
 services:
 opensearch:
- image: ghcr.io/idaholab/malcolm/opensearch:23.08.1
+ image: ghcr.io/idaholab/malcolm/opensearch:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -37,7 +37,7 @@ services:
 retries: 3
 start_period: 180s
 dashboards-helper:
- image: ghcr.io/idaholab/malcolm/dashboards-helper:23.08.1
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -64,7 +64,7 @@ services:
 retries: 3
 start_period: 30s
 dashboards:
- image: ghcr.io/idaholab/malcolm/dashboards:23.08.1
+ image: ghcr.io/idaholab/malcolm/dashboards:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -90,7 +90,7 @@ services:
 retries: 3
 start_period: 210s
 logstash:
- image: ghcr.io/idaholab/malcolm/logstash-oss:23.08.1
+ image: ghcr.io/idaholab/malcolm/logstash-oss:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -132,7 +132,7 @@ services:
 retries: 3
 start_period: 600s
 filebeat:
- image: ghcr.io/idaholab/malcolm/filebeat-oss:23.08.1
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -167,7 +167,7 @@ services:
 retries: 3
 start_period: 60s
 arkime:
- image: ghcr.io/idaholab/malcolm/arkime:23.08.1
+ image: ghcr.io/idaholab/malcolm/arkime:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -203,7 +203,7 @@ services:
 retries: 3
 start_period: 210s
 zeek:
- image: ghcr.io/idaholab/malcolm/zeek:23.08.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -241,7 +241,7 @@ services:
 retries: 3
 start_period: 60s
 zeek-live:
- image: ghcr.io/idaholab/malcolm/zeek:23.08.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -269,7 +269,7 @@ services:
 - ./zeek-logs/extract_files:/zeek/extract_files
 - ./zeek/intel:/opt/zeek/share/zeek/site/intel
 suricata:
- image: ghcr.io/idaholab/malcolm/suricata:23.08.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -305,7 +305,7 @@ services:
 retries: 3
 start_period: 120s
 suricata-live:
- image: ghcr.io/idaholab/malcolm/suricata:23.08.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -331,7 +331,7 @@ services:
 - ./suricata-logs:/var/log/suricata
 - ./suricata/rules:/opt/suricata/rules:ro
 file-monitor:
- image: ghcr.io/idaholab/malcolm/file-monitor:23.08.1
+ image: ghcr.io/idaholab/malcolm/file-monitor:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -357,7 +357,7 @@ services:
 retries: 3
 start_period: 60s
 pcap-capture:
- image: ghcr.io/idaholab/malcolm/pcap-capture:23.08.1
+ image: ghcr.io/idaholab/malcolm/pcap-capture:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -379,7 +379,7 @@ services:
 - ./nginx/ca-trust:/var/local/ca-trust:ro
 - ./pcap/upload:/pcap
 pcap-monitor:
- image: ghcr.io/idaholab/malcolm/pcap-monitor:23.08.1
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -405,7 +405,7 @@ services:
 retries: 3
 start_period: 90s
 upload:
- image: ghcr.io/idaholab/malcolm/file-upload:23.08.1
+ image: ghcr.io/idaholab/malcolm/file-upload:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -432,7 +432,7 @@ services:
 retries: 3
 start_period: 60s
 htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:23.08.1
+ image: ghcr.io/idaholab/malcolm/htadmin:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -457,7 +457,7 @@ services:
 retries: 3
 start_period: 60s
 freq:
- image: ghcr.io/idaholab/malcolm/freq:23.08.1
+ image: ghcr.io/idaholab/malcolm/freq:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -479,7 +479,7 @@ services:
 retries: 3
 start_period: 60s
 netbox:
- image: ghcr.io/idaholab/malcolm/netbox:23.08.1
+ image: ghcr.io/idaholab/malcolm/netbox:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -511,7 +511,7 @@ services:
 retries: 3
 start_period: 120s
 netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:23.08.1
+ image: ghcr.io/idaholab/malcolm/postgresql:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -535,7 +535,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:23.08.1
+ image: ghcr.io/idaholab/malcolm/redis:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -563,7 +563,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:23.08.1
+ image: ghcr.io/idaholab/malcolm/redis:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -590,7 +590,7 @@ services:
 retries: 3
 start_period: 45s
 api:
- image: ghcr.io/idaholab/malcolm/api:23.08.1
+ image: ghcr.io/idaholab/malcolm/api:23.09.0
 command: gunicorn --bind 0:5000 manage:app
 restart: "no"
 stdin_open: false
@@ -614,7 +614,7 @@ services:
 retries: 3
 start_period: 60s
 nginx-proxy:
- image: ghcr.io/idaholab/malcolm/nginx-proxy:23.08.1
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
diff --git a/docker-compose.yml b/docker-compose.yml
index 6a6f7c449..f2366e792 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/opensearch.Dockerfile
- image: ghcr.io/idaholab/malcolm/opensearch:23.08.1
+ image: ghcr.io/idaholab/malcolm/opensearch:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -43,7 +43,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/dashboards-helper.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards-helper:23.08.1
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -73,7 +73,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/dashboards.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards:23.08.1
+ image: ghcr.io/idaholab/malcolm/dashboards:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -102,7 +102,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/logstash.Dockerfile
- image: ghcr.io/idaholab/malcolm/logstash-oss:23.08.1
+ image: ghcr.io/idaholab/malcolm/logstash-oss:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -151,7 +151,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/filebeat.Dockerfile
- image: ghcr.io/idaholab/malcolm/filebeat-oss:23.08.1
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -189,7 +189,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/arkime.Dockerfile
- image: ghcr.io/idaholab/malcolm/arkime:23.08.1
+ image: ghcr.io/idaholab/malcolm/arkime:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -231,7 +231,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:23.08.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -273,7 +273,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:23.08.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -305,7 +305,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:23.08.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -344,7 +344,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:23.08.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -373,7 +373,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/file-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-monitor:23.08.1
+ image: ghcr.io/idaholab/malcolm/file-monitor:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -402,7 +402,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/pcap-capture.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-capture:23.08.1
+ image: ghcr.io/idaholab/malcolm/pcap-capture:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -427,7 +427,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/pcap-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-monitor:23.08.1
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -456,7 +456,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/file-upload.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-upload:23.08.1
+ image: ghcr.io/idaholab/malcolm/file-upload:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -483,7 +483,7 @@ services:
 retries: 3
 start_period: 60s
 htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:23.08.1
+ image: ghcr.io/idaholab/malcolm/htadmin:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/htadmin.Dockerfile
@@ -511,7 +511,7 @@ services:
 retries: 3
 start_period: 60s
 freq:
- image: ghcr.io/idaholab/malcolm/freq:23.08.1
+ image: ghcr.io/idaholab/malcolm/freq:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/freq.Dockerfile
@@ -536,7 +536,7 @@ services:
 retries: 3
 start_period: 60s
 netbox:
- image: ghcr.io/idaholab/malcolm/netbox:23.08.1
+ image: ghcr.io/idaholab/malcolm/netbox:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/netbox.Dockerfile
@@ -571,7 +571,7 @@ services:
 retries: 3
 start_period: 120s
 netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:23.08.1
+ image: ghcr.io/idaholab/malcolm/postgresql:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/postgresql.Dockerfile
@@ -598,7 +598,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:23.08.1
+ image: ghcr.io/idaholab/malcolm/redis:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/redis.Dockerfile
@@ -629,7 +629,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:23.08.1
+ image: ghcr.io/idaholab/malcolm/redis:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/redis.Dockerfile
@@ -659,7 +659,7 @@ services:
 retries: 3
 start_period: 45s
 api:
- image: ghcr.io/idaholab/malcolm/api:23.08.1
+ image: ghcr.io/idaholab/malcolm/api:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/api.Dockerfile
@@ -689,7 +689,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/nginx.Dockerfile
- image: ghcr.io/idaholab/malcolm/nginx-proxy:23.08.1
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
diff --git a/docs/README.md b/docs/README.md
index cee5df17e..f8f8e2793 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -24,12 +24,14 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation * [Configuration](malcolm-preparation.md#Configuration) - [Recommended system requirements](system-requirements.md#SystemRequirements) - [Malcolm Configuration](malcolm-config.md#ConfigAndTuning) - + [Environment Variable Files](malcolm-config.md#MalcolmConfigEnvVars) + + [Environment variable files](malcolm-config.md#MalcolmConfigEnvVars) + + [Command-line arguments](malcolm-config.md#CommandLineConfig) - [Configure authentication](authsetup.md#AuthSetup) + [Local account management](authsetup.md#AuthBasicAccountManagement) + [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) * [LDAP connection security](authsetup.md#AuthLDAPSecurity) + [TLS certificates](authsetup.md#TLSCerts) + + [Command-line arguments](authsetup.md#CommandLineConfig) - [Platform-specific Configuration](host-config.md#HostSystemConfig) + [Linux host system configuration](host-config-linux.md#HostSystemConfigLinux) + [macOS host system configuration](host-config-macos.md#HostSystemConfigMac) diff --git a/docs/authsetup.md b/docs/authsetup.md index f4878cffd..b589d7715 100644 --- a/docs/authsetup.md +++ b/docs/authsetup.md @@ -5,6 +5,7 @@ - [Lightweight Directory Access Protocol (LDAP) authentication](#AuthLDAP) + [LDAP connection security](#AuthLDAPSecurity) - [TLS certificates](#TLSCerts) + - [Command-line arguments](#CommandLineConfig) Malcolm requires authentication to access the [user interface](quickstart.md#UserInterfaceURLs). [Nginx](https://nginx.org/) can authenticate users with either local TLS-encrypted HTTP basic authentication or a remote Lightweight Directory Access Protocol (LDAP) authentication server. 
@@ -102,4 +103,46 @@ When users [set up authentication](#AuthSetup) for Malcolm a set of unique [self Another option is for users to generate their own certificates (or have them issued directly) and have them placed in the `nginx/certs/` directory. The certificate and key file should be named `cert.pem` and `key.pem`, respectively. -A third possibility is to use a third-party reverse proxy (e.g., [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)) to handle the issuance of the certificates and to broker the connections between clients and Malcolm. Reverse proxies such as these often implement the [ACME](https://datatracker.ietf.org/doc/html/rfc8555) protocol for domain name authentication and can be used to request certificates from certificate authorities such as [Let's Encrypt](https://letsencrypt.org/how-it-works/). In this configuration, the reverse proxy will be encrypting the connections instead of Malcolm, so users will need to set the `NGINX_SSL` environment variable to `false` in [`nginx.env`](malcolm-config.md#MalcolmConfigEnvVars) (or answer `no` to the "Require encrypted HTTPS connections?" question posed by `./scripts/configure`). If you are setting `NGINX_SSL` to `false`, **make sure** user must understand precisely what they are doing, ensuring that external connections cannot reach ports over which Malcolm will be communicating without encryption, including verifying local firewall configuration. \ No newline at end of file +A third possibility is to use a third-party reverse proxy (e.g., [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)) to handle the issuance of the certificates and to broker the connections between clients and Malcolm. 
Reverse proxies such as these often implement the [ACME](https://datatracker.ietf.org/doc/html/rfc8555) protocol for domain name authentication and can be used to request certificates from certificate authorities such as [Let's Encrypt](https://letsencrypt.org/how-it-works/). In this configuration, the reverse proxy will be encrypting the connections instead of Malcolm, so users will need to set the `NGINX_SSL` environment variable to `false` in [`nginx.env`](malcolm-config.md#MalcolmConfigEnvVars) (or answer `no` to the "Require encrypted HTTPS connections?" question posed by `./scripts/configure`). If you are setting `NGINX_SSL` to `false`, **make sure** user must understand precisely what they are doing, ensuring that external connections cannot reach ports over which Malcolm will be communicating without encryption, including verifying local firewall configuration. + +# Command-line arguments + +The `./scripts/auth_setup` script can also be run noninteractively which can be useful for scripting Malcolm setup. This behavior can be selected by supplying the `--auth-noninteractive` option on the command line. 
Running with the `--help` option will list the arguments accepted by the script: + +``` +$ ./scripts/auth_setup --help +usage: auth_setup + +Malcolm control script + +options: + -v [DEBUG], --verbose [DEBUG] + Verbose output + -f , --file + docker-compose or kubeconfig YML file + -e , --environment-dir + Directory containing Malcolm's .env files + +… + +Authentication Setup: + --auth [CMDAUTHSETUP] + Configure Malcolm authentication + --auth-noninteractive [CMDAUTHSETUPNONINTERACTIVE] + Configure Malcolm authentication (noninteractive using arguments provided) + --auth-admin-username + Administrator username (for --auth-noninteractive) + --auth-admin-password-openssl + Administrator password hash from "openssl -passwd -1" (for --auth-noninteractive) + --auth-admin-password-htpasswd + Administrator password hash from "htpasswd -n -B username | cut -d: -f2" (for --auth-noninteractive) + --auth-generate-webcerts [AUTHGENWEBCERTS] + (Re)generate self-signed certificates for HTTPS access (for --auth-noninteractive) + --auth-generate-fwcerts [AUTHGENFWCERTS] + (Re)generate self-signed certificates for a remote log forwarder + --auth-generate-netbox-passwords [AUTHGENNETBOXPASSWORDS] + (Re)generate internal passwords for NetBox +… +``` + +In order to avoid specifying passwords as command line arguments, when setting the administrator password noninteractively the user must instead provide hashes generated by [`openssl -passwd -1`](https://www.openssl.org/docs/man1.1.1/man1/openssl-passwd.html) and [`htpasswd -n -B username`](https://httpd.apache.org/docs/2.4/programs/htpasswd.html). diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md index 444d611ab..c485cdc8f 100644 --- a/docs/contributing-pcap.md +++ b/docs/contributing-pcap.md 
@@ -1,6 +1,6 @@ # PCAP processors -When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.08.1 release]({{ site.github.repository_url }}/releases/tag/v23.08.1)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: +When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.09.0 release]({{ site.github.repository_url }}/releases/tag/v23.09.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: 1. 
Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section * Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory diff --git a/docs/download.md b/docs/download.md index 0e54f018a..00f66c255 100644 --- a/docs/download.md +++ b/docs/download.md @@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno | ISO | SHA256 | |---|---| -| [malcolm-23.08.1.iso](/iso/malcolm-23.08.1.iso) (4.6GiB) | [`3775b44cc85665568df01cb9ab1d5525d1966747a08f0788de622832030a6002`](/iso/malcolm-23.08.1.iso.sha256.txt) | +| [malcolm-23.09.0.iso](/iso/malcolm-23.09.0.iso) (5.4GiB) | [`1f340ea861dc00f7020879b0b4fa9b4c0ba55779d8b6be6eb6e276e4de2a24ae`](/iso/malcolm-23.09.0.iso.sha256.txt) | ## Hedgehog Linux @@ -26,7 +26,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno | ISO | SHA256 | |---|---| -| [hedgehog-23.08.1.iso](/iso/hedgehog-23.08.1.iso) (2.3GiB) | [`5371c49ca8bc26008dc0d654b6cbcfad738970ba5e301ca2d43743317a547b36`](/iso/hedgehog-23.08.1.iso.sha256.txt) | +| [hedgehog-23.09.0.iso](/iso/hedgehog-23.09.0.iso) (2.6GiB) | [`2e8332e7865e79ae3841b50f66aa311d0748ed8fe897686112ba7a8d5c797395`](/iso/hedgehog-23.09.0.iso.sha256.txt) | ## Warning diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md index 55fa167fa..549d8179a 100644 --- a/docs/hedgehog-iso-build.md +++ b/docs/hedgehog-iso-build.md @@ -29,7 +29,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu ``` … -Finished, created "/sensor-build/hedgehog-23.08.1.iso" +Finished, created "/sensor-build/hedgehog-23.09.0.iso" … ``` diff --git a/docs/kubernetes.md b/docs/kubernetes.md index 69269ce02..3ff1a3bf9 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md 
@@ -9,7 +9,7 @@ - [OpenSearch Instances](#OpenSearchInstances) - [PersistentVolumeClaim Definitions](#PVC) * [Running Malcolm](#Running) -* [Deployment Example](#Example)n +* [Deployment Example](#Example) * [Future Enhancements](#Future) - [Live Traffic Analysis](#FutureLiveCap) - [Horizontal Scaling](#FutureScaleOut) 
@@ -64,51 +64,48 @@ Malcolm's [ingress controller manifest]({{ site.github.repository_url }}/blob/{{ + --tcp-services-configmap=ingress-nginx/tcp-services … ``` - - Add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` load-balancer service definition: ``` - --- - apiVersion: v1 - kind: Service - metadata: - … - name: ingress-nginx-controller - namespace: ingress-nginx - spec: - externalTrafficPolicy: Local - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - - appProtocol: tcp - name: lumberjack - port: 5044 - targetPort: 5044 - protocol: TCP - - appProtocol: tcp - name: tcpjson - port: 5045 - targetPort: 5045 - protocol: TCP - - appProtocol: tcp - name: opensearch - port: 9200 - targetPort: 9200 - protocol: TCP - … - type: LoadBalancer + apiVersion: v1 + kind: Service + metadata: + … + name: ingress-nginx-controller + namespace: ingress-nginx + spec: + externalTrafficPolicy: Local + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + - appProtocol: tcp + name: lumberjack + port: 5044 + targetPort: 5044 + protocol: TCP + - appProtocol: tcp + name: tcpjson + port: 5045 + targetPort: 5045 + protocol: TCP + - appProtocol: tcp + name: opensearch + port: 9200 + targetPort: 9200 + protocol: TCP + … + type: LoadBalancer ``` - - Add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` deployment container's definition: ``` apiVersion: apps/v1 
@@ -275,28 +272,28 @@ agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m |
agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 861.34m | 14.36% | 19.55Gi | 9.29Gi | 61.28Gi | 11 |
Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
-api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.08.1 |
-file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.08.1 |
-zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.08.1 |
-dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.08.1 |
-upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.08.1 |
-filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.08.1 |
-zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.08.1 |
-logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.08.1 |
-netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.08.1 |
-suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.08.1 |
-dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.08.1 |
-netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.08.1 |
-suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.08.1 |
-freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.08.1 |
-arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.08.1 |
-pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:23.08.1 |
-pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.08.1 |
-netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.08.1 |
-htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.08.1 |
-netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.08.1 |
-nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.08.1 |
-opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.08.1 |
+api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.09.0 |
+file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.09.0 |
+zeek-live-deployment-64b69d4b6f-947vr | Running |
10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.09.0 |
+dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.09.0 |
+upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.09.0 |
+filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.09.0 |
+zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.09.0 |
+logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.09.0 |
+netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.09.0 |
+suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.09.0 |
+dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.09.0 |
+netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.09.0 |
+suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.09.0 |
+freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.09.0 |
+arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.09.0 |
+pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi
| pcap-monitor-container:0 | pcap-monitor:23.09.0 |
+pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.09.0 |
+netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.09.0 |
+htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.09.0 |
+netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.09.0 |
+nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.09.0 |
+opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.09.0 |
```
The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`. It must be deleted manually on the storage media underlying the PersistentVolumes.
@@ -384,7 +381,7 @@ Download updated Suricata signatures periodically? (y/N): y
Automatically analyze all PCAP files with Zeek? (Y/n): y
-Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek? (y/N): n
+Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network? (y/N): n
Perform reverse DNS lookup locally for source and destination IP addresses in logs? (y/N): n
@@ -552,28 +549,28 @@ agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m |
agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 552.71m | 9.21% | 19.55Gi | 13.27Gi | 61.28Gi | 12 |
Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
-netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.08.1 |
-netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.08.1 |
-dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.08.1 |
-freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.08.1 |
-pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.08.1 |
-nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.08.1 |
-htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.08.1 |
-opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.08.1 |
-zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.08.1 |
-dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.08.1 |
-arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.08.1 |
-api-deployment-6f4686cf59-xt9md |
Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.08.1 |
-netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.08.1 |
-pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.08.1 |
-suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.08.1 |
-suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:23.08.1 |
-netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.08.1 |
-zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.08.1 |
-filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.08.1 |
-file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.08.1 |
-upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.08.1 |
-logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.08.1 |
+netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.09.0 |
+netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.09.0 |
+dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 |
ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.09.0 |
+freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.09.0 |
+pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.09.0 |
+nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.09.0 |
+htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.09.0 |
+opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.09.0 |
+zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.09.0 |
+dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.09.0 |
+arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.09.0 |
+api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.09.0 |
+netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.09.0 |
+pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.09.0 |
+suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.09.0 |
+suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi |
suricata-live-container:0 | suricata:23.09.0 |
+netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.09.0 |
+zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.09.0 |
+filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.09.0 |
+file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.09.0 |
+upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.09.0 |
+logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.09.0 |
```
View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`):
diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
index a99202165..e46f5115d 100644
--- a/docs/malcolm-config.md
+++ b/docs/malcolm-config.md
@@ -4,7 +4,7 @@ Malcolm's runtime settings are stored (with a few exceptions) as environment var
Run `./scripts/configure` and answer the questions to configure Malcolm. For an in-depth treatment of these configuration questions, see the **Configuration** section in **[End-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig)**.
-## Environment Variable Files
+## Environment variable files
Although the configuration script automates many of the following configuration and tuning parameters, some environment variables of particular interest are listed here for reference.
@@ -12,7 +12,7 @@ Although the configuration script automates many of the following configuration - `ARKIME_ANALYZE_PCAP_THREADS` – the number of threads available to Arkime for analyzing PCAP files (default `1`) - `MANAGE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will be marked as available for deletion by Arkime if available storage space becomes too low (default `false`) - `MAXMIND_GEOIP_DB_LICENSE_KEY` - Malcolm uses MaxMind's free GeoLite2 databases for GeoIP lookups. As of December 30, 2019, these databases are [no longer available](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) for download via a public URL. Instead, they must be downloaded using a MaxMind license key (available without charge [from MaxMind](https://www.maxmind.com/en/geolite2/signup)). The license key can be specified here for GeoIP database downloads during build- and run-time.
-* **`auth-common.env`** - [authentication](#MalcolmAuthSetup)-related settings
+* **`auth-common.env`** - [authentication](authsetup.md)-related settings - `NGINX_BASIC_AUTH` - if set to `true`, use [TLS-encrypted HTTP basic](authsetup.md#AuthBasicAccountManagement) authentication (default); if set to `false`, use [Lightweight Directory Access Protocol (LDAP)](authsetup.md#AuthLDAP) authentication
* **`auth.env`** - stores the Malcolm administrator's username and password hash for its nginx reverse proxy
* **`beats-common.env`** - settings for interactions between [Logstash](https://www.elastic.co/products/logstash) and [Filebeat](https://www.elastic.co/products/beats/filebeat)
@@ -85,10 +85,36 @@ Although the configuration script automates many of the following configuration - `ZEEK_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`) - `ZEEK_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Zeek logs (default `1`) - `ZEEK_DISABLE_…` - if set to any non-blank value, each of these variables can be used to disable a certain Zeek function when it analyzes PCAP files (for example, setting `ZEEK_DISABLE_LOG_PASSWORDS` to `true` to disable logging of cleartext passwords)
+ - `ZEEK_…_PORTS` - used to specify non-default ports to register certain Zeek analyzers (e.g., `ZEEK_SYNCHROPHASOR_PORTS` for the [ICSNPP-Synchrophasor analyzer](https://github.com/cisagov/icsnpp-synchrophasor/) and `ZEEK_GENISYS_PORTS` for the [ICSNPP-Genisys analyzer](https://github.com/cisagov/icsnpp-genisys/)) formatted as a comma-separated list of [Zeek ports](https://docs.zeek.org/en/master/scripting/basics.html#port) (e.g., `12345/tcp` or `4041/tcp,4042/udp`)
+ - `ZEEK_DISABLE_ICS_ALL` and `ZEEK_DISABLE_ICS_…` - if set to any non-blank value, these variables can be used to disable Zeek's protocol analyzers for Operational Technology/Industrial Control Systems (OT/ICS) protocols - `ZEEK_DISABLE_BEST_GUESS_ICS` - see ["Best Guess" Fingerprinting for ICS Protocols](ics-best-guess.md#ICSBestGuess) - `ZEEK_EXTRACTOR_MODE` – determines the file extraction behavior for file transfers detected by Zeek; see [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) for more details - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`) -
`ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration) - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh) - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
- - `ZEEK_ROTATED_PCAP` - if set to `true`, Zeek can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `ZEEK_AUTO_ANALYZE_PCAP_FILES`); if `ZEEK_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Zeek will see duplicate traffic
\ No newline at end of file
+ - `ZEEK_ROTATED_PCAP` - if set to `true`, Zeek can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `ZEEK_AUTO_ANALYZE_PCAP_FILES`); if `ZEEK_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Zeek will see duplicate traffic
+
+## Command-line arguments
+
+The `./scripts/configure` script can also be run noninteractively which can be useful for scripting Malcolm setup. This behavior can be selected by supplying the `-d` or `--defaults` option on the command line.
Running with the `--help` option will list the arguments accepted by the script:
+
+```
+$ ./scripts/configure --help
+usage: configure
+
+Malcolm install script
+
+options:
+ -v [true|false], --verbose [true|false]
+ Verbose output
+ -d [true|false], --defaults [true|false]
+ Accept defaults to prompts without user interaction
+ -c [true|false], --configure [true|false]
+ Only do configuration (not installation)
+…
+```
+
+Note that the value for **any** argument not specified on the command line will be reset to its default (as if for a new Malcolm installation) regardless of the setting's current value in the corresponding `.env` file. In other words, users who want to use the `--defaults` option should carefully review all available command-line options and choose all that apply.
+
+Similarly, [authentication](authsetup.md#AuthSetup)-related settings can also be set noninteractively by using the [command-line arguments](authsetup.md#CommandLineConfig) for `./scripts/auth_setup`.
\ No newline at end of file
diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md
index 5ea807a38..17e5b34d5 100644
--- a/docs/malcolm-hedgehog-e2e-iso-install.md
+++ b/docs/malcolm-hedgehog-e2e-iso-install.md
@@ -171,16 +171,20 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest - When using LDAP authentication, this question allows users to configure [LDAP connection security](authsetup.md#AuthLDAPSecurity)
* **Store PCAP, log and index files locally under /home/user/Malcolm?** - Malcolm generates a number of large file sets during normal operation: PCAP files, Zeek or Suricata logs, OpenSearch indices, etc. By default all of these are stored in subdirectories in the Malcolm installation directory. This question allows users to specify alternative storage location(s) (for example, a separate dedicated drive or RAID volume) for these artifacts.
-* **Delete the oldest indices when the database exceeds a certain size?**
- - Most of the configuration around OpenSearch [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/) can be done in OpenSearch Dashboards. In addition to (or instead of) the OpenSearch index state management operations, Malcolm can also be configured to delete the oldest network session metadata indices when the database exceeds a certain size to prevent filling up all available storage with OpenSearch indices.
-* **Should Arkime delete PCAP files based on available storage?**
- - Answering **Y** allows Arkime to prune (delete) old PCAP files based on available disk space (see https://arkime.com/faq#pcap-deletion).
+* **Should Malcolm delete the oldest database indices and/or PCAP files based on available storage?**
+ - Choose **Y** to proceed to the following related questions about managing the data storage used by Malcolm.
+ - **Delete the oldest indices when the database exceeds a certain size?**
+ - Most of the configuration around OpenSearch [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/) can be done in OpenSearch Dashboards. In addition to (or instead of) the OpenSearch index state management operations, Malcolm can also be configured to delete the oldest network session metadata indices when the database exceeds a certain size to prevent filling up all available storage with OpenSearch indices.
+ - **Should Arkime delete PCAP files based on available storage?**
+ - Answering **Y** allows Arkime to prune (delete) old PCAP files based on available disk space (see https://arkime.com/faq#pcap-deletion).
* **Automatically analyze all PCAP files with Suricata?** - This option is used to enable [Suricata](https://suricata.io/) (an IDS and threat detection engine) to analyze PCAP files uploaded to Malcolm via its upload web interface.
* **Download updated Suricata signatures periodically?** - If the Malcolm instance has Internet connectivity, answer **Y** to [enable automatic updates](https://suricata-update.readthedocs.io/en/latest/) of the Suricata rules used by Malcolm.
* **Automatically analyze all PCAP files with Zeek?** - This option is used to enable [Zeek](https://www.zeek.org/index.html) (a network analysis framework and IDS) to analyze PCAP files uploaded to Malcolm via its upload web interface.
+* **Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network?**
+ - If using Malcolm in a control systems (OT/ICS) network, answer **Y** to enable Malcolm's ICS protocol analyzers for Zeek.
* **Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?** - If using Malcolm in a control systems (OT/ICS) network, answer **Y** to enable ["Best Guess" Fingerprinting for ICS Protocols](ics-best-guess.md#ICSBestGuess).
* **Perform reverse DNS lookup locally for source and destination IP addresses in logs?**
@@ -249,22 +253,24 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest - Answer **Y** to [populate the NetBox inventory](asset-interaction-analysis.md#NetBoxPopPassive) based on observed network traffic. Autopopulation is **not** recommended: [manual inventory population](asset-interaction-analysis.md#NetBoxPopManual) is the preferred method to create an accurate representation of the intended network design.
* **Specify default NetBox site name** - NetBox has the concept of [sites](https://demo.netbox.dev/static/docs/core-functionality/sites-and-racks/); this default site name will be used as a query parameter for these enrichment lookups.
-* **Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?**
- - Malcolm itself can perform [live analysis](live-analysis.md#LocalPCAP) of traffic it sees on another network interface (ideally not the same one used for its management). Answer **N** to this question in installations where Hedgehog Linux will be handling all network traffic capture. If users want Malcolm to observe and capture traffic instead of, or in addition to, a sensor running Hedgehog Linux, they should answer **Y**.
-* **Capture packets using netsniff-ng?**
- - Answer **Y** for Malcolm to [capture network traffic](live-analysis.md#LocalPCAP) on the local network interface(s) indicated using [netsniff-ng](http://netsniff-ng.org/) (instead of tcpdump). These PCAP files are then periodically rotated into Arkime for analysis. netsniff-ng is Malcolm's preferred tool for capturing network traffic.
-* **Capture packets using tcpdump?**
- - Answer **Y** for Malcolm to [capture network traffic](live-analysis.md#LocalPCAP) on the local network interface(s) indicated using [tcpdump](https://www.tcpdump.org/) (instead of netsniff-ng). Do not answer **Y** for both `tcpdump` and `netsniff-ng`.
-* **Should Malcolm analyze live network traffic with Suricata?**
- - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Suricata. Users configuring Hedgehog Linux for capture probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic."
-* **Should Malcolm analyze live network traffic with Zeek?**
- - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Zeek. Users configuring Hedgehog Linux for capture probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic."
+* **Should Malcolm capture live network traffic?**
+ - Malcolm itself can perform [live analysis](live-analysis.md#LocalPCAP) of traffic it sees on another network interface (ideally not the same one used for its management). Answer **no** to this question in installations where Hedgehog Linux will be handling all network traffic capture. If users want Malcolm to observe and capture traffic instead of, or in addition to, a sensor running Hedgehog Linux, they should answer **yes** enable life traffic analysis using default settings, or select **customize** to proceed to answer the following related questions individually.
+ - **Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?**
+ - Answer **Y** for Malcolm to [capture network traffic](live-analysis.md#LocalPCAP) on the local network interface(s) indicated to be periodically rotated into Arkime for analysis.
+ - **Capture packets using netsniff-ng?**
+ - Answer **Y** to use [netsniff-ng](http://netsniff-ng.org/) to generate PCAP files for Arkime to analyze. netsniff-ng is Malcolm's preferred tool for capturing network traffic.
+ - **Capture packets using tcpdump?**
+ - Answer **Y** to use [tcpdump](https://www.tcpdump.org/) (instead of netsniff-ng) to generate PCAP files for Arkime to analyze.
+ - **Should Malcolm analyze live network traffic with Suricata?**
+ - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Suricata. Users configuring Hedgehog Linux for capture probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic."
+ - **Should Malcolm analyze live network traffic with Zeek?**
+ - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Zeek. Users configuring Hedgehog Linux for capture probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic."
+ - **Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)**
+ - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) as described above, users may optionally provide a capture filter. This filter will be used to limit what traffic the PCAP service ([netsniff-ng](http://netsniff-ng.org/) or [tcpdump](https://www.tcpdump.org/)) and the traffic analysis services ([Zeek](https://www.zeek.org/) and [Suricata](https://suricata.io/)) will see. Capture filters are specified using [Berkeley Packet Filter (BPF)](http://biot.com/capstats/bpf.html) syntax. For example, to indicate that Malcolm should ignore the ports it uses to communicate with Hedgehog Linux, users could specify `not port 5044 and not port 5045 and not port 8005 and not port 9200`.
+ - **Disable capture interface hardware offloading and adjust ring buffer sizes?**
+ - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) and users answer **Y** to this question, Malcolm will [use `ethtool`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/nic-capture-setup.sh) to disable NIC hardware offloading features and adjust ring buffer sizes for capture interface(s); this should be enabled if the interface(s) are being used for capture **only**, otherwise answer **N**. If unsure, users should probably answer **N**.
* **Specify capture interface(s) (comma-separated)** - Specify the network interface(s) for [live traffic analysis](live-analysis.md#LocalPCAP) if it is enabled for netsniff-ng, tcpdump, Suricata or Zeek as described above. For multiple interfaces, separate the interface names with a comma (e.g., `enp0s25` or `enp10s0,enp11s0`).
-* **Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)**
- - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) as described above, users may optionally provide a capture filter. This filter will be used to limit what traffic the PCAP service ([netsniff-ng](http://netsniff-ng.org/) or [tcpdump](https://www.tcpdump.org/)) and the traffic analysis services ([Zeek](https://www.zeek.org/) and [Suricata](https://suricata.io/)) will see. Capture filters are specified using [Berkeley Packet Filter (BPF)](http://biot.com/capstats/bpf.html) syntax. For example, to indicate that Malcolm should ignore the ports it uses to communicate with Hedgehog Linux, users could specify `not port 5044 and not port 5045 and not port 8005 and not port 9200`.
-* **Disable capture interface hardware offloading and adjust ring buffer sizes?**
- - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) and users answer **Y** to this question, Malcolm will [use `ethtool`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/nic-capture-setup.sh) to disable NIC hardware offloading features and adjust ring buffer sizes for capture interface(s); this should be enabled if the interface(s) are being used for capture **only**, otherwise answer **N**. If unsure, users should probably answer **N**.
* **Enable dark mode for OpenSearch Dashboards?** - Answer **Y** for dark-themed dashboards or **N** for light-themed ones.
diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md
index 7d12a5d0a..17bf425d9 100644
--- a/docs/malcolm-iso.md
+++ b/docs/malcolm-iso.md
@@ -41,7 +41,7 @@ Building the ISO may take 30 minutes or more depending on the system. As the bui
```
…
-Finished, created "/malcolm-build/malcolm-iso/malcolm-23.08.1.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-23.09.0.iso"
…
```
diff --git a/docs/malcolm-preparation.md b/docs/malcolm-preparation.md
index 468138b53..b1ab467e8 100644
--- a/docs/malcolm-preparation.md
+++ b/docs/malcolm-preparation.md
@@ -3,12 +3,14 @@ * [Configuration](#Configuration) - [Recommended system requirements](system-requirements.md#SystemRequirements) - [Malcolm Configuration](malcolm-config.md#ConfigAndTuning) - + [Environment Variable Files](malcolm-config.md#MalcolmConfigEnvVars) + + [Environment variable files](malcolm-config.md#MalcolmConfigEnvVars) + + [Command-line arguments](malcolm-config.md#CommandLineConfig) - [Configure authentication](authsetup.md#AuthSetup) + [Local account management](authsetup.md#AuthBasicAccountManagement) + [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) * [LDAP connection security](authsetup.md#AuthLDAPSecurity) + [TLS certificates](authsetup.md#TLSCerts) + + [Command-line arguments](authsetup.md#CommandLineConfig) - [Platform-specific Configuration](host-config.md#HostSystemConfig) + [Linux host system configuration](host-config-linux.md#HostSystemConfigLinux) + [macOS host system configuration](host-config-macos.md#HostSystemConfigMac) diff --git a/docs/quickstart.md b/docs/quickstart.md index 1e29f9e2b..49ac0af1e 100644 --- a/docs/quickstart.md +++ b/docs/quickstart.md 
@@ -54,25 +54,25 @@ You can then observe the images have been retrieved by running `docker images`: ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.08.1 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.08.1 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.08.1 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.08.1 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.08.1 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.08.1 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.08.1 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.08.1 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.08.1 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.08.1 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.08.1 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.08.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.08.1 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.08.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.08.1 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.08.1 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.08.1 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.08.1 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.08.1 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.09.0 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.09.0 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.09.0 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.09.0 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.09.0 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.09.0 xxxxxxxxxxxx 
3 days ago 259MB +ghcr.io/idaholab/malcolm/filebeat-oss 23.09.0 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.09.0 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.09.0 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.09.0 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.09.0 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.09.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.09.0 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.09.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.09.0 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.09.0 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.09.0 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.09.0 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.09.0 xxxxxxxxxxxx 3 days ago 1GB ``` ### Import from pre-packaged tarballs diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index 4e3e9386a..8b5bb2ad1 100644 --- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md @@ -130,9 +130,7 @@ Select authentication method (Basic): 1 Store PCAP, log and index files locally under /home/user/Malcolm? (Y/n): y -Delete the oldest indices when the database exceeds a certain size? (y/N): n - -Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y/N): y +Should Malcolm delete the oldest database indices and/or PCAP files based on available storage? n Automatically analyze all PCAP files with Suricata? (Y/n): y 
@@ -140,7 +138,7 @@ Download updated Suricata signatures periodically? (y/N): y Automatically analyze all PCAP files with Zeek? (Y/n): y -Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek? (y/N): n +Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network? (y/N): n Perform reverse DNS lookup locally for source and destination IP addresses in logs? (y/N): n @@ -183,20 +181,13 @@ Download updated file scanner signatures periodically? (n/Y): y Should Malcolm run and maintain an instance of NetBox, an infrastructure resource modeling tool? (y/N): n -Should Malcolm capture live network traffic to PCAP files for analysis with Arkime? (y/N): y - -Capture packets using netsniff-ng? (Y/n): y - -Should Malcolm analyze live network traffic with Suricata? (y/N): y - -Should Malcolm analyze live network traffic with Zeek? (y/N): y +1: no +2: yes +3: customize +Should Malcolm capture live network traffic? 2 Specify capture interface(s) (comma-separated): eth0 -Capture filter (tcpdump-like filter expression; leave blank to capture all traffic) (): not port 5044 and not port 8005 and not port 9200 - -Disable capture interface hardware offloading and adjust ring buffer sizes? (y/N): n - Enable dark mode for OpenSearch Dashboards? (n/Y): y Malcolm has been installed to /home/user/Malcolm. See README.md for more information. 
@@ -253,25 +244,25 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.08.1 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.08.1 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.08.1 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.08.1 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.08.1 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.08.1 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.08.1 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.08.1 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.08.1 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.08.1 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.08.1 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.08.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.08.1 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.08.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.08.1 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.08.1 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.08.1 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.08.1 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.08.1 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.09.0 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.09.0 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.09.0 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.09.0 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.09.0 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.09.0 xxxxxxxxxxxx 3 days ago 259MB 
+ghcr.io/idaholab/malcolm/filebeat-oss 23.09.0 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.09.0 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.09.0 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.09.0 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.09.0 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.09.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.09.0 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.09.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.09.0 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.09.0 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.09.0 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.09.0 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.09.0 xxxxxxxxxxxx 3 days ago 1GB ``` Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing. diff --git a/filebeat/supervisord.conf b/filebeat/supervisord.conf index b81c54ef5..63ab06f1b 100644 --- a/filebeat/supervisord.conf +++ b/filebeat/supervisord.conf @@ -30,7 +30,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:filebeat-nginx] -command=bash -c "/usr/local/bin/opensearch_status.sh && /usr/local/bin/docker-entrypoint -e --strict.perms=false \ +command=bash -c "/usr/local/bin/opensearch_status.sh -t malcolm_beats_template && /usr/local/bin/docker-entrypoint -e --strict.perms=false \ --path.home /usr/share/filebeat-nginx \ --path.config /usr/share/filebeat-nginx \ --path.data /usr/share/filebeat-nginx/data \ 
@@ -48,7 +48,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:filebeat-tcp] -command=bash -c "/usr/local/bin/opensearch_status.sh && /usr/local/bin/docker-entrypoint -e --strict.perms=false \ +command=bash -c "/usr/local/bin/opensearch_status.sh -t malcolm_beats_template && /usr/local/bin/docker-entrypoint -e --strict.perms=false \ --path.home /usr/share/filebeat-tcp \ --path.config /usr/share/filebeat-tcp \ --path.data /usr/share/filebeat-tcp/data \ diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml index b5df20dd3..e92e3c229 100644 --- a/kubernetes/03-opensearch.yml +++ b/kubernetes/03-opensearch.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: opensearch-container - image: ghcr.io/idaholab/malcolm/opensearch:23.08.1 + image: ghcr.io/idaholab/malcolm/opensearch:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -69,7 +69,7 @@ spec: subPath: "opensearch" initContainers: - name: opensearch-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml index 69aac5c2e..1df47b609 100644 --- a/kubernetes/04-dashboards.yml +++ b/kubernetes/04-dashboards.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-container - image: ghcr.io/idaholab/malcolm/dashboards:23.08.1 + image: ghcr.io/idaholab/malcolm/dashboards:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml index f0207af37..07545d292 100644 --- a/kubernetes/05-upload.yml +++ b/kubernetes/05-upload.yml @@ -34,7 +34,7 @@ spec: spec: containers: - name: upload-container - image: ghcr.io/idaholab/malcolm/file-upload:23.08.1 + image: ghcr.io/idaholab/malcolm/file-upload:23.09.0 imagePullPolicy: Always stdin: false tty: true 
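Review bot: The new `-t malcolm_beats_template` argument makes this `filebeat-tcp` program (and `filebeat-nginx` in the hunk above) block on an index template that `opensearch_status.sh`, which is not in this diff, is presumably polling for, and nothing in the conf says so; an operator who finds the program stuck in STARTING has no pointer to the dependency. Add a comment above each `command=` line, e.g. `; block until OpenSearch is reachable AND the malcolm_beats_template index template exists (see opensearch_status.sh -t)`. If that template is installed only by a component that can be disabled, for instance when Malcolm is pointed at an external OpenSearch it does not manage, confirm these programs cannot wait forever; I cannot see the script's timeout behavior from here.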
@@ -73,7 +73,7 @@ spec: subPath: "upload" initContainers: - name: upload-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml index d126270d7..32c96cd0c 100644 --- a/kubernetes/06-pcap-monitor.yml +++ b/kubernetes/06-pcap-monitor.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: pcap-monitor-container - image: ghcr.io/idaholab/malcolm/pcap-monitor:23.08.1 + image: ghcr.io/idaholab/malcolm/pcap-monitor:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -70,7 +70,7 @@ spec: name: pcap-monitor-zeek-volume initContainers: - name: pcap-monitor-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml index 4f2736cf7..e4c9b9984 100644 --- a/kubernetes/07-arkime.yml +++ b/kubernetes/07-arkime.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: arkime-container - image: ghcr.io/idaholab/malcolm/arkime:23.08.1 + image: ghcr.io/idaholab/malcolm/arkime:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: "arkime" initContainers: - name: arkime-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml index a9c85b5a0..5bb0c48c6 100644 --- a/kubernetes/08-api.yml +++ b/kubernetes/08-api.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: api-container - image: ghcr.io/idaholab/malcolm/api:23.08.1 + image: ghcr.io/idaholab/malcolm/api:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml index 05ef620c3..2e0e774d6 100644 
--- a/kubernetes/09-dashboards-helper.yml +++ b/kubernetes/09-dashboards-helper.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-helper-container - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.08.1 + image: ghcr.io/idaholab/malcolm/dashboards-helper:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml index 55d2cef1d..f1024af87 100644 --- a/kubernetes/10-zeek.yml +++ b/kubernetes/10-zeek.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: zeek-offline-container - image: ghcr.io/idaholab/malcolm/zeek:23.08.1 + image: ghcr.io/idaholab/malcolm/zeek:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -68,7 +68,7 @@ spec: subPath: "zeek/intel" initContainers: - name: zeek-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml index 28fc5634e..45b8f3297 100644 --- a/kubernetes/11-suricata.yml +++ b/kubernetes/11-suricata.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: suricata-offline-container - image: ghcr.io/idaholab/malcolm/suricata:23.08.1 + image: ghcr.io/idaholab/malcolm/suricata:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -61,7 +61,7 @@ spec: name: suricata-offline-custom-rules-volume initContainers: - name: suricata-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml index c10f6e611..7e369339d 100644 --- a/kubernetes/12-file-monitor.yml +++ b/kubernetes/12-file-monitor.yml 
@@ -33,7 +33,7 @@ spec: spec: containers: - name: file-monitor-container - image: ghcr.io/idaholab/malcolm/file-monitor:23.08.1 + image: ghcr.io/idaholab/malcolm/file-monitor:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -81,7 +81,7 @@ spec: name: file-monitor-yara-rules-custom-volume initContainers: - name: file-monitor-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml index 64769c648..af7a9da02 100644 --- a/kubernetes/13-filebeat.yml +++ b/kubernetes/13-filebeat.yml @@ -33,7 +33,7 @@ spec: spec: containers: - name: filebeat-container - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.08.1 + image: ghcr.io/idaholab/malcolm/filebeat-oss:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: "nginx" initContainers: - name: filebeat-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml index 5cec2d705..737b4bb0c 100644 --- a/kubernetes/14-logstash.yml +++ b/kubernetes/14-logstash.yml @@ -49,7 +49,7 @@ spec: # topologyKey: "kubernetes.io/hostname" containers: - name: logstash-container - image: ghcr.io/idaholab/malcolm/logstash-oss:23.08.1 + image: ghcr.io/idaholab/malcolm/logstash-oss:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -113,7 +113,7 @@ spec: subPath: "logstash" initContainers: - name: logstash-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml index 39fccdb8d..825a679d9 100644 --- a/kubernetes/15-netbox-redis.yml +++ b/kubernetes/15-netbox-redis.yml 
@@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-container - image: ghcr.io/idaholab/malcolm/redis:23.08.1 + image: ghcr.io/idaholab/malcolm/redis:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: netbox/redis initContainers: - name: netbox-redis-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml index 2f782c4db..672764ee7 100644 --- a/kubernetes/16-netbox-redis-cache.yml +++ b/kubernetes/16-netbox-redis-cache.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-cache-container - image: ghcr.io/idaholab/malcolm/redis:23.08.1 + image: ghcr.io/idaholab/malcolm/redis:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml index c49075195..4fc433e6f 100644 --- a/kubernetes/17-netbox-postgres.yml +++ b/kubernetes/17-netbox-postgres.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-postgres-container - image: ghcr.io/idaholab/malcolm/postgresql:23.08.1 + image: ghcr.io/idaholab/malcolm/postgresql:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -74,7 +74,7 @@ spec: subPath: netbox/postgres initContainers: - name: netbox-postgres-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml index e1a35d569..4ae1aa578 100644 --- a/kubernetes/18-netbox.yml +++ b/kubernetes/18-netbox.yml @@ -36,7 +36,7 @@ spec: spec: containers: - name: netbox-container - image: ghcr.io/idaholab/malcolm/netbox:23.08.1 + image: ghcr.io/idaholab/malcolm/netbox:23.09.0 imagePullPolicy: Always stdin: false tty: true 
@@ -88,7 +88,7 @@ spec: subPath: netbox/media initContainers: - name: netbox-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml index 28e828743..c98c89faa 100644 --- a/kubernetes/19-htadmin.yml +++ b/kubernetes/19-htadmin.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: htadmin-container - image: ghcr.io/idaholab/malcolm/htadmin:23.08.1 + image: ghcr.io/idaholab/malcolm/htadmin:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -63,7 +63,7 @@ spec: subPath: "htadmin" initContainers: - name: htadmin-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml index 711ee4248..c90f61430 100644 --- a/kubernetes/20-pcap-capture.yml +++ b/kubernetes/20-pcap-capture.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: pcap-capture-container - image: ghcr.io/idaholab/malcolm/pcap-capture:23.08.1 + image: ghcr.io/idaholab/malcolm/pcap-capture:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -46,7 +46,7 @@ spec: subPath: "upload" initContainers: - name: pcap-capture-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml index e1d2f6629..4ddfeb86d 100644 --- a/kubernetes/21-zeek-live.yml +++ b/kubernetes/21-zeek-live.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: zeek-live-container - image: ghcr.io/idaholab/malcolm/zeek:23.08.1 + image: ghcr.io/idaholab/malcolm/zeek:23.09.0 imagePullPolicy: Always stdin: false tty: true 
@@ -60,7 +60,7 @@ spec: subPath: "zeek/intel" initContainers: - name: zeek-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml index 875d78157..73233549b 100644 --- a/kubernetes/22-suricata-live.yml +++ b/kubernetes/22-suricata-live.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: suricata-live-container - image: ghcr.io/idaholab/malcolm/suricata:23.08.1 + image: ghcr.io/idaholab/malcolm/suricata:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -51,7 +51,7 @@ spec: name: suricata-live-suricata-logs-volume initContainers: - name: suricata-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/23-freq.yml b/kubernetes/23-freq.yml index b0c066558..139b7eaad 100644 --- a/kubernetes/23-freq.yml +++ b/kubernetes/23-freq.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: freq-container - image: ghcr.io/idaholab/malcolm/freq:23.08.1 + image: ghcr.io/idaholab/malcolm/freq:23.09.0 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml index 25a376e0d..2736240d2 100644 --- a/kubernetes/98-nginx-proxy.yml +++ b/kubernetes/98-nginx-proxy.yml @@ -39,7 +39,7 @@ spec: spec: containers: - name: nginx-proxy-container - image: ghcr.io/idaholab/malcolm/nginx-proxy:23.08.1 + image: ghcr.io/idaholab/malcolm/nginx-proxy:23.09.0 imagePullPolicy: Always stdin: false tty: true @@ -95,7 +95,7 @@ spec: subPath: "nginx" initContainers: - name: nginx-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/idaholab/malcolm/dirinit:23.09.0 imagePullPolicy: Always stdin: false tty: true 
diff --git a/logstash/pipelines/enrichment/21_netbox.conf b/logstash/pipelines/enrichment/21_netbox.conf index 1f82bc030..50731cc12 100644 --- a/logstash/pipelines/enrichment/21_netbox.conf +++ b/logstash/pipelines/enrichment/21_netbox.conf @@ -47,7 +47,7 @@ filter { "autopopulate_env" => "LOGSTASH_NETBOX_AUTO_POPULATE" "default_manuf_env" => "NETBOX_DEFAULT_MANUFACTURER" "default_dtype_env" => "NETBOX_DEFAULT_DEVICE_TYPE" - "default_drole_env" => "NETBOX_DEFAULT_DEVICE_ROLE" + "default_role_env" => "NETBOX_DEFAULT_ROLE" "autopopulate_fuzzy_threshold_env" => "NETBOX_DEFAULT_FUZZY_THRESHOLD" "source_oui" => "[source][oui]" "source_mac" => "[source][mac]" @@ -83,7 +83,7 @@ filter { "autopopulate_env" => "LOGSTASH_NETBOX_AUTO_POPULATE" "default_manuf_env" => "NETBOX_DEFAULT_MANUFACTURER" "default_dtype_env" => "NETBOX_DEFAULT_DEVICE_TYPE" - "default_drole_env" => "NETBOX_DEFAULT_DEVICE_ROLE" + "default_role_env" => "NETBOX_DEFAULT_ROLE" "autopopulate_fuzzy_threshold_env" => "NETBOX_DEFAULT_FUZZY_THRESHOLD" "source_oui" => "[destination][oui]" "source_mac" => "[destination][mac]" diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf index 1ae4e31cb..fd9fdf627 100644 --- a/logstash/pipelines/zeek/12_zeek_mutate.conf +++ b/logstash/pipelines/zeek/12_zeek_mutate.conf @@ -248,6 +248,9 @@ filter { rename => { "[zeek][bacnet_property][invoke_id]" => "[zeek][bacnet][invoke_id]" } rename => { "[zeek][bacnet_discovery][instance_number]" => "[zeek][bacnet][instance_number]" } rename => { "[zeek][bacnet_property][instance_number]" => "[zeek][bacnet][instance_number]" } + rename => { "[zeek][bacnet_device_control][pdu_service]" => "[zeek][bacnet][pdu_service]" } + rename => { "[zeek][bacnet_discovery][pdu_service]" => "[zeek][bacnet][pdu_service]" } + rename => { "[zeek][bacnet_property][pdu_service]" => "[zeek][bacnet][pdu_service]" } } } else if ([log_source] == "bsap_ip_rdb") { 
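Review bot: Renaming the environment variable read for the default role from `NETBOX_DEFAULT_DEVICE_ROLE` to `NETBOX_DEFAULT_ROLE` (both `default_role_env` entries in the first hunk) silently discards the value on any existing deployment whose env file still sets the old name: netbox_enrich.rb substitutes the literal `"Unspecified"` when the variable is empty, so auto-populated devices quietly get that role instead of an error. The matching env-file change is not visible in this diff, and even if it is made elsewhere a pull does not rewrite users' copies of the env files, so an upgrade note is needed. Alternatively keep the old name as a secondary lookup, e.g. `"default_role_env" => "NETBOX_DEFAULT_ROLE"` followed by `"default_role_fallback_env" => "NETBOX_DEFAULT_DEVICE_ROLE"`, with netbox_enrich.rb consulting the fallback only when the primary is unset; that keeps the rename from being a silent behavior change.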
diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf index c2bc33f7c..4e735f962 100644 --- a/logstash/pipelines/zeek/13_zeek_normalize.conf +++ b/logstash/pipelines/zeek/13_zeek_normalize.conf 
@@ -161,34 +161,26 @@ filter { # Action ############################################################################################################ # collect all actions/operations/commands under the parent [event][action] array - if ([zeek][bacnet][pdu_service]) { - mutate { id => "mutate_merge_normalize_zeek_bacnet_pdu_service" - merge => { "[event][action]" => "[zeek][bacnet][pdu_service]" } } - } else if ([zeek][bacnet][bvlc_function]) and - # e.g., "BVLC_Result" and "Unknown BVLC Function Code-0x0c" which aren't really "actions" - ([zeek][bacnet][bvlc_function] !~ "BVLC") { - mutate { id => "mutate_merge_normalize_zeek_bacnet_bvlc_function" - merge => { "[event][action]" => "[zeek][bacnet][bvlc_function]" } } - } - if ([zeek][bacnet_device_control]) { ruby { # action = pdu_service:device_state id => "ruby_zeek_bacnet_device_control_generate_action" code => " actions = Array.new unless (actions = event.get('[event][action]')) - actions.append([event.get('[zeek][bacnet_device_control][pdu_service]'), + actions.append([event.get('[zeek][bacnet][pdu_service]'), event.get('[zeek][bacnet_device_control][device_state]')].reject{ |e| e.nil? || e&.empty? 
}.join(':')) event.set('[event][action]', actions)" } + } else if ([zeek][bacnet][pdu_service]) { + mutate { id => "mutate_merge_normalize_zeek_bacnet_pdu_service" + merge => { "[event][action]" => "[zeek][bacnet][pdu_service]" } } + } else if ([zeek][bacnet][bvlc_function]) and + # e.g., "BVLC_Result" and "Unknown BVLC Function Code-0x0c" which aren't really "actions" + ([zeek][bacnet][bvlc_function] !~ "BVLC") { + mutate { id => "mutate_merge_normalize_zeek_bacnet_bvlc_function" + merge => { "[event][action]" => "[zeek][bacnet][bvlc_function]" } } } - if ([zeek][bacnet_discovery][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_discovery_pdu_service" - merge => { "[event][action]" => "[zeek][bacnet_discovery][pdu_service]" } } } - - if ([zeek][bacnet_property][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_property_pdu_service" - merge => { "[event][action]" => "[zeek][bacnet_property][pdu_service]" } } } - if ([zeek][bsap_ip_header][type_name]) { mutate { id => "mutate_merge_normalize_zeek_bsap_ip_header_type_name" merge => { "[event][action]" => "[zeek][bsap_ip_header][type_name]" } } } 
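Review bot: In the new first branch the ruby block appends whatever `[...].reject{...}.join(':')` yields, and when both `[zeek][bacnet][pdu_service]` and `[zeek][bacnet_device_control][device_state]` are absent that is the empty string, so `[event][action]` can end up holding `""` for a bacnet_device_control record that has neither field. Because this branch now takes precedence over the `else if ([zeek][bacnet][pdu_service])` merge, such a record never reaches the generic path either. Guard the append: `action = [...].reject { |e| e.nil? || e.empty? }.join(':')` followed by `actions.append(action) unless action.empty?`. Whether a device_control log can really lack both fields depends on the Zeek BACnet analyzer, which I cannot see from here; the guard is harmless either way. The `e&.empty?` after the `e.nil?` test is redundant, and `empty?` would raise on a non-string value, so confirm device_state is always a string.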
@@ -651,19 +643,10 @@ filter { # Result ############################################################################################################ # collect all result/status/response/errors under the parent [event][result] array - if ([zeek][bacnet]) { - if ([zeek][bacnet][result_code]) { - mutate { id => "mutate_merge_normalize_zeek_bacnet_result_code" - merge => { "[event][result]" => "[zeek][bacnet][result_code]" } } - } else if ([zeek][bacnet][pdu_service]) { - mutate { id => "mutate_add_field_zeek_bacnet_success" - add_field => { "[@metadata][zeek_bacnet_result]" => "Success" } } - mutate { id => "mutate_merge_field_zeek_bacnet_success" - merge => { "[event][result]" => "[@metadata][zeek_bacnet_result]" } } - } - } - - if ([zeek][bacnet_device_control][result]) or ([zeek][bacnet_device_control][result_code]) { + if ([zeek][bacnet][result_code]) { + mutate { id => "mutate_merge_normalize_zeek_bacnet_result_code" + merge => { "[event][result]" => "[zeek][bacnet][result_code]" } } + } else if ([zeek][bacnet_device_control][result]) or ([zeek][bacnet_device_control][result_code]) { if ([zeek][bacnet_device_control][result]) { mutate { id => "mutate_lowercase_zeek_bacnet_device_control_result" capitalize => [ "[zeek][bacnet_device_control][result]" ] } 
@@ -674,11 +657,11 @@ filter { mutate { id => "mutate_merge_zeek_bacnet_device_control_result_code" merge => { "[event][result]" => "[zeek][bacnet_device_control][result_code]" } } } - } else if ([zeek][bacnet_device_control][pdu_service]) { - mutate { id => "mutate_add_field_zeek_bacnet_device_control_success" - add_field => { "[@metadata][zeek_bacnet_device_control_result]" => "Success" } } - mutate { id => "mutate_merge_field_zeek_bacnet_device_control_success" - merge => { "[event][result]" => "[@metadata][zeek_bacnet_device_control_result]" } } + } else if ([zeek][bacnet][pdu_service]) { + mutate { id => "mutate_add_field_zeek_bacnet_success" + add_field => { "[@metadata][zeek_bacnet_result]" => "Success" } } + mutate { id => "mutate_merge_field_zeek_bacnet_success" + merge => { "[event][result]" => "[@metadata][zeek_bacnet_result]" } } } if ([zeek][cip][cip_status] or [zeek][cip][cip_extended_status]) { @@ -825,6 +808,8 @@ filter { merge => { "[event][result]" => "[zeek][ldap_search][result_code]" } } } if ([zeek][modbus]) { + mutate { id => "mutate_lowercase_field_modbus_network_direction" + lowercase => [ "[zeek][modbus][network_direction]" ] } if ([zeek][modbus][exception]) { # we have an exception, so set that as result mutate { id => "mutate_merge_normalize_zeek_modbus_exception" diff --git a/logstash/ruby/netbox_enrich.rb b/logstash/ruby/netbox_enrich.rb index 4d0c9c608..6de233590 100644 --- a/logstash/ruby/netbox_enrich.rb +++ b/logstash/ruby/netbox_enrich.rb @@ -104,7 +104,7 @@ def register(params) @source_mac = params["source_mac"] @source_segment = params["source_segment"] - # default manufacturer, device role and device type if not specified, either specified directly or read from ENVs + # default manufacturer, role and device type if not specified, either specified directly or read from ENVs @default_manuf = params["default_manuf"] _default_manuf_env = params["default_manuf_env"] if @default_manuf.nil? && !_default_manuf_env.nil? 
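Review bot: The rewritten chain labels every record that has `[zeek][bacnet][pdu_service]` but neither `[zeek][bacnet][result_code]` nor a device_control result as `Success` (final `else if` of the second hunk), and because the companion 12_zeek_mutate.conf change now moves pdu_service into `[zeek][bacnet]` for bacnet_discovery and bacnet_property logs as well, those logs gain a `Success` result they did not carry before. If either of those logs can report an error or abort in a field other than `[zeek][bacnet][result_code]`, it would now be normalized as a success; confirm against the analyzer's log schema and, if such fields exist, test them ahead of the `Success` default. A one-line comment above that branch would make the assumption explicit: `# a BACnet request with a pdu_service and no result/error field is treated as successful`. The context line `id => "mutate_lowercase_zeek_bacnet_device_control_result"` names a `capitalize` operation; not part of this change, but worth correcting while the block is being touched.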
@@ -149,13 +149,13 @@ def register(params) @default_dtype = nil end - @default_drole = params["default_drole"] - _default_drole_env = params["default_drole_env"] - if @default_drole.nil? && !_default_drole_env.nil? - @default_drole = ENV[_default_drole_env] + @default_role = params["default_role"] + _default_role_env = params["default_role_env"] + if @default_role.nil? && !_default_role_env.nil? + @default_role = ENV[_default_role_env] end - if !@default_drole.nil? && @default_drole.empty? - @default_drole = nil + if !@default_role.nil? && @default_role.empty? + @default_role = nil end # threshold for fuzzy string matching (for manufacturer, etc.) @@ -181,8 +181,8 @@ def register(params) # case-insensitive hash of OUIs (https://standards-oui.ieee.org/) to Manufacturers (https://demo.netbox.dev/static/docs/core-functionality/device-types/) @manuf_hash = LruRedux::ThreadSafeCache.new(params.fetch("manuf_cache_size", 2048)) - # case-insensitive hash of device role names to IDs - @drole_hash = LruRedux::ThreadSafeCache.new(params.fetch("drole_cache_size", 128)) + # case-insensitive hash of role names to IDs + @role_hash = LruRedux::ThreadSafeCache.new(params.fetch("role_cache_size", 128)) # case-insensitive hash of site names to IDs @site_hash = LruRedux::ThreadSafeCache.new(params.fetch("site_cache_size", 128)) 
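Review bot: `register` now reads `params["default_role"]`, `params["default_role_env"]` and `params.fetch("role_cache_size", 128)`, so a pipeline still passing the old `default_drole`, `default_drole_env` or `drole_cache_size` keys is ignored without any warning; the default becomes nil and, per the `_autopopulate_default_role` line in `filter`, devices are created with the literal `"Unspecified"` role. The bundled 21_netbox.conf is updated in this same commit, but a custom pipeline or an older checkout of that conf would not be. Accepting the legacy keys for one release is two lines: `@default_role = params["default_role"] || params["default_drole"]` and `_default_role_env = params["default_role_env"] || params["default_drole_env"]`, with the old names documented as deprecated in the comment above. `register` continues past the end of this hunk.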
@@ -209,7 +209,7 @@ def filter(event) _lookup_service_port = (@lookup_service ? event.get("#{@lookup_service_port_source}") : nil).to_i _autopopulate = @autopopulate _autopopulate_default_manuf = (@default_manuf.nil? || @default_manuf.empty?) ? "Unspecified" : @default_manuf - _autopopulate_default_drole = (@default_drole.nil? || @default_drole.empty?) ? "Unspecified" : @default_drole + _autopopulate_default_role = (@default_role.nil? || @default_role.empty?) ? "Unspecified" : @default_role _autopopulate_default_dtype = (@default_dtype.nil? || @default_dtype.empty?) ? "Unspecified" : @default_dtype _autopopulate_default_site = (@lookup_site.nil? || @lookup_site.empty?) ? "default" : @lookup_site _autopopulate_fuzzy_threshold = @autopopulate_fuzzy_threshold @@ -231,7 +231,7 @@ def filter(event) _lookup_result = nil _autopopulate_device = nil - _autopopulate_drole = nil + _autopopulate_role = nil _autopopulate_dtype = nil _autopopulate_interface = nil _autopopulate_ip = nil @@ -298,7 +298,7 @@ def filter(event) :url => _device.fetch(:url, nil), :service => _device.fetch(:service, []).map {|s| s.fetch(:name, s.fetch(:display, nil)) }, :site => _device_site, - :role => ((_role = _device.fetch(:role, _device.fetch(:device_role, nil))) && _role&.has_key?(:name)) ? _role[:name] : _role&.fetch(:display, nil), + :role => ((_role = _device.fetch(:role, nil)) && _role&.has_key?(:name)) ? _role[:name] : _role&.fetch(:display, nil), :cluster => ((_cluster = _device.fetch(:cluster, nil)) && _cluster&.has_key?(:name)) ? _cluster[:name] : _cluster&.fetch(:display, nil), :device_type => ((_dtype = _device.fetch(:device_type, nil)) && _dtype&.has_key?(:name)) ? _dtype[:name] : _dtype&.fetch(:display, nil), :manufacturer => ((_manuf = _device.dig(:device_type, :manufacturer)) && _manuf&.has_key?(:name)) ? _manuf[:name] : _manuf&.fetch(:display, nil), 
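Review bot: The `:role` lookup now drops the `:device_role` fallback, so a device record from a NetBox release that still returns `device_role` yields a nil role instead of its name. If the NetBox shipped with Malcolm is pinned to a release that always returns `role` this is fine; otherwise keep `_device.fetch(:role, _device.fetch(:device_role, nil))` for one more release. The same version dependency applies to the device-creation payload `:role => _autopopulate_role[:id]` in a later hunk of this file and to `"role": role.id` in netbox_init.py. The enclosing filter method starts and ends outside this hunk.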
@@ -409,7 +409,7 @@ def filter(event) :id => nil} end - # make sure the site and device role exists + # make sure the site and role exists _autopopulate_site = @site_hash.getset(_autopopulate_default_site) { begin @@ -447,32 +447,32 @@ def filter(event) _site } - _autopopulate_drole = @drole_hash.getset(_autopopulate_default_drole) { + _autopopulate_role = @role_hash.getset(_autopopulate_default_role) { begin - _drole = nil + _role = nil # look it up first _query = { :offset => 0, :limit => 1, - :name => _autopopulate_default_drole } - if (_droles_response = _nb.get('dcim/device-roles/', _query).body) && - _droles_response.is_a?(Hash) && - (_tmp_droles = _droles_response.fetch(:results, [])) && - (_tmp_droles.length() > 0) + :name => _autopopulate_default_role } + if (_roles_response = _nb.get('dcim/device-roles/', _query).body) && + _roles_response.is_a?(Hash) && + (_tmp_roles = _roles_response.fetch(:results, [])) && + (_tmp_roles.length() > 0) then - _drole = _tmp_droles.first + _role = _tmp_roles.first end - if _drole.nil? - # the device role is not found, create it - _drole_data = { :name => _autopopulate_default_drole, - :slug => _autopopulate_default_drole.to_url, + if _role.nil? + # the role is not found, create it + _role_data = { :name => _autopopulate_default_role, + :slug => _autopopulate_default_role.to_url, :color => "d3d3d3" } - if (_drole_create_response = _nb.post('dcim/device-roles/', _drole_data.to_json, _nb_headers).body) && - _drole_create_response.is_a?(Hash) && - _drole_create_response.has_key?(:id) + if (_role_create_response = _nb.post('dcim/device-roles/', _role_data.to_json, _nb_headers).body) && + _role_create_response.is_a?(Hash) && + _role_create_response.has_key?(:id) then - _drole = _drole_create_response + _role = _role_create_response end end 
@@ -480,13 +480,13 @@ def filter(event) # give up aka do nothing _exception_error = true end - _drole + _role } - # we should have found or created the autopopulate device role and site + # we should have found or created the autopopulate role and site begin if _autopopulate_site&.fetch(:id, nil)&.nonzero? && - _autopopulate_drole&.fetch(:id, nil)&.nonzero? + _autopopulate_role&.fetch(:id, nil)&.nonzero? then if _autopopulate_manuf[:vm] @@ -568,7 +568,7 @@ def filter(event) _device_name = _autopopulate_hostname.to_s.empty? ? "#{_autopopulate_manuf[:name]} @ #{_key}" : "#{_autopopulate_hostname} @ #{_key}" _device_data = { :name => _device_name, :device_type => _autopopulate_dtype[:id], - :device_role => _autopopulate_drole[:id], + :role => _autopopulate_role[:id], :site => _autopopulate_site[:id], :status => "staged" } if (_device_create_response = _nb.post('dcim/devices/', _device_data.to_json, _nb_headers).body) && @@ -584,7 +584,7 @@ def filter(event) end # virtual machine vs. regular device - end # site and drole are valid + end # site and role are valid rescue Faraday::Error # give up aka do nothing @@ -597,7 +597,7 @@ def filter(event) :id => _autopopulate_device&.fetch(:id, nil), :url => _autopopulate_device&.fetch(:url, nil), :site => _autopopulate_site&.fetch(:name, nil), - :role => _autopopulate_drole&.fetch(:name, nil), + :role => _autopopulate_role&.fetch(:name, nil), :device_type => _autopopulate_dtype&.fetch(:name, nil), :manufacturer => _autopopulate_manuf&.fetch(:name, nil), :details => _verbose ? _autopopulate_device : nil } diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh index 01f945272..3200c65a4 100755 --- a/logstash/scripts/logstash-start.sh +++ b/logstash/scripts/logstash-start.sh 
@@ -128,6 +128,9 @@ find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_O [[ -r /usr/share/logstash/config/logstash.orig.yml ]] && \ cp /usr/share/logstash/config/logstash.orig.yml /usr/share/logstash/config/logstash.yml +# give OpenSearch time to start before starting Logstash +/usr/local/bin/opensearch_status.sh -t malcolm_template 2>&1 + # start logstash (adapted from docker-entrypoint) env2yaml /usr/share/logstash/config/logstash.yml export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS" diff --git a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot index 1ad819668..9d160f065 100755 --- a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot @@ -150,12 +150,12 @@ sed -r -i "s/((disk_full_action|disk_error_action)\s*=\s*).*/\1 SYSLOG/" /etc/au sed -r -i "s/(network_failure_action\s*=\s*).*/\1 syslog/" /etc/audit/audisp-remote.conf # disable ntp for now, and disable servers, but it could be turned back on later -systemctl disable ntp || true -sed -i "s/^\(pool \)/# \1/" /etc/ntp.conf -sed -i "s/^\(restrict -6\)/# \1/" /etc/ntp.conf -sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntp.conf -sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntp -usermod -d /var/lib/ntp ntp +systemctl disable ntpsec || true +sed -i "s/^\(pool \)/# \1/" /etc/ntpsec/ntp.conf +sed -i "s/^\(restrict -6\)/# \1/" /etc/ntpsec/ntp.conf +sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntpsec/ntp.conf +sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntpsec +usermod -d /var/lib/ntpsec ntpsec # disable default fluentbit configuration systemctl disable fluent-bit || true 
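Review bot: The exit status of `/usr/local/bin/opensearch_status.sh -t malcolm_template` is discarded, so a reader cannot tell whether a failed or timed-out wait is meant to fall through to starting Logstash. The comment should say what is expected, e.g. `# wait (best-effort) for OpenSearch and the malcolm_template to be available before starting Logstash`, and the script's own behaviour on failure is not visible here, so that should be confirmed against opensearch_status.sh.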
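Review bot: The comment above the rewritten block still reads `# disable ntp for now, ...` while every command now targets ntpsec; it should read `# disable ntpsec for now, and disable servers, but it could be turned back on later`. Each `sed -i` silently matches nothing when the ntpsec configuration differs from the classic ntp layout, so it is worth confirming that `/etc/ntpsec/ntp.conf` carries the `pool`, `restrict -6` and `restrict ::1` lines and that `/etc/default/ntpsec` uses `NTPD_OPTS` before relying on this hook to keep the daemon off the network.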
diff --git a/malcolm-iso/config/includes.binary/live/filesystem.packages-remove b/malcolm-iso/config/includes.binary/live/filesystem.packages-remove new file mode 100644 index 000000000..e69de29bb diff --git a/malcolm-iso/config/package-lists/net.list.chroot b/malcolm-iso/config/package-lists/net.list.chroot index 2a7aff050..6106c8138 100644 --- a/malcolm-iso/config/package-lists/net.list.chroot +++ b/malcolm-iso/config/package-lists/net.list.chroot @@ -11,7 +11,7 @@ libcurl4 libssh2-1 macchanger netcat-openbsd -ntp +ntpsec openssh-client openssh-server openvpn diff --git a/netbox/config/configuration.py b/netbox/config/configuration.py index f026afb18..b9d04ad59 100644 --- a/netbox/config/configuration.py +++ b/netbox/config/configuration.py @@ -155,8 +155,11 @@ def _environ_get_and_map( CHANGELOG_RETENTION = _environ_get_and_map('CHANGELOG_RETENTION', None, _AS_INT) # Maximum number of days to retain job results (scripts and reports). Set to 0 to retain job results in the database indefinitely. (Default: 90) -if 'JOBRESULT_RETENTION' in environ: - JOBRESULT_RETENTION = _environ_get_and_map('JOBRESULT_RETENTION', None, _AS_INT) +if 'JOB_RETENTION' in environ: + JOB_RETENTION = _environ_get_and_map('JOB_RETENTION', None, _AS_INT) +# JOBRESULT_RETENTION was renamed to JOB_RETENTION in the v3.5.0 release of NetBox. For backwards compatibility, map JOBRESULT_RETENTION to JOB_RETENTION +elif 'JOBRESULT_RETENTION' in environ: + JOB_RETENTION = _environ_get_and_map('JOBRESULT_RETENTION', None, _AS_INT) # API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be # allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or 
@@ -286,9 +289,9 @@ def _environ_get_and_map( # Remote authentication support REMOTE_AUTH_ENABLED = _environ_get_and_map('REMOTE_AUTH_ENABLED', 'False', _AS_BOOL) -REMOTE_AUTH_BACKEND = environ.get('REMOTE_AUTH_BACKEND', 'netbox.authentication.RemoteUserBackend') +REMOTE_AUTH_BACKEND = _environ_get_and_map('REMOTE_AUTH_BACKEND', 'netbox.authentication.RemoteUserBackend', _AS_LIST) REMOTE_AUTH_HEADER = environ.get('REMOTE_AUTH_HEADER', 'HTTP_REMOTE_USER') -REMOTE_AUTH_AUTO_CREATE_USER = _environ_get_and_map('REMOTE_AUTH_AUTO_CREATE_USER', 'True', _AS_BOOL) +REMOTE_AUTH_AUTO_CREATE_USER = _environ_get_and_map('REMOTE_AUTH_AUTO_CREATE_USER', 'False', _AS_BOOL) REMOTE_AUTH_DEFAULT_GROUPS = _environ_get_and_map('REMOTE_AUTH_DEFAULT_GROUPS', '', _AS_LIST) # REMOTE_AUTH_DEFAULT_PERMISSIONS = {} diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py index 26b1dd8f9..0e2f500fe 100755 --- a/netbox/scripts/netbox_init.py +++ b/netbox/scripts/netbox_init.py @@ -193,13 +193,13 @@ def main(): ) parser.add_argument( '-r', - '--device-role', - dest='deviceRoles', + '--role', + dest='roles', nargs='*', type=str, - default=[os.getenv('NETBOX_DEFAULT_DEVICE_ROLE', 'Unspecified')], + default=[os.getenv('NETBOX_DEFAULT_ROLE', 'Unspecified')], required=False, - help="Device role(s) to create (see also --device-roles)", + help="Role(s) to create", ) parser.add_argument( '-y', @@ -270,7 +270,7 @@ def main(): interfaces = {} ipAddresses = {} deviceTypes = {} - deviceRoles = {} + roles = {} manufacturers = {} randColor = randomcolor.RandomColor(seed=datetime.now().timestamp()) 
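Review bot: `REMOTE_AUTH_AUTO_CREATE_USER` now defaults to `'False'`, which silently changes behaviour for deployments that relied on the old auto-provisioning default; a comment should record the reason, e.g. `# default to False so remote-auth users must be provisioned explicitly; set REMOTE_AUTH_AUTO_CREATE_USER=True to auto-create`. `REMOTE_AUTH_BACKEND` now goes through `_AS_LIST`, so even the single default backend becomes a one-element list — fine if the NetBox in use accepts a list here, but worth a one-line comment since `REMOTE_AUTH_HEADER` on the next line still uses a bare `environ.get`.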
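Review bot: The default for `--role` reads only `NETBOX_DEFAULT_ROLE`, dropping `NETBOX_DEFAULT_DEVICE_ROLE` without the kind of fallback the configuration.py hunk keeps for `JOBRESULT_RETENTION`; an environment that still sets the old name silently falls back to `'Unspecified'`. Suggest `default=[os.getenv('NETBOX_DEFAULT_ROLE', os.getenv('NETBOX_DEFAULT_DEVICE_ROLE', 'Unspecified'))]` for one release. The help text also lost its hint that several names are accepted; `help="Role(s) to create (one or more names)"` would keep that. main() continues outside the hunk.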
@@ -390,29 +390,29 @@ def main(): except Exception as e: logging.error(f"{type(e).__name__} processing manufacturers: {e}") - # ###### DEVICE ROLES ########################################################################################## + # ###### ROLES ################################################################################################# try: - deviceRolesPreExisting = {x.name: x for x in nb.dcim.device_roles.all()} - logging.debug(f"Device roles (before): { {k:v.id for k, v in deviceRolesPreExisting.items()} }") + rolesPreExisting = {x.name: x for x in nb.dcim.device_roles.all()} + logging.debug(f"Roles (before): { {k:v.id for k, v in rolesPreExisting.items()} }") - # create device roles that don't already exist - for deviceRoleName in [x for x in args.deviceRoles if x not in deviceRolesPreExisting]: + # create roles that don't already exist + for roleName in [x for x in args.roles if x not in rolesPreExisting]: try: nb.dcim.device_roles.create( { - "name": deviceRoleName, - "slug": slugify(deviceRoleName), + "name": roleName, + "slug": slugify(roleName), "vm_role": True, "color": randColor.generate()[0][1:], }, ) except pynetbox.RequestError as nbe: - logging.warning(f"{type(nbe).__name__} processing device role \"{deviceRoleName}\": {nbe}") + logging.warning(f"{type(nbe).__name__} processing role \"{roleName}\": {nbe}") - deviceRoles = {x.name: x for x in nb.dcim.device_roles.all()} - logging.debug(f"Device roles (after): { {k:v.id for k, v in deviceRoles.items()} }") + roles = {x.name: x for x in nb.dcim.device_roles.all()} + logging.debug(f"Roles (after): { {k:v.id for k, v in roles.items()} }") except Exception as e: - logging.error(f"{type(e).__name__} processing device roles: {e}") + logging.error(f"{type(e).__name__} processing roles: {e}") # ###### DEVICE TYPES ########################################################################################## try: 
@@ -541,13 +541,13 @@ def main(): try: site = min_hash_value_by_value(sites) dType = min_hash_value_by_value(deviceTypes) - dRole = min_hash_value_by_value(deviceRoles) + role = min_hash_value_by_value(roles) deviceCreated = nb.dcim.devices.create( { "name": host['name'], "site": site.id if site else None, "device_type": dType.id if dType else None, - "device_role": dRole.id if dRole else None, + "role": role.id if role else None, }, ) if deviceCreated is not None: @@ -587,7 +587,7 @@ def main(): logging.debug(f"interfaces (after): { {k:v.id for k, v in interfaces.items()} }") # and associate IP addresses with them - ipAddressesPreExisting = {f"{x.address}:{x.vrf.id}": x for x in nb.ipam.ip_addresses.all()} + ipAddressesPreExisting = {f"{x.address}:{x.vrf.id if x.vrf else ''}": x for x in nb.ipam.ip_addresses.all()} logging.debug(f"IP addresses (before): { {k:v.id for k, v in ipAddressesPreExisting.items()} }") for host in [ diff --git a/scripts/build.sh b/scripts/build.sh index e3c5635e3..8e2728261 100755 --- a/scripts/build.sh +++ b/scripts/build.sh 
@@ -85,9 +85,9 @@ fi # build the image(s) if [[ $CONFIRMATION =~ ^[Yy] ]]; then - $DOCKER_COMPOSE_COMMAND build --progress=plain --force-rm --no-cache --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@" + $DOCKER_COMPOSE_COMMAND --progress=plain build --force-rm --no-cache --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@" else - $DOCKER_COMPOSE_COMMAND build --progress=plain --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@" + $DOCKER_COMPOSE_COMMAND --progress=plain build --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@" fi # we're going to do some validation that some things got pulled/built correctly diff --git a/scripts/control.py b/scripts/control.py index 9f75030ee..4630d8505 100755 --- a/scripts/control.py +++ b/scripts/control.py @@ -47,11 +47,13 @@ posInt, ProcessLogLine, ScriptPath, + UserInputDefaultsBehavior, YAMLDynamic, YesOrNo, ) from malcolm_utils import ( + CountUntilException, deep_get, dictsearch, eprint, @@ -117,7 +119,7 @@ def __exit__(self, *args): shuttingDown = [False] yamlImported = None dotenvImported = None - +MaxAskForValueCount = 100 ################################################################################################### try: 
@@ -1074,7 +1076,7 @@ def start(): ################################################################################################### -def authSetup(wipe=False): +def authSetup(): global args global opensslBin @@ -1105,19 +1107,32 @@ def authSetup(wipe=False): 'admin', "Store administrator username/password for local Malcolm access", False, - True, + (not args.cmdAuthSetupNonInteractive) + or (bool(args.authUserName) and bool(args.authPasswordOpenssl) and bool(args.authPasswordHtpasswd)), ), ( 'webcerts', "(Re)generate self-signed certificates for HTTPS access", False, - True, + not args.cmdAuthSetupNonInteractive + or ( + args.authGenWebCerts + or not os.path.isfile( + os.path.join(MalcolmPath, os.path.join('nginx', os.path.join('certs', 'key.pem'))) + ) + ), ), ( 'fwcerts', "(Re)generate self-signed certificates for a remote log forwarder", False, - True, + not args.cmdAuthSetupNonInteractive + or ( + args.authGenFwCerts + or not os.path.isfile( + os.path.join(MalcolmPath, os.path.join('logstash', os.path.join('certs', 'server.key'))) + ) + ), ), ( 'remoteos', @@ -1135,9 +1150,12 @@ def authSetup(wipe=False): 'netbox', "(Re)generate internal passwords for NetBox", False, - not os.path.isfile( - os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'netbox-secret.env'))) - ), + ( + not os.path.isfile( + os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'netbox-secret.env'))) + ) + ) + or (args.cmdAuthSetupNonInteractive and args.authGenNetBoxPasswords), ), ( 'txfwcerts', 
@@ -1147,15 +1165,31 @@ def authSetup(wipe=False): ), )[: 8 if txRxScript else -1] - authMode = ChooseOne( - 'Configure Authentication', - choices=[x[:-1] for x in authModeChoices], + authMode = ( + ChooseOne( + 'Configure Authentication', + choices=[x[:-1] for x in authModeChoices], + ) + if not args.cmdAuthSetupNonInteractive + else 'all' + ) + defaultBehavior = ( + UserInputDefaultsBehavior.DefaultsPrompt + if not args.cmdAuthSetupNonInteractive + else UserInputDefaultsBehavior.DefaultsPrompt + | UserInputDefaultsBehavior.DefaultsAccept + | UserInputDefaultsBehavior.DefaultsNonInteractive ) for authItem in authModeChoices[1:]: - if ((authMode == 'all') and YesOrNo(f'{authItem[1]}?', default=authItem[3])) or ( - (authMode != 'all') and (authMode == authItem[0]) - ): + if ( + (authMode == 'all') + and YesOrNo( + f'{authItem[1]}?', + default=authItem[3], + defaultBehavior=defaultBehavior, + ) + ) or ((authMode != 'all') and (authMode == authItem[0])): if authItem[0] == 'admin': # prompt username and password usernamePrevious = None 
@@ -1163,15 +1197,29 @@ def authSetup(wipe=False): passwordConfirm = None passwordEncrypted = '' - while True: - username = AskForString("Administrator username") + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid administrator username') + while loopBreaker.increment(): + username = AskForString( + "Administrator username", + default=args.authUserName, + defaultBehavior=defaultBehavior, + ) if len(username) > 0: break - while True: - password = AskForPassword(f"{username} password: ") - passwordConfirm = AskForPassword(f"{username} password (again): ") - if password == passwordConfirm: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid password') + while (not args.cmdAuthSetupNonInteractive) and loopBreaker.increment(): + password = AskForPassword( + f"{username} password: ", + default='', + defaultBehavior=defaultBehavior, + ) + passwordConfirm = AskForPassword( + f"{username} password (again): ", + default='', + defaultBehavior=defaultBehavior, + ) + if password and (password == passwordConfirm): break eprint("Passwords do not match") @@ -1190,16 +1238,19 @@ def authSetup(wipe=False): usernamePrevious = prevAuthInfo['MALCOLM_USERNAME'] # get openssl hash of password - err, out = run_process( - [opensslBin, 'passwd', '-1', '-stdin'], - stdin=password, - stderr=False, - debug=args.debug, - ) - if (err == 0) and (len(out) > 0) and (len(out[0]) > 0): - passwordEncrypted = out[0] + if args.cmdAuthSetupNonInteractive: + passwordEncrypted = args.authPasswordOpenssl else: - raise Exception('Unable to generate password hash with openssl') + err, out = run_process( + [opensslBin, 'passwd', '-1', '-stdin'], + stdin=password, + stderr=False, + debug=args.debug, + ) + if (err == 0) and (len(out) > 0) and (len(out[0]) > 0): + passwordEncrypted = out[0] + else: + raise Exception('Unable to generate password hash with openssl') # write auth.env (used by htadmin and file-upload containers) with open(authEnvFile, 'w') as f: 
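Review bot: In the non-interactive branch `passwordEncrypted = args.authPasswordOpenssl` is written to auth.env with no check at all, whereas the interactive branch refuses an empty openssl result; a malformed or empty value breaks local login silently. A minimal guard keeps the two paths consistent: `if not passwordEncrypted.startswith('$'): raise Exception('--auth-admin-password-openssl must be a crypt-style hash')` (presumably `$1$...` for `openssl passwd -1`; confirm what the consumers of auth.env accept). In this mode `password` stays `None`, which only works because the later htpasswd call is guarded by the same flag; a comment saying so would help the next reader. authSetup continues outside the hunk.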
@@ -1213,21 +1264,30 @@ def authSetup(wipe=False): # create or update the htpasswd file htpasswdFile = os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd')) - htpasswdCmd = ['htpasswd', '-i', '-B', htpasswdFile, username] - if not os.path.isfile(htpasswdFile): - htpasswdCmd.insert(1, '-c') - err, out = run_process(htpasswdCmd, stdin=password, stderr=True, debug=args.debug) - if err != 0: - raise Exception(f'Unable to generate htpasswd file: {out}') - - # if the admininstrator username has changed, remove the previous administrator username from htpasswd - if (usernamePrevious is not None) and (usernamePrevious != username): + if not args.cmdAuthSetupNonInteractive: + htpasswdCmd = ['htpasswd', '-i', '-B', htpasswdFile, username] + if not os.path.isfile(htpasswdFile): + htpasswdCmd.insert(1, '-c') + err, out = run_process(htpasswdCmd, stdin=password, stderr=True, debug=args.debug) + if err != 0: + raise Exception(f'Unable to generate htpasswd file: {out}') + + if ( + (usernamePrevious is not None) and (usernamePrevious != username) + ) or args.cmdAuthSetupNonInteractive: htpasswdLines = list() with open(htpasswdFile, 'r') as f: htpasswdLines = f.readlines() with open(htpasswdFile, 'w') as f: + if args.cmdAuthSetupNonInteractive and username and args.authPasswordHtpasswd: + f.write(f'{username}:{args.authPasswordHtpasswd}') for line in htpasswdLines: - if not line.startswith(f"{usernamePrevious}:"): + # if the admininstrator username has changed, remove the previous administrator username from htpasswd + if ( + (usernamePrevious is not None) + and (usernamePrevious != username) + and (not line.startswith(f"{usernamePrevious}:")) + ): f.write(line) # configure default LDAP stuff (they'll have to edit it by hand later) @@ -1302,6 +1362,7 @@ def authSetup(wipe=False): DisplayMessage( 'Additional local accounts can be created at https://localhost/auth/ when Malcolm is running', + defaultBehavior=defaultBehavior, ) # generate HTTPS self-signed certificates 
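Review bot: The rewrite of the htpasswd file in the non-interactive path has three defects: `open(htpasswdFile, 'r')` raises FileNotFoundError on a first-time setup because the `htpasswd -c` that creates the file only runs in the interactive branch; the new entry is written without a trailing newline, so the first kept line is glued onto it and the file is corrupted; and when `usernamePrevious` is None or equal to `username` the inner condition is false for every line, so all other local accounts (e.g. ones created through htadmin) are discarded. The interactive rename path also keeps a stale `username:` line if one already existed. The rewrite below tolerates a missing file, terminates the new entry, and drops only the previous administrator's entry and any stale entry for the username being written, leaving other accounts intact. authSetup continues outside the hunk.
```python
                    if (
                        (usernamePrevious is not None) and (usernamePrevious != username)
                    ) or args.cmdAuthSetupNonInteractive:
                        # entries to drop: the previous administrator (rename) and, when the entry is
                        # written from the arguments below, any stale entry for that same username
                        writeFromArgs = args.cmdAuthSetupNonInteractive and username and args.authPasswordHtpasswd
                        dropPrefixes = []
                        if (usernamePrevious is not None) and (usernamePrevious != username):
                            dropPrefixes.append(f"{usernamePrevious}:")
                        if writeFromArgs:
                            dropPrefixes.append(f"{username}:")
                        # the file may not exist yet: htpasswd -c only runs in the interactive branch above
                        htpasswdLines = []
                        if os.path.isfile(htpasswdFile):
                            with open(htpasswdFile, 'r') as f:
                                htpasswdLines = f.readlines()
                        with open(htpasswdFile, 'w') as f:
                            if writeFromArgs:
                                f.write(f'{username}:{args.authPasswordHtpasswd}\n')
                            for line in htpasswdLines:
                                # startswith(()) is False, so with nothing to drop every line is kept
                                if not line.startswith(tuple(dropPrefixes)):
                                    f.write(line)
                    # … unchanged: default LDAP configuration …
```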
@@ -1541,6 +1602,7 @@ def authSetup(wipe=False): if YesOrNo( f'Store username/password for {instance} remote OpenSearch instance?', default=False, + defaultBehavior=defaultBehavior, ): prevCurlContents = ParseCurlFile(openSearchCredFileName) @@ -1549,26 +1611,41 @@ def authSetup(wipe=False): esPassword = None esPasswordConfirm = None - while True: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch username') + while loopBreaker.increment(): esUsername = AskForString( "OpenSearch username", default=prevCurlContents['user'], + defaultBehavior=defaultBehavior, ) if (len(esUsername) > 0) and (':' not in esUsername): break eprint("Username is blank (or contains a colon, which is not allowed)") - while True: - esPassword = AskForPassword(f"{esUsername} password: ") + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch password') + while loopBreaker.increment(): + esPassword = AskForPassword( + f"{esUsername} password: ", + default='', + defaultBehavior=defaultBehavior, + ) if ( (len(esPassword) == 0) and (prevCurlContents['password'] is not None) - and YesOrNo(f'Use previously entered password for "{esUsername}"?', default=True) + and YesOrNo( + f'Use previously entered password for "{esUsername}"?', + default=True, + defaultBehavior=defaultBehavior, + ) ): esPassword = prevCurlContents['password'] esPasswordConfirm = esPassword else: - esPasswordConfirm = AskForPassword(f"{esUsername} password (again): ") + esPasswordConfirm = AskForPassword( + f"{esUsername} password (again): ", + default='', + defaultBehavior=defaultBehavior, + ) if (esPassword == esPasswordConfirm) and (len(esPassword) > 0): break eprint("Passwords do not match") 
@@ -1576,6 +1653,7 @@ def authSetup(wipe=False): esSslVerify = YesOrNo( 'Require SSL certificate validation for OpenSearch communication?', default=(not (('k' in prevCurlContents) or ('insecure' in prevCurlContents))), + defaultBehavior=defaultBehavior, ) with open(openSearchCredFileName, 'w') as f: @@ -1597,16 +1675,26 @@ def authSetup(wipe=False): # prompt username and password emailPassword = None emailPasswordConfirm = None - emailSender = AskForString("OpenSearch alerting email sender name") - while True: - emailUsername = AskForString("Email account username") + emailSender = AskForString("OpenSearch alerting email sender name", defaultBehavior=defaultBehavior) + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Email account username') + while loopBreaker.increment(): + emailUsername = AskForString("Email account username", defaultBehavior=defaultBehavior) if len(emailUsername) > 0: break - while True: - emailPassword = AskForPassword(f"{emailUsername} password: ") - emailPasswordConfirm = AskForPassword(f"{emailUsername} password (again): ") - if emailPassword == emailPasswordConfirm: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Email account password') + while loopBreaker.increment(): + emailPassword = AskForPassword( + f"{emailUsername} password: ", + default='', + defaultBehavior=defaultBehavior, + ) + emailPasswordConfirm = AskForPassword( + f"{emailUsername} password (again): ", + default='', + defaultBehavior=defaultBehavior, + ) + if emailPassword and (emailPassword == emailPasswordConfirm): break eprint("Passwords do not match") @@ -1716,6 +1804,7 @@ def authSetup(wipe=False): elif authItem[0] == 'txfwcerts': DisplayMessage( 'Run configure-capture on the remote log forwarder, select "Configure Forwarding," then "Receive client SSL files..."', + defaultBehavior=defaultBehavior, ) with pushd(filebeatPath): with Popen( 
@@ -1779,9 +1868,9 @@ def main(): '--file', required=False, dest='composeFile', - metavar='', + metavar='', type=str, - default='docker-compose.yml', + default=os.getenv('MALCOLM_COMPOSE_FILE', os.path.join(MalcolmPath, 'docker-compose.yml')), help='docker-compose or kubeconfig YML file', ) parser.add_argument( @@ -1789,69 +1878,14 @@ def main(): '--environment-dir', required=False, dest='configDir', - metavar='', + metavar='', type=str, - default=None, + default=os.getenv('MALCOLM_CONFIG_DIR', None), help="Directory containing Malcolm's .env files", ) - parser.add_argument( - '-n', - '--namespace', - required=False, - dest='namespace', - metavar='', - type=str, - default='malcolm', - help="Kubernetes namespace", - ) - parser.add_argument( - '-s', - '--service', - required=False, - dest='service', - metavar='', - type=str, - default=None, - help='docker-compose service (only for status and logs operations)', - ) - parser.add_argument( - '-l', - '--logs', - dest='cmdLogs', - type=str2bool, - nargs='?', - const=True, - default=False, - help="Tail Malcolm logs", - ) - parser.add_argument( - '--lines', - dest='logLineCount', - type=posInt, - nargs='?', - const=False, - default=None, - help='Number of log lines to output. Outputs all lines by default (only for logs operation)', - ) - parser.add_argument( - '--netbox-backup', - dest='netboxBackupFile', - required=False, - metavar='', - type=str, - default=None, - help='Filename to which to back up NetBox configuration database', - ) - parser.add_argument( - '--netbox-restore', - dest='netboxRestoreFile', - required=False, - metavar='', - type=str, - default=None, - help='Filename from which to restore NetBox configuration database', - ) - parser.add_argument( + + operationsGroup = parser.add_argument_group('Runtime Control') + operationsGroup.add_argument( '--start', dest='cmdStart', type=str2bool, 
@@ -1860,7 +1894,7 @@ def main(): default=False, help="Start Malcolm", ) - parser.add_argument( + operationsGroup.add_argument( '--restart', dest='cmdRestart', type=str2bool, @@ -1869,7 +1903,7 @@ def main(): default=False, help="Stop and restart Malcolm", ) - parser.add_argument( + operationsGroup.add_argument( '--stop', dest='cmdStop', type=str2bool, @@ -1878,7 +1912,7 @@ def main(): default=False, help="Stop Malcolm", ) - parser.add_argument( + operationsGroup.add_argument( '--wipe', dest='cmdWipe', type=str2bool, @@ -1887,20 +1921,34 @@ def main(): default=False, help="Stop Malcolm and delete all data", ) - parser.add_argument( + + kubernetesGroup = parser.add_argument_group('Kubernetes') + kubernetesGroup.add_argument( + '-n', + '--namespace', + required=False, + dest='namespace', + metavar='', + type=str, + default='malcolm', + help="Kubernetes namespace", + ) + kubernetesGroup.add_argument( '--reclaim-persistent-volume', dest='deleteRetPerVol', action='store_true', help='Delete PersistentVolumes with Retain reclaim policy (default; only for "stop" operation with Kubernetes)', ) - parser.add_argument( + kubernetesGroup.add_argument( '--no-reclaim-persistent-volume', dest='deleteRetPerVol', action='store_false', help='Do not delete PersistentVolumes with Retain reclaim policy (only for "stop" operation with Kubernetes)', ) - parser.set_defaults(deleteRetPerVol=True) - parser.add_argument( + kubernetesGroup.set_defaults(deleteRetPerVol=True) + + authSetupGroup = parser.add_argument_group('Authentication Setup') + authSetupGroup.add_argument( '--auth', dest='cmdAuthSetup', type=str2bool, 
@@ -1909,7 +1957,91 @@ def main(): default=False, help="Configure Malcolm authentication", ) - parser.add_argument( + authSetupGroup.add_argument( + '--auth-noninteractive', + dest='cmdAuthSetupNonInteractive', + type=str2bool, + nargs='?', + const=True, + default=False, + help="Configure Malcolm authentication (noninteractive using arguments provided)", + ) + authSetupGroup.add_argument( + '--auth-admin-username', + dest='authUserName', + required=False, + metavar='', + type=str, + default='', + help='Administrator username (for --auth-noninteractive)', + ) + authSetupGroup.add_argument( + '--auth-admin-password-openssl', + dest='authPasswordOpenssl', + required=False, + metavar='', + type=str, + default='', + help='Administrator password hash from "openssl -passwd -1" (for --auth-noninteractive)', + ) + authSetupGroup.add_argument( + '--auth-admin-password-htpasswd', + dest='authPasswordHtpasswd', + required=False, + metavar='', + type=str, + default='', + help='Administrator password hash from "htpasswd -n -B username | cut -d: -f2" (for --auth-noninteractive)', + ) + authSetupGroup.add_argument( + '--auth-generate-webcerts', + dest='authGenWebCerts', + type=str2bool, + nargs='?', + const=True, + default=False, + help="(Re)generate self-signed certificates for HTTPS access (for --auth-noninteractive)", + ) + authSetupGroup.add_argument( + '--auth-generate-fwcerts', + dest='authGenFwCerts', + type=str2bool, + nargs='?', + const=True, + default=False, + help="(Re)generate self-signed certificates for a remote log forwarder", + ) + authSetupGroup.add_argument( + '--auth-generate-netbox-passwords', + dest='authGenNetBoxPasswords', + type=str2bool, + nargs='?', + const=True, + default=False, + help="(Re)generate internal passwords for NetBox", + ) + + logsAndStatusGroup = parser.add_argument_group('Logs and Status') + logsAndStatusGroup.add_argument( + '-l', + '--logs', + dest='cmdLogs', + type=str2bool, + nargs='?', + const=True, + default=False, + help="Tail 
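Review bot: The help text for `--auth-admin-password-openssl` names the command as `"openssl -passwd -1"`, which is not a valid invocation; the interactive path runs `[opensslBin, 'passwd', '-1', '-stdin']`, so it should read `help='Administrator password hash from "openssl passwd -1" (for --auth-noninteractive)'`. Both hash options are taken from the command line, where they are visible in process listings and shell history; the help text should say so, and reading them from an environment variable or a file is the safer alternative for automated deployments. The `--auth-generate-fwcerts` and `--auth-generate-netbox-passwords` help strings also lack the `(for --auth-noninteractive)` suffix their sibling options carry. main() continues outside the hunk.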
Malcolm logs", + ) + logsAndStatusGroup.add_argument( + '--lines', + dest='logLineCount', + type=posInt, + nargs='?', + const=False, + default=None, + help='Number of log lines to output. Outputs all lines by default (only for logs operation)', + ) + logsAndStatusGroup.add_argument( '--status', dest='cmdStatus', type=str2bool, @@ -1918,7 +2050,7 @@ def main(): default=False, help="Display status of Malcolm components", ) - parser.add_argument( + logsAndStatusGroup.add_argument( '--urls', dest='cmdPrintURLs', type=str2bool, @@ -1927,6 +2059,36 @@ def main(): default=False, help="Display Malcolm URLs", ) + logsAndStatusGroup.add_argument( + '-s', + '--service', + required=False, + dest='service', + metavar='', + type=str, + default=None, + help='docker-compose service (only for status and logs operations)', + ) + + netboxGroup = parser.add_argument_group('NetBox Backup and Restore') + netboxGroup.add_argument( + '--netbox-backup', + dest='netboxBackupFile', + required=False, + metavar='', + type=str, + default=None, + help='Filename to which to back up NetBox configuration database', + ) + netboxGroup.add_argument( + '--netbox-restore', + dest='netboxRestoreFile', + required=False, + metavar='', + type=str, + default=None, + help='Filename from which to restore NetBox configuration database', + ) try: parser.error = parser.exit @@ -2072,7 +2234,7 @@ def main(): stop(wipe=args.cmdWipe) # configure Malcolm authentication - if args.cmdAuthSetup: + if args.cmdAuthSetup or args.cmdAuthSetupNonInteractive: authSetup() # start Malcolm diff --git a/scripts/github_image_helper.sh b/scripts/github_image_helper.sh index 124a9e0e5..931e8faa6 100755 --- a/scripts/github_image_helper.sh +++ b/scripts/github_image_helper.sh 
@@ -4,6 +4,14 @@ set -uo pipefail shopt -s nocasematch ENCODING="utf-8" +if [ -t 0 ] ; then + INTERACTIVE_SHELL=yes + QUIET_PULL_FLAG= +else + INTERACTIVE_SHELL=no + QUIET_PULL_FLAG=--quiet +fi + # get the nth column of output function _cols() { first="awk '{print " @@ -71,7 +79,7 @@ function _PullAndTagGithubWorkflowBuild() { OWNER="$(_gitowner)" IMAGE=$1 - docker pull ghcr.io/"$OWNER"/"$IMAGE":"$BRANCH" && \ + docker pull $QUIET_PULL_FLAG ghcr.io/"$OWNER"/"$IMAGE":"$BRANCH" && \ docker tag ghcr.io/"$OWNER"/"$IMAGE":"$BRANCH" ghcr.io/idaholab/"$IMAGE":"$VERSION" } @@ -173,7 +181,7 @@ function GithubTriggerPackagesBuild () { trap "_cleanup" EXIT # get a list of all the "public" functions (not starting with _) -FUNCTIONS=($(declare -F | awk '{print $NF}' | sort | egrep -v "^_")) +FUNCTIONS=($(declare -F | awk '{print $NF}' | sort -f | egrep -v "^_")) # present the menu to our customer and get their selection for i in "${!FUNCTIONS[@]}"; do diff --git a/scripts/install.py b/scripts/install.py index 3e3ad3cb6..a7613167a 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -63,6 +63,7 @@ YesOrNo, ) from malcolm_utils import ( + CountUntilException, deep_get, eprint, run_process, @@ -98,6 +99,7 @@ ################################################################################################### TrueOrFalseQuote = lambda x: "'true'" if x else "'false'" TrueOrFalseNoQuote = lambda x: 'true' if x else 'false' +MaxAskForValueCount = 100 ################################################################################################### @@ -309,7 +311,9 @@ def install_docker_images(self, docker_image_file): return result # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - def install_malcolm_files(self, malcolm_install_file): + def install_malcolm_files(self, malcolm_install_file, default_config_dir): + global args + result = False installPath = None if ( 
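Review bot: The new `if [ -t 0 ] ; then` tests whether stdin is a terminal, but what the flag silences in the `@@ -71,7 +79,7 @@` hunk is `docker pull`'s progress output, so a run with a terminal on stdin and stdout redirected to a log file still gets the noisy form; `if [ -t 0 ] && [ -t 1 ] ; then` tests what the flag actually controls. `INTERACTIVE_SHELL` is assigned in both branches but not referenced in any hunk of this diff — if nothing outside the diff reads it, drop it. In `_PullAndTagGithubWorkflowBuild` the unquoted `$QUIET_PULL_FLAG` relies on word splitting to disappear when empty, which shellcheck flags as SC2086; a comment on that line, `# intentionally unquoted: empty expands to no argument`, records that the omission is deliberate.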
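Review bot: `install_malcolm_files` gains a second positional parameter `default_config_dir` with no default, so any existing caller that passes only `malcolm_install_file` now raises `TypeError`; `def install_malcolm_files(self, malcolm_install_file, default_config_dir=False):` keeps the old call shape working. The added `global args` means the method now writes installer state into the module-level `args` (in a later hunk of this file) rather than returning it, which is harder to follow than extending the existing `return result, installPath` tuple. The method body continues outside the hunk.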
@@ -320,7 +324,8 @@ def install_malcolm_files(self, malcolm_install_file): ) ): # determine and create destination path for installation - while True: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid installation path') + while loopBreaker.increment(): defaultPath = os.path.join(origPath, 'malcolm') installPath = InstallerAskForString( f'Enter installation path for Malcolm [{defaultPath}]', default=defaultPath, forceInteraction=True @@ -341,8 +346,10 @@ def install_malcolm_files(self, malcolm_install_file): # extract runtime files if installPath and os.path.isdir(installPath): + MalcolmPath = installPath if self.debug: eprint(f"Created {installPath} for Malcolm runtime files") + tar = tarfile.open(malcolm_install_file) try: tar.extractall(path=installPath, numeric_owner=True) @@ -358,6 +365,19 @@ def install_malcolm_files(self, malcolm_install_file): shutil.move(os.path.join(childDir[0], f), installPath) shutil.rmtree(childDir[0], ignore_errors=True) + # create the config directory for the .env files + if default_config_dir: + args.configDir = os.path.join(installPath, 'config') + try: + os.makedirs(args.configDir) + except OSError as exc: + if (exc.errno == errno.EEXIST) and os.path.isdir(args.configDir): + pass + else: + raise + if self.debug: + eprint(f"Created {args.configDir} for Malcolm configuration files") + # verify the installation worked if os.path.isfile(os.path.join(installPath, "docker-compose.yml")): eprint(f"Malcolm runtime files extracted to {installPath}") 
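Review bot: The new `MalcolmPath = installPath` inside `install_malcolm_files` binds a function-local name unless a `global MalcolmPath` declaration sits in lines of the method this diff does not show; with only `global args` visible at the top of the method, the assignment is dead and whatever module-level `MalcolmPath` exists is left unchanged. Either add `global MalcolmPath` next to `global args`, or drop the line if nothing later in the method reads it. While here: the adjacent `tar.extractall(path=installPath, numeric_owner=True)` extracts the archive without `filter='data'`, which on Python 3.12+ (and the 3.8.17/3.9.17/3.10.12/3.11.4 backports) rejects members that would land outside `installPath` or create special files — worth adding, since the archive path is a command-line argument.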
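Review bot: The `os.makedirs(args.configDir)` / `except OSError` / `errno.EEXIST` sequence can be the single line `os.makedirs(args.configDir, exist_ok=True)`, which has the same semantics (an existing directory is fine, an existing non-directory still raises) and removes the dependency on `errno` being imported. The branch also rebinds the module-level `args.configDir` as a side effect of what the rest of the method treats as an extraction step, and only when `default_config_dir` is truthy; a comment above the `if default_config_dir:` line, `# NOTE: overwrites the caller's args.configDir with <install path>/config`, makes that visible to readers of the call site. The method body continues outside the hunk.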
@@ -372,15 +392,7 @@ def install_malcolm_files(self, malcolm_install_file): return result, installPath # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - def tweak_malcolm_runtime( - self, - malcolm_install_path, - expose_opensearch_default=False, - expose_logstash_default=False, - expose_filebeat_default=False, - expose_sftp_default=False, - restart_mode_default=False, - ): + def tweak_malcolm_runtime(self, malcolm_install_path): global args global dotenv_imported @@ -426,6 +438,7 @@ def tweak_malcolm_runtime( puid = defaultUid pgid = defaultGid + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid UID/GID') while ( (not puid.isdigit()) or (not pgid.isdigit()) @@ -434,9 +447,13 @@ def tweak_malcolm_runtime( f'Malcolm processes will run as UID {puid} and GID {pgid}. Is this OK?', default=True ) ) - ): - puid = InstallerAskForString('Enter user ID (UID) for running non-root Malcolm processes') - pgid = InstallerAskForString('Enter group ID (GID) for running non-root Malcolm processes') + ) and loopBreaker.increment(): + puid = InstallerAskForString( + 'Enter user ID (UID) for running non-root Malcolm processes', default=defaultUid + ) + pgid = InstallerAskForString( + 'Enter group ID (GID) for running non-root Malcolm processes', default=defaultGid + ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: # guestimate how much memory we should use based on total system memory @@ -489,6 +506,13 @@ def tweak_malcolm_runtime( else: lsWorkers = 6 + if args.osMemory: + osMemory = args.osMemory + if args.lsMemory: + lsMemory = args.lsMemory + if args.lsWorkers: + lsWorkers = args.lsWorkers + opensearchPrimaryRemote = False opensearchPrimaryUrl = 'http://opensearch:9200' opensearchPrimarySslVerify = False 
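Review bot: Dropping the `expose_opensearch_default`, `expose_logstash_default`, `expose_filebeat_default`, `expose_sftp_default` and `restart_mode_default` parameters from `tweak_malcolm_runtime` breaks any caller that still passes them by keyword; the call sites are not in this diff, so confirm every one was updated, or keep them as ignored keyword parameters for one release. The replacements read `args.exposeOpenSearch` and friends through the `global args` declared just below, so the method's inputs are now partly implicit; a docstring such as `"""Prompt for runtime settings; prompt defaults come from the module-level parsed ``args``."""` records that. The method body continues outside the hunk.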
@@ -499,33 +523,40 @@ def tweak_malcolm_runtime( opensearchPrimaryRemote = not InstallerYesOrNo( 'Should Malcolm use and maintain its own OpenSearch instance?', - default=True, + default=args.ownOpenSearch, ) if opensearchPrimaryRemote: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch URL') opensearchPrimaryUrl = '' - while len(opensearchPrimaryUrl) <= 1: + while (len(opensearchPrimaryUrl) <= 1) and loopBreaker.increment(): opensearchPrimaryUrl = InstallerAskForString( 'Enter primary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200)', + default=args.opensearchPrimaryUrl, ) opensearchPrimarySslVerify = opensearchPrimaryUrl.lower().startswith('https') and InstallerYesOrNo( 'Require SSL certificate validation for communication with primary OpenSearch instance?', - default=False, + default=args.opensearchPrimarySslVerify, + ) + indexSnapshotCompressed = InstallerYesOrNo( + 'Compress OpenSearch index snapshots?', + default=args.indexSnapshotCompressed, ) - indexSnapshotCompressed = InstallerYesOrNo('Compress OpenSearch index snapshots?', default=False) opensearchSecondaryRemote = InstallerYesOrNo( 'Forward Logstash logs to a secondary remote OpenSearch instance?', - default=False, + default=args.opensearchSecondaryRemote, ) if opensearchSecondaryRemote: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch URL') opensearchSecondaryUrl = '' - while len(opensearchSecondaryUrl) <= 1: + while (len(opensearchSecondaryUrl) <= 1) and loopBreaker.increment(): opensearchSecondaryUrl = InstallerAskForString( 'Enter secondary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200)', + default=args.opensearchSecondaryUrl, ) opensearchSecondarySslVerify = opensearchSecondaryUrl.lower().startswith('https') and InstallerYesOrNo( 'Require SSL certificate validation for communication with secondary OpenSearch instance?', - default=False, + default=args.opensearchSecondarySslVerify, ) if 
opensearchPrimaryRemote or opensearchSecondaryRemote: @@ -533,23 +564,30 @@ def tweak_malcolm_runtime( f'You must run auth_setup after {ScriptName} to store OpenSearch connection credentials.', ) - while not InstallerYesOrNo( - f'Setting {osMemory} for OpenSearch and {lsMemory} for Logstash. Is this OK?', default=True + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch/LogStash memory setting(s)') + while ( + not InstallerYesOrNo( + f'Setting {osMemory} for OpenSearch and {lsMemory} for Logstash. Is this OK?', default=True + ) + and loopBreaker.increment() ): osMemory = InstallerAskForString('Enter memory for OpenSearch (e.g., 16g, 9500m, etc.)') lsMemory = InstallerAskForString('Enter memory for LogStash (e.g., 4g, 2500m, etc.)') - while (not str(lsWorkers).isdigit()) or ( - not InstallerYesOrNo(f'Setting {lsWorkers} workers for Logstash pipelines. Is this OK?', default=True) - ): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid LogStash worker setting(s)') + while ( + (not str(lsWorkers).isdigit()) + or (not InstallerYesOrNo(f'Setting {lsWorkers} workers for Logstash pipelines. Is this OK?', default=True)) + ) and loopBreaker.increment(): lsWorkers = InstallerAskForString('Enter number of Logstash workers (e.g., 4, 8, etc.)') restartMode = None allowedRestartModes = ('no', 'on-failure', 'always', 'unless-stopped') if (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and InstallerYesOrNo( - 'Restart Malcolm upon system or Docker daemon restart?', default=restart_mode_default + 'Restart Malcolm upon system or Docker daemon restart?', default=args.malcolmAutoRestart ): - while restartMode not in allowedRestartModes: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid restart mode') + while restartMode not in allowedRestartModes and loopBreaker.increment(): restartMode = InstallerChooseOne( 'Select Malcolm restart behavior', choices=[(x, '', x == 'unless-stopped') for x in allowedRestartModes], 
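Review bot: Both remote-URL loops still accept any string longer than one character, and with `default=args.opensearchPrimaryUrl` / `default=args.opensearchSecondaryUrl` a command-line value now reaches `opensearchPrimaryUrl` without ever being typed interactively, so a missing scheme or a bare hostname is written into the config and only surfaces when Logstash or the dashboards fail to connect. A scheme/host check in the loop would catch that: compute `parsed = urllib.parse.urlparse(opensearchPrimaryUrl)` and loop while `parsed.scheme not in ('http', 'https') or not parsed.netloc` (assuming `urllib.parse` is importable here; the module's imports are outside this hunk). The SSL-verification prompts now default to `args.opensearchPrimarySslVerify` / `args.opensearchSecondarySslVerify`, whose argparse defaults are also outside this diff; when those defaults are accepted noninteractively, an `eprint` noting that certificate validation is off for an https URL keeps that decision visible in the install log. The method body continues outside the hunk.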
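Review bot: The memory loop validates nothing but the yes/no answer — `osMemory = InstallerAskForString('Enter memory for OpenSearch (e.g., 16g, 9500m, etc.)')` accepts any text, and unlike every other prompt in this diff it carries no `default=args.osMemory`, so the value already applied from `args.osMemory` in the `@@ -489,6 +506,13 @@` hunk is not offered back as the default either. Adding a shape check to the loop condition, `re.match(r'^\d+[kmg]?$', osMemory, flags=re.IGNORECASE)` (and the same for `lsMemory`), rejects strings the JVM would refuse at startup; `re` is already used in this file. The `lsWorkers` loop just below already does this with `str(lsWorkers).isdigit()`, so the two loops would become consistent. The method body continues outside the hunk.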
@@ -559,8 +597,8 @@ def tweak_malcolm_runtime( if restartMode == 'no': restartMode = '"no"' - nginxSSL = InstallerYesOrNo('Require encrypted HTTPS connections?', default=True) - if not nginxSSL: + nginxSSL = InstallerYesOrNo('Require encrypted HTTPS connections?', default=args.nginxSSL) + if (not nginxSSL) and (not args.acceptDefaultsNonInteractive): nginxSSL = not InstallerYesOrNo('Unencrypted connections are NOT recommended. Are you sure?', default=False) behindReverseProxy = False 
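Review bot: With `if (not nginxSSL) and (not args.acceptDefaultsNonInteractive):` the "Unencrypted connections are NOT recommended" confirmation is bypassed whenever defaults are accepted noninteractively, so `--https false` together with `-d` turns off TLS with no trace in the output. Keeping the skip but adding `elif not nginxSSL: eprint('HTTPS disabled noninteractively; connections to the Malcolm web interface will be unencrypted')` preserves the noninteractive flow while leaving the decision visible in the install log. The method body continues outside the hunk.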
@@ -572,32 +610,44 @@ def tweak_malcolm_runtime( traefikResolver = "" behindReverseProxy = (self.orchMode is OrchestrationFramework.KUBERNETES) or InstallerYesOrNo( - 'Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)?', default=(not nginxSSL) + 'Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)?', + default=args.behindReverseProxy or (not nginxSSL), ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: if behindReverseProxy: - traefikLabels = InstallerYesOrNo('Configure labels for Traefik?', default=False) + traefikLabels = InstallerYesOrNo('Configure labels for Traefik?', default=bool(args.traefikHost)) if traefikLabels: - while len(traefikHost) <= 1: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik request domain') + while (len(traefikHost) <= 1) and loopBreaker.increment(): traefikHost = InstallerAskForString( - 'Enter request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)' + 'Enter request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)', + default=args.traefikHost, ) - while (len(traefikOpenSearchHost) <= 1) or (traefikOpenSearchHost == traefikHost): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik OpenSearch request domain') + while ( + (len(traefikOpenSearchHost) <= 1) or (traefikOpenSearchHost == traefikHost) + ) and loopBreaker.increment(): traefikOpenSearchHost = InstallerAskForString( - f'Enter request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.{traefikHost})' + f'Enter request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.{traefikHost})', + default=args.traefikOpenSearchHost, ) - while len(traefikEntrypoint) <= 1: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik router entrypoint') + while (len(traefikEntrypoint) <= 1) and loopBreaker.increment(): traefikEntrypoint = 
InstallerAskForString( - 'Enter Traefik router entrypoint (e.g., websecure)', default="websecure" + 'Enter Traefik router entrypoint (e.g., websecure)', + default=args.traefikEntrypoint, ) - while len(traefikResolver) <= 1: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik router resolver') + while (len(traefikResolver) <= 1) and loopBreaker.increment(): traefikResolver = InstallerAskForString( - 'Enter Traefik router resolver (e.g., myresolver)', default="myresolver" + 'Enter Traefik router resolver (e.g., myresolver)', + default=args.traefikResolver, ) dockerNetworkExternalName = InstallerAskForString( - 'Specify external Docker network name (or leave blank for default networking)', default="" + 'Specify external Docker network name (or leave blank for default networking)', + default=args.dockerNetworkName, ) allowedAuthModes = { 
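Review bot: The interactive defaults `"websecure"` and `"myresolver"` for the Traefik entrypoint and resolver prompts are replaced by `default=args.traefikEntrypoint` and `default=args.traefikResolver`; the argparse definitions of those options are outside this diff, so confirm they carry the same defaults, otherwise a user who presses Enter at those prompts now gets an empty string and loops until `CountUntilException` fires. The same applies to `default=args.dockerNetworkName`, which replaced `default=""` — if its argparse default is `None` rather than `''`, whatever consumes `dockerNetworkExternalName` downstream would have to cope with `None`. A comment on the prompt block, `# defaults for these prompts come from the --traefik-* / network options parsed in main()`, points readers to where they are set. The method body continues outside the hunk.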
@@ -606,24 +656,30 @@ def tweak_malcolm_runtime( 'None': 'no_authentication', } authMode = None - while authMode not in list(allowedAuthModes.keys()): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid authentication method') + while authMode not in list(allowedAuthModes.keys()) and loopBreaker.increment(): authMode = InstallerChooseOne( 'Select authentication method', - choices=[(x, '', x == 'Basic') for x in list(allowedAuthModes.keys())], + choices=[ + (x, '', x == ('Lightweight Directory Access Protocol (LDAP)' if args.authModeLDAP else 'Basic')) + for x in list(allowedAuthModes.keys()) + ], ) ldapStartTLS = False - ldapServerType = 'winldap' + ldapServerTypeDefault = args.ldapServerType if args.ldapServerType else 'winldap' + ldapServerType = ldapServerTypeDefault if 'ldap' in authMode.lower(): allowedLdapModes = ('winldap', 'openldap') - ldapServerType = None - while ldapServerType not in allowedLdapModes: + ldapServerType = args.ldapServerType if args.ldapServerType else None + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid LDAP server compatibility type') + while ldapServerType not in allowedLdapModes and loopBreaker.increment(): ldapServerType = InstallerChooseOne( 'Select LDAP server compatibility type', - choices=[(x, '', x == 'winldap') for x in allowedLdapModes], + choices=[(x, '', x == ldapServerTypeDefault) for x in allowedLdapModes], ) ldapStartTLS = InstallerYesOrNo( - 'Use StartTLS (rather than LDAPS) for LDAP connection security?', default=False + 'Use StartTLS (rather than LDAPS) for LDAP connection security?', default=args.ldapStartTLS ) try: with open( 
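Review bot: `ldapServerType = args.ldapServerType if args.ldapServerType else None` feeds an arbitrary command-line string into the `while ldapServerType not in allowedLdapModes` loop, so a mistyped `--ldap-mode` value (the option is defined later in this diff with `type=str, default=None` and no restriction) is only discovered after the menu is re-shown or, noninteractively, after `MaxAskForValueCount` retries. Declaring the option with `choices=('winldap', 'openldap')` rejects it at parse time with argparse's own message, and `ldapServerTypeDefault` then never holds a value that marks no menu entry as the default. The method body continues outside the hunk.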
@@ -663,15 +719,16 @@ def tweak_malcolm_runtime( if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: if not InstallerYesOrNo( 'Store PCAP, log and index files locally under {}?'.format(malcolm_install_path), - default=True, + default=not args.acceptDefaultsNonInteractive, ): # PCAP directory if not InstallerYesOrNo( 'Store PCAP files locally in {}?'.format(pcapDirDefault), - default=True, + default=not bool(args.pcapDir), ): - while True: - pcapDir = InstallerAskForString('Enter PCAP directory') + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid PCAP directory') + while loopBreaker.increment(): + pcapDir = InstallerAskForString('Enter PCAP directory', default=args.pcapDir) if (len(pcapDir) > 1) and os.path.isdir(pcapDir): pcapDirFull = os.path.realpath(pcapDir) pcapDir = ( @@ -684,10 +741,11 @@ def tweak_malcolm_runtime( # Zeek log directory if not InstallerYesOrNo( 'Store Zeek logs locally in {}?'.format(zeekLogDirDefault), - default=True, + default=not bool(args.zeekLogDir), ): - while True: - zeekLogDir = InstallerAskForString('Enter Zeek log directory') + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Zeek directory') + while loopBreaker.increment(): + zeekLogDir = InstallerAskForString('Enter Zeek log directory', default=args.zeekLogDir) if (len(zeekLogDir) > 1) and os.path.isdir(zeekLogDir): zeekLogDirFull = os.path.realpath(zeekLogDir) zeekLogDir = ( 
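Review bot: Each custom-directory loop (`pcapDir = InstallerAskForString('Enter PCAP directory', default=args.pcapDir)` here, and the Zeek, Suricata, index and snapshot equivalents in the `@@ -684`, `@@ -700`, `@@ -717` and `@@ -733` hunks) only exits when `os.path.isdir()` is true, so a command-line directory that does not exist yet is re-prompted up to `MaxAskForValueCount` times with the same default and then fails with the generic 'Invalid PCAP directory'. A check before the loop, `if args.pcapDir and not os.path.isdir(args.pcapDir): eprint(f'{args.pcapDir} is not an existing directory')`, tells the user what to fix, and in the noninteractive case it could abort immediately instead of spinning through the retries. The enclosing method continues outside the hunk.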
@@ -700,10 +758,13 @@ def tweak_malcolm_runtime( # Suricata log directory if not InstallerYesOrNo( 'Store Suricata logs locally in {}?'.format(suricataLogDirDefault), - default=True, + default=not bool(args.suricataLogDir), ): - while True: - suricataLogDir = InstallerAskForString('Enter Suricata log directory') + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Suricata directory') + while loopBreaker.increment(): + suricataLogDir = InstallerAskForString( + 'Enter Suricata log directory', default=args.suricataLogDir + ) if (len(suricataLogDir) > 1) and os.path.isdir(suricataLogDir): suricataLogDirFull = os.path.realpath(suricataLogDir) suricataLogDir = ( @@ -717,10 +778,11 @@ def tweak_malcolm_runtime( # opensearch index directory if not InstallerYesOrNo( 'Store OpenSearch indices locally in {}?'.format(indexDirDefault), - default=True, + default=not bool(args.indexDir), ): - while True: - indexDir = InstallerAskForString('Enter OpenSearch index directory') + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch index directory') + while loopBreaker.increment(): + indexDir = InstallerAskForString('Enter OpenSearch index directory', default=args.indexDir) if (len(indexDir) > 1) and os.path.isdir(indexDir): indexDirFull = os.path.realpath(indexDir) indexDir = ( 
@@ -733,10 +795,13 @@ def tweak_malcolm_runtime( # opensearch snapshot repository directory and compression if not InstallerYesOrNo( 'Store OpenSearch index snapshots locally in {}?'.format(indexSnapshotDirDefault), - default=True, + default=not bool(args.indexSnapshotDir), ): - while True: - indexSnapshotDir = InstallerAskForString('Enter OpenSearch index snapshot directory') + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch snapshots directory') + while loopBreaker.increment(): + indexSnapshotDir = InstallerAskForString( + 'Enter OpenSearch index snapshot directory', default=args.indexSnapshotDir + ) if (len(indexSnapshotDir) > 1) and os.path.isdir(indexSnapshotDir): indexSnapshotDirFull = os.path.realpath(indexSnapshotDir) indexSnapshotDir = ( 
@@ -776,44 +841,81 @@ def tweak_malcolm_runtime( except Exception as e: eprint(f"Creating {pathToCreate} failed: {e}") - # delete oldest indexes based on index pattern size + # storage management (deleting oldest indices and/or PCAP files) indexPruneSizeLimit = '0' indexPruneNameSort = False - if not opensearchPrimaryRemote: - if InstallerYesOrNo('Delete the oldest indices when the database exceeds a certain size?', default=False): - indexPruneSizeLimit = '' - while (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE)) and ( - indexPruneSizeLimit != '0' + arkimeManagePCAP = False + + if InstallerYesOrNo( + 'Should Malcolm delete the oldest database indices and/or PCAP files based on available storage?' + if not opensearchPrimaryRemote + else 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', + default=args.arkimeManagePCAP or bool(args.indexPruneSizeLimit), + ): + # delete oldest indexes based on index pattern size + if not opensearchPrimaryRemote: + if InstallerYesOrNo( + 'Delete the oldest indices when the database exceeds a certain size?', + default=bool(args.indexPruneSizeLimit), ): - indexPruneSizeLimit = InstallerAskForString('Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)') - indexPruneNameSort = InstallerYesOrNo( - 'Determine oldest indices by name (instead of creation time)?', default=True - ) + indexPruneSizeLimit = '' + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid index threshold') + while ( + (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE)) + and (indexPruneSizeLimit != '0') + and loopBreaker.increment() + ): + indexPruneSizeLimit = InstallerAskForString( + 'Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)', default=args.indexPruneSizeLimit + ) + indexPruneNameSort = InstallerYesOrNo( + 'Determine oldest indices by name (instead of creation time)?', default=True + ) - # let Arkime delete old PCAP 
files based on available storage - arkimeManagePCAP = InstallerYesOrNo( - 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', - default=False, - ) + # let Arkime delete old PCAP files based on available storage + arkimeManagePCAP = opensearchPrimaryRemote or InstallerYesOrNo( + 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', + default=args.arkimeManagePCAP, + ) - autoSuricata = InstallerYesOrNo('Automatically analyze all PCAP files with Suricata?', default=True) + autoSuricata = InstallerYesOrNo( + 'Automatically analyze all PCAP files with Suricata?', default=args.autoSuricata + ) suricataRuleUpdate = autoSuricata and InstallerYesOrNo( - 'Download updated Suricata signatures periodically?', default=False + 'Download updated Suricata signatures periodically?', default=args.suricataRuleUpdate ) - autoZeek = InstallerYesOrNo('Automatically analyze all PCAP files with Zeek?', default=True) - zeekICSBestGuess = autoZeek and InstallerYesOrNo( - 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', default=False + autoZeek = InstallerYesOrNo('Automatically analyze all PCAP files with Zeek?', default=args.autoZeek) + + zeekIcs = InstallerYesOrNo( + 'Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network?', + default=args.zeekIcs, + ) + + zeekICSBestGuess = ( + autoZeek + and zeekIcs + and InstallerYesOrNo( + 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', + default=args.zeekICSBestGuess, + ) ) + reverseDns = InstallerYesOrNo( - 'Perform reverse DNS lookup locally for source and destination IP addresses in logs?', default=False + 'Perform reverse DNS lookup locally for source and destination IP addresses in logs?', + default=args.reverseDns, ) - autoOui = InstallerYesOrNo('Perform hardware vendor OUI lookups for MAC addresses?', default=True) - autoFreq 
= InstallerYesOrNo('Perform string randomness scoring on some fields?', default=True) + autoOui = InstallerYesOrNo('Perform hardware vendor OUI lookups for MAC addresses?', default=args.autoOui) + autoFreq = InstallerYesOrNo('Perform string randomness scoring on some fields?', default=args.autoFreq) - openPortsSelection = 'unset' + openPortsSelection = ( + 'c' + if (args.exposeLogstash or args.exposeOpenSearch or args.exposeFilebeatTcp or args.exposeSFTP) + else 'unset' + ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: openPortsOptions = ('no', 'yes', 'customize') - while openPortsSelection not in [x[0] for x in openPortsOptions]: + loopBreaker = CountUntilException(MaxAskForValueCount) + while openPortsSelection not in [x[0] for x in openPortsOptions] and loopBreaker.increment(): openPortsSelection = InstallerChooseOne( 'Should Malcolm accept logs and metrics from a Hedgehog Linux sensor or other forwarder?', choices=[(x, '', x == openPortsOptions[0]) for x in openPortsOptions], @@ -829,13 +931,11 @@ def tweak_malcolm_runtime( else: openPortsSelection = 'c' opensearchOpen = (not opensearchPrimaryRemote) and InstallerYesOrNo( - 'Expose OpenSearch port to external hosts?', default=expose_opensearch_default - ) - logstashOpen = InstallerYesOrNo( - 'Expose Logstash port to external hosts?', default=expose_logstash_default + 'Expose OpenSearch port to external hosts?', default=args.exposeOpenSearch ) + logstashOpen = InstallerYesOrNo('Expose Logstash port to external hosts?', default=args.exposeLogstash) filebeatTcpOpen = InstallerYesOrNo( - 'Expose Filebeat TCP port to external hosts?', default=expose_filebeat_default + 'Expose Filebeat TCP port to external hosts?', default=args.exposeFilebeatTcp ) else: opensearchOpen = not opensearchPrimaryRemote 
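Review bot: `indexPruneNameSort = InstallerYesOrNo('Determine oldest indices by name (instead of creation time)?', default=True)` is the one prompt in this block that keeps a hard-coded default while everything around it now reads `args.*`, so it cannot be set noninteractively; an `--index-prune-name-sort`-style option with `default=args.indexPruneNameSort` would complete the set. The `loopBreaker = CountUntilException(MaxAskForValueCount)` for the open-ports menu also omits the message every other instance passes; `'Invalid forwarder selection'` or similar keeps the failure text consistent. The enclosing method continues outside the hunk.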
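Review bot: The external-exposure prompts now default to `args.exposeOpenSearch`, `args.exposeLogstash` and `args.exposeFilebeatTcp`, and because the open-ports menu is pre-answered with `'c'` whenever any of those flags is set (earlier in the same hunk series), a noninteractive run opens those listeners with no summary of what was exposed. An `eprint` after this block listing which of `opensearchOpen`, `logstashOpen`, `filebeatTcpOpen` and `sftpOpen` are true would make the resulting exposure explicit in the install log. The enclosing method continues outside the hunk.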
@@ -855,7 +955,8 @@ def tweak_malcolm_runtime( ): allowedFilebeatTcpFormats = ('json', 'raw') filebeatTcpFormat = 'unset' - while filebeatTcpFormat not in allowedFilebeatTcpFormats: + loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid log format') + while filebeatTcpFormat not in allowedFilebeatTcpFormats and loopBreaker.increment(): filebeatTcpFormat = InstallerChooseOne( 'Select log format for messages sent to Filebeat TCP listener', choices=[(x, '', x == allowedFilebeatTcpFormats[0]) for x in allowedFilebeatTcpFormats], @@ -881,7 +982,7 @@ def tweak_malcolm_runtime( sftpOpen = ( (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and (openPortsSelection == 'c') - and InstallerYesOrNo('Expose SFTP server (for PCAP upload) to external hosts?', default=expose_sftp_default) + and InstallerYesOrNo('Expose SFTP server (for PCAP upload) to external hosts?', default=args.exposeSFTP) ) # input file extraction parameters @@ -889,7 +990,9 @@ def tweak_malcolm_runtime( allowedFilePreserveModes = ('quarantined', 'all', 'none') fileCarveMode = None + fileCarveModeDefault = args.fileCarveMode.lower() if args.fileCarveMode else None filePreserveMode = None + filePreserveModeDefault = args.filePreserveMode.lower() if args.filePreserveMode else None vtotApiKey = '0' yaraScan = False capaScan = False 
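Review bot: `CountUntilException(MaxAskForValueCount, f'Invalid log format')` uses an f-string with no placeholders; `'Invalid log format'` is what every other instance in this diff passes. Linters flag the empty f-string (ruff F541), so it will show up as noise on later runs. The enclosing method continues outside the hunk.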
@@ -898,37 +1001,56 @@ def tweak_malcolm_runtime( fileCarveHttpServer = False fileCarveHttpServeEncryptKey = '' - if InstallerYesOrNo('Enable file extraction with Zeek?', default=False): - while fileCarveMode not in allowedFileCarveModes: + if InstallerYesOrNo('Enable file extraction with Zeek?', default=bool(fileCarveModeDefault)): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file extraction behavior') + while fileCarveMode not in allowedFileCarveModes and loopBreaker.increment(): fileCarveMode = InstallerChooseOne( 'Select file extraction behavior', - choices=[(x, '', x == allowedFileCarveModes[0]) for x in allowedFileCarveModes], - ) - while filePreserveMode not in allowedFilePreserveModes: - filePreserveMode = InstallerChooseOne( - 'Select file preservation behavior', - choices=[(x, '', x == allowedFilePreserveModes[0]) for x in allowedFilePreserveModes], + choices=[ + (x, '', x == fileCarveModeDefault if fileCarveModeDefault else allowedFileCarveModes[0]) + for x in allowedFileCarveModes + ], ) - fileCarveHttpServer = InstallerYesOrNo( - 'Expose web interface for downloading preserved files?', default=False - ) - if fileCarveHttpServer: - fileCarveHttpServeEncryptKey = InstallerAskForString( - 'Enter AES-256-CBC encryption password for downloaded preserved files (or leave blank for unencrypted)' - ) - if fileCarveMode is not None: - if InstallerYesOrNo('Scan extracted files with ClamAV?', default=True): - clamAvScan = True - if InstallerYesOrNo('Scan extracted files with Yara?', default=True): - yaraScan = True - if InstallerYesOrNo('Scan extracted PE files with Capa?', default=True): - capaScan = True - if InstallerYesOrNo('Lookup extracted file hashes with VirusTotal?', default=False): - while len(vtotApiKey) <= 1: - vtotApiKey = InstallerAskForString('Enter VirusTotal API key') - fileScanRuleUpdate = InstallerYesOrNo( - 'Download updated file scanner signatures periodically?', default=False + if fileCarveMode and (fileCarveMode != 
'none'): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file preservation behavior') + while filePreserveMode not in allowedFilePreserveModes and loopBreaker.increment(): + filePreserveMode = InstallerChooseOne( + 'Select file preservation behavior', + choices=[ + ( + x, + '', + x == filePreserveModeDefault + if filePreserveModeDefault + else allowedFilePreserveModes[0], + ) + for x in allowedFilePreserveModes + ], + ) + fileCarveHttpServer = InstallerYesOrNo( + 'Expose web interface for downloading preserved files?', default=args.fileCarveHttpServer ) + if fileCarveHttpServer: + fileCarveHttpServeEncryptKey = InstallerAskForString( + 'Enter AES-256-CBC encryption password for downloaded preserved files (or leave blank for unencrypted)', + default=args.fileCarveHttpServeEncryptKey, + ) + if fileCarveMode is not None: + if InstallerYesOrNo('Scan extracted files with ClamAV?', default=args.clamAvScan): + clamAvScan = True + if InstallerYesOrNo('Scan extracted files with Yara?', default=args.yaraScan): + yaraScan = True + if InstallerYesOrNo('Scan extracted PE files with Capa?', default=args.capaScan): + capaScan = True + if InstallerYesOrNo( + 'Lookup extracted file hashes with VirusTotal?', default=(len(args.vtotApiKey) > 1) + ): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid VirusTotal API key') + while (len(vtotApiKey) <= 1) and loopBreaker.increment(): + vtotApiKey = InstallerAskForString('Enter VirusTotal API key', default=args.vtotApiKey) + fileScanRuleUpdate = InstallerYesOrNo( + 'Download updated file scanner signatures periodically?', default=args.fileScanRuleUpdate + ) if fileCarveMode not in allowedFileCarveModes: fileCarveMode = allowedFileCarveModes[0] 
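Review bot: The default marker in the file-extraction menu is mis-parenthesized — `x == fileCarveModeDefault if fileCarveModeDefault else allowedFileCarveModes[0]` parses as `(x == fileCarveModeDefault) if fileCarveModeDefault else allowedFileCarveModes[0]`, so with no command-line value the third tuple element is the string `allowedFileCarveModes[0]` for every choice instead of the boolean the old `x == allowedFileCarveModes[0]` produced; the preservation menu's `x == filePreserveModeDefault if filePreserveModeDefault else allowedFilePreserveModes[0]` has the same problem. Write `x == (fileCarveModeDefault if fileCarveModeDefault else allowedFileCarveModes[0])` and `x == (filePreserveModeDefault if filePreserveModeDefault else allowedFilePreserveModes[0])`. Separately, `default=(len(args.vtotApiKey) > 1)` assumes the option's default is a string rather than `None`, and both `args.vtotApiKey` and `args.fileCarveHttpServeEncryptKey` are secrets passed on the command line, where they are visible in process listings and shell history; reading them from the environment or a file would be the safer interface. The enclosing method continues outside the hunk.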
@@ -940,27 +1062,29 @@ def tweak_malcolm_runtime( # NetBox netboxEnabled = InstallerYesOrNo( 'Should Malcolm run and maintain an instance of NetBox, an infrastructure resource modeling tool?', - default=False, + default=args.netboxEnabled, ) netboxLogstashEnrich = netboxEnabled and InstallerYesOrNo( 'Should Malcolm enrich network traffic using NetBox?', - default=netboxEnabled, + default=args.netboxLogstashEnrich, ) netboxLogstashAutoPopulate = ( netboxEnabled and InstallerYesOrNo( 'Should Malcolm automatically populate NetBox inventory based on observed network traffic?', - default=False, + default=args.netboxLogstashAutoPopulate, ) - and InstallerYesOrNo( - "Autopopulating NetBox's inventory is not recommended. Are you sure?", - default=False, + and ( + InstallerYesOrNo( + "Autopopulating NetBox's inventory is not recommended. Are you sure?", + default=args.netboxLogstashAutoPopulate, + ) ) ) netboxSiteName = ( InstallerAskForString( 'Specify default NetBox site name', - default='', + default=args.netboxSiteName, ) if netboxEnabled else '' 
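Review bot: The "Autopopulating NetBox's inventory is not recommended. Are you sure?" confirmation now defaults to the same `args.netboxLogstashAutoPopulate` that answered the preceding question, so one flag answers both and the confirmation no longer guards anything — in interactive runs too, since pressing Enter now accepts. The HTTPS prompt earlier in this diff handles the equivalent case with an explicit `not args.acceptDefaultsNonInteractive` condition; mirroring that here, `default=args.netboxLogstashAutoPopulate and args.acceptDefaultsNonInteractive`, keeps the interactive default at the conservative `False` while still allowing noninteractive use. The enclosing method continues outside the hunk.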
@@ -976,42 +1100,68 @@ def tweak_malcolm_runtime( pcapIface = 'lo' tweakIface = False pcapFilter = '' + captureSelection = ( + 'c' if (args.pcapNetSniff or args.pcapTcpDump or args.liveZeek or args.liveSuricata) else 'unset' + ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: - if InstallerYesOrNo( - 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', default=False - ): - pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=True) - if not pcapNetSniff: - pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=True) + captureOptions = ('no', 'yes', 'customize') + loopBreaker = CountUntilException(MaxAskForValueCount) + while captureSelection not in [x[0] for x in captureOptions] and loopBreaker.increment(): + captureSelection = InstallerChooseOne( + 'Should Malcolm capture live network traffic?', + choices=[(x, '', x == captureOptions[0]) for x in captureOptions], + )[0] + if captureSelection == 'y': + pcapNetSniff = True + liveSuricata = True + liveZeek = True + elif captureSelection == 'c': + if InstallerYesOrNo( + 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', + default=args.pcapNetSniff or args.pcapTcpDump, + ): + pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=args.pcapNetSniff) + if not pcapNetSniff: + pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=args.pcapTcpDump) liveSuricata = InstallerYesOrNo( - 'Should Malcolm analyze live network traffic with Suricata?', default=False + 'Should Malcolm analyze live network traffic with Suricata?', default=args.liveSuricata + ) + liveZeek = InstallerYesOrNo( + 'Should Malcolm analyze live network traffic with Zeek?', default=args.liveZeek ) - liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=False) + if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: + pcapFilter = InstallerAskForString( 
+ 'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)', + default=args.pcapFilter, + ) + tweakIface = InstallerYesOrNo( + 'Disable capture interface hardware offloading and adjust ring buffer sizes?', + default=args.tweakIface, + ) if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: pcapIface = '' - while len(pcapIface) <= 0: - pcapIface = InstallerAskForString('Specify capture interface(s) (comma-separated)') - pcapFilter = InstallerAskForString( - 'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)', default='' - ) - tweakIface = InstallerYesOrNo( - 'Disable capture interface hardware offloading and adjust ring buffer sizes?', default=False - ) + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid capture interface(s)') + while (len(pcapIface) <= 0) and loopBreaker.increment(): + pcapIface = InstallerAskForString( + 'Specify capture interface(s) (comma-separated)', default=args.pcapIface + ) - dashboardsDarkMode = InstallerYesOrNo('Enable dark mode for OpenSearch Dashboards?', default=True) + dashboardsDarkMode = InstallerYesOrNo( + 'Enable dark mode for OpenSearch Dashboards?', default=args.dashboardsDarkMode + ) # modify values in .env files in args.configDir # first, if the args.configDir is completely empty, then populate from defaults - defaultConfigDir = os.path.join(malcolm_install_path, 'config') + examplesConfigDir = os.path.join(malcolm_install_path, 'config') if ( - os.path.isdir(defaultConfigDir) - and (not same_file_or_dir(defaultConfigDir, args.configDir)) + os.path.isdir(examplesConfigDir) + and (not same_file_or_dir(examplesConfigDir, args.configDir)) and (not os.listdir(args.configDir)) ): - for defaultEnvExampleFile in glob.glob(os.path.join(defaultConfigDir, '*.env.example')): + for defaultEnvExampleFile in glob.glob(os.path.join(examplesConfigDir, '*.env.example')): shutil.copy2(defaultEnvExampleFile, args.configDir) # if a specific config/*.env file doesn't 
exist, use the *.example.env files as defaults @@ -1348,6 +1498,12 @@ def tweak_malcolm_runtime( 'EXTRACTED_FILE_UPDATE_RULES', TrueOrFalseNoQuote(fileScanRuleUpdate), ), + # disable/enable ICS analyzers + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'ZEEK_DISABLE_ICS_ALL', + '' if zeekIcs else TrueOrFalseNoQuote(not zeekIcs), + ), # disable/enable ICS best guess EnvValue( os.path.join(args.configDir, 'zeek.env'), 
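Review bot: Whether the capture-filter and offloading prompts (`pcapFilter = InstallerAskForString('Capture filter ...', default=args.pcapFilter)` and `tweakIface = InstallerYesOrNo(...)`) sit inside the `elif captureSelection == 'c':` branch or one level up is not recoverable from this flattened hunk; if they are inside it, choosing `'yes'` from the new menu sets `pcapNetSniff`, `liveSuricata` and `liveZeek` but never asks for a filter or the interface tweak, silently leaving `pcapFilter = ''` and `tweakIface = False`. Moving that `if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata:` block next to the interface prompt that follows the menu would cover both selections. The menu's `loopBreaker = CountUntilException(MaxAskForValueCount)` also omits the message the other instances pass. The enclosing method continues outside the hunk.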
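Review bot: The value expression for `ZEEK_DISABLE_ICS_ALL`, `'' if zeekIcs else TrueOrFalseNoQuote(not zeekIcs)`, can only produce `''` or `'true'`, because the `else` branch runs exactly when `zeekIcs` is false; `'' if zeekIcs else 'true'` says the same thing without the double negation. A comment such as `# empty when monitoring an OT/ICS network (analyzers stay on); 'true' disables them all otherwise` records which value means what. The enclosing method continues outside the hunk.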
@@ -2649,113 +2805,690 @@ def main(): description='Malcolm install script', add_help=False, usage=f'{ScriptName} ' ) parser.add_argument( - '-v', '--verbose', dest='debug', type=str2bool, nargs='?', const=True, default=False, help="Verbose output" + '-v', + '--verbose', + dest='debug', + type=str2bool, + nargs='?', + metavar="true|false", + const=True, + default=False, + help="Verbose output", + ) + parser.add_argument( + '-d', + '--defaults', + dest='acceptDefaultsNonInteractive', + type=str2bool, + nargs='?', + metavar="true|false", + const=True, + default=False, + help="Accept defaults to prompts without user interaction", ) parser.add_argument( + '-c', + '--configure', + dest='configOnly', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Only do configuration (not installation)", + ) + + configDomainArgGroup = parser.add_argument_group('Configuration files') + configDomainArgGroup.add_argument( + '-f', + '--configure-file', + required=False, + dest='configFile', + metavar='', + type=str, + default='', + help='YAML file (docker-compose file to configure or kubeconfig file)', + ) + configDomainArgGroup.add_argument( + '-e', + '--environment-dir', + required=False, + dest='configDir', + metavar='', + type=str, + default=None, + help="Directory containing Malcolm's .env files", + ) + + installFilesArgGroup = parser.add_argument_group('Installation files') + installFilesArgGroup.add_argument( '-m', '--malcolm-file', required=False, dest='mfile', - metavar='', + metavar='', type=str, default='', help='Malcolm .tar.gz file for installation', ) - parser.add_argument( + installFilesArgGroup.add_argument( '-i', '--image-file', required=False, dest='ifile', - metavar='', + metavar='', type=str, default='', help='Malcolm docker images .tar.gz file for installation', ) - parser.add_argument( - '-c', - '--configure', - dest='configOnly', + + authencOptionsArgGroup = parser.add_argument_group('Runtime options') + 
authencOptionsArgGroup.add_argument( + '--dark-mode', + dest='dashboardsDarkMode', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Enable dark mode for OpenSearch Dashboards", + ) + + authencOptionsArgGroup = parser.add_argument_group('Entryption and authentication options') + authencOptionsArgGroup.add_argument( + '--https', + dest='nginxSSL', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Require encrypted HTTPS connections", + ) + authencOptionsArgGroup.add_argument( + '--ldap', + dest='authModeLDAP', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, - help="Only do configuration (not installation)", + help="Use Lightweight Directory Access Protocol (LDAP)", ) - parser.add_argument( - '-f', - '--configure-file', + authencOptionsArgGroup.add_argument( + '--ldap-mode', + dest='ldapServerType', required=False, - dest='configFile', - metavar='', + metavar='', + type=str, + default=None, + help='LDAP server compatibility type', + ) + authencOptionsArgGroup.add_argument( + '--ldap-start-tls', + dest='ldapStartTLS', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Use StartTLS (rather than LDAPS) for LDAP connection security", + ) + + dockerOptionsArgGroup = parser.add_argument_group('Docker options') + dockerOptionsArgGroup.add_argument( + '-r', + '--restart-malcolm', + dest='malcolmAutoRestart', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Restart Malcolm on system restart (unless-stopped)", + ) + dockerOptionsArgGroup.add_argument( + '--reverse-proxied', + dest='behindReverseProxy', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Malcolm will be running behind another reverse proxy (Traefik, Caddy, etc.)", + ) + dockerOptionsArgGroup.add_argument( + '--traefik-host', + dest='traefikHost', + required=False, + 
metavar='', type=str, default='', - help='YAML file (docker-compose file to configure or kubeconfig file)', + help='Request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)', ) - parser.add_argument( - '-e', - '--environment-dir', + dockerOptionsArgGroup.add_argument( + '--traefik-host-opensearch', + dest='traefikOpenSearchHost', required=False, - dest='configDir', - metavar='', + metavar='', + type=str, + default='', + help='Request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.malcolm.example.org)', + ) + dockerOptionsArgGroup.add_argument( + '--traefik-entrypoint', + dest='traefikEntrypoint', + required=False, + metavar='', + type=str, + default='websecure', + help='Traefik router entrypoint (e.g., websecure)', + ) + dockerOptionsArgGroup.add_argument( + '--traefik-resolver', + dest='traefikResolver', + required=False, + metavar='', + type=str, + default='myresolver', + help='Traefik router resolver (e.g., myresolver)', + ) + dockerOptionsArgGroup.add_argument( + '--docker-network-name', + dest='dockerNetworkName', + required=False, + metavar='', + type=str, + default='', + help='External Docker network name (or leave blank for default networking)', + ) + + opensearchArgGroup = parser.add_argument_group('OpenSearch options') + opensearchArgGroup.add_argument( + '--opensearch', + dest='ownOpenSearch', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Malcolm should use and maintain its own OpenSearch instance", + ) + opensearchArgGroup.add_argument( + '--opensearch-memory', + dest='osMemory', + required=False, + metavar='', type=str, default=None, - help="Directory containing Malcolm's .env files", + help='Memory for OpenSearch (e.g., 16g, 9500m, etc.)', ) - parser.add_argument( - '-d', - '--defaults', - dest='acceptDefaultsNonInteractive', + opensearchArgGroup.add_argument( + '--opensearch-primary-url', + dest='opensearchPrimaryUrl', + 
required=False, + metavar='', + type=str, + default='', + help='Primary remote OpenSearch connection URL', + ) + opensearchArgGroup.add_argument( + '--opensearch-primary-ssl-verify', + dest='opensearchPrimarySslVerify', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, - help="Accept defaults to prompts without user interaction", + help="Require SSL certificate validation for communication with primary OpenSearch instance", ) - parser.add_argument( + opensearchArgGroup.add_argument( + '--opensearch-compress-snapshots', + dest='indexSnapshotCompressed', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Compress OpenSearch index snapshots", + ) + opensearchArgGroup.add_argument( + '--opensearch-secondary-remote', + dest='opensearchSecondaryRemote', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Forward Logstash logs to a secondary remote OpenSearch instance", + ) + opensearchArgGroup.add_argument( + '--opensearch-secondary-url', + dest='opensearchSecondaryUrl', + required=False, + metavar='', + type=str, + default='', + help='Secondary remote OpenSearch connection URL', + ) + opensearchArgGroup.add_argument( + '--opensearch-secondary-ssl-verify', + dest='opensearchSecondarySslVerify', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Require SSL certificate validation for communication with secondary OpenSearch instance", + ) + + logstashArgGroup = parser.add_argument_group('LogStash options') + logstashArgGroup.add_argument( + '--logstash-memory', + dest='lsMemory', + required=False, + metavar='', + type=str, + default=None, + help='Memory for LogStash (e.g., 4g, 2500m, etc.)', + ) + logstashArgGroup.add_argument( + '--logstash-workers', + dest='lsWorkers', + required=False, + metavar='', + type=int, + default=None, + help='Number of Logstash workers (e.g., 4, 8, etc.)', + ) + + openPortsArgGroup = 
parser.add_argument_group('Expose ports') + openPortsArgGroup.add_argument( '--logstash-expose', dest='exposeLogstash', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, help="Expose Logstash port to external hosts", ) - parser.add_argument( + openPortsArgGroup.add_argument( '--opensearch-expose', dest='exposeOpenSearch', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, help="Expose OpenSearch port to external hosts", ) - parser.add_argument( + openPortsArgGroup.add_argument( '--filebeat-tcp-expose', dest='exposeFilebeatTcp', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, help="Expose Filebeat TCP port to external hosts", ) - parser.add_argument( + openPortsArgGroup.add_argument( '--sftp-expose', dest='exposeSFTP', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, help="Expose SFTP server (for PCAP upload) to external hosts", ) - parser.add_argument( - '-r', - '--restart-malcolm', - dest='malcolmAutoRestart', + + storageArgGroup = parser.add_argument_group('Storage options') + storageArgGroup.add_argument( + '--pcap-path', + dest='pcapDir', + required=False, + metavar='', + type=str, + default='', + help='PCAP storage directory', + ) + storageArgGroup.add_argument( + '--zeek-path', + dest='zeekLogDir', + required=False, + metavar='', + type=str, + default='', + help='Zeek log storage directory', + ) + storageArgGroup.add_argument( + '--suricata-path', + dest='suricataLogDir', + required=False, + metavar='', + type=str, + default='', + help='Suricata log storage directory', + ) + storageArgGroup.add_argument( + '--opensearch-path', + dest='indexDir', + required=False, + metavar='', + type=str, + default='', + help='OpenSearch index directory', + ) + storageArgGroup.add_argument( + '--opensearch-snapshot-path', + dest='indexSnapshotDir', + required=False, + metavar='', + type=str, + default='', + help='OpenSearch snapshot directory', + ) + 
storageArgGroup.add_argument( + '--delete-old-pcap', + dest='arkimeManagePCAP', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, - help="Restart Malcolm on system restart (unless-stopped)", + help="Arkime should delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)", + ) + storageArgGroup.add_argument( + '--delete-index-threshold', + dest='indexPruneSizeLimit', + required=False, + metavar='', + type=str, + default='', + help=f'Delete the oldest indices when the database exceeds this threshold (e.g., 250GB, 1TB, 60٪, etc.)', + ) + + analysisArgGroup = parser.add_argument_group('Analysis options') + analysisArgGroup.add_argument( + '--auto-suricata', + dest='autoSuricata', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Automatically analyze all PCAP files with Suricata", + ) + analysisArgGroup.add_argument( + '--suricata-rule-update', + dest='suricataRuleUpdate', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Automatically analyze all PCAP files with Suricata", + ) + analysisArgGroup.add_argument( + '--auto-zeek', + dest='autoZeek', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Automatically analyze all PCAP files with Zeek", + ) + analysisArgGroup.add_argument( + '--zeek-ics', + dest='zeekIcs', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Malcolm is being used to monitor an Industrial Control Systems (ICS) or Operational Technology (OT) network", + ) + analysisArgGroup.add_argument( + '--zeek-ics-best-guess', + dest='zeekICSBestGuess', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help='Use "best guess" to identify potential OT/ICS traffic with Zeek', + ) + analysisArgGroup.add_argument( + '--reverse-dns', + dest='reverseDns', + type=str2bool, + metavar="true|false", + nargs='?', + 
const=True, + default=False, + help='Perform reverse DNS lookup locally for source and destination IP addresses in logs', + ) + analysisArgGroup.add_argument( + '--auto-oui', + dest='autoOui', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help='Perform hardware vendor OUI lookups for MAC addresses', + ) + analysisArgGroup.add_argument( + '--auto-freq', + dest='autoFreq', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help='Perform string randomness scoring on some fields', + ) + + fileCarveArgGroup = parser.add_argument_group('File extraction options') + fileCarveArgGroup.add_argument( + '--file-extraction', + dest='fileCarveMode', + required=False, + metavar='', + type=str, + default='none', + help='Zeek file extraction behavior', + ) + fileCarveArgGroup.add_argument( + '--file-preservation', + dest='filePreserveMode', + required=False, + metavar='', + type=str, + default='none', + help='Zeek file preservation behavior', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-server', + dest='fileCarveHttpServer', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help='Expose web interface for downloading preserved files', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-server-password', + dest='fileCarveHttpServeEncryptKey', + required=False, + metavar='', + type=str, + default=None, + help='AES-256-CBC encryption password for downloaded preserved files (blank for unencrypted)', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-clamav', + dest='clamAvScan', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help='Scan extracted files with ClamAV', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-yara', + dest='yaraScan', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help='Scan extracted files with Yara', + ) + fileCarveArgGroup.add_argument( + 
'--extracted-file-capa', + dest='capaScan', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help='Scan extracted files with Capa', + ) + fileCarveArgGroup.add_argument( + '--virustotal-api-key', + dest='vtotApiKey', + required=False, + metavar='', + type=str, + default='', + help='VirusTotal API key to scan extracted files with VirusTotal', + ) + fileCarveArgGroup.add_argument( + '--file-scan-rule-update', + dest='fileScanRuleUpdate', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Download updated file scanner signatures periodically", + ) + + netboxArgGroup = parser.add_argument_group('NetBox options') + netboxArgGroup.add_argument( + '--netbox', + dest='netboxEnabled', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Run and maintain an instance of NetBox", + ) + netboxArgGroup.add_argument( + '--netbox-enrich', + dest='netboxLogstashEnrich', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Enrich network traffic using NetBox", + ) + netboxArgGroup.add_argument( + '--netbox-autopopulate', + dest='netboxLogstashAutoPopulate', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Automatically populate NetBox inventory based on observed network traffic", + ) + netboxArgGroup.add_argument( + '--netbox-site-name', + dest='netboxSiteName', + required=False, + metavar='', + type=str, + default='', + help='Default NetBox site name', + ) + + captureArgGroup = parser.add_argument_group('Live traffic capture options') + captureArgGroup.add_argument( + '--live-capture-iface', + dest='pcapIface', + required=False, + metavar='', + type=str, + default='', + help='Capture interface(s) (comma-separated)', + ) + captureArgGroup.add_argument( + '--live-capture-filter', + dest='pcapFilter', + required=False, + metavar='', + type=str, + default='', + help='Capture filter 
(tcpdump-like filter expression; leave blank to capture all traffic)', + ) + captureArgGroup.add_argument( + '--live-capture-iface-tweak', + dest='tweakIface', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Disable capture interface hardware offloading and adjust ring buffer sizes", + ) + captureArgGroup.add_argument( + '--live-capture-arkime', + dest='pcapNetSniff', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Capture live network traffic with netsniff-ng for Arkime", + ) + captureArgGroup.add_argument( + '--live-capture-arkime-tcpdump', + dest='pcapTcpDump', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Capture live network traffic with tcpdump for Arkime", + ) + captureArgGroup.add_argument( + '--live-capture-zeek', + dest='liveZeek', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Capture live network traffic with Zeek", + ) + captureArgGroup.add_argument( + '--live-capture-suricata', + dest='liveSuricata', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Capture live network traffic with Suricata", ) try: @@ -2850,6 +3583,8 @@ def main(): success = installer.tweak_system_files() if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_docker_images'): success = installer.install_docker_images(imageFile) + if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_malcolm_files'): + success, installPath = installer.install_malcolm_files(malcolmFile, args.configDir is None) # if .env directory is unspecified, use the default ./config directory if args.configDir is None: 
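Review bot: `--extracted-file-server-password` and `--virustotal-api-key` take their secrets as plain command-line values, which leaves them in shell history and visible to other local users through the process table; accepting them from an environment variable or a file (or prompting when the flag is given without a value, as the installer already does interactively) would avoid that exposure. The help text for `--suricata-rule-update` is a copy of the `--auto-suricata` one ("Automatically analyze all PCAP files with Suricata") and should describe rule updating, e.g. `help="Download updated Suricata rules periodically"`. The group title `'Entryption and authentication options'` is misspelled (`'Encryption and authentication options'`), and `authencOptionsArgGroup` is first used for the `'Runtime options'` group and then rebound, so a separate `runtimeOptionsArgGroup` name would read better. In the `--delete-index-threshold` help the `60٪` uses U+066A rather than ASCII percent, presumably to dodge argparse's %-formatting; `60%%` is the documented escape, and the `f` prefix on that string has no placeholders.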
@@ -2860,7 +3595,9 @@ def main(): if (exc.errno == errno.EEXIST) and os.path.isdir(args.configDir): pass else: - raise + eprint(f"Creating {args.configDir} failed: {exc}, attempting to continue anyway") + except Exception as e: + eprint(f"Creating {args.configDir} failed: {e}, attempting to continue anyway") if orchMode is OrchestrationFramework.KUBERNETES: kube_imported = KubernetesDynamic(debug=args.debug) @@ -2896,18 +3633,8 @@ def main(): if args.debug: eprint(f"Malcolm installation detected at {installPath}") - elif hasattr(installer, 'install_malcolm_files'): - success, installPath = installer.install_malcolm_files(malcolmFile) - if (installPath is not None) and os.path.isdir(installPath) and hasattr(installer, 'tweak_malcolm_runtime'): - installer.tweak_malcolm_runtime( - installPath, - expose_opensearch_default=args.exposeOpenSearch, - expose_logstash_default=args.exposeLogstash, - expose_filebeat_default=args.exposeFilebeatTcp, - expose_sftp_default=args.exposeSFTP, - restart_mode_default=args.malcolmAutoRestart, - ) + installer.tweak_malcolm_runtime(installPath) eprint(f"\nMalcolm has been installed to {installPath}. See README.md for more information.") eprint( f"Scripts for starting and stopping Malcolm and changing authentication-related settings can be found in {os.path.join(installPath, 'scripts')}." diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py index 94bcd4438..4ec293067 100644 --- a/scripts/malcolm_common.py +++ b/scripts/malcolm_common.py 
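Review bot: Replacing `raise` with an eprint-and-continue, and adding a catch-all `except Exception`, means a config directory that could not be created is still used afterwards, so the later `.env` writes into `args.configDir` fail with a less direct error far from the cause. Keeping the tolerate-EEXIST behaviour but stopping when the directory still does not exist afterwards, e.g. `if not os.path.isdir(args.configDir): raise`, preserves the intent without hiding a real failure. The `try` that opens this block is outside the hunk.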
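Review bot: `installer.tweak_malcolm_runtime(installPath)` drops the explicit `expose_*` and `restart_mode_default` keyword arguments, so the callee presumably now reads these from `args` itself; its updated signature is not visible here and is worth confirming in the same commit. With the removed `elif` branch gone, the only assignment of `installPath` visible in this diff is the DOCKER_COMPOSE-only call in the earlier hunk, so the `installPath is not None` guard on the Kubernetes path relies on an initialisation outside this hunk.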
@@ -278,10 +278,18 @@ def AskForString( # get interactive password (without echoing) def AskForPassword( prompt, + default=None, + defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt, uiMode=UserInterfaceMode.InteractionDialog | UserInterfaceMode.InteractionInput, clearScreen=False, ): - if (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None): + if (default is not None) and ( + (defaultBehavior & UserInputDefaultsBehavior.DefaultsAccept) + and (defaultBehavior & UserInputDefaultsBehavior.DefaultsNonInteractive) + ): + reply = default + + elif (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None): code, reply = MainDialog.passwordbox(prompt, insecure=True) if (code == Dialog.CANCEL) or (code == Dialog.ESC): raise RuntimeError("Operation cancelled") @@ -685,6 +693,7 @@ def DownloadToFile(url, local_filename, debug=False): | GET\s+/(netbox/api|_cat/health|api/status|sessions2-|arkime_\w+).+HTTP/[\d\.].+\b200\b | GET\s+/\s+.+\b200\b.+ELB-HealthChecker | loaded\s+config\s+'/etc/netbox/config/ + | LOG:\s+checkpoint\s+(complete|starting) | "netbox"\s+application\s+started | \[notice\].+app\s+process\s+\d+\s+exited\s+with\s+code\s+0\b | kube-probe/ diff --git a/scripts/malcolm_utils.py b/scripts/malcolm_utils.py index 9da10f0e9..18d6d3c50 100644 --- a/scripts/malcolm_utils.py +++ b/scripts/malcolm_utils.py 
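Review bot: Inserting `default` and `defaultBehavior` ahead of `uiMode` changes the positional order of `AskForPassword`, so any caller that passed `uiMode` or `clearScreen` positionally now binds them to `default`; making the new parameters keyword-only (`*,`) or appending them after the existing ones avoids that. Separately, when `DefaultsAccept` and `DefaultsNonInteractive` are both set the function returns the caller-supplied `default` verbatim, so a non-interactive install silently adopts whatever password was passed in; a comment such as `# non-interactive mode returns the caller-supplied default as the password; callers must never hard-code one` would make that contract explicit for future callers.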
@@ -65,6 +65,21 @@ def __exit__(self, type, value, traceback): return self.decrement() +################################################################################################### +# increment until we hit a limit, then raise an exception +class CountUntilException: + def __init__(self, max=100, err=None): + self.val = 0 + self.max = max + self.err = err if err else 'Invalid value' + + def increment(self): + self.val += 1 + if self.val >= self.max: + raise ValueError(self.err) + return True + + ################################################################################################### # if a string starts with 'base64:', decode it, otherwise return it as-is def base64_decode_if_prefixed(s: str): diff --git a/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml b/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml new file mode 100644 index 000000000..b0371b948 --- /dev/null +++ b/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml @@ -0,0 +1,49 @@ +version = 1 + +[[steps]] +[steps.shell] +script = ''' +echo "Installing system packages..." +sudo apt-get -y -q update +sudo apt-get -y -q --no-install-recommends install \ + bash \ + bat \ + bc \ + bzip2 \ + ca-certificates \ + curl \ + detox \ + dialog \ + direnv \ + dtrx \ + fd-find \ + file \ + git \ + gpg \ + iproute2 \ + iputils-ping \ + jq \ + less \ + lz4 \ + moreutils \ + ncat \ + netcat-openbsd \ + p7zip-full \ + procps \ + psmisc \ + pv \ + python3-dialog \ + python3-dotenv \ + python3-requests \ + ripgrep \ + rsync \ + socat \ + tmux \ + unzip \ + vim-tiny \ + xz-utils \ + yq \ + zip \ + zlib1g +sudo ln -s -r /usr/bin/batcat /usr/bin/bat +''' diff --git a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml new file mode 100644 index 000000000..f071df6a6 --- /dev/null 
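Review bot: `increment()` raises when `self.val >= self.max`, so with a limit of N only N-1 successful increments are possible (with `max=1` the first call raises before the caller's loop body runs once); `if self.val > self.max:` matches the "count until we hit a limit" description. The constructor parameter `max` shadows the builtin and could be `limit`, and `self.err = err if err else 'Invalid value'` is simply `self.err = err or 'Invalid value'`. A one-line class docstring stating that `increment()` returns True until the limit is exceeded and then raises `ValueError(err)` would help, since the method is used as a `while` condition.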
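Review bot: The provisioning shell script runs without `set -e`, so a failed `apt-get install` does not fail the step and the later setup files run against a partially provisioned VM; adding `set -euo pipefail` as the first line of the script (or checking the apt-get exit status) would surface that. The final `sudo ln -s -r /usr/bin/batcat /usr/bin/bat` has no `-f`, so re-running the step errors once the link exists.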
+++ b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml 
@@ -0,0 +1,72 @@ +version = 1 + +[[steps]] +[steps.shell] +script = ''' +echo "Downloading external utilities..." + +mkdir -p "$HOME"/.local/bin "$HOME"/.config +[[ -z "$GITHUB_OAUTH_TOKEN" ]] && [[ -n "$GITHUB_TOKEN" ]] && export GITHUB_OAUTH_TOKEN="$GITHUB_TOKEN" + +cd /tmp +FETCH_URL="https://github.com/gruntwork-io/fetch/releases/latest/download/fetch_linux_amd64" +curl -fsSL -o /tmp/fetch "$FETCH_URL" +chmod 755 /tmp/fetch +/tmp/fetch --version >/dev/null 2>&1 && cp -f /tmp/fetch "$HOME"/.local/bin/fetch +rm -rf /tmp/fetch + +if "$HOME"/.local/bin/fetch --version >/dev/null 2>&1; then + + ASSETS=( + "https://github.com/aptible/supercronic|^supercronic-linux-amd64$|"$HOME"/.local/bin/supercronic|755" + "https://github.com/boringproxy/boringproxy|^boringproxy-linux-x86_64$|"$HOME"/.local/bin/boringproxy|755" + "https://github.com/FiloSottile/age|^age-v.+-linux-amd64\.tar\.gz$|/tmp/age.tar.gz" + "https://github.com/schollz/croc|^croc_.+_Linux-64bit\.tar\.gz$|/tmp/croc.tar.gz" + "https://github.com/smallstep/cli|^step_linux_.+_amd64\.tar\.gz$|/tmp/step.tar.gz" + "https://github.com/starship/starship|^starship-x86_64-unknown-linux-gnu\.tar\.gz$|/tmp/starship.tar.gz" + ) + + for i in ${ASSETS[@]}; do + REPO="$(echo "$i" | cut -d'|' -f1)" + ASSET_REGEX="$(echo "$i" | cut -d'|' -f2)" + OUTPUT_FILE="$(echo "$i" | cut -d'|' -f3)" + OUTPUT_FILE_PERMS="$(echo "$i" | cut -d'|' -f4)" + echo "" >&2 + echo "Downloading asset for $REPO..." 
>&2 + FETCH_DIR="$(mktemp -d)" + "$HOME"/.local/bin/fetch --log-level warn \ + --repo="$REPO" \ + --tag=">=0.0.0" \ + --release-asset="$ASSET_REGEX" \ + "$FETCH_DIR" + mv "$FETCH_DIR"/* "$OUTPUT_FILE" + rm -rf "$FETCH_DIR" + if [[ -f "$OUTPUT_FILE" ]]; then + chmod "${OUTPUT_FILE_PERMS:-644}" "$OUTPUT_FILE" + if [[ "$OUTPUT_FILE" == *.tar.gz ]] || [[ "$OUTPUT_FILE" == *.tgz ]]; then + UNPACK_DIR="$(mktemp -d)" + tar xzf "$OUTPUT_FILE" -C "$UNPACK_DIR" + elif [[ "$OUTPUT_FILE" == *.tar.xz ]] || [[ "$OUTPUT_FILE" == *.xz ]]; then + UNPACK_DIR="$(mktemp -d)" + tar xJf "$OUTPUT_FILE" -C "$UNPACK_DIR" --strip-components 1 + elif [[ "$OUTPUT_FILE" == *.zip ]]; then + UNPACK_DIR="$(mktemp -d)" + unzip -q "$OUTPUT_FILE" -d "$UNPACK_DIR" + else + UNPACK_DIR= + fi + if [[ -d "$UNPACK_DIR" ]]; then + find "$UNPACK_DIR" -type f -exec file --mime-type "{}" \; | \ + grep -P ":\s+application/.*executable" | \ + cut -d: -f 1 | xargs -I XXX -r mv "XXX" "$HOME"/.local/bin + rm -rf "$UNPACK_DIR" "$OUTPUT_FILE" + fi + fi + done + +else + echo "Could not download and/or execute fetch" + rm -f "$HOME"/.local/bin/fetch + exit 1 +fi +''' diff --git a/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml b/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml new file mode 100644 index 000000000..297e537da --- /dev/null +++ b/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml 
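Review bot: Executables are fetched from the `latest` release of each repository (`--tag=">=0.0.0"`) with no version pin and no checksum or signature verification, then placed on `PATH` in `$HOME/.local/bin`, so the provisioned VM runs whatever the remote currently serves; pinning `--tag` to a known version and comparing each asset against a recorded digest would make provisioning reproducible and detect a modified asset. The bootstrap `fetch` binary is written to the fixed path `/tmp/fetch` in a world-writable directory, whereas `mktemp -d` (already used for `FETCH_DIR`) would avoid clashing with a pre-existing file at that path. `for i in ${ASSETS[@]}` is unquoted and `mv "$FETCH_DIR"/* "$OUTPUT_FILE"` assumes exactly one matching asset; `"${ASSETS[@]}"` and a check that a single file was downloaded would harden the loop.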
@@ -0,0 +1,77 @@ +version = 1 + +[env] +MALCOLM_REPO_OWNER = "idaholab" +MALCOLM_REPO_NAME = "Malcolm" +MALCOLM_REPO_BRANCH = "main" + +[[steps]] +[steps.shell] +script = ''' +echo "Setting up Malcolm..." + +pushd "$HOME" +touch "$HOME"/.hushlogin +mkdir -p "$HOME"/.local/bin "$HOME"/.config/procps "$HOME"/.config/systemd/user + +git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules -b "$MALCOLM_REPO_BRANCH" "https://github.com/$MALCOLM_REPO_OWNER/$MALCOLM_REPO_NAME" + +rm -f "$HOME"/.bashrc \ + "$HOME"/.bash_aliases \ + "$HOME"/.bash_functions \ + "$HOME"/.config/procps/toprc \ + "$HOME"/.selected_editor \ + "$HOME"/.tmux.conf \ + "$HOME"/.vimrc +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/bash.bash_aliases "$HOME"/.bash_aliases +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/bash.bash_functions "$HOME"/.bash_functions +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.bashrc "$HOME"/.bashrc +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.config/procps/toprc "$HOME"/.config/procps/toprc +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.selected_editor "$HOME"/.selected_editor +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.tmux.conf "$HOME"/.tmux.conf +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.vimrc "$HOME"/.vimrc +ln -s -r -f "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.config/systemd/user/*.service "$HOME"/.config/systemd/user/ + +pushd Malcolm +python3 ./scripts/install.py --defaults --restart-malcolm +sudo usermod -a -G docker "$USER" +sudo loginctl enable-linger "$USER" +sudo ln -s -r /usr/libexec/docker/cli-plugins/docker-compose /usr/local/bin/docker-compose +sudo sysctl --system +rm -f ~/Malcolm/.configured + +popd + cat << 'EOF' >> "$HOME"/.bashrc + +# Configure Malcolm on first login +if [[ $- == *i* ]] && [[ -d ~/Malcolm ]] && [[ ! 
-f ~/Malcolm/.configured ]]; then + pushd ~/Malcolm >/dev/null 2>&1 + ./scripts/configure + ./scripts/auth_setup + popd >/dev/null 2>&1 + clear + cat << 'EOT' + +To start, stop, restart, etc. Malcolm: + Use the control scripts in the "~/Malcolm/scripts/" directory: + - start (start Malcolm) + - stop (stop Malcolm) + - restart (restart Malcolm) + - logs (monitor Malcolm logs) + - wipe (stop Malcolm and clear its database) + - auth_setup (change authentication-related settings) + +A minute or so after starting Malcolm, the following services will be accessible: + - Arkime: https:/// + - OpenSearch Dashboards: https:///dashboards/ + - PCAP upload (web): https:///upload/ + - NetBox: https:///netbox/ + - Account management: https:///auth/ + - Documentation: https:///readme/ + +EOT +fi +EOF + +popd +''' diff --git a/scripts/third-party-environments/virter/malcolm-setup-03-pull.toml b/scripts/third-party-environments/virter/malcolm-setup-03-pull.toml new file mode 100644 index 000000000..bd764787f --- /dev/null +++ b/scripts/third-party-environments/virter/malcolm-setup-03-pull.toml @@ -0,0 +1,11 @@ +version = 1 + +[[steps]] +[steps.shell] +script = ''' +echo "Pulling Malcolm container images..." +pushd "$HOME"/Malcolm +./scripts/github_image_helper.sh "$(./scripts/github_image_helper.sh 99999 2>&1 | grep PullAndTagGithubWorkflowImages | awk '{print $1}')" +popd +docker images +''' diff --git a/scripts/third-party-environments/virter/malcolm-virter.sh b/scripts/third-party-environments/virter/malcolm-virter.sh new file mode 100755 index 000000000..5a3cc5999 --- /dev/null +++ b/scripts/third-party-environments/virter/malcolm-virter.sh 
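Review bot: The `cat << 'EOF' >> "$HOME"/.bashrc` block is appended unconditionally, so re-running this step adds a second copy of the first-login hook; guarding it with a marker check such as `grep -q 'Configure Malcolm on first login' "$HOME"/.bashrc ||` keeps the step idempotent. The script also has no `set -e`, so if `git clone` fails the symlinks dangle, `pushd Malcolm` fails, and `python3 ./scripts/install.py --defaults --restart-malcolm` runs from `$HOME` instead. The `https:///` URLs in the login banner look like angle-bracket host placeholders lost in rendering and are worth checking against the committed file.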
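Review bot: Calling `github_image_helper.sh 99999` to provoke its usage menu and scraping the `PullAndTagGithubWorkflowImages` index with grep/awk ties this step to the helper's output format, and if the grep matches nothing the helper is invoked with an empty argument. Letting the helper accept the operation name directly, or checking that the captured index is non-empty before the second call, would make the step robust.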
@@ -0,0 +1,106 @@ +#!/usr/bin/env bash + +set -o pipefail +set -u +shopt -s nocasematch +ENCODING="utf-8" + +SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +MALCOLM_REPO_OWNER=idaholab +MALCOLM_REPO_NAME=Malcolm +MALCOLM_REPO_BRANCH=main +GITHUB_TOKEN=${GITHUB_TOKEN:-} + +MALCOLM_CPU=${QEMU_CPU:-4} +MALCOLM_RAM=${QEMU_RAM:-16384} +MALCOLM_DISK=${QEMU_DISK:-50G} + +MALCOLM_IMAGE=${QEMU_IMAGE:-debian-12} +MALCOLM_IMAGE_USER=${QEMU_USER:-debian} + +VM_ID=$((120 + $RANDOM % 80)) +VM_NAME="malcolm-${VM_ID}" +RM_AFTER_EXEC= + +while getopts 'rvo:b:c:m:d:i:u:n:g:' OPTION; do + case "$OPTION" in + + r) + RM_AFTER_EXEC=0 + ;; + + v) + set -x + ;; + + o) + MALCOLM_REPO_OWNER="$OPTARG" + ;; + + b) + MALCOLM_REPO_BRANCH="$OPTARG" + ;; + + g) + GITHUB_TOKEN="$OPTARG" + ;; + + c) + MALCOLM_CPU="$OPTARG" + ;; + + m) + MALCOLM_RAM="$OPTARG" + ;; + + d) + MALCOLM_DISK="$OPTARG" + ;; + + i) + MALCOLM_IMAGE="$OPTARG" + ;; + + n) + VM_NAME="$OPTARG" + ;; + + u) + MALCOLM_IMAGE_USER="$OPTARG" + ;; + + ?) + echo -e "\nscript usage: $(basename $0) OPTIONS" + echo -e "Options:\n\t[-v (verbose)]\n\t[-c ]\n\t[-m ]\n\t[-d ]\n\t[-i ]\n\t[-n ]\n\t[-u ]\n\t[-o ]\n\t[-b ]\n\t[-g ]\n\t[-r (remove VM upon completion)]\n" >&2 + exit 1 + ;; + + esac +done +shift "$(($OPTIND -1))" + +unset SSH_AUTH_SOCK + +virter vm run "${MALCOLM_IMAGE}" \ + --id ${VM_ID} \ + --name "${VM_NAME}" \ + --vcpus ${MALCOLM_CPU} \ + --memory ${MALCOLM_RAM}MiB \ + --bootcapacity "${MALCOLM_DISK}" \ + --user "${MALCOLM_IMAGE_USER}" \ + --wait-ssh \ + "$@" + +pushd "$SCRIPT_PATH" >/dev/null 2>&1 +for SETUPFILE in malcolm-setup*.toml; do + virter vm exec "${VM_NAME}" \ + --set "env.MALCOLM_REPO_OWNER=$MALCOLM_REPO_OWNER" \ + --set "env.MALCOLM_REPO_BRANCH=$MALCOLM_REPO_BRANCH" \ + --set "env.MALCOLM_REPO_NAME=$MALCOLM_REPO_NAME" \ + --set "env.GITHUB_TOKEN=$GITHUB_TOKEN" \ + --provision "${SETUPFILE}" +done +popd >/dev/null 2>&1 + +[[ -n "$RM_AFTER_EXEC" ]] && virter vm rm "${VM_NAME}" 
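Review bot: The script's final command `[[ -n "$RM_AFTER_EXEC" ]] && virter vm rm "${VM_NAME}"` is also its exit status, so without `-r` the script exits 1 even when everything succeeded; ending with `[[ -z "$RM_AFTER_EXEC" ]] || virter vm rm "${VM_NAME}"` or an explicit `exit 0` fixes that. `set -u` and `pipefail` are enabled but not `set -e`, so a failed `virter vm run` still runs the provisioning loop against a VM that does not exist. `GITHUB_TOKEN` is passed as `--set "env.GITHUB_TOKEN=..."` on the virter command line (and accepted via `-g`), which exposes it in the process table and shell history; passing it through the environment only would avoid that. `ENCODING` and `shopt -s nocasematch` appear unused.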
diff --git a/scripts/third-party-logs/fluent-bit-setup.ps1 b/scripts/third-party-logs/fluent-bit-setup.ps1 index 04a70aeb9..7a0ada791 100644 --- a/scripts/third-party-logs/fluent-bit-setup.ps1 +++ b/scripts/third-party-logs/fluent-bit-setup.ps1 @@ -9,7 +9,7 @@ ############################################################################### $fluent_bit_version = '2.1' -$fluent_bit_full_version = '2.1.8' +$fluent_bit_full_version = '2.1.9' ############################################################################### # select an item from a menu provided in an array diff --git a/sensor-iso/arkime/Dockerfile b/sensor-iso/arkime/Dockerfile index e2fa621d3..60f727617 100644 --- a/sensor-iso/arkime/Dockerfile +++ b/sensor-iso/arkime/Dockerfile @@ -6,7 +6,7 @@ LABEL maintainer="malcolm@inl.gov" ENV DEBIAN_FRONTEND noninteractive -ENV ARKIME_VERSION "4.4.0" +ENV ARKIME_VERSION "4.5.0" ENV ARKIME_DIR "/opt/arkime" RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sources && \ diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index 34524c4e5..8fcf57468 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -5,11 +5,7 @@ IMAGE_PUBLISHER=cisagov IMAGE_VERSION=1.0.0 IMAGE_DISTRIBUTION=bookworm -ZEEK_DISTRO=Debian_12 -ZEEK_VER=5.2.2-0 -ZEEK_LTS= - -BEATS_VER="8.9.0" +BEATS_VER="8.10.0" BEATS_OSS="-oss" BUILD_ERROR_CODE=1 
@@ -147,27 +143,14 @@ if [ -d "$WORKDIR" ]; then
 # download deb files to be installed during installation
 pushd ./config/packages.chroot/ >/dev/null 2>&1
-
- # zeek
- if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS
- curl -sSL --remote-name-all \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VER}_amd64.deb" \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VER}_amd64.deb" \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VER}_amd64.deb" \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VER}_amd64.deb" \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeek${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VER}_amd64.deb" \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-client_${ZEEK_VER}_all.deb" \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VER}_all.deb" \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-btest_${ZEEK_VER}_all.deb" \
- "https://download.zeek.org/binary-packages/${ZEEK_DISTRO}/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VER}_all.deb"
-
+ # none for now
 popd >/dev/null 2>&1
 # clone and build yara .deb package in its own clean environment (rather than in hooks/)
 bash "$SCRIPT_PATH/yara/build-docker-image.sh"
 docker run --rm -v "$SCRIPT_PATH"/yara:/build yara-build:latest -o /build
 mv "$SCRIPT_PATH/yara"/*.deb ./config/packages.chroot/
+ docker rmi -f yara-build:latest
 # grab maxmind geoip database files, iana ipv4 address ranges, wireshark oui lists, etc.
 mkdir -p "$SCRIPT_PATH/arkime/etc"
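Review bot: `docker rmi -f yara-build:latest` is appended directly after the `mv` of the built `.deb`, but nothing in this hunk checks that `docker run ... yara-build:latest` succeeded, so a failed build is followed by a failed `mv` and the image is removed anyway, discarding the one artefact useful for diagnosing it; unless build.sh runs under `set -e` (not visible in this hunk), `docker run --rm -v "$SCRIPT_PATH"/yara:/build yara-build:latest -o /build || exit 1` closes that gap. The `# none for now` comment leaves an empty `pushd`/`popd` pair around the former Zeek download; a one-line `# Zeek is now built from source below (see zeek/build-zeek-deb.sh)` would tell the next reader where the packages went.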
@@ -192,6 +175,16 @@ if [ -d "$WORKDIR" ]; then
 bash "$SCRIPT_PATH/arkime/build-docker-image.sh"
 docker run --rm -v "$SCRIPT_PATH"/arkime:/build arkime-build:latest -o /build
 mv "$SCRIPT_PATH/arkime"/*.deb ./config/packages.chroot/
+ docker rmi -f arkime-build:latest
+
+ # clone and build Zeek .deb package in its own clean environment (rather than in hooks/)
+ bash "$SCRIPT_PATH/zeek/build-docker-image.sh"
+ docker run --rm -v "$SCRIPT_PATH"/zeek:/build zeek-build:latest -o /build -j "${BUILD_JOBS:-0}"
+ mv "$SCRIPT_PATH/zeek"/*.deb ./config/packages.chroot/
+ docker rmi -f zeek-build:latest
+
+ # reclaim some space
+ docker system prune --volumes --force
 # save these extra debs off into hedgehog_install_artifacts
 mkdir -p ./config/includes.chroot/opt/hedgehog_install_artifacts
diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
index f1e5b234b..df0280d07 100755
--- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
@@ -13,9 +13,6 @@ GITHUB_API_CURL_ARGS+=( -H )
 GITHUB_API_CURL_ARGS+=( "Accept: application/vnd.github.v3+json" )
 [[ -n "$GITHUB_TOKEN" ]] && GITHUB_API_CURL_ARGS+=( -H ) && GITHUB_API_CURL_ARGS+=( "Authorization: token $GITHUB_TOKEN" )
-ZEEK_DIR="/opt/zeek"
-export PATH="${ZEEK_DIR}"/bin:$PATH
-
 SURICATA_RULES_DIR="/etc/suricata/rules"
 CAPA_RELEASE_URL="https://api.github.com/repos/fireeye/capa/releases/latest"
@@ -28,9 +25,8 @@ YARA_RULES_DIR="/opt/yara-rules"
 mkdir -p /opt/hedgehog_install_artifacts/
 # Download and install spicy and 3rd-party zeek plugins
-mkdir -p "${CCACHE_DIR}"
-
-# zeek plugins
+ZEEK_DIR="/opt/zeek"
+export PATH="${ZEEK_DIR}"/bin:$PATH
 cd /tmp
 zkg autoconfig --force
 bash /usr/local/bin/zeek_install_plugins.sh
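Review bot: `docker system prune --volumes --force` is not scoped to this build: on a developer workstation it deletes every stopped container, unused network, dangling image and every unused volume on the host, far more than the `zeek-build`/`arkime-build` leftovers the `# reclaim some space` comment is about. The `docker rmi -f` lines already remove the build images, so replace the prune with `docker builder prune --force` (build cache only), or guard the destructive form so it only runs on throwaway CI runners, e.g. `[[ -n "${CI:-}" ]] && docker system prune --volumes --force`. As with the arkime step above it, the exit status of `docker run ... zeek-build:latest` is not checked before the `mv`, so a failed compile falls through silently unless the script runs under `set -e`, which is not visible in this hunk.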
diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot
index 5464579c9..609068bc6 100755
--- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot
@@ -4,6 +4,7 @@
 # remove development packages not necessary for building dynamic Zeek plugins
 apt-get -y --purge remove \
+ checkinstall \
 gdb \
 libc6-dbg \
 ninja-build \
diff --git a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot
index e3a7712f3..2a462a350 100755
--- a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot
@@ -129,12 +129,12 @@ sed -r -i "s/(network_failure_action\s*=\s*).*/\1 syslog/" /etc/audit/audisp-rem
 [[ -e /etc/apparmor.d/local/usr.sbin.clamd ]] && ln -srf /etc/apparmor.d/local/usr.sbin.clamd /etc/apparmor.d/disable/
 # disable ntp for now, and disable servers, but it could be turned back on later
-systemctl disable ntp || true
-sed -i "s/^\(pool \)/# \1/" /etc/ntp.conf
-sed -i "s/^\(restrict -6\)/# \1/" /etc/ntp.conf
-sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntp.conf
-sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntp
-usermod -d /var/lib/ntp ntp
+systemctl disable ntpsec || true
+sed -i "s/^\(pool \)/# \1/" /etc/ntpsec/ntp.conf
+sed -i "s/^\(restrict -6\)/# \1/" /etc/ntpsec/ntp.conf
+sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntpsec/ntp.conf
+sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntpsec
+usermod -d /var/lib/ntpsec ntpsec
 # disable htpdate service, we're going to use cron instead
 systemctl disable htpdate || true
@@ -144,6 +144,9 @@ sed -i "s/#[[:space:]]*HTP_DAEMON=.*/HTP_DAEMON=no/" /etc/default/htpdate
 # disable default fluentbit configuration
 systemctl disable fluent-bit || true
+# logrotate doesn't need to worry about arkime as we're running it under supervisord
+rm -f /etc/logrotate.d/arkime
+
 # add fluentbit logfmt parser
 cat << 'EOF' >> /etc/fluent-bit/parsers.conf
diff --git a/sensor-iso/config/includes.binary/live/filesystem.packages-remove b/sensor-iso/config/includes.binary/live/filesystem.packages-remove
new file mode 100644
index 000000000..e69de29bb
diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
index 67b969077..2dd092e0b 100644
--- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
+++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -11,6 +11,7 @@ global disable_track_all_assets = (getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") == ""
 global disable_best_guess_ics = (getenv("ZEEK_DISABLE_BEST_GUESS_ICS") == "") ? F : T;
 global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == "") ? F : T;
 global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS");
+global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS");
 global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T;
 global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T;
@@ -23,6 +24,19 @@ global disable_spicy_tailscale = (getenv("ZEEK_DISABLE_SPICY_TAILSCALE") == "")
 global disable_spicy_tftp = (getenv("ZEEK_DISABLE_SPICY_TFTP") == "") ? F : T;
 global disable_spicy_wireguard = (getenv("ZEEK_DISABLE_SPICY_WIREGUARD") == "") ? F : T;
+global disable_ics_all = (getenv("ZEEK_DISABLE_ICS_ALL") == "") ? F : T;
+global disable_ics_bacnet = (getenv("ZEEK_DISABLE_ICS_BACNET") == "") ? F : T;
+global disable_ics_bsap = (getenv("ZEEK_DISABLE_ICS_BSAP") == "") ? F : T;
+global disable_ics_dnp3 = (getenv("ZEEK_DISABLE_ICS_DNP3") == "") ? F : T;
+global disable_ics_enip = (getenv("ZEEK_DISABLE_ICS_ENIP") == "") ? F : T;
+global disable_ics_ethercat = (getenv("ZEEK_DISABLE_ICS_ETHERCAT") == "") ? F : T;
+global disable_ics_genisys = (getenv("ZEEK_DISABLE_ICS_GENISYS") == "") ? F : T;
+global disable_ics_opcua_binary = (getenv("ZEEK_DISABLE_ICS_OPCUA_BINARY") == "") ? F : T;
+global disable_ics_modbus = (getenv("ZEEK_DISABLE_ICS_MODBUS") == "") ? F : T;
+global disable_ics_profinet = (getenv("ZEEK_DISABLE_ICS_PROFINET") == "") ? F : T;
+global disable_ics_s7comm = (getenv("ZEEK_DISABLE_ICS_S7COMM") == "") ? F : T;
+global disable_ics_synchrophasor = (getenv("ZEEK_DISABLE_ICS_SYNCHROPHASOR") == "") ? F : T;
+
 redef Broker::default_listen_address = "127.0.0.1";
 redef ignore_checksums = T;
@@ -67,13 +81,50 @@ redef ignore_checksums = T;
 @load ./login.zeek
 @if (!disable_best_guess_ics)
- @load ./guess.zeek
+ @load ./guess.zeek
 @endif
 @load packages
 @load /opt/sensor/sensor_ctl/zeek/intel
 event zeek_init() &priority=-5 {
+
+ if (disable_ics_all || disable_ics_bacnet) {
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_BACNET);
+ }
+ if (disable_ics_all || disable_ics_bsap) {
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_BSAP);
+ }
+ if (disable_ics_all || disable_ics_dnp3) {
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_DNP3_TCP);
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_DNP3_UDP);
+ }
+ if (disable_ics_all || disable_ics_enip) {
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_ENIP_TCP);
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_ENIP_UDP);
+ }
+ if (disable_ics_all || disable_ics_ethercat) {
+ PacketAnalyzer::__disable_analyzer(PacketAnalyzer::ANALYZER_ETHERCAT);
+ }
+ if (disable_ics_all || disable_ics_genisys) {
+ Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GENISYS_TCP);
+ }
+ if (disable_ics_all || disable_ics_opcua_binary) {
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_ICSNPP_OPCUA_BINARY);
+ }
+ if (disable_ics_all || disable_ics_modbus) {
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_MODBUS);
+ }
+ if (disable_ics_all || disable_ics_profinet) {
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_PROFINET);
+ }
+ if (disable_ics_all || disable_ics_s7comm) {
+ Analyzer::disable_analyzer(Analyzer::ANALYZER_S7COMM_TCP);
+ }
+ if (disable_ics_all || disable_ics_synchrophasor) {
+ Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP);
+ Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP);
+ }
 if (disable_spicy_dhcp) {
 Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP);
 }
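Review bot: `PacketAnalyzer::__disable_analyzer(PacketAnalyzer::ANALYZER_ETHERCAT)` calls a double-underscore BiF, which by Zeek's naming convention is an internal function with no stability promise, so a future Zeek release can rename or remove it and this line fails at script load; every other branch in the new block uses the public `Analyzer::disable_analyzer` / `Spicy::disable_protocol_analyzer` API. If a public script-level wrapper exists in the Zeek version the sensor targets, use that; otherwise add a marker so the next upgrade re-checks it, `# NOTE: __disable_analyzer is an internal BiF; re-verify on Zeek upgrade`. The `zeek_init` body this block is inserted into continues past the end of the hunk.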
@@ -117,8 +168,8 @@ event zeek_init() &priority=-5 {
 Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_WIREGUARD);
 }
- # register additional ports for Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_...
- if (synchrophasor_ports_str != "") {
+ # register additional ports for Analyzers
+ if ((!disable_ics_all) && (!disable_ics_synchrophasor) && (synchrophasor_ports_str != "")) {
 local synchrophasor_ports = split_string(synchrophasor_ports_str, /,/);
 if (|synchrophasor_ports| > 0) {
 local synch_ports_tcp: set[port] = {};
@@ -140,6 +191,22 @@ event zeek_init() &priority=-5 {
 }
 }
 }
+ if ((!disable_ics_all) && (!disable_ics_genisys) && (genisys_ports_str != "")) {
+ local genisys_ports = split_string(genisys_ports_str, /,/);
+ if (|genisys_ports| > 0) {
+ local gen_ports_tcp: set[port] = {};
+ for (gen_port_idx in genisys_ports) {
+ local gen_port = to_port(genisys_ports[gen_port_idx]);
+ local gen_prot = get_port_transport_proto(gen_port);
+ if (gen_prot == tcp) {
+ add gen_ports_tcp[gen_port];
+ }
+ }
+ if (|gen_ports_tcp| > 0) {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_GENISYS_TCP, gen_ports_tcp);
+ }
+ }
+ }
 }
@@ -153,7 +220,7 @@ event zeek_init() &priority=-5 {
 redef LDAP::default_log_search_attributes = F;
 redef SNIFFPASS::notice_log_enable = F;
 redef CVE_2021_44228::log = F;
-@if (synchrophasor_detailed)
+@if ((!disable_ics_all) && (!disable_ics_synchrophasor) && (synchrophasor_detailed))
 redef SYNCHROPHASOR::log_data_frame = T;
 redef SYNCHROPHASOR::log_data_detail = T;
 redef SYNCHROPHASOR::log_cfg_detail = T;
diff --git a/sensor-iso/config/package-lists/build.list.chroot b/sensor-iso/config/package-lists/build.list.chroot
index b0ee3b83c..e0e6692e9 100644
--- a/sensor-iso/config/package-lists/build.list.chroot
+++ b/sensor-iso/config/package-lists/build.list.chroot
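Review bot: In the new `ZEEK_GENISYS_PORTS` loop, any entry whose transport is not TCP — a `/udp` value, or a malformed token that `to_port` could not parse — is dropped without any message, so a typo in the environment variable silently leaves the GENISYS analyzer on its default ports with no hint in the logs; the synchrophasor block above builds a TCP set the same way, and whether it warns is not visible in this hunk. Add an `else` to the `if (gen_prot == tcp)` test with `Reporter::warning(fmt("ZEEK_GENISYS_PORTS: ignoring non-TCP entry %s", genisys_ports[gen_port_idx]));` so operators can see the misconfiguration. The enclosing `zeek_init` handler starts before this hunk.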
@@ -1,27 +1,19 @@
 bison
 ccache
+checkinstall
 cmake
-gcc
 g++
+gcc
 git
-google-perftools
 libfl-dev
-libfl2
-libgoogle-perftools4
+libgoogle-perftools-dev
 libjansson-dev
-libjansson4
 libmagic-dev
-libmagic1
 libmaxminddb-dev
-libmaxminddb0
 libnl-3-dev
 libpcap-dev
-libpcap0.8
 libsodium-dev
-libsodium23
 libssl-dev
-libssl3
-libtcmalloc-minimal4
 locales-all
 make
 ninja-build
diff --git a/sensor-iso/config/package-lists/desktopmanager.list.chroot b/sensor-iso/config/package-lists/desktopmanager.list.chroot
index ad2156d0f..e16b4b132 100644
--- a/sensor-iso/config/package-lists/desktopmanager.list.chroot
+++ b/sensor-iso/config/package-lists/desktopmanager.list.chroot
@@ -1,5 +1,4 @@
 arandr
-bc
 clamav
 clamav-daemon
 clamav-freshclam
diff --git a/sensor-iso/config/package-lists/net.list.chroot b/sensor-iso/config/package-lists/net.list.chroot
index 511f0fb59..3236dc115 100644
--- a/sensor-iso/config/package-lists/net.list.chroot
+++ b/sensor-iso/config/package-lists/net.list.chroot
@@ -14,7 +14,7 @@ libssh2-1
 macchanger
 netcat-openbsd
 netsniff-ng
-ntp
+ntpsec
 openssh-client
 openssh-server
 openvpn
diff --git a/sensor-iso/config/package-lists/system.list.chroot b/sensor-iso/config/package-lists/system.list.chroot
index b1cb7cc67..49f26efda 100644
--- a/sensor-iso/config/package-lists/system.list.chroot
+++ b/sensor-iso/config/package-lists/system.list.chroot
@@ -28,7 +28,6 @@ cryptsetup
 cryptsetup-bin
 cryptsetup-initramfs
 cryptsetup-run
-curl
 debsums
 dialog
 dmidecode
@@ -55,11 +54,11 @@ ghostscript-x
 gnupg
 gnupg1
 gnupg2
+google-perftools
 gpart
 gparted
 grep
 gvfs
-gvfs-backends
 gvfs-daemons
 gvfs-fuse
 gzip
@@ -74,10 +73,15 @@ jq
 less
 libatomic1
 libffi8
+libfl2
+libgoogle-perftools4
 libgtk2.0-bin
+libjansson4
 libjson-perl
 libkrb5-3
 liblsan0
+libmagic1
+libmaxminddb0
 libmhash2
 libnl-3-200
 libnl-genl-3-200
@@ -87,6 +91,9 @@ libpcre2-16-0
 libpcre2-32-0
 libpcre2-8-0
 libpcre3
+libsodium23
+libssl3
+libtcmalloc-minimal4
 libtool
 libtsan0
 libubsan1
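Review bot: `curl` is removed from system.list.chroot (hunk `@@ -28,7 +28,6 @@`), yet the 0910 hook in this same change still assembles `GITHUB_API_CURL_ARGS` for curl calls made inside the chroot during the build, and sensor-side scripts may call it at runtime; unless curl is listed in another package list or comes in as a dependency of something that stays (neither is visible here), those calls will fail with "command not found". If the intent is build-time only, add `curl` to build.list.chroot alongside `git`; if it is needed on the running sensor, restore the line in system.list.chroot.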
diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf
index f185799a0..973754439 100644
--- a/sensor-iso/interface/sensor_ctl/control_vars.conf
+++ b/sensor-iso/interface/sensor_ctl/control_vars.conf
@@ -54,7 +54,6 @@ export ZEEK_DISABLE_HASH_ALL_FILES=
 export ZEEK_DISABLE_LOG_PASSWORDS=
 export ZEEK_DISABLE_SSL_VALIDATE_CERTS=
 export ZEEK_DISABLE_TRACK_ALL_ASSETS=
-export ZEEK_DISABLE_BEST_GUESS_ICS=true
 export ZEEK_DISABLE_SPICY_DHCP=true
 export ZEEK_DISABLE_SPICY_DNS=true
 export ZEEK_DISABLE_SPICY_HTTP=true
@@ -65,7 +64,22 @@ export ZEEK_DISABLE_SPICY_STUN=
 export ZEEK_DISABLE_SPICY_TAILSCALE=
 export ZEEK_DISABLE_SPICY_TFTP=
 export ZEEK_DISABLE_SPICY_WIREGUARD=
+export ZEEK_DISABLE_ICS_ALL=
+export ZEEK_DISABLE_ICS_BACNET=
+export ZEEK_DISABLE_ICS_BSAP=
+export ZEEK_DISABLE_ICS_DNP3=
+export ZEEK_DISABLE_ICS_ENIP=
+export ZEEK_DISABLE_ICS_ETHERCAT=
+export ZEEK_DISABLE_ICS_GENISYS=
+export ZEEK_DISABLE_ICS_OPCUA_BINARY=
+export ZEEK_DISABLE_ICS_MODBUS=
+export ZEEK_DISABLE_ICS_PROFINET=
+export ZEEK_DISABLE_ICS_S7COMM=
+export ZEEK_DISABLE_ICS_SYNCHROPHASOR=
+export ZEEK_SYNCHROPHASOR_PORTS=
 export ZEEK_SYNCHROPHASOR_DETAILED=
+export ZEEK_GENISYS_PORTS=
+export ZEEK_DISABLE_BEST_GUESS_ICS=true
 # Suricata
 export SURICATA_CUSTOM_RULES_ONLY=false
diff --git a/sensor-iso/zeek/Dockerfile b/sensor-iso/zeek/Dockerfile
new file mode 100644
index 000000000..751463747
--- /dev/null
+++ b/sensor-iso/zeek/Dockerfile
@@ -0,0 +1,43 @@
+FROM debian:12-slim
+
+# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+
+LABEL maintainer="malcolm@inl.gov"
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV TERM xterm
+
+RUN apt-get -q update && \
+ apt-get -y -q --no-install-recommends upgrade && \
+ apt-get install -q -y --no-install-recommends \
+ bison \
+ ca-certificates \
+ ccache \
+ checkinstall \
+ cmake \
+ curl \
+ flex \
+ g++ \
+ gcc \
+ libfl-dev \
+ libgoogle-perftools4 \
+ libgoogle-perftools-dev \
+ libkrb5-3 \
+ libkrb5-dev \
+ libmaxminddb-dev \
+ libpcap-dev \
+ libssl-dev \
+ libtcmalloc-minimal4 \
+ make \
+ ninja-build \
+ python3 \
+ python3-dev \
+ python3-git \
+ python3-semantic-version \
+ sudo \
+ swig \
+ zlib1g-dev
+
+ADD build-zeek-deb.sh /usr/local/bin/
+
+ENTRYPOINT [ "/bin/bash", "/usr/local/bin/build-zeek-deb.sh" ]
\ No newline at end of file
diff --git a/sensor-iso/zeek/build-docker-image.sh b/sensor-iso/zeek/build-docker-image.sh
new file mode 100755
index 000000000..320226c35
--- /dev/null
+++ b/sensor-iso/zeek/build-docker-image.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+
+# force-navigate to script directory
+SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+pushd "$SCRIPT_PATH" >/dev/null 2>&1
+
+docker build -t zeek-build:latest .
+
+popd >/dev/null 2>&1
diff --git a/sensor-iso/zeek/build-zeek-deb.sh b/sensor-iso/zeek/build-zeek-deb.sh
new file mode 100755
index 000000000..104b7bbee
--- /dev/null
+++ b/sensor-iso/zeek/build-zeek-deb.sh
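Review bot: `sudo` is installed into the build image, but the container runs its entrypoint as root and nothing in `build-zeek-deb.sh` (added in this same change) invokes it, so it is unused attack surface in an image whose output is installed on the sensor; drop it from the `apt-get install` list. `ADD build-zeek-deb.sh /usr/local/bin/` should be `COPY build-zeek-deb.sh /usr/local/bin/` — `ADD` also fetches remote URLs and auto-extracts archives, and `COPY` is the documented choice for plain local files. `ENV DEBIAN_FRONTEND noninteractive` and `ENV TERM xterm` use the legacy whitespace form that current BuildKit warns about; `ENV DEBIAN_FRONTEND=noninteractive` is the supported syntax and matches the build of the other Dockerfiles going forward.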
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+
+export CCACHE_DIR=/var/spool/ccache
+export CCACHE_COMPRESS=1
+export PYTHONDONTWRITEBYTECODE=1
+export PYTHONUNBUFFERED=1
+
+ZEEK_URL=https://github.com/zeek/zeek.git
+ZEEK_VERSION=6.0.1
+ZEEK_DIR=/opt/zeek
+BUILD_JOBS=0
+OUTPUT_DIR=/tmp
+unset VERBOSE
+
+while getopts b:p:o:j:v opts; do
+ case ${opts} in
+ b) ZEEK_VERSION=${OPTARG} ;;
+ p) ZEEK_DIR=${OPTARG} ;;
+ o) OUTPUT_DIR=${OPTARG} ;;
+ j) BUILD_JOBS=${OPTARG} ;;
+ v) VERBOSE=1 ;;
+ esac
+done
+
+set -e
+if [[ -n $VERBOSE ]]; then
+ set -x
+fi
+
+cd /tmp
+mkdir ./"zeek-v${ZEEK_VERSION}"
+curl -sSL "https://download.zeek.org/zeek-${ZEEK_VERSION}.tar.gz" | tar xzf - -C ./"zeek-v${ZEEK_VERSION}" --strip-components 1
+
+mkdir -p "${CCACHE_DIR}"
+pushd /tmp/"zeek-v${ZEEK_VERSION}" >/dev/null 2>&1
+./configure --prefix="${ZEEK_DIR}" --generator=Ninja --ccache --enable-perftools
+mkdir -p build
+pushd build >/dev/null 2>&1
+ninja -j "${BUILD_JOBS}"
+checkinstall -y -D --strip=yes --stripso=yes --install=no --fstrans=no --pkgname="zeek" --pkgversion="$ZEEK_VERSION" --pkgarch="amd64" --pkgsource="$ZEEK_URL" ninja install
+ls -l *.deb && mv -v *.deb "$OUTPUT_DIR"/
+popd >/dev/null 2>&1
+popd >/dev/null 2>&1
+
+if [[ -n $VERBOSE ]]; then
+ set +x
+fi
+set +e
diff --git a/shared/bin/configure-capture.py b/shared/bin/configure-capture.py
index e43e3bead..b9cb7255e 100755
--- a/shared/bin/configure-capture.py
+++ b/shared/bin/configure-capture.py
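Review bot: `curl -sSL ... | tar xzf -` pipes the Zeek source tarball straight into the build with no integrity check, so the `.deb` that ends up in the sensor ISO is whatever download.zeek.org — or anything able to compromise that host or the TLS session — serves for `zeek-${ZEEK_VERSION}.tar.gz`; the binary-package downloads this change removes had the same gap, but building from source is the moment to close it. Download to a file, compare it against a pinned SHA-256 that is updated together with `ZEEK_VERSION`, and only then extract; with `set -e` already in effect a mismatch aborts the build. `ZEEK_URL` names the git repository while the build uses the tarball, so `--pkgsource` records a source that was not used — point it at the tarball URL. `--pkgarch="amd64"` is hard-coded and would mislabel the package if the image is ever built on another architecture; `--pkgarch="$(dpkg --print-architecture)"` avoids that.
```shell
ZEEK_SHA256="${ZEEK_SHA256:-}"   # SHA-256 of zeek-${ZEEK_VERSION}.tar.gz; update together with ZEEK_VERSION
# … unchanged: option parsing, set -e, cd /tmp, mkdir …
: "${ZEEK_SHA256:?ZEEK_SHA256 must hold the expected digest of the release tarball}"
ZEEK_TARBALL="/tmp/zeek-${ZEEK_VERSION}.tar.gz"
curl -sSL -o "${ZEEK_TARBALL}" "https://download.zeek.org/zeek-${ZEEK_VERSION}.tar.gz"
echo "${ZEEK_SHA256}  ${ZEEK_TARBALL}" | sha256sum -c -
tar xzf "${ZEEK_TARBALL}" -C ./"zeek-v${ZEEK_VERSION}" --strip-components 1
# … unchanged: ccache setup, configure, ninja, checkinstall, copy of the .deb …
```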
@@ -138,6 +138,10 @@ class Constants:
 MSG_IDENTIFY_NICS = 'Do you need help identifying network interfaces?'
 MSG_BACKGROUND_TITLE = 'Sensor Configuration'
 MSG_CONFIG_AUTOSTARTS = 'Specify autostart processes'
+ MSG_CONFIG_ICS_ANALYZERS = (
+ 'Is the sensor being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network?'
+ )
+ MSG_CONFIG_ICS_BEST_GUESS = 'Should the sensor use "best guess" to identify potential OT/ICS traffic with Zeek?'
 MSG_CONFIG_ZEEK_CARVED_SCANNERS = 'Specify scanners for Zeek-carved files'
 MSG_CONFIG_ZEEK_CARVING = 'Specify Zeek file carving mode'
 MSG_CONFIG_ZEEK_CARVING_MIMES = 'Specify file types to carve'
@@ -526,6 +530,8 @@ def main():
 zeek_carve_override_re = re.compile(r"(\bZEEK_EXTRACTOR_OVERRIDE_FILE)\s*=\s*.*?$")
 zeek_file_watch_re = re.compile(r"(\bZEEK_FILE_WATCH)\s*=\s*.+?$")
 zeek_file_scanner_re = re.compile(r"(\bZEEK_FILE_SCAN_\w+)\s*=\s*.+?$")
+ disable_ics_all_re = re.compile(r"(\bZEEK_DISABLE_ICS_ALL)\s*=\s*.+?$")
+ ics_best_guess_re = re.compile(r"(\bZEEK_DISABLE_BEST_GUESS_ICS)\s*=\s*.+?$")
 # get paths for captured PCAP and Zeek files
 while True:
@@ -552,6 +558,10 @@ def main():
 else:
 code = d.msgbox(text=Constants.MSG_ERROR_DIR_NOT_FOUND)
+ # enable/disable ICs
+ ics_network = d.yesno(Constants.MSG_CONFIG_ICS_ANALYZERS) == Dialog.OK
+ ics_best_guess = ics_network and (d.yesno(Constants.MSG_CONFIG_ICS_BEST_GUESS) == Dialog.OK)
+
 # configure file carving
 code, zeek_carve_mode = d.radiolist(
 Constants.MSG_CONFIG_ZEEK_CARVING,
@@ -727,6 +737,8 @@ def main():
 capture_config_dict["ZEEK_LOG_PATH"] = path_values[1]
 capture_config_dict["ZEEK_EXTRACTOR_MODE"] = zeek_carve_mode
 capture_config_dict["EXTRACTED_FILE_PRESERVATION"] = zeek_carved_file_preservation
+ capture_config_dict["ZEEK_DISABLE_ICS_ALL"] = '' if ics_network else 'true'
+ capture_config_dict["ZEEK_DISABLE_BEST_GUESS_ICS"] = '' if ics_best_guess else 'true'
 # get confirmation from user that we really want to do this
 code = d.yesno(
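Review bot: `disable_ics_all_re` and `ics_best_guess_re` end in `\s*=\s*.+?$`, which requires at least one character after the `=`, so a line with an empty value never matches and is left untouched — and an empty value is exactly the default this change writes to control_vars.conf (`export ZEEK_DISABLE_ICS_ALL=`) and what this script itself writes back after a "yes" answer (`'' if ics_network else 'true'`); a user who later answers "no" on a sensor previously configured for ICS keeps `ZEEK_DISABLE_ICS_ALL=` empty and every ICS analyzer stays enabled. `zeek_carve_override_re` two lines above already uses `.*?$` for this reason; change both new patterns to `r"(\bZEEK_DISABLE_ICS_ALL)\s*=\s*.*?$"` and `r"(\bZEEK_DISABLE_BEST_GUESS_ICS)\s*=\s*.*?$"`. The `# enable/disable ICs` comment in the `@@ -552` hunk reads as a typo for `ICS`. `main()` starts and ends outside these hunks.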
@@ -769,6 +781,16 @@ def main():
 print(zeek_path_re.sub(r'\1="%s"' % capture_config_dict["ZEEK_LOG_PATH"], line))
 elif zeek_file_watch_re.search(line) is not None:
 print(zeek_file_watch_re.sub(r"\1=%s" % capture_config_dict["ZEEK_FILE_WATCH"], line))
+ elif disable_ics_all_re.search(line) is not None:
+ print(
+ disable_ics_all_re.sub(r'\1=%s' % capture_config_dict["ZEEK_DISABLE_ICS_ALL"], line)
+ )
+ elif ics_best_guess_re.search(line) is not None:
+ print(
+ ics_best_guess_re.sub(
+ r'\1=%s' % capture_config_dict["ZEEK_DISABLE_BEST_GUESS_ICS"], line
+ )
+ )
 else:
 zeek_file_scanner_match = zeek_file_scanner_re.search(line)
 if zeek_file_scanner_match is not None:
diff --git a/shared/bin/configure-interfaces.py b/shared/bin/configure-interfaces.py
index 23f061756..49e59115d 100755
--- a/shared/bin/configure-interfaces.py
+++ b/shared/bin/configure-interfaces.py
@@ -54,7 +54,7 @@ class Constants:
 TIME_SYNC_HTPDATE_CRON = '/etc/cron.d/htpdate'
 TIME_SYNC_HTPDATE_TEST_COMMAND = '/usr/sbin/htpdate -4 -a -d'
 TIME_SYNC_HTPDATE_COMMAND = '/usr/sbin/htpdate -4 -a -l -s'
- TIME_SYNC_NTP_CONFIG = '/etc/ntp.conf'
+ TIME_SYNC_NTP_CONFIG = '/etc/ntpsec/ntp.conf'
 SSHD_CONFIG_FILE = "/etc/ssh/sshd_config"
@@ -344,8 +344,8 @@ def main():
 raise CancelledError
 # stop and disable the ntp process
- run_subprocess('/bin/systemctl stop ntp')
- run_subprocess('/bin/systemctl disable ntp')
+ run_subprocess('/bin/systemctl stop ntpsec')
+ run_subprocess('/bin/systemctl disable ntpsec')
 # write out htpdate file for cron
 with open(Constants.TIME_SYNC_HTPDATE_CRON, 'w+') as f:
@@ -398,9 +398,9 @@ def main():
 print(line)
 # enable and start the ntp process
- run_subprocess('/bin/systemctl stop ntp')
- run_subprocess('/bin/systemctl enable ntp')
- ecode, start_output = run_subprocess('/bin/systemctl start ntp', stderr=True)
+ run_subprocess('/bin/systemctl stop ntpsec')
+ run_subprocess('/bin/systemctl enable ntpsec')
+ ecode, start_output = run_subprocess('/bin/systemctl start ntpsec', stderr=True)
 if ecode == 0:
 code = d.msgbox(text=f"{Constants.MSG_TIME_SYNC_CONFIG_SUCCESS}")
 else:
diff --git a/shared/bin/opensearch_status.sh b/shared/bin/opensearch_status.sh
index 04b048151..e702977ce 100755
--- a/shared/bin/opensearch_status.sh
+++ b/shared/bin/opensearch_status.sh
@@ -14,7 +14,8 @@ ENCODING="utf-8"
 # opensearch connection parameters are read from environment variables
 WAIT_FOR_LOG_DATA=0
-while getopts 'vw' OPTION; do
+WAIT_FOR_TEMPLATE=
+while getopts 'vwt:' OPTION; do
 case "$OPTION" in
 v)
 set -x
@@ -24,8 +25,12 @@ while getopts 'vw' OPTION; do
 WAIT_FOR_LOG_DATA=1
 ;;
+ t)
+ WAIT_FOR_TEMPLATE=${OPTARG}
+ ;;
+
 ?)
- echo "script usage: $(basename $0) [-v] [-w]" >&2
+ echo "script usage: $(basename $0) [-v] [-w] [-t