From 91faa93ebde5600baee879397a44381dee4ca7a5 Mon Sep 17 00:00:00 2001
From: Ben Northway
Date: Wed, 12 Feb 2020 15:44:57 -0800
Subject: [PATCH] add filter for security_related and cim_status, along with example in the lookup file
---
 .../data/ui/views/data_dictionary_explorer.xml | 12 ++++++++++++
 amelia/lookups/amelia_data_dictionary_lookup.csv | 4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/amelia/default/data/ui/views/data_dictionary_explorer.xml b/amelia/default/data/ui/views/data_dictionary_explorer.xml
index 923bcb6..ac373e5 100644
--- a/amelia/default/data/ui/views/data_dictionary_explorer.xml
+++ b/amelia/default/data/ui/views/data_dictionary_explorer.xml
@@ -7,6 +7,7 @@
 | tstats min(_time) as first_event max(_time) as last_event count where index=* by index sourcetype | search NOT index IN(assetsummary, cim_modactions, csvsummary, endpoint_summary, firedalerts, notable, risk, summary, threat_activity) | lookup amelia_data_dictionary_lookup index sourcetype
+ | $filter$
 $field1.earliest$
 $field1.latest$
@@ -49,6 +50,17 @@
+
+
+ All
+ Is security related
+ Not security related
+ Not security defined
+ Is CIM expected
+ Not CIM defined
+ search
+ *
+
diff --git a/amelia/lookups/amelia_data_dictionary_lookup.csv b/amelia/lookups/amelia_data_dictionary_lookup.csv
index d3ffabd..32db129 100644
--- a/amelia/lookups/amelia_data_dictionary_lookup.csv
+++ b/amelia/lookups/amelia_data_dictionary_lookup.csv
@@ -1,2 +1,2 @@
-index,sourcetype,description,owner,business purpose
-*,*,Example description. Use * for wildcard in index/sourcetype.,,
+index,sourcetype,description,owner,business purpose,security_related,cim_status
+*,*,Example description. Use * for wildcard in index/sourcetype.,,,yes,expected
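Review bot: The added `| $filter$` line places an entire form token in command position of the SPL pipeline, so whatever the token holds is executed as part of the viewer's search. Simple XML form tokens can also be populated from the dashboard URL (`form.filter=...`), so the fixed choices of the dropdown added in the second hunk do not bound what reaches this position. Keeping the command literal and passing only quoted field values avoids that, for example `| fillnull value=undefined security_related cim_status` followed by `| search security_related=$sec|s$ cim_status=$cim|s$`, with one input per field and `*` as the "All" value. The query element begins and ends outside this hunk, and the markup of the surrounding lines is not visible here, so the exact placement should be checked against the file.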
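Review bot: The choice list in this input is asymmetric: security has "Is", "Not" and "Not defined" entries, while CIM has only "Is CIM expected" and "Not CIM defined", so rows whose `cim_status` holds any other value cannot be selected. Because both fields share one single-select input, a viewer also cannot combine them, for instance to list security-related sources with no CIM status recorded, which is the gap a coverage review usually looks for. One dropdown per field would cover both cases. The values behind each label are not visible in this view, so a short comment above the input such as `<!-- choice values must match the security_related / cim_status values used in amelia_data_dictionary_lookup.csv -->` would help keep the two files in step.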
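Review bot: The example row is the `*,*` wildcard and it now carries `security_related=yes` and `cim_status=expected`, so if the lookup definition uses wildcard matching (the row's own description suggests it does, but the definition is not part of this patch) every index and sourcetype without a more specific row would inherit those values. That would make the "Not security defined" and "Not CIM defined" choices match nothing and would present unreviewed sources as already classified. Leaving the two new columns empty on the wildcard row keeps unclassified data visible: `*,*,Example description. Use * for wildcard in index/sourcetype.,,,,`. The accepted values for both columns are also not stated anywhere in the patch; naming them in the example description would remove the guesswork.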