Aller au contenu

Config

Assemblyline Deployment Configuration

Field Type Description Required Default
auth Auth Authentication module configuration
Yes
See Auth for more details.
core Core Core component configuration
Yes
See Core for more details.
datastore Datastore Datastore configuration
Yes
See Datastore for more details.
datasources Mapping [String, Datasource] Datasources configuration
Yes
See Datasource for more details.
filestore Filestore Filestore configuration
Yes
See Filestore for more details.
logging Logging Logging configuration
Yes
See Logging for more details.
retrohunt Retrohunt Retrohunt configuration for the frontend and server.
Yes
See Retrohunt for more details.
services Services Service configuration
Yes
See Services for more details.
submission Submission Options for how submissions will be processed
Yes
See Submission for more details.
system System System configuration
Yes
See System for more details.
ui UI UI configuration parameters
Yes
See UI for more details.

Auth

Authentication Methods

Field Type Description Required Default
allow_2fa Boolean Allow 2FA?
Yes
True
allow_apikeys Boolean Allow API keys?
Yes
True
allow_extended_apikeys Boolean Allow extended API keys?
Yes
True
allow_security_tokens Boolean Allow security tokens?
Yes
True
internal Internal Internal authentication settings
Yes
See Internal for more details.
ldap LDAP LDAP settings
Yes
See LDAP for more details.
oauth OAuth OAuth settings
Yes
See OAuth for more details.
saml SAML SAML settings
Yes
See SAML for more details.

Internal

Internal Authentication Configuration

Field Type Description Required Default
enabled Boolean Internal authentication allowed?
Yes
True
failure_ttl Integer How long to wait after max_failures before re-attempting login?
Yes
60
max_failures Integer Maximum number of fails allowed before timeout
Yes
5
password_requirements PasswordRequirement Password requirements
Yes
See PasswordRequirement for more details.
signup Signup Signup method
Yes
See Signup for more details.

PasswordRequirement

Password Requirement

Field Type Description Required Default
lower Boolean Password must contain lowercase letters
Yes
False
number Boolean Password must contain numbers
Yes
False
special Boolean Password must contain special characters
Yes
False
upper Boolean Password must contain uppercase letters
Yes
False
min_length Integer Minimum password length
Yes
12

Signup

Signup Configuration

Field Type Description Required Default
enabled Boolean Can a user automatically signup for the system
Yes
False
smtp SMTP Signup via SMTP
Yes
See SMTP for more details.
notify Notify Signup via GC Notify
Yes
See Notify for more details.
valid_email_patterns List [Keyword] Email patterns that will be allowed to automatically signup for an account
Yes
['.*', '.*@localhost']
Notify

Configuration block for GC Notify signup and password reset

Field Type Description Required Default
base_url Keyword Base URL
Optional
None
api_key Keyword API key
Optional
None
registration_template Keyword Registration template
Optional
None
password_reset_template Keyword Password reset template
Optional
None
authorization_template Keyword Authorization template
Optional
None
activated_template Keyword Activated Template
Optional
None
SMTP

Configuration block for SMTP signup and password reset

Field Type Description Required Default
from_adr Keyword Email address used for sender
Optional
None
host Keyword SMTP host
Optional
None
password Keyword Password for SMTP server
Optional
None
port Integer Port of SMTP server
Yes
587
tls Boolean Should we communicate with SMTP server via TLS?
Yes
True
user Keyword User to authenticate to the SMTP server
Optional
None

LDAP

LDAP Configuration

Field Type Description Required Default
enabled Boolean Should LDAP be enabled or not?
Yes
False
admin_dn Keyword DN of the group or the user who will get admin privileges
Optional
None
bind_user Keyword User use to query the LDAP server
Optional
None
bind_pass Keyword Password used to query the LDAP server
Optional
None
auto_create Boolean Auto-create users if they are missing
Yes
True
auto_sync Boolean Should we automatically sync with LDAP server on each login?
Yes
True
auto_properties List [AutoProperty] Automatic role and classification assignments
Yes
[]
base Keyword Base DN for the users
Yes
ou=people,dc=assemblyline,dc=local
classification_mappings Any Classification mapping
Yes
None
email_field Keyword Name of the field containing the email address
Yes
mail
group_lookup_query Keyword How the group lookup is queried
Yes
(&(objectClass=Group)(member=%s))
group_lookup_with_uid Boolean Use username/uid instead of dn for group lookup
Yes
False
image_field Keyword Name of the field containing the user's avatar
Yes
jpegPhoto
image_format Keyword Type of image used to store the avatar
Yes
jpeg
name_field Keyword Name of the field containing the user's name
Yes
cn
signature_importer_dn Keyword DN of the group or the user who will get signature_importer role
Optional
None
signature_manager_dn Keyword DN of the group or the user who will get signature_manager role
Optional
None
uid_field Keyword Field name for the UID
Yes
uid
uri Keyword URI to the LDAP server
Yes
ldap://localhost:389

AutoProperty

None

Field Type Description Required Default
field Keyword Field to apply pattern to
Yes
None
pattern Keyword Regex pattern for auto-prop assignment
Yes
None
type Enum Type of property assignment on pattern match
Supported values are:
"access", "api_daily_quota", "api_quota", "classification", "group", "multi_group", "remove_role", "role", "submission_async_quota", "submission_daily_quota", "submission_quota", "type"
Yes
None
value List [Keyword] Assigned property value
Yes
[]

OAuth

OAuth Configuration

Field Type Description Required Default
enabled Boolean Enable use of OAuth?
Yes
False
gravatar_enabled Boolean Enable gravatar?
Yes
True
providers Mapping [String, OAuthProvider] OAuth provider configuration
Yes
See OAuthProvider for more details.

OAuthProvider

OAuth Provider Configuration

Field Type Description Required Default
auto_create Boolean Auto-create users if they are missing
Yes
True
auto_sync Boolean Should we automatically sync with OAuth provider?
Yes
False
auto_properties List [AutoProperty] Automatic role and classification assignments
Yes
[]
app_provider AppProvider None
Optional
None
uid_randomize Boolean Should we generate a random username for the authenticated user?
Yes
False
uid_randomize_digits Integer How many digits should we add at the end of the username?
Yes
0
uid_randomize_delimiter Keyword What is the delimiter used by the random name generator?
Yes
-
uid_regex Keyword Regex used to parse an email address and capture parts to create a user ID out of it
Optional
None
uid_format Keyword Format of the user ID based on the captured parts from the regex
Optional
None
client_id Keyword ID of your application to authenticate to the OAuth provider
Optional
None
client_secret Keyword Password to your application to authenticate to the OAuth provider
Optional
None
redirect_uri Keyword URI to redirect to after authentication with OAuth provider
Optional
None
request_token_url Keyword URL to request token
Optional
None
request_token_params Mapping [String, Keyword] Parameters to request token
Optional
None
access_token_url Keyword URL to get access token
Optional
None
access_token_params Mapping [String, Keyword] Parameters to get access token
Optional
None
authorize_url Keyword URL used to authorize access to a resource
Optional
None
authorize_params Mapping [String, Keyword] Parameters used to authorize access to a resource
Optional
None
api_base_url Keyword Base URL for downloading the user's and groups info
Optional
None
client_kwargs Mapping [String, Keyword] Keyword arguments passed to the different URLs
Optional
None
jwks_uri Keyword URL used to verify if a returned JWKS token is valid
Optional
None
jwt_token_alg Keyword Algorythm use the validate JWT OBO tokens
Yes
RS256
uid_field Keyword Name of the field that will contain the user ID
Optional
None
user_get Keyword Path from the base_url to fetch the user info
Optional
None
user_groups Keyword Path from the base_url to fetch the group info
Optional
None
user_groups_data_field Keyword Field return by the group info API call that contains the list of groups
Optional
None
user_groups_name_field Keyword Name of the field in the list of groups that contains the name of the group
Optional
None
use_new_callback_format Boolean Should we use the new callback method?
Yes
False
allow_external_tokens Boolean Should token provided to the login API directly be use for authentication?
Yes
False
external_token_alternate_audiences List [Keyword] List of valid alternate audiences for the external token.
Yes
[]
email_fields List [Keyword] List of fields in the claim to get the email from
Yes
['email', 'emails', 'extension_selectedEmailAddress', 'otherMails', 'preferred_username', 'upn']
username_field Keyword Name of the field that will contain the username
Yes
uname
validate_token_with_secret Boolean Should we send the client secret while validating the access token?
Yes
False
AppProvider

App provider

Field Type Description Required Default
access_token_url Keyword URL used to get the access token
Yes
None
user_get Keyword Path from the base_url to fetch the user info
Optional
None
group_get Keyword Path from the base_url to fetch the group info
Optional
None
scope Keyword None
Yes
None
client_id Keyword ID of your application to authenticate to the OAuth
Optional
None
client_secret Keyword Password to your application to authenticate to the OAuth provider
Optional
None
AutoProperty

None

Field Type Description Required Default
field Keyword Field to apply pattern to
Yes
None
pattern Keyword Regex pattern for auto-prop assignment
Yes
None
type Enum Type of property assignment on pattern match
Supported values are:
"access", "api_daily_quota", "api_quota", "classification", "group", "multi_group", "remove_role", "role", "submission_async_quota", "submission_daily_quota", "submission_quota", "type"
Yes
None
value List [Keyword] Assigned property value
Yes
[]

SAML

SAML Configuration

Field Type Description Required Default
enabled Boolean Enable use of SAML?
Yes
False
auto_create Boolean Auto-create users if they are missing
Yes
True
auto_sync Boolean Should we automatically sync with SAML server on each login?
Yes
True
lowercase_urlencoding Boolean Enable lowercase encoding if using ADFS as IdP
Yes
False
attributes SAMLAttributes SAML attributes
Yes
See SAMLAttributes for more details.
settings SAMLSettings SAML settings method
Yes
See SAMLSettings for more details.

SAMLAttributes

SAML Attributes

Field Type Description Required Default
username_attribute Keyword SAML attribute name for AL username
Optional
uid
email_attribute Keyword SAML attribute name for a user's email address
Yes
email
fullname_attribute Keyword SAML attribute name for a user's first name
Yes
name
groups_attribute Keyword SAML attribute name for the groups
Yes
groups
roles_attribute Keyword SAML attribute name for the roles
Yes
roles
group_type_mapping Mapping [String, Keyword] SAML group to role mapping
Yes
{}

SAMLSettings

SAML Settings

Field Type Description Required Default
strict Boolean Should we be strict in our SAML checks?
Yes
False
debug Boolean Should we be in debug mode?
Yes
False
sp SAMLServiceProvider SP settings
Yes
None
idp SAMLIdentityProvider IDP settings
Yes
None
security SAMLSecurity Security settings
Optional
None
contact_person SAMLContacts Contact settings
Optional
None
organization Mapping [String, SAMLOrganization] Organization settings
Optional
None
SAMLContacts

SAML Contacts

Field Type Description Required Default
technical SAMLContactPerson Technical Contact
Yes
None
support SAMLContactPerson Support Contact
Yes
None
SAMLContactPerson

SAML Contact Entry

Field Type Description Required Default
given_name Keyword Given Name
Yes
None
email_address Keyword Email Address
Yes
None
SAMLIdentityProvider

SAML Identity Provider

Field Type Description Required Default
entity_id Keyword Entity ID
Yes
None
single_sign_on_service SAMLSingleSignOnService Single Sign On Service
Yes
None
x509cert Keyword X509 Certificate
Optional
None
SAMLSingleSignOnService

SAML Single Sign On Service

Field Type Description Required Default
url Keyword URL
Yes
None
binding Keyword Binding
Yes
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
SAMLOrganization

SAML Organization

Field Type Description Required Default
name Keyword Name
Yes
None
display_name Keyword Display Name
Yes
None
url Keyword URL
Yes
None
SAMLSecurity

SAML Security

Field Type Description Required Default
name_id_encrypted Boolean Name ID Encrypted
Optional
None
authn_requests_signed Boolean Authn Requests Signed
Optional
None
logout_request_signed Boolean Logout Request Signed
Optional
None
logout_response_signed Boolean Logout Response Signed
Optional
None
sign_metadata Boolean Sign Metadata
Optional
None
want_messages_signed Boolean Want Messages Signed
Optional
None
want_assertions_signed Boolean Want Assertions Signed
Optional
None
want_assertions_encrypted Boolean Want Assertions Encrypted
Optional
None
want_name_id Boolean Want Name ID
Optional
None
want_name_id_encrypted Boolean Want Name ID Encrypted
Optional
None
want_attribute_statement Boolean Want Attribute Statement
Optional
None
requested_authn_context Boolean Requested Authn Context
Optional
None
requested_authn_context_comparison Keyword Requested Authn Context Comparison
Optional
None
fail_on_authn_context_mismatch Boolean Fail On Authn Context Mismatch
Optional
None
metadata_valid_until Keyword Metadata Valid Until
Optional
None
metadata_cache_duration Keyword Metadata Cache Duration
Optional
None
allow_single_label_domains Boolean Allow Single Label Domains
Optional
None
signature_algorithm Keyword Signature Algorithm
Optional
None
digest_algorithm Keyword Digest Algorithm
Optional
None
allow_repeat_attribute_name Boolean Allow Repeat Attribute Name
Optional
None
reject_deprecated_algorithm Boolean Reject Deprecated Algorithm
Optional
None
SAMLServiceProvider

SAML Service Provider

Field Type Description Required Default
entity_id Keyword Entity ID
Yes
None
assertion_consumer_service SAMLAssertionConsumerService Assertion Consumer Service
Yes
None
attribute_consuming_service SAMLAttributeConsumingService Attribute Consuming Service
Optional
None
name_id_format Keyword Name ID Format
Yes
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
x509cert Keyword X509 Certificate
Optional
None
private_key Keyword Private Key
Optional
None
SAMLAssertionConsumerService

SAML Assertion Consumer Service

Field Type Description Required Default
url Keyword URL
Yes
None
binding Keyword Binding
Yes
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SAMLAttributeConsumingService

SAML Attribute Consuming Service

Field Type Description Required Default
service_name Keyword Service Name
Yes
None
service_description Keyword Service Description
Yes
None
requested_attributes List [SAMLRequestedAttribute] Requested Attributes
Yes
[]
# SAMLRequestedAttribute

SAML Attribute

Field Type Description Required Default
name Keyword Name
Yes
None
is_required Boolean Is required?
Yes
False
name_format Keyword Name Format
Yes
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
friendly_name Keyword Friendly Name
Yes
``
attribute_value List [Keyword] Attribute Value
Yes
[]

Core

Core Component Configuration

Field Type Description Required Default
alerter Alerter Configuration for Alerter
Yes
See Alerter for more details.
archiver Archiver Configuration for the permanent submission archive
Yes
See Archiver for more details.
dispatcher Dispatcher Configuration for Dispatcher
Yes
See Dispatcher for more details.
expiry Expiry Configuration for Expiry
Yes
See Expiry for more details.
ingester Ingester Configuration for Ingester
Yes
See Ingester for more details.
metrics Metrics Configuration for Metrics Collection
Yes
See Metrics for more details.
plumber Plumber Configuration for system cleanup
Yes
See Plumber for more details.
redis Redis Configuration for Redis instances
Yes
See Redis for more details.
scaler Scaler Configuration for Scaler
Yes
See Scaler for more details.
updater Updater Configuration for Updater
Yes
See Updater for more details.
vacuum Vacuum Configuration for Vacuum
Yes
See Vacuum for more details.

Alerter

Alerter Configuration

Field Type Description Required Default
alert_ttl Integer Time to live (days) for an alert in the system
Yes
90
constant_alert_fields List [Keyword] List of fields that should not change during an alert update
This behavior is no longer configurable
Yes
[]
constant_ignore_keys List [Keyword] List of keys to ignore in the constant alert fields.
This behavior is no longer configurable
Yes
[]
default_group_field Keyword Default field used for alert grouping view
Yes
file.sha256
delay Integer Time in seconds that we give extended scans and workflow to complete their work before we start showing alerts in the alert viewer.
Yes
300
filtering_group_fields List [Keyword] List of group fields that when selected will ignore certain alerts where this field is missing.
Yes
['file.name', 'status', 'priority']
non_filtering_group_fields List [Keyword] List of group fields that are sure to be present in all alerts.
Yes
['file.md5', 'file.sha1', 'file.sha256']
process_alert_message Keyword Python path to the function that will process an alert message.
Yes
assemblyline_core.alerter.processing.process_alert_message
threshold Integer Minimum score to reach for a submission to be considered an alert.
Yes
500

Archiver

Malware Archive Configuration

Field Type Description Required Default
alternate_dtl Integer Alternate number of days to keep the data in the malware archive. (0: Disabled, will keep data forever)
Yes
0
metadata Mapping [String, ArchiverMetadata] Proxy configuration that is passed to Python Requests
The configuration for the archive metadata validation and requirements has moved tosubmission.metadata.archive.
Yes
None
minimum_required_services List [Keyword] List of minimum required service before archiving takes place
Yes
[]
webhook Webhook Webhook to call before triggering the archiving process
Optional
None
use_metadata Boolean Should the UI ask form metadata to be filed out when archiving
This field is no longer required...
Yes
False
use_webhook Boolean None
Optional
False

ArchiverMetadata

Malware Archive Configuration

Field Type Description Required Default
default Keyword None
Optional
None
editable Boolean Can the user provide a custom value
Yes
False
values List [Keyword] List of possible values to pick from
Yes
[]

Webhook

Webhook Configuration

Field Type Description Required Default
password Keyword Password used to authenticate with source
Optional
``
ca_cert Keyword CA cert for source
Optional
``
ssl_ignore_errors Boolean Ignore SSL errors when reaching out to source?
Yes
False
proxy Keyword Proxy server for source
Optional
``
method Keyword HTTP method used to access webhook
Yes
POST
uri Keyword URI to source
Yes
None
username Keyword Username used to authenticate with source
Optional
``
headers List [NamedValue] Headers
Yes
[]
retries Integer None
Yes
3
NamedValue

Named Value

Field Type Description Required Default
name Keyword Name
Yes
None
value Keyword Value
Yes
None

Dispatcher

Dispatcher Configuration

Field Type Description Required Default
timeout Integer Time between re-dispatching attempts, as long as some action (submission or any task completion) happens before this timeout ends, the timeout resets.
Yes
900
max_inflight Integer Maximum submissions allowed to be in-flight
Yes
1000

Expiry

None

Field Type Description Required Default
batch_delete Boolean Perform expiry in batches?
Delete queries are rounded by day therefore all delete operation happen at the same time at midnight
Yes
False
delay Integer Delay, in hours, that will be applied to the expiry query so we can keepdata longer then previously set or we can offset deletion during non busy hours
Yes
0
delete_storage Boolean Should we also cleanup the file storage?
Yes
True
sleep_time Integer Time, in seconds, to sleep in between each expiry run
Yes
15
workers Integer Number of concurrent workers
Yes
20
delete_workers Integer Worker processes for file storage deletes.
Yes
2
iteration_max_tasks Integer How many query chunks get run per iteration.
Yes
50
delete_batch_size Integer How large a batch get deleted per iteration.
Yes
2000
safelisted_tag_dtl Integer The default period, in days, before tags expire from Safelist
Yes
0
badlisted_tag_dtl Integer The default period, in days, before tags expire from Badlist
Yes
0

Ingester

Ingester Configuration

Field Type Description Required Default
always_create_submission Boolean Always create submissions even on cache hit?
Yes
False
default_user Keyword Default user for bulk ingestion and unattended submissions
Yes
internal
default_services List [Keyword] Default service selection
Yes
[]
default_resubmit_services List [Keyword] Default service selection for resubmits
Yes
[]
description_prefix Keyword A prefix for descriptions. When a description is automatically generated, it will be the hash prefixed by this string
Yes
Bulk
is_low_priority Keyword Path to a callback function filtering ingestion tasks that should have their priority forcefully reset to low
Yes
assemblyline.common.null.always_false
get_whitelist_verdict Keyword None
Yes
assemblyline.common.signaturing.drop
whitelist Keyword None
Yes
assemblyline.common.null.whitelist
default_max_extracted Integer How many extracted files may be added to a Submission. Overrideable via submission parameters.
Yes
100
default_max_supplementary Integer How many supplementary files may be added to a Submission. Overrideable via submission parameters
Yes
100
expire_after Integer Period, in seconds, in which a task should be expired
Yes
1296000
stale_after_seconds Integer Drop a task altogether after this many seconds
Yes
86400
incomplete_expire_after_seconds Integer How long should scores be kept before expiry
Yes
3600
incomplete_stale_after_seconds Integer How long should scores be cached in the ingester
Yes
1800
sampling_at Mapping [String, Integer] Thresholds at certain buckets before sampling
Yes
None
max_inflight Integer How long can a queue get before we start dropping files
Yes
500
cache_dtl Integer How long are files results cached
Yes
2

Metrics

Metrics Configuration

Field Type Description Required Default
apm_server APMServer APM server configuration
Yes
See APMServer for more details.
elasticsearch ESMetrics Where to export metrics?
Yes
See ESMetrics for more details.
export_interval Integer How often should we be exporting metrics?
Yes
5
redis RedisServer Redis for Dashboard metrics
Yes
See RedisServer for more details.

APMServer

None

Field Type Description Required Default
server_url Keyword URL to API server
Optional
None
token Keyword Authentication token for server
Optional
None

ESMetrics

None

Field Type Description Required Default
hosts List [Keyword] Elasticsearch hosts
Optional
None
host_certificates Keyword Host certificates
Optional
None
warm Integer How long, per unit of time, should a document remain in the 'warm' tier?
Yes
2
cold Integer How long, per unit of time, should a document remain in the 'cold' tier?
Yes
30
delete Integer How long, per unit of time, should a document remain before being deleted?
Yes
90
unit Enum Unit of time used by warm, cold, delete phases
Supported values are:
"d", "h", "m"
Yes
d

RedisServer

Redis Service configuration

Field Type Description Required Default
host Keyword Hostname of Redis instance
Yes
127.0.0.1
port Integer Port of Redis instance
Yes
6379

Plumber

Plumber Configuration

Field Type Description Required Default
notification_queue_interval Integer Interval at which the notification queue cleanup should run
Yes
1800
notification_queue_max_age Integer Max age in seconds notification queue messages can be
Yes
86400

Redis

Redis Configuration

Field Type Description Required Default
nonpersistent RedisServer A volatile Redis instance
Yes
See RedisServer for more details.
persistent RedisServer A persistent Redis instance
Yes
See RedisServer for more details.

RedisServer

Redis Service configuration

Field Type Description Required Default
host Keyword Hostname of Redis instance
Yes
127.0.0.1
port Integer Port of Redis instance
Yes
6379

Scaler

None

Field Type Description Required Default
service_defaults ScalerServiceDefaults Defaults Scaler will assign to a service.
Yes
None
cpu_overallocation Float Percentage of CPU overallocation
Yes
1
memory_overallocation Float Percentage of RAM overallocation
Yes
1
overallocation_node_limit Integer None
Optional
None
additional_labels List [Text] Additional labels to be applied to services('=' delimited)
Optional
None
privileged_services_additional_labels List [Text] Additional labels to be applied to privileged services only('=' delimited)
Optional
None
linux_node_selector Selector Selector for linux nodes under kubernetes
Yes
None
cluster_pod_list Boolean Sets if scaler list pods for all namespaces. Disabling this lets you use stricter cluster roles but will make cluster resource usage less accurate, setting a namespace resource quota might be needed.
Yes
True

ScalerServiceDefaults

A set of default values to be used running a service when no other value is set

Field Type Description Required Default
growth Integer Period, in seconds, to wait before scaling up a service deployment
Yes
None
shrink Integer Period, in seconds, to wait before scaling down a service deployment
Yes
None
backlog Integer Backlog threshold that dictates scaling adjustments
Yes
None
min_instances Integer The minimum number of service instances to be running
Yes
None
environment List [EnvironmentVariable] Environment variables to pass onto services
Yes
[]
mounts List [Mount] A list of volume mounts for every service
Yes
[]
tolerations List [Toleration] Toleration to apply to service pods.
Reference: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
Yes
[]
Mount

A configuration for mounting existing volumes to a container

Field Type Description Required Default
name Keyword Name of volume mount
Yes
None
path Text Target mount path
Yes
None
read_only Boolean Should this be mounted as read-only?
Yes
True
privileged_only Boolean Should this mount only be available for privileged services?
Yes
False
resource_type Enum Type of mountable Kubernetes resource
Supported values are:
"configmap", "secret", "volume"
Yes
volume
resource_name Keyword Name of resource (Kubernetes only)
Optional
None
resource_key Keyword Key of ConfigMap/Secret (Kubernetes only)
Optional
None
config_map Keyword Name of ConfigMap (Kubernetes only)
Use resource_type: configmap and fill in the resource_name & resource_key fields to mount ConfigMaps
Deprecated
None
key Keyword Key of ConfigMap (Kubernetes only)
Use resource_type: configmap and fill in the resource_name & resource_key fields to mount ConfigMaps
Deprecated
None
Toleration

Limit a set of kubernetes objects based on a label query.

Field Type Description Required Default
key Keyword The taint key that the toleration applies to
Optional
None
operator Enum Relationship between taint key and value
Supported values are:
"Equal", "Exists"
Yes
Equal
value Keyword Taint value the toleration matches to
Optional
None
effect Enum The taint effect to match.
Supported values are:
"NoExecute", "NoSchedule", "PreferNoSchedule"
Optional
None
toleration_seconds Integer The period of time the toleration tolerates the taint
Optional
None

Selector

None

Field Type Description Required Default
field List [FieldSelector] Field selector for resource under kubernetes
Yes
[]
label List [LabelSelector] Label selector for resource under kubernetes
Yes
[]
FieldSelector

Limit a set of kubernetes objects based on a field query.

Field Type Description Required Default
key Keyword Name of a field to select on.
Yes
None
equal Boolean When true key must equal value, when false it must not
Yes
True
value Keyword Value to compare field to.
Yes
None
LabelSelector

Limit a set of kubernetes objects based on a label query.

Field Type Description Required Default
key Keyword Name of label to select on.
Yes
None
operator Enum Operation to select label with.
Supported values are:
"DoesNotExist", "Exists", "In", "NotIn"
Yes
None
values List [Keyword] Value list to compare label to.
Yes
None

Updater

None

Field Type Description Required Default
job_dockerconfig DockerConfigDelta Container configuration used for service registration/updates
Yes
None
registry_configs List [RegistryConfiguration] Configurations to be used with container registries
Yes
[{'name': 'registry.hub.docker.com', 'proxies': {}}]

RegistryConfiguration

None

Field Type Description Required Default
name Text Name of container registry
Yes
None
proxies Mapping [String, Text] Proxy configuration that is passed to Python Requests
Optional
None
token_server Text Token server name to facilitate anonymous pull access
Optional
None

Vacuum

None

Field Type Description Required Default
list_cache_directory Keyword None
Yes
/cache/
worker_cache_directory Keyword None
Yes
/memory/
data_directories List [Keyword] None
Yes
[]
file_directories List [Keyword] None
Yes
[]
assemblyline_user Keyword None
Yes
vacuum-service-account
department_map_url Keyword None
Optional
None
department_map_init Keyword None
Optional
None
stream_map_url Keyword None
Optional
None
stream_map_init Keyword None
Optional
None
safelist List [VacuumSafelistItem] None
Yes
[]
worker_threads Integer None
Yes
50
worker_rollover Integer None
Yes
1000
minimum_classification Keyword None
Yes
U
ingest_type Keyword None
Yes
VACUUM

VacuumSafelistItem

None

Field Type Description Required Default
name Keyword None
Yes
None
conditions Mapping [String, Keyword] None
Yes
None

Datasource

Datasource Configuration

Field Type Description Required Default
classpath Keyword None
Yes
None
config Mapping [String, Keyword] None
Yes
None

Datastore

Datastore Configuration

Field Type Description Required Default
hosts List [Keyword] List of hosts used for the datastore
Yes
['http://elastic:devpass@localhost:9200']
archive Archive Datastore Archive feature configuration
Yes
See Archive for more details.
cache_dtl Integer Default cache lenght for computed indices (submission_tree, submission_summary...
Yes
5
type Enum Type of application used for the datastore
Supported values are:
"elasticsearch"
Yes
elasticsearch

Archive

Datastore Archive feature configuration

Field Type Description Required Default
enabled Boolean Are we enabling Achiving features across indices?
Yes
False
indices List [Keyword] List of indices the ILM Applies to
Yes
['file', 'submission', 'result']

Filestore

Filestore Configuration

Field Type Description Required Default
archive List [Keyword] List of filestores used for malware archive
Yes
['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-archive&use_ssl=False']
cache List [Keyword] List of filestores used for caching
Yes
['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-cache&use_ssl=False']
storage List [Keyword] List of filestores used for storage
Yes
['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-storage&use_ssl=False']

Logging

Model Definition for the Logging Configuration

Field Type Description Required Default
log_level Enum What level of logging should we have?
Supported values are:
"CRITICAL", "DEBUG", "DISABLED", "ERROR", "INFO", "WARNING"
Yes
INFO
log_to_console Boolean Should we log to console?
Yes
True
log_to_file Boolean Should we log to files on the server?
Yes
False
log_directory Keyword If log_to_file: true, what is the directory to store logs?
Yes
/var/log/assemblyline/
log_to_syslog Boolean Should logs be sent to a syslog server?
Yes
False
syslog_host Keyword If log_to_syslog: true, provide hostname/IP of the syslog server?
Yes
localhost
syslog_port Integer If log_to_syslog: true, provide port of the syslog server?
Yes
514
export_interval Integer How often, in seconds, should counters log their values?
Yes
5
log_as_json Boolean Log in JSON format?
Yes
True
heartbeat_file Keyword Add a health check to core components.
If true, core components will touch this path regularly to tell the container environment it is healthy
Optional
/tmp/heartbeat

Retrohunt

Configuration for connecting to a retrohunt service.

Field Type Description Required Default
enabled Boolean Is the Retrohunt functionnality enabled on the frontend
Yes
False
dtl Integer Number of days retrohunt jobs will remain in the system by default
Yes
30
max_dtl Integer Maximum number of days retrohunt jobs will remain in the system
Yes
0
url Keyword Base URL for service API
Yes
https://hauntedhouse:4443
api_key Keyword Service API Key
Yes
ChangeThisDefaultRetroHuntAPIKey!
tls_verify Boolean Should tls certificates be verified
Yes
True

Services

Services Configuration

Field Type Description Required Default
categories List [Keyword] List of categories a service can be assigned to
Yes
['Antivirus', 'Dynamic Analysis', 'External', 'Extraction', 'Filtering', 'Internet Connected', 'Networking', 'Static Analysis']
default_timeout Integer Default service timeout time in seconds
Yes
60
stages List [Keyword] List of execution stages a service can be assigned to
Yes
['FILTER', 'EXTRACT', 'CORE', 'SECONDARY', 'POST', 'REVIEW']
image_variables Mapping [String, Keyword] Substitution variables for image paths (for custom registry support)
Yes
None
update_image_variables Mapping [String, Keyword] Similar to image_variables but only applied to the updater. Intended for use with local registries.
Yes
None
preferred_update_channel Keyword Default update channel to be used for new services
Yes
stable
allow_insecure_registry Boolean Allow fetching container images from insecure registries
Yes
False
preferred_registry_type Enum Global registry type to be used for fetching updates for a service (overridable by a service)
Supported values are:
"docker", "harbor"
Yes
docker
prefer_service_privileged Boolean Global preference that controls if services should be privileged to communicate with core infrastucture
Yes
False
cpu_reservation Float How much CPU do we want to reserve relative to the service's request?
At 1, a service's full CPU request will be reserved for them.
At 0 (only for very small appliances/dev boxes), the service's CPU will be limited but no CPU will be reserved allowing for more flexible scheduling of containers.
Yes
0.25
safelist ServiceSafelist None
Yes
None
registries List [ServiceRegistry] Global set of registries for services
Optional
[]
service_account Keyword Service account to use for pods in kubernetewhere the service does not have one configured.
Use helm values to specify service accounts settings for (non-)privileged services: privilegedServiceAccountName, unprivilegedServiceAccountName
Deprecated
None

ServiceRegistry

Pre-Configured Registry Details for Services

Field Type Description Required Default
name Keyword Name of container registry
Yes
None
type Enum Type of container registry
Supported values are:
"docker", "harbor"
Yes
docker
username Keyword None
Optional
None
password Keyword None
Optional
None
use_fic Boolean Use federated identity credential token instead of user/passwords combinaison (ACR Only)
Yes
False

ServiceSafelist

Service's Safelisting Configuration

Field Type Description Required Default
enabled Boolean Should services be allowed to check extracted files against safelist?
Yes
True
hash_types List [Enum] Types of file hashes used for safelist checks
Yes
['sha1', 'sha256']
enforce_safelist_service Boolean Should the Safelist service always run on extracted files?
Yes
False

Submission

Default values for parameters for submissions that may be overridden on a per submission basis

Field Type Description Required Default
default_max_extracted Integer How many extracted files may be added to a submission?
Yes
500
default_max_supplementary Integer How many supplementary files may be added to a submission?
Yes
500
dtl Integer Number of days submissions will remain in the system by default
Yes
30
emptyresult_dtl Integer Number of days emptyresult will remain in the system
Yes
5
max_dtl Integer Maximum number of days submissions will remain in the system
Yes
0
max_extraction_depth Integer Maximum files extraction depth
Yes
6
max_file_size Integer Maximum size for files submitted in the system
Yes
104857600
max_metadata_length Integer Maximum length for each metadata values
Yes
4096
max_temp_data_length Integer Maximum length for each temporary data values
Yes
4096
metadata MetadataConfig Metadata compliance rules
Yes
See MetadataConfig for more details.
sha256_sources List [Sha256Source] List of external source to fetch file via their SHA256 hashes
Use submission.file_sources which is an extension of this configuration
Yes
[]
file_sources List [FileSource] List of external source to fetch file
Yes
[]
tag_types TagTypes Tag types that show up in the submission summary
Yes
See TagTypes for more details.
verdicts Verdicts Minimum score value to get the specified verdict.
Yes
See Verdicts for more details.
default_temporary_keys Mapping [String, Enum] temporary_keys values for well known services.
Yes
None
temporary_keys Mapping [String, Enum] Set the operation that will be used to update values using this key in the temporary submission data.
Yes
None

FileSource

A file source entry for remote fetching via string

Field Type Description Required Default
name Keyword Name of the sha256 source
Yes
None
auto_select Boolean Should we force the source to be auto-selected for the user ?
Yes
False
download_from_url Boolean Should we download from the resulting URL or create an Assemblyline URI file for it ?
Yes
True
hash_types List [Keyword] Method(s) of fetching file from source by string input(ie. ['sha256', 'sha1', 'md5', 'tlsh', 'ssdeep']). This also supports custom types.
Yes
['sha256']
hash_patterns Mapping [String, Text] Custom types to regex pattern definition for input detection/validation
Optional
None
classification ClassificationString None
Optional
None
data Keyword None
Optional
None
failure_pattern Keyword None
Optional
None
method Enum Method used to call the URL
Supported values are:
"GET", "POST"
Yes
GET
url Keyword Url to fetch the file via SHA256 from (Uses replace pattern)
Yes
None
replace_pattern Keyword Pattern to replace in the URL with the SHA256
Yes
None
headers Mapping [String, Keyword] Headers used to connect to the URL
Yes
{}
proxies Mapping [String, Keyword] Proxy used to connect to the URL
Yes
{}
select_services List [Keyword] List of services that will be auto-selected when using this source.
Yes
[]
verify Boolean Should the download function Verify SSL connections?
Yes
True

MetadataConfig

Configuration for metadata compliance with APIs

Field Type Description Required Default
archive Mapping [String, Metadata] Metadata specification for archiving
Yes
None
submit Mapping [String, Metadata] Metadata specification for submission
Yes
None
ingest Mapping [String, Mapping [String, Metadata]] Metadata specification for certain ingestion based on ingest_type
Yes
None
strict_schemes List [Keyword] A list of metadata schemes with strict rules (ie. no extra/unknown metadata). Values can be: archive, submit, or one of the schemes under ingest.
Yes
[]

Metadata

Metadata configuration

Field Type Description Required Default
validator_type Enum Type of validation to apply to metadata value
Supported values are:
"boolean", "date", "domain", "email", "enum", "float", "integer", "ip", "keyword", "list", "regex", "text", "uri"
Yes
str
validator_params Mapping [String, Any] Configuration parameters to apply to validator
Yes
{}
suggestions List [Keyword] List of suggestions for this field
Yes
[]
suggestion_key Keyword Key in redis where to get the suggestions from
Optional
None
default Keyword None
Optional
None
required Boolean Is this field required?
Yes
False
aliases List [Keyword] Field name aliases that map over to the field.
Yes
[]

Sha256Source

A source entry for the sha256 downloader

Field Type Description Required Default
name Keyword Name of the sha256 source
Yes
None
classification ClassificationString None
Optional
None
data Keyword None
Optional
None
failure_pattern Keyword None
Optional
None
method Enum Method used to call the URL
Supported values are:
"GET", "POST"
Yes
GET
url Keyword Url to fetch the file via SHA256 from (Uses replace pattern)
Yes
None
replace_pattern Keyword Pattern to replace in the URL with the SHA256
Yes
None
headers Mapping [String, Keyword] Headers used to connect to the URL
Yes
{}
proxies Mapping [String, Keyword] Proxy used to connect to the URL
Yes
{}
verify Boolean Should the download function Verify SSL connections?
Yes
True

TagTypes

None

Field Type Description Required Default
attribution List [Keyword] Attibution tags
Yes
['attribution.actor', 'attribution.campaign', 'attribution.exploit', 'attribution.implant', 'attribution.family', 'attribution.network', 'av.virus_name', 'file.config', 'technique.obfuscation']
behavior List [Keyword] Behaviour tags
Yes
['file.behavior']
ioc List [Keyword] IOC tags
Yes
['network.email.address', 'network.static.ip', 'network.static.domain', 'network.static.uri', 'network.dynamic.ip', 'network.dynamic.domain', 'network.dynamic.uri']

Verdicts

Minimum score value to get the specified verdict, otherwise the file is considered safe.

Field Type Description Required Default
info Integer Minimum score for the verdict to be Informational.
Yes
0
suspicious Integer Minimum score for the verdict to be Suspicious.
Yes
300
highly_suspicious Integer Minimum score for the verdict to be Highly Suspicious.
Yes
700
malicious Integer Minimum score for the verdict to be Malicious.
Yes
1000

System

System Configuration

Field Type Description Required Default
constants Keyword Module path to the assemblyline constants
Yes
assemblyline.common.constants
organisation Text Organisation acronym used for signatures
Yes
ACME
type Enum Type of system
Supported values are:
"development", "production", "staging"
Yes
production

UI

UI Configuration

Field Type Description Required Default
ai AI AI support for the UI
Yes
See AI for more details.
ai_backends AIBackends AI Multi-backends support for the UI
Yes
See AIBackends for more details.
alerting_meta AlertingMeta Alerting metadata fields
Yes
See AlertingMeta for more details.
allow_malicious_hinting Boolean Allow user to tell in advance the system that a file is malicious?
Yes
False
allow_raw_downloads Boolean Allow user to download raw files?
Yes
True
allow_zip_downloads Boolean Allow user to download files as password protected ZIPs?
Yes
True
allow_replay Boolean Allow users to request replay on another server?
Yes
False
allow_url_submissions Boolean Allow file submissions via url?
Yes
True
api_proxies Mapping [String, APIProxies] Proxy requests to the configured API target and add headers
Yes
See APIProxies for more details.
audit Boolean Should API calls be audited and saved to a separate log file?
Yes
True
audit_login Boolean Should login successes and failures be part of the audit log as well?
Yes
False
banner Mapping [String, Keyword] Banner message display on the main page (format: {: message})
Optional
None
banner_level Enum Banner message level
Supported values are:
"error", "info", "success", "warning"
Yes
info
debug Boolean Enable debugging?
Yes
False
default_quotas Quotas Default API quotas values
Yes
See Quotas for more details.
discover_url Keyword Discover URL
Optional
None
download_encoding Enum Which encoding will be used for downloads?
Supported values are:
"cart", "raw", "zip"
Yes
cart
default_zip_password Text Default user-defined password for creating password protected ZIPs when downloading files
Optional
infected
email Email Assemblyline admins email address
Optional
None
enforce_quota Boolean Enforce the user's quotas?
Yes
True
external_links List [ExternalLinks] List of external pivot links
Yes
[]
external_sources List [ExternalSource] List of external sources to query
Yes
[]
fqdn Text Fully qualified domain name to use for the 2-factor authentication validation
Yes
localhost
ingest_max_priority Integer Maximum priority for ingest API
Yes
250
read_only Boolean Turn on read only mode in the UI
Yes
False
read_only_offset Keyword Offset of the read only mode for all paging and searches
Yes
``
rss_feeds List [Keyword] List of RSS feeds to display on the UI
Yes
['https://alpytest.blob.core.windows.net/pytest/stable.json', 'https://alpytest.blob.core.windows.net/pytest/services.json', 'https://alpytest.blob.core.windows.net/pytest/community.json', 'https://alpytest.blob.core.windows.net/pytest/blog.json']
services_feed Keyword Feed of all the services built by the Assemblyline Team
Yes
https://alpytest.blob.core.windows.net/pytest/services.json
community_feed Keyword Feed of all the services built by the Assemblyline community.
Yes
https://alpytest.blob.core.windows.net/pytest/community.json
secret_key Keyword Flask secret key to store cookies, etc.
Yes
This is the default flask secret key... you should change this!
session_duration Integer Duration of the user session before the user has to login again
Yes
3600
statistics Statistics Statistics configuration
Yes
See Statistics for more details.
tos Text Terms of service
Optional
None
tos_lockout Boolean Lock out user after accepting the terms of service?
Yes
False
tos_lockout_notify List [Keyword] List of admins to notify when a user gets locked out
Optional
None
url_submission_auto_service_selection List [Keyword] List of services auto-selected by the UI when submitting URLs
Yes
['URLDownloader']
url_submission_headers Mapping [String, Keyword] Headers used by the url_download method
Optional
None
url_submission_proxies Mapping [String, Keyword] Proxy used by the url_download method
Optional
None
url_submission_timeout Integer Request timeout for fetching URLs
Yes
15
validate_session_ip Boolean Validate if the session IP matches the IP the session was created from
Yes
True
validate_session_useragent Boolean Validate if the session useragent matches the useragent the session was created with
Yes
True

AI

AI support configuration block

Field Type Description Required Default
chat_url Keyword URL to the AI API
Yes
https://api.openai.com/v1/chat/completions
api_type Enum Type of chat API we are communicating with
Supported values are:
"cohere", "openai"
Yes
openai
assistant AIQueryParams Parameters used for Assamblyline Assistant
Yes
None
code AIQueryParams Parameters used for code analysis
Yes
None
detailed_report AIQueryParams Parameters used for detailed reports
Yes
None
executive_summary AIQueryParams Parameters used for executive summaries
Yes
None
enabled Boolean Is AI support enabled?
Yes
False
headers Mapping [String, Keyword] Headers used by the _call_ai_backend method
Optional
None
model_name Keyword Name of the model to be used for the AI analysis.
Yes
gpt-3.5-turbo
verify Boolean Should the SSL connection to the AI API be verified.
Yes
True
proxies Mapping [String, Keyword] Proxies used by the _call_ai_backend method
Optional
None

AIQueryParams

Parameters used during a AI query

Field Type Description Required Default
system_message Keyword System message used for the query.
Yes
None
task Keyword Task description sent to the AI
Yes
``
max_tokens Integer Maximum ammount of token used for the response.
Yes
None
options Mapping [String, Any] Other kwargs options directly passed to the API.
Optional
None

AIBackends

AI Multi-Backend support configuration block

Field Type Description Required Default
enabled Boolean Is AI support enabled?
Yes
False
api_connections List [AIConnection] List of API definitions use in the API Pool
Yes
[{'chat_url': 'https://api.openai.com/v1/chat/completions', 'api_type': 'openai', 'headers': {'Content-Type': 'application/json'}, 'model_name': 'gpt-3.5-turbo', 'proxies': None, 'verify': True}, {'chat_url': 'https://api.openai.com/v1/chat/completions', 'api_type': 'openai', 'headers': {'Content-Type': 'application/json'}, 'model_name': 'gpt-4', 'proxies': None, 'verify': True}]
function_params AIFunctionParameters Definition of each parameters used in the different AI functions
Yes
None

AIConnection

Connection information to an AI backend

Field Type Description Required Default
api_type Enum Type of chat API we are communicating with
Supported values are:
"cohere", "openai"
Yes
None
chat_url Keyword URL to the AI API
Yes
None
headers Mapping [String, Keyword] Headers used by the _call_ai_backend method
Optional
{}
model_name Keyword Name of the model to be used for the AI analysis.
Yes
None
proxies Mapping [String, Keyword] Proxies used by the _call_ai_backend method
Optional
None
use_fic Boolean Use Federated Identity Credentials to login
Yes
False
verify Boolean Should the SSL connection to the AI API be verified.
Yes
True

AIFunctionParameters

Definition of each parameters used in the different AI functions

Field Type Description Required Default
assistant AIQueryParams Parameters used for Assamblyline Assistant
Yes
None
code AIQueryParams Parameters used for code analysis
Yes
None
detailed_report AIQueryParams Parameters used for detailed reports
Yes
None
executive_summary AIQueryParams Parameters used for executive summaries
Yes
None
AIQueryParams

Parameters used during a AI query

Field Type Description Required Default
system_message Keyword System message used for the query.
Yes
None
task Keyword Task description sent to the AI
Yes
``
max_tokens Integer Maximum ammount of token used for the response.
Yes
None
options Mapping [String, Any] Other kwargs options directly passed to the API.
Optional
None

APIProxies

Configuration for connecting to a retrohunt service.

Field Type Description Required Default
url Keyword URL to redirect to
Yes
None
verify Boolean Should we verify the cert or not
Yes
True
headers List [HeaderValue] Headers to add to the request
Yes
[]
public Mapping [String, Any] Parameters to be sent to the Frontend.
Optional
None

HeaderValue

Header value

Field Type Description Required Default
name Keyword Name of the header
Yes
None
value Keyword None
Optional
None
key Keyword None
Optional
None

AlertingMeta

Alerting Metadata

Field Type Description Required Default
important List [Keyword] Metadata keys that are considered important
Yes
['original_source', 'protocol', 'subject', 'submitted_url', 'source_url', 'url', 'web_url', 'from', 'to', 'cc', 'bcc', 'ip_src', 'ip_dst', 'source']
subject List [Keyword] Metadata keys that refer to an email's subject
Yes
['subject']
url List [Keyword] Metadata keys that refer to a URL
Yes
['submitted_url', 'source_url', 'url', 'web_url']

External links that specific metadata and tags can pivot to

Field Type Description Required Default
allow_bypass Boolean If the classification of the item is higher than the max_classificaiton, can we let the user bypass the check and still query the external link?
Yes
False
name Keyword Name of the link
Yes
None
double_encode Boolean Should the replaced value be double encoded?
Yes
False
classification ClassificationString None
Optional
None
max_classification ClassificationString None
Optional
None
replace_pattern Keyword Pattern that will be replaced in the URL with the metadata or tag value
Yes
None
targets List [ExternalLinksTargets] List of external sources to query
Yes
[]
url Keyword URL to redirect to
Yes
None

ExternalLinksTargets

Target definition of an external link

Field Type Description Required Default
type Enum Type of external link target
Supported values are:
"hash", "metadata", "tag"
Yes
None
key Keyword Key that it can be used against
Yes
None

ExternalSource

Connection details for external systems/data sources.

Field Type Description Required Default
name Keyword Name of the source.
Yes
None
classification ClassificationString None
Optional
None
max_classification ClassificationString None
Optional
None
url Keyword URL of the upstream source's lookup service.
Yes
None

Quotas

Default API and submission quota values for the system

Field Type Description Required Default
concurrent_api_calls Integer Maximum concurrent API Calls that can be running for a user.
Yes
10
concurrent_submissions Integer Maximum concurrent Submission that can be running for a user.
Yes
5
concurrent_async_submissions Integer Maximum concurrent asynchroneous Submission that can be running for a user.
Yes
0
daily_api_calls Integer Maximum daily API calls a user can issue.
Yes
0
daily_submissions Integer Maximum daily submission a user can do.
Yes
0

Statistics

Statistics

Field Type Description Required Default
alert List [Keyword] Fields used to generate statistics in the Alerts page
Yes
['al.attrib', 'al.av', 'al.behavior', 'al.domain', 'al.ip', 'al.yara', 'file.name', 'file.md5', 'owner']
submission List [Keyword] Fields used to generate statistics in the Submissions page
Yes
['params.submitter']