Config¶
Assemblyline Deployment Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
auth | Auth | Authentication module configuration | Yes |
See Auth for more details. |
core | Core | Core component configuration | Yes |
See Core for more details. |
datastore | Datastore | Datastore configuration | Yes |
See Datastore for more details. |
datasources | Mapping [String, Datasource] | Datasources configuration | Yes |
See Datasource for more details. |
filestore | Filestore | Filestore configuration | Yes |
See Filestore for more details. |
logging | Logging | Logging configuration | Yes |
See Logging for more details. |
retrohunt | Retrohunt | Retrohunt configuration for the frontend and server. | Yes |
See Retrohunt for more details. |
services | Services | Service configuration | Yes |
See Services for more details. |
submission | Submission | Options for how submissions will be processed | Yes |
See Submission for more details. |
system | System | System configuration | Yes |
See System for more details. |
ui | UI | UI configuration parameters | Yes |
See UI for more details. |
Auth¶
Authentication Methods
Field | Type | Description | Required | Default |
---|---|---|---|---|
allow_2fa | Boolean | Allow 2FA? | Yes |
True |
allow_apikeys | Boolean | Allow API keys? | Yes |
True |
allow_extended_apikeys | Boolean | Allow extended API keys? | Yes |
True |
allow_security_tokens | Boolean | Allow security tokens? | Yes |
True |
internal | Internal | Internal authentication settings | Yes |
See Internal for more details. |
ldap | LDAP | LDAP settings | Yes |
See LDAP for more details. |
oauth | OAuth | OAuth settings | Yes |
See OAuth for more details. |
saml | SAML | SAML settings | Yes |
See SAML for more details. |
Internal¶
Internal Authentication Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
enabled | Boolean | Internal authentication allowed? | Yes |
True |
failure_ttl | Integer | How long to wait after max_failures before re-attempting login? |
Yes |
60 |
max_failures | Integer | Maximum number of fails allowed before timeout | Yes |
5 |
password_requirements | PasswordRequirement | Password requirements | Yes |
See PasswordRequirement for more details. |
signup | Signup | Signup method | Yes |
See Signup for more details. |
PasswordRequirement¶
Password Requirement
Field | Type | Description | Required | Default |
---|---|---|---|---|
lower | Boolean | Password must contain lowercase letters | Yes |
False |
number | Boolean | Password must contain numbers | Yes |
False |
special | Boolean | Password must contain special characters | Yes |
False |
upper | Boolean | Password must contain uppercase letters | Yes |
False |
min_length | Integer | Minimum password length | Yes |
12 |
Signup¶
Signup Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
enabled | Boolean | Can a user automatically signup for the system | Yes |
False |
smtp | SMTP | Signup via SMTP | Yes |
See SMTP for more details. |
notify | Notify | Signup via GC Notify | Yes |
See Notify for more details. |
valid_email_patterns | List [Keyword] | Email patterns that will be allowed to automatically signup for an account | Yes |
['.*', '.*@localhost'] |
Notify¶
Configuration block for GC Notify signup and password reset
Field | Type | Description | Required | Default |
---|---|---|---|---|
base_url | Keyword | Base URL | Optional |
None |
api_key | Keyword | API key | Optional |
None |
registration_template | Keyword | Registration template | Optional |
None |
password_reset_template | Keyword | Password reset template | Optional |
None |
authorization_template | Keyword | Authorization template | Optional |
None |
activated_template | Keyword | Activated Template | Optional |
None |
SMTP¶
Configuration block for SMTP signup and password reset
Field | Type | Description | Required | Default |
---|---|---|---|---|
from_adr | Keyword | Email address used for sender | Optional |
None |
host | Keyword | SMTP host | Optional |
None |
password | Keyword | Password for SMTP server | Optional |
None |
port | Integer | Port of SMTP server | Yes |
587 |
tls | Boolean | Should we communicate with SMTP server via TLS? | Yes |
True |
user | Keyword | User to authenticate to the SMTP server | Optional |
None |
LDAP¶
LDAP Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
enabled | Boolean | Should LDAP be enabled or not? | Yes |
False |
admin_dn | Keyword | DN of the group or the user who will get admin privileges | Optional |
None |
bind_user | Keyword | User use to query the LDAP server | Optional |
None |
bind_pass | Keyword | Password used to query the LDAP server | Optional |
None |
auto_create | Boolean | Auto-create users if they are missing | Yes |
True |
auto_sync | Boolean | Should we automatically sync with LDAP server on each login? | Yes |
True |
auto_properties | List [AutoProperty] | Automatic role and classification assignments | Yes |
[] |
base | Keyword | Base DN for the users | Yes |
ou=people,dc=assemblyline,dc=local |
classification_mappings | Any | Classification mapping | Yes |
None |
email_field | Keyword | Name of the field containing the email address | Yes |
mail |
group_lookup_query | Keyword | How the group lookup is queried | Yes |
(&(objectClass=Group)(member=%s)) |
group_lookup_with_uid | Boolean | Use username/uid instead of dn for group lookup | Yes |
False |
image_field | Keyword | Name of the field containing the user's avatar | Yes |
jpegPhoto |
image_format | Keyword | Type of image used to store the avatar | Yes |
jpeg |
name_field | Keyword | Name of the field containing the user's name | Yes |
cn |
signature_importer_dn | Keyword | DN of the group or the user who will get signature_importer role | Optional |
None |
signature_manager_dn | Keyword | DN of the group or the user who will get signature_manager role | Optional |
None |
uid_field | Keyword | Field name for the UID | Yes |
uid |
uri | Keyword | URI to the LDAP server | Yes |
ldap://localhost:389 |
AutoProperty¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
field | Keyword | Field to apply pattern to |
Yes |
None |
pattern | Keyword | Regex pattern for auto-prop assignment | Yes |
None |
type | Enum | Type of property assignment on pattern match Supported values are: "access", "api_daily_quota", "api_quota", "classification", "group", "multi_group", "remove_role", "role", "submission_async_quota", "submission_daily_quota", "submission_quota", "type" |
Yes |
None |
value | List [Keyword] | Assigned property value | Yes |
[] |
OAuth¶
OAuth Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
enabled | Boolean | Enable use of OAuth? | Yes |
False |
gravatar_enabled | Boolean | Enable gravatar? | Yes |
True |
providers | Mapping [String, OAuthProvider] | OAuth provider configuration | Yes |
See OAuthProvider for more details. |
OAuthProvider¶
OAuth Provider Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
auto_create | Boolean | Auto-create users if they are missing | Yes |
True |
auto_sync | Boolean | Should we automatically sync with OAuth provider? | Yes |
False |
auto_properties | List [AutoProperty] | Automatic role and classification assignments | Yes |
[] |
app_provider | AppProvider | None | Optional |
None |
uid_randomize | Boolean | Should we generate a random username for the authenticated user? | Yes |
False |
uid_randomize_digits | Integer | How many digits should we add at the end of the username? | Yes |
0 |
uid_randomize_delimiter | Keyword | What is the delimiter used by the random name generator? | Yes |
- |
uid_regex | Keyword | Regex used to parse an email address and capture parts to create a user ID out of it | Optional |
None |
uid_format | Keyword | Format of the user ID based on the captured parts from the regex | Optional |
None |
client_id | Keyword | ID of your application to authenticate to the OAuth provider | Optional |
None |
client_secret | Keyword | Password to your application to authenticate to the OAuth provider | Optional |
None |
redirect_uri | Keyword | URI to redirect to after authentication with OAuth provider | Optional |
None |
request_token_url | Keyword | URL to request token | Optional |
None |
request_token_params | Mapping [String, Keyword] | Parameters to request token | Optional |
None |
access_token_url | Keyword | URL to get access token | Optional |
None |
access_token_params | Mapping [String, Keyword] | Parameters to get access token | Optional |
None |
authorize_url | Keyword | URL used to authorize access to a resource | Optional |
None |
authorize_params | Mapping [String, Keyword] | Parameters used to authorize access to a resource | Optional |
None |
api_base_url | Keyword | Base URL for downloading the user's and groups info | Optional |
None |
client_kwargs | Mapping [String, Keyword] | Keyword arguments passed to the different URLs | Optional |
None |
jwks_uri | Keyword | URL used to verify if a returned JWKS token is valid | Optional |
None |
jwt_token_alg | Keyword | Algorythm use the validate JWT OBO tokens | Yes |
RS256 |
uid_field | Keyword | Name of the field that will contain the user ID | Optional |
None |
user_get | Keyword | Path from the base_url to fetch the user info | Optional |
None |
user_groups | Keyword | Path from the base_url to fetch the group info | Optional |
None |
user_groups_data_field | Keyword | Field return by the group info API call that contains the list of groups | Optional |
None |
user_groups_name_field | Keyword | Name of the field in the list of groups that contains the name of the group | Optional |
None |
use_new_callback_format | Boolean | Should we use the new callback method? | Yes |
False |
allow_external_tokens | Boolean | Should token provided to the login API directly be use for authentication? | Yes |
False |
external_token_alternate_audiences | List [Keyword] | List of valid alternate audiences for the external token. | Yes |
[] |
email_fields | List [Keyword] | List of fields in the claim to get the email from | Yes |
['email', 'emails', 'extension_selectedEmailAddress', 'otherMails', 'preferred_username', 'upn'] |
username_field | Keyword | Name of the field that will contain the username | Yes |
uname |
validate_token_with_secret | Boolean | Should we send the client secret while validating the access token? | Yes |
False |
AppProvider¶
App provider
Field | Type | Description | Required | Default |
---|---|---|---|---|
access_token_url | Keyword | URL used to get the access token | Yes |
None |
user_get | Keyword | Path from the base_url to fetch the user info | Optional |
None |
group_get | Keyword | Path from the base_url to fetch the group info | Optional |
None |
scope | Keyword | None | Yes |
None |
client_id | Keyword | ID of your application to authenticate to the OAuth | Optional |
None |
client_secret | Keyword | Password to your application to authenticate to the OAuth provider | Optional |
None |
AutoProperty¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
field | Keyword | Field to apply pattern to |
Yes |
None |
pattern | Keyword | Regex pattern for auto-prop assignment | Yes |
None |
type | Enum | Type of property assignment on pattern match Supported values are: "access", "api_daily_quota", "api_quota", "classification", "group", "multi_group", "remove_role", "role", "submission_async_quota", "submission_daily_quota", "submission_quota", "type" |
Yes |
None |
value | List [Keyword] | Assigned property value | Yes |
[] |
SAML¶
SAML Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
enabled | Boolean | Enable use of SAML? | Yes |
False |
auto_create | Boolean | Auto-create users if they are missing | Yes |
True |
auto_sync | Boolean | Should we automatically sync with SAML server on each login? | Yes |
True |
lowercase_urlencoding | Boolean | Enable lowercase encoding if using ADFS as IdP | Yes |
False |
attributes | SAMLAttributes | SAML attributes | Yes |
See SAMLAttributes for more details. |
settings | SAMLSettings | SAML settings method | Yes |
See SAMLSettings for more details. |
SAMLAttributes¶
SAML Attributes
Field | Type | Description | Required | Default |
---|---|---|---|---|
username_attribute | Keyword | SAML attribute name for AL username | Optional |
uid |
email_attribute | Keyword | SAML attribute name for a user's email address | Yes |
email |
fullname_attribute | Keyword | SAML attribute name for a user's first name | Yes |
name |
groups_attribute | Keyword | SAML attribute name for the groups | Yes |
groups |
roles_attribute | Keyword | SAML attribute name for the roles | Yes |
roles |
group_type_mapping | Mapping [String, Keyword] | SAML group to role mapping | Yes |
{} |
SAMLSettings¶
SAML Settings
Field | Type | Description | Required | Default |
---|---|---|---|---|
strict | Boolean | Should we be strict in our SAML checks? | Yes |
False |
debug | Boolean | Should we be in debug mode? | Yes |
False |
sp | SAMLServiceProvider | SP settings | Yes |
None |
idp | SAMLIdentityProvider | IDP settings | Yes |
None |
security | SAMLSecurity | Security settings | Optional |
None |
contact_person | SAMLContacts | Contact settings | Optional |
None |
organization | Mapping [String, SAMLOrganization] | Organization settings | Optional |
None |
SAMLContacts¶
SAML Contacts
Field | Type | Description | Required | Default |
---|---|---|---|---|
technical | SAMLContactPerson | Technical Contact | Yes |
None |
support | SAMLContactPerson | Support Contact | Yes |
None |
SAMLContactPerson¶
SAML Contact Entry
Field | Type | Description | Required | Default |
---|---|---|---|---|
given_name | Keyword | Given Name | Yes |
None |
email_address | Keyword | Email Address | Yes |
None |
SAMLIdentityProvider¶
SAML Identity Provider
Field | Type | Description | Required | Default |
---|---|---|---|---|
entity_id | Keyword | Entity ID | Yes |
None |
single_sign_on_service | SAMLSingleSignOnService | Single Sign On Service | Yes |
None |
x509cert | Keyword | X509 Certificate | Optional |
None |
SAMLSingleSignOnService¶
SAML Single Sign On Service
Field | Type | Description | Required | Default |
---|---|---|---|---|
url | Keyword | URL | Yes |
None |
binding | Keyword | Binding | Yes |
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect |
SAMLOrganization¶
SAML Organization
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name | Yes |
None |
display_name | Keyword | Display Name | Yes |
None |
url | Keyword | URL | Yes |
None |
SAMLSecurity¶
SAML Security
Field | Type | Description | Required | Default |
---|---|---|---|---|
name_id_encrypted | Boolean | Name ID Encrypted | Optional |
None |
authn_requests_signed | Boolean | Authn Requests Signed | Optional |
None |
logout_request_signed | Boolean | Logout Request Signed | Optional |
None |
logout_response_signed | Boolean | Logout Response Signed | Optional |
None |
sign_metadata | Boolean | Sign Metadata | Optional |
None |
want_messages_signed | Boolean | Want Messages Signed | Optional |
None |
want_assertions_signed | Boolean | Want Assertions Signed | Optional |
None |
want_assertions_encrypted | Boolean | Want Assertions Encrypted | Optional |
None |
want_name_id | Boolean | Want Name ID | Optional |
None |
want_name_id_encrypted | Boolean | Want Name ID Encrypted | Optional |
None |
want_attribute_statement | Boolean | Want Attribute Statement | Optional |
None |
requested_authn_context | Boolean | Requested Authn Context | Optional |
None |
requested_authn_context_comparison | Keyword | Requested Authn Context Comparison | Optional |
None |
fail_on_authn_context_mismatch | Boolean | Fail On Authn Context Mismatch | Optional |
None |
metadata_valid_until | Keyword | Metadata Valid Until | Optional |
None |
metadata_cache_duration | Keyword | Metadata Cache Duration | Optional |
None |
allow_single_label_domains | Boolean | Allow Single Label Domains | Optional |
None |
signature_algorithm | Keyword | Signature Algorithm | Optional |
None |
digest_algorithm | Keyword | Digest Algorithm | Optional |
None |
allow_repeat_attribute_name | Boolean | Allow Repeat Attribute Name | Optional |
None |
reject_deprecated_algorithm | Boolean | Reject Deprecated Algorithm | Optional |
None |
SAMLServiceProvider¶
SAML Service Provider
Field | Type | Description | Required | Default |
---|---|---|---|---|
entity_id | Keyword | Entity ID | Yes |
None |
assertion_consumer_service | SAMLAssertionConsumerService | Assertion Consumer Service | Yes |
None |
attribute_consuming_service | SAMLAttributeConsumingService | Attribute Consuming Service | Optional |
None |
name_id_format | Keyword | Name ID Format | Yes |
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
x509cert | Keyword | X509 Certificate | Optional |
None |
private_key | Keyword | Private Key | Optional |
None |
SAMLAssertionConsumerService¶
SAML Assertion Consumer Service
Field | Type | Description | Required | Default |
---|---|---|---|---|
url | Keyword | URL | Yes |
None |
binding | Keyword | Binding | Yes |
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
SAMLAttributeConsumingService¶
SAML Attribute Consuming Service
Field | Type | Description | Required | Default |
---|---|---|---|---|
service_name | Keyword | Service Name | Yes |
None |
service_description | Keyword | Service Description | Yes |
None |
requested_attributes | List [SAMLRequestedAttribute] | Requested Attributes | Yes |
[] |
# SAMLRequestedAttribute¶
SAML Attribute
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name | Yes |
None |
is_required | Boolean | Is required? | Yes |
False |
name_format | Keyword | Name Format | Yes |
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
friendly_name | Keyword | Friendly Name | Yes |
`` |
attribute_value | List [Keyword] | Attribute Value | Yes |
[] |
Core¶
Core Component Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
alerter | Alerter | Configuration for Alerter | Yes |
See Alerter for more details. |
archiver | Archiver | Configuration for the permanent submission archive | Yes |
See Archiver for more details. |
dispatcher | Dispatcher | Configuration for Dispatcher | Yes |
See Dispatcher for more details. |
expiry | Expiry | Configuration for Expiry | Yes |
See Expiry for more details. |
ingester | Ingester | Configuration for Ingester | Yes |
See Ingester for more details. |
metrics | Metrics | Configuration for Metrics Collection | Yes |
See Metrics for more details. |
plumber | Plumber | Configuration for system cleanup | Yes |
See Plumber for more details. |
redis | Redis | Configuration for Redis instances | Yes |
See Redis for more details. |
scaler | Scaler | Configuration for Scaler | Yes |
See Scaler for more details. |
updater | Updater | Configuration for Updater | Yes |
See Updater for more details. |
vacuum | Vacuum | Configuration for Vacuum | Yes |
See Vacuum for more details. |
Alerter¶
Alerter Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
alert_ttl | Integer | Time to live (days) for an alert in the system | Yes |
90 |
constant_alert_fields | List [Keyword] | List of fields that should not change during an alert update This behavior is no longer configurable |
Yes |
[] |
constant_ignore_keys | List [Keyword] | List of keys to ignore in the constant alert fields. This behavior is no longer configurable |
Yes |
[] |
default_group_field | Keyword | Default field used for alert grouping view | Yes |
file.sha256 |
delay | Integer | Time in seconds that we give extended scans and workflow to complete their work before we start showing alerts in the alert viewer. | Yes |
300 |
filtering_group_fields | List [Keyword] | List of group fields that when selected will ignore certain alerts where this field is missing. | Yes |
['file.name', 'status', 'priority'] |
non_filtering_group_fields | List [Keyword] | List of group fields that are sure to be present in all alerts. | Yes |
['file.md5', 'file.sha1', 'file.sha256'] |
process_alert_message | Keyword | Python path to the function that will process an alert message. | Yes |
assemblyline_core.alerter.processing.process_alert_message |
threshold | Integer | Minimum score to reach for a submission to be considered an alert. | Yes |
500 |
Archiver¶
Malware Archive Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
alternate_dtl | Integer | Alternate number of days to keep the data in the malware archive. (0: Disabled, will keep data forever) | Yes |
0 |
metadata | Mapping [String, ArchiverMetadata] | Proxy configuration that is passed to Python Requests The configuration for the archive metadata validation and requirements has moved to submission.metadata.archive . |
Yes |
None |
minimum_required_services | List [Keyword] | List of minimum required service before archiving takes place | Yes |
[] |
webhook | Webhook | Webhook to call before triggering the archiving process | Optional |
None |
use_metadata | Boolean | Should the UI ask form metadata to be filed out when archiving This field is no longer required... |
Yes |
False |
use_webhook | Boolean | None | Optional |
False |
ArchiverMetadata¶
Malware Archive Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
default | Keyword | None | Optional |
None |
editable | Boolean | Can the user provide a custom value | Yes |
False |
values | List [Keyword] | List of possible values to pick from | Yes |
[] |
Webhook¶
Webhook Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
password | Keyword | Password used to authenticate with source | Optional |
`` |
ca_cert | Keyword | CA cert for source | Optional |
`` |
ssl_ignore_errors | Boolean | Ignore SSL errors when reaching out to source? | Yes |
False |
proxy | Keyword | Proxy server for source | Optional |
`` |
method | Keyword | HTTP method used to access webhook | Yes |
POST |
uri | Keyword | URI to source | Yes |
None |
username | Keyword | Username used to authenticate with source | Optional |
`` |
headers | List [NamedValue] | Headers | Yes |
[] |
retries | Integer | None | Yes |
3 |
NamedValue¶
Named Value
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name | Yes |
None |
value | Keyword | Value | Yes |
None |
Dispatcher¶
Dispatcher Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
timeout | Integer | Time between re-dispatching attempts, as long as some action (submission or any task completion) happens before this timeout ends, the timeout resets. | Yes |
900 |
max_inflight | Integer | Maximum submissions allowed to be in-flight | Yes |
1000 |
Expiry¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
batch_delete | Boolean | Perform expiry in batches? Delete queries are rounded by day therefore all delete operation happen at the same time at midnight |
Yes |
False |
delay | Integer | Delay, in hours, that will be applied to the expiry query so we can keepdata longer then previously set or we can offset deletion during non busy hours | Yes |
0 |
delete_storage | Boolean | Should we also cleanup the file storage? | Yes |
True |
sleep_time | Integer | Time, in seconds, to sleep in between each expiry run | Yes |
15 |
workers | Integer | Number of concurrent workers | Yes |
20 |
delete_workers | Integer | Worker processes for file storage deletes. | Yes |
2 |
iteration_max_tasks | Integer | How many query chunks get run per iteration. | Yes |
50 |
delete_batch_size | Integer | How large a batch get deleted per iteration. | Yes |
2000 |
safelisted_tag_dtl | Integer | The default period, in days, before tags expire from Safelist | Yes |
0 |
badlisted_tag_dtl | Integer | The default period, in days, before tags expire from Badlist | Yes |
0 |
Ingester¶
Ingester Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
always_create_submission | Boolean | Always create submissions even on cache hit? | Yes |
False |
default_user | Keyword | Default user for bulk ingestion and unattended submissions | Yes |
internal |
default_services | List [Keyword] | Default service selection | Yes |
[] |
default_resubmit_services | List [Keyword] | Default service selection for resubmits | Yes |
[] |
description_prefix | Keyword | A prefix for descriptions. When a description is automatically generated, it will be the hash prefixed by this string | Yes |
Bulk |
is_low_priority | Keyword | Path to a callback function filtering ingestion tasks that should have their priority forcefully reset to low | Yes |
assemblyline.common.null.always_false |
get_whitelist_verdict | Keyword | None | Yes |
assemblyline.common.signaturing.drop |
whitelist | Keyword | None | Yes |
assemblyline.common.null.whitelist |
default_max_extracted | Integer | How many extracted files may be added to a Submission. Overrideable via submission parameters. | Yes |
100 |
default_max_supplementary | Integer | How many supplementary files may be added to a Submission. Overrideable via submission parameters | Yes |
100 |
expire_after | Integer | Period, in seconds, in which a task should be expired | Yes |
1296000 |
stale_after_seconds | Integer | Drop a task altogether after this many seconds | Yes |
86400 |
incomplete_expire_after_seconds | Integer | How long should scores be kept before expiry | Yes |
3600 |
incomplete_stale_after_seconds | Integer | How long should scores be cached in the ingester | Yes |
1800 |
sampling_at | Mapping [String, Integer] | Thresholds at certain buckets before sampling | Yes |
None |
max_inflight | Integer | How long can a queue get before we start dropping files | Yes |
500 |
cache_dtl | Integer | How long are files results cached | Yes |
2 |
Metrics¶
Metrics Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
apm_server | APMServer | APM server configuration | Yes |
See APMServer for more details. |
elasticsearch | ESMetrics | Where to export metrics? | Yes |
See ESMetrics for more details. |
export_interval | Integer | How often should we be exporting metrics? | Yes |
5 |
redis | RedisServer | Redis for Dashboard metrics | Yes |
See RedisServer for more details. |
APMServer¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
server_url | Keyword | URL to API server | Optional |
None |
token | Keyword | Authentication token for server | Optional |
None |
ESMetrics¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
hosts | List [Keyword] | Elasticsearch hosts | Optional |
None |
host_certificates | Keyword | Host certificates | Optional |
None |
warm | Integer | How long, per unit of time, should a document remain in the 'warm' tier? | Yes |
2 |
cold | Integer | How long, per unit of time, should a document remain in the 'cold' tier? | Yes |
30 |
delete | Integer | How long, per unit of time, should a document remain before being deleted? | Yes |
90 |
unit | Enum | Unit of time used by warm , cold , delete phasesSupported values are: "d", "h", "m" |
Yes |
d |
RedisServer¶
Redis Service configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
host | Keyword | Hostname of Redis instance | Yes |
127.0.0.1 |
port | Integer | Port of Redis instance | Yes |
6379 |
Plumber¶
Plumber Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
notification_queue_interval | Integer | Interval at which the notification queue cleanup should run | Yes |
1800 |
notification_queue_max_age | Integer | Max age in seconds notification queue messages can be | Yes |
86400 |
Redis¶
Redis Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
nonpersistent | RedisServer | A volatile Redis instance | Yes |
See RedisServer for more details. |
persistent | RedisServer | A persistent Redis instance | Yes |
See RedisServer for more details. |
RedisServer¶
Redis Service configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
host | Keyword | Hostname of Redis instance | Yes |
127.0.0.1 |
port | Integer | Port of Redis instance | Yes |
6379 |
Scaler¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
service_defaults | ScalerServiceDefaults | Defaults Scaler will assign to a service. | Yes |
None |
cpu_overallocation | Float | Percentage of CPU overallocation | Yes |
1 |
memory_overallocation | Float | Percentage of RAM overallocation | Yes |
1 |
overallocation_node_limit | Integer | None | Optional |
None |
additional_labels | List [Text] | Additional labels to be applied to services('=' delimited) | Optional |
None |
privileged_services_additional_labels | List [Text] | Additional labels to be applied to privileged services only('=' delimited) | Optional |
None |
linux_node_selector | Selector | Selector for linux nodes under kubernetes | Yes |
None |
cluster_pod_list | Boolean | Sets if scaler list pods for all namespaces. Disabling this lets you use stricter cluster roles but will make cluster resource usage less accurate, setting a namespace resource quota might be needed. | Yes |
True |
ScalerServiceDefaults¶
A set of default values to be used running a service when no other value is set
Field | Type | Description | Required | Default |
---|---|---|---|---|
growth | Integer | Period, in seconds, to wait before scaling up a service deployment | Yes |
None |
shrink | Integer | Period, in seconds, to wait before scaling down a service deployment | Yes |
None |
backlog | Integer | Backlog threshold that dictates scaling adjustments | Yes |
None |
min_instances | Integer | The minimum number of service instances to be running | Yes |
None |
environment | List [EnvironmentVariable] | Environment variables to pass onto services | Yes |
[] |
mounts | List [Mount] | A list of volume mounts for every service | Yes |
[] |
tolerations | List [Toleration] | Toleration to apply to service pods. | ||
Reference: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | Yes |
[] |
Mount¶
A configuration for mounting existing volumes to a container
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name of volume mount | Yes |
None |
path | Text | Target mount path | Yes |
None |
read_only | Boolean | Should this be mounted as read-only? | Yes |
True |
privileged_only | Boolean | Should this mount only be available for privileged services? | Yes |
False |
resource_type | Enum | Type of mountable Kubernetes resource Supported values are: "configmap", "secret", "volume" |
Yes |
volume |
resource_name | Keyword | Name of resource (Kubernetes only) | Optional |
None |
resource_key | Keyword | Key of ConfigMap/Secret (Kubernetes only) | Optional |
None |
config_map | Keyword | Name of ConfigMap (Kubernetes only) Use resource_type: configmap and fill in the resource_name & resource_key fields to mount ConfigMaps |
Deprecated |
None |
key | Keyword | Key of ConfigMap (Kubernetes only) Use resource_type: configmap and fill in the resource_name & resource_key fields to mount ConfigMaps |
Deprecated |
None |
Toleration¶
Limit a set of kubernetes objects based on a label query.
Field | Type | Description | Required | Default |
---|---|---|---|---|
key | Keyword | The taint key that the toleration applies to | Optional |
None |
operator | Enum | Relationship between taint key and value Supported values are: "Equal", "Exists" |
Yes |
Equal |
value | Keyword | Taint value the toleration matches to | Optional |
None |
effect | Enum | The taint effect to match. Supported values are: "NoExecute", "NoSchedule", "PreferNoSchedule" |
Optional |
None |
toleration_seconds | Integer | The period of time the toleration tolerates the taint | Optional |
None |
Selector¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
field | List [FieldSelector] | Field selector for resource under kubernetes | Yes |
[] |
label | List [LabelSelector] | Label selector for resource under kubernetes | Yes |
[] |
FieldSelector¶
Limit a set of kubernetes objects based on a field query.
Field | Type | Description | Required | Default |
---|---|---|---|---|
key | Keyword | Name of a field to select on. | Yes |
None |
equal | Boolean | When true key must equal value, when false it must not | Yes |
True |
value | Keyword | Value to compare field to. | Yes |
None |
LabelSelector¶
Limit a set of kubernetes objects based on a label query.
Field | Type | Description | Required | Default |
---|---|---|---|---|
key | Keyword | Name of label to select on. | Yes |
None |
operator | Enum | Operation to select label with. Supported values are: "DoesNotExist", "Exists", "In", "NotIn" |
Yes |
None |
values | List [Keyword] | Value list to compare label to. | Yes |
None |
Updater¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
job_dockerconfig | DockerConfigDelta | Container configuration used for service registration/updates | Yes |
None |
registry_configs | List [RegistryConfiguration] | Configurations to be used with container registries | Yes |
[{'name': 'registry.hub.docker.com', 'proxies': {}}] |
RegistryConfiguration¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Text | Name of container registry | Yes |
None |
proxies | Mapping [String, Text] | Proxy configuration that is passed to Python Requests | Optional |
None |
token_server | Text | Token server name to facilitate anonymous pull access | Optional |
None |
Vacuum¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
list_cache_directory | Keyword | None | Yes |
/cache/ |
worker_cache_directory | Keyword | None | Yes |
/memory/ |
data_directories | List [Keyword] | None | Yes |
[] |
file_directories | List [Keyword] | None | Yes |
[] |
assemblyline_user | Keyword | None | Yes |
vacuum-service-account |
department_map_url | Keyword | None | Optional |
None |
department_map_init | Keyword | None | Optional |
None |
stream_map_url | Keyword | None | Optional |
None |
stream_map_init | Keyword | None | Optional |
None |
safelist | List [VacuumSafelistItem] | None | Yes |
[] |
worker_threads | Integer | None | Yes |
50 |
worker_rollover | Integer | None | Yes |
1000 |
minimum_classification | Keyword | None | Yes |
U |
ingest_type | Keyword | None | Yes |
VACUUM |
VacuumSafelistItem¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | None | Yes |
None |
conditions | Mapping [String, Keyword] | None | Yes |
None |
Datasource¶
Datasource Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
classpath | Keyword | None | Yes |
None |
config | Mapping [String, Keyword] | None | Yes |
None |
Datastore¶
Datastore Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
hosts | List [Keyword] | List of hosts used for the datastore | Yes |
['http://elastic:devpass@localhost:9200'] |
archive | Archive | Datastore Archive feature configuration | Yes |
See Archive for more details. |
cache_dtl | Integer | Default cache lenght for computed indices (submission_tree, submission_summary... | Yes |
5 |
type | Enum | Type of application used for the datastore Supported values are: "elasticsearch" |
Yes |
elasticsearch |
Archive¶
Datastore Archive feature configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
enabled | Boolean | Are we enabling Achiving features across indices? | Yes |
False |
indices | List [Keyword] | List of indices the ILM Applies to | Yes |
['file', 'submission', 'result'] |
Filestore¶
Filestore Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
archive | List [Keyword] | List of filestores used for malware archive | Yes |
['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-archive&use_ssl=False'] |
cache | List [Keyword] | List of filestores used for caching | Yes |
['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-cache&use_ssl=False'] |
storage | List [Keyword] | List of filestores used for storage | Yes |
['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-storage&use_ssl=False'] |
Logging¶
Model Definition for the Logging Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
log_level | Enum | What level of logging should we have? Supported values are: "CRITICAL", "DEBUG", "DISABLED", "ERROR", "INFO", "WARNING" |
Yes |
INFO |
log_to_console | Boolean | Should we log to console? | Yes |
True |
log_to_file | Boolean | Should we log to files on the server? | Yes |
False |
log_directory | Keyword | If log_to_file: true , what is the directory to store logs? |
Yes |
/var/log/assemblyline/ |
log_to_syslog | Boolean | Should logs be sent to a syslog server? | Yes |
False |
syslog_host | Keyword | If log_to_syslog: true , provide hostname/IP of the syslog server? |
Yes |
localhost |
syslog_port | Integer | If log_to_syslog: true , provide port of the syslog server? |
Yes |
514 |
export_interval | Integer | How often, in seconds, should counters log their values? | Yes |
5 |
log_as_json | Boolean | Log in JSON format? | Yes |
True |
heartbeat_file | Keyword | Add a health check to core components. If true , core components will touch this path regularly to tell the container environment it is healthy |
Optional |
/tmp/heartbeat |
Retrohunt¶
Configuration for connecting to a retrohunt service.
Field | Type | Description | Required | Default |
---|---|---|---|---|
enabled | Boolean | Is the Retrohunt functionnality enabled on the frontend | Yes |
False |
dtl | Integer | Number of days retrohunt jobs will remain in the system by default | Yes |
30 |
max_dtl | Integer | Maximum number of days retrohunt jobs will remain in the system | Yes |
0 |
url | Keyword | Base URL for service API | Yes |
https://hauntedhouse:4443 |
api_key | Keyword | Service API Key | Yes |
ChangeThisDefaultRetroHuntAPIKey! |
tls_verify | Boolean | Should tls certificates be verified | Yes |
True |
Services¶
Services Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
categories | List [Keyword] | List of categories a service can be assigned to | Yes |
['Antivirus', 'Dynamic Analysis', 'External', 'Extraction', 'Filtering', 'Internet Connected', 'Networking', 'Static Analysis'] |
default_timeout | Integer | Default service timeout time in seconds | Yes |
60 |
stages | List [Keyword] | List of execution stages a service can be assigned to | Yes |
['FILTER', 'EXTRACT', 'CORE', 'SECONDARY', 'POST', 'REVIEW'] |
image_variables | Mapping [String, Keyword] | Substitution variables for image paths (for custom registry support) | Yes |
None |
update_image_variables | Mapping [String, Keyword] | Similar to image_variables but only applied to the updater. Intended for use with local registries. |
Yes |
None |
preferred_update_channel | Keyword | Default update channel to be used for new services | Yes |
stable |
allow_insecure_registry | Boolean | Allow fetching container images from insecure registries | Yes |
False |
preferred_registry_type | Enum | Global registry type to be used for fetching updates for a service (overridable by a service) Supported values are: "docker", "harbor" |
Yes |
docker |
prefer_service_privileged | Boolean | Global preference that controls if services should be privileged to communicate with core infrastucture | Yes |
False |
cpu_reservation | Float | How much CPU do we want to reserve relative to the service's request? At 1 , a service's full CPU request will be reserved for them.At 0 (only for very small appliances/dev boxes), the service's CPU will be limited but no CPU will be reserved allowing for more flexible scheduling of containers. |
Yes |
0.25 |
safelist | ServiceSafelist | None | Yes |
None |
registries | List [ServiceRegistry] | Global set of registries for services | Optional |
[] |
service_account | Keyword | Service account to use for pods in kubernetewhere the service does not have one configured. Use helm values to specify service accounts settings for (non-)privileged services: privilegedServiceAccountName , unprivilegedServiceAccountName |
Deprecated |
None |
ServiceRegistry¶
Pre-Configured Registry Details for Services
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name of container registry | Yes |
None |
type | Enum | Type of container registry Supported values are: "docker", "harbor" |
Yes |
docker |
username | Keyword | None | Optional |
None |
password | Keyword | None | Optional |
None |
use_fic | Boolean | Use federated identity credential token instead of user/passwords combinaison (ACR Only) | Yes |
False |
ServiceSafelist¶
Service's Safelisting Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
enabled | Boolean | Should services be allowed to check extracted files against safelist? | Yes |
True |
hash_types | List [Enum] | Types of file hashes used for safelist checks | Yes |
['sha1', 'sha256'] |
enforce_safelist_service | Boolean | Should the Safelist service always run on extracted files? | Yes |
False |
Submission¶
Default values for parameters for submissions that may be overridden on a per submission basis
Field | Type | Description | Required | Default |
---|---|---|---|---|
default_max_extracted | Integer | How many extracted files may be added to a submission? | Yes |
500 |
default_max_supplementary | Integer | How many supplementary files may be added to a submission? | Yes |
500 |
dtl | Integer | Number of days submissions will remain in the system by default | Yes |
30 |
emptyresult_dtl | Integer | Number of days emptyresult will remain in the system | Yes |
5 |
max_dtl | Integer | Maximum number of days submissions will remain in the system | Yes |
0 |
max_extraction_depth | Integer | Maximum files extraction depth | Yes |
6 |
max_file_size | Integer | Maximum size for files submitted in the system | Yes |
104857600 |
max_metadata_length | Integer | Maximum length for each metadata values | Yes |
4096 |
max_temp_data_length | Integer | Maximum length for each temporary data values | Yes |
4096 |
metadata | MetadataConfig | Metadata compliance rules | Yes |
See MetadataConfig for more details. |
sha256_sources | List [Sha256Source] | List of external source to fetch file via their SHA256 hashes Use submission.file_sources which is an extension of this configuration |
Yes |
[] |
file_sources | List [FileSource] | List of external source to fetch file | Yes |
[] |
tag_types | TagTypes | Tag types that show up in the submission summary | Yes |
See TagTypes for more details. |
verdicts | Verdicts | Minimum score value to get the specified verdict. | Yes |
See Verdicts for more details. |
default_temporary_keys | Mapping [String, Enum] | temporary_keys values for well known services. | Yes |
None |
temporary_keys | Mapping [String, Enum] | Set the operation that will be used to update values using this key in the temporary submission data. | Yes |
None |
FileSource¶
A file source entry for remote fetching via string
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name of the sha256 source | Yes |
None |
auto_select | Boolean | Should we force the source to be auto-selected for the user ? | Yes |
False |
download_from_url | Boolean | Should we download from the resulting URL or create an Assemblyline URI file for it ? | Yes |
True |
hash_types | List [Keyword] | Method(s) of fetching file from source by string input(ie. ['sha256', 'sha1', 'md5', 'tlsh', 'ssdeep']). This also supports custom types. | Yes |
['sha256'] |
hash_patterns | Mapping [String, Text] | Custom types to regex pattern definition for input detection/validation | Optional |
None |
classification | ClassificationString | None | Optional |
None |
data | Keyword | None | Optional |
None |
failure_pattern | Keyword | None | Optional |
None |
method | Enum | Method used to call the URL Supported values are: "GET", "POST" |
Yes |
GET |
url | Keyword | Url to fetch the file via SHA256 from (Uses replace pattern) | Yes |
None |
replace_pattern | Keyword | Pattern to replace in the URL with the SHA256 | Yes |
None |
headers | Mapping [String, Keyword] | Headers used to connect to the URL | Yes |
{} |
proxies | Mapping [String, Keyword] | Proxy used to connect to the URL | Yes |
{} |
select_services | List [Keyword] | List of services that will be auto-selected when using this source. | Yes |
[] |
verify | Boolean | Should the download function Verify SSL connections? | Yes |
True |
MetadataConfig¶
Configuration for metadata compliance with APIs
Field | Type | Description | Required | Default |
---|---|---|---|---|
archive | Mapping [String, Metadata] | Metadata specification for archiving | Yes |
None |
submit | Mapping [String, Metadata] | Metadata specification for submission | Yes |
None |
ingest | Mapping [String, Mapping [String, Metadata]] | Metadata specification for certain ingestion based on ingest_type | Yes |
None |
strict_schemes | List [Keyword] | A list of metadata schemes with strict rules (ie. no extra/unknown metadata). Values can be: archive , submit , or one of the schemes under ingest . |
Yes |
[] |
Metadata¶
Metadata configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
validator_type | Enum | Type of validation to apply to metadata value Supported values are: "boolean", "date", "domain", "email", "enum", "float", "integer", "ip", "keyword", "list", "regex", "text", "uri" |
Yes |
str |
validator_params | Mapping [String, Any] | Configuration parameters to apply to validator | Yes |
{} |
suggestions | List [Keyword] | List of suggestions for this field | Yes |
[] |
suggestion_key | Keyword | Key in redis where to get the suggestions from | Optional |
None |
default | Keyword | None | Optional |
None |
required | Boolean | Is this field required? | Yes |
False |
aliases | List [Keyword] | Field name aliases that map over to the field. | Yes |
[] |
Sha256Source¶
A source entry for the sha256 downloader
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name of the sha256 source | Yes |
None |
classification | ClassificationString | None | Optional |
None |
data | Keyword | None | Optional |
None |
failure_pattern | Keyword | None | Optional |
None |
method | Enum | Method used to call the URL Supported values are: "GET", "POST" |
Yes |
GET |
url | Keyword | Url to fetch the file via SHA256 from (Uses replace pattern) | Yes |
None |
replace_pattern | Keyword | Pattern to replace in the URL with the SHA256 | Yes |
None |
headers | Mapping [String, Keyword] | Headers used to connect to the URL | Yes |
{} |
proxies | Mapping [String, Keyword] | Proxy used to connect to the URL | Yes |
{} |
verify | Boolean | Should the download function Verify SSL connections? | Yes |
True |
TagTypes¶
None
Field | Type | Description | Required | Default |
---|---|---|---|---|
attribution | List [Keyword] | Attibution tags | Yes |
['attribution.actor', 'attribution.campaign', 'attribution.exploit', 'attribution.implant', 'attribution.family', 'attribution.network', 'av.virus_name', 'file.config', 'technique.obfuscation'] |
behavior | List [Keyword] | Behaviour tags | Yes |
['file.behavior'] |
ioc | List [Keyword] | IOC tags | Yes |
['network.email.address', 'network.static.ip', 'network.static.domain', 'network.static.uri', 'network.dynamic.ip', 'network.dynamic.domain', 'network.dynamic.uri'] |
Verdicts¶
Minimum score value to get the specified verdict, otherwise the file is considered safe.
Field | Type | Description | Required | Default |
---|---|---|---|---|
info | Integer | Minimum score for the verdict to be Informational. | Yes |
0 |
suspicious | Integer | Minimum score for the verdict to be Suspicious. | Yes |
300 |
highly_suspicious | Integer | Minimum score for the verdict to be Highly Suspicious. | Yes |
700 |
malicious | Integer | Minimum score for the verdict to be Malicious. | Yes |
1000 |
System¶
System Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
constants | Keyword | Module path to the assemblyline constants | Yes |
assemblyline.common.constants |
organisation | Text | Organisation acronym used for signatures | Yes |
ACME |
type | Enum | Type of system Supported values are: "development", "production", "staging" |
Yes |
production |
UI¶
UI Configuration
Field | Type | Description | Required | Default |
---|---|---|---|---|
ai | AI | AI support for the UI | Yes |
See AI for more details. |
ai_backends | AIBackends | AI Multi-backends support for the UI | Yes |
See AIBackends for more details. |
alerting_meta | AlertingMeta | Alerting metadata fields | Yes |
See AlertingMeta for more details. |
allow_malicious_hinting | Boolean | Allow user to tell in advance the system that a file is malicious? | Yes |
False |
allow_raw_downloads | Boolean | Allow user to download raw files? | Yes |
True |
allow_zip_downloads | Boolean | Allow user to download files as password protected ZIPs? | Yes |
True |
allow_replay | Boolean | Allow users to request replay on another server? | Yes |
False |
allow_url_submissions | Boolean | Allow file submissions via url? | Yes |
True |
api_proxies | Mapping [String, APIProxies] | Proxy requests to the configured API target and add headers | Yes |
See APIProxies for more details. |
audit | Boolean | Should API calls be audited and saved to a separate log file? | Yes |
True |
audit_login | Boolean | Should login successes and failures be part of the audit log as well? | Yes |
False |
banner | Mapping [String, Keyword] | Banner message display on the main page (format: { |
Optional |
None |
banner_level | Enum | Banner message level Supported values are: "error", "info", "success", "warning" |
Yes |
info |
debug | Boolean | Enable debugging? | Yes |
False |
default_quotas | Quotas | Default API quotas values | Yes |
See Quotas for more details. |
discover_url | Keyword | Discover URL | Optional |
None |
download_encoding | Enum | Which encoding will be used for downloads? Supported values are: "cart", "raw", "zip" |
Yes |
cart |
default_zip_password | Text | Default user-defined password for creating password protected ZIPs when downloading files | Optional |
infected |
Assemblyline admins email address | Optional |
None |
||
enforce_quota | Boolean | Enforce the user's quotas? | Yes |
True |
external_links | List [ExternalLinks] | List of external pivot links | Yes |
[] |
external_sources | List [ExternalSource] | List of external sources to query | Yes |
[] |
fqdn | Text | Fully qualified domain name to use for the 2-factor authentication validation | Yes |
localhost |
ingest_max_priority | Integer | Maximum priority for ingest API | Yes |
250 |
read_only | Boolean | Turn on read only mode in the UI | Yes |
False |
read_only_offset | Keyword | Offset of the read only mode for all paging and searches | Yes |
`` |
rss_feeds | List [Keyword] | List of RSS feeds to display on the UI | Yes |
['https://alpytest.blob.core.windows.net/pytest/stable.json', 'https://alpytest.blob.core.windows.net/pytest/services.json', 'https://alpytest.blob.core.windows.net/pytest/community.json', 'https://alpytest.blob.core.windows.net/pytest/blog.json'] |
services_feed | Keyword | Feed of all the services built by the Assemblyline Team | Yes |
https://alpytest.blob.core.windows.net/pytest/services.json |
community_feed | Keyword | Feed of all the services built by the Assemblyline community. | Yes |
https://alpytest.blob.core.windows.net/pytest/community.json |
secret_key | Keyword | Flask secret key to store cookies, etc. | Yes |
This is the default flask secret key... you should change this! |
session_duration | Integer | Duration of the user session before the user has to login again | Yes |
3600 |
statistics | Statistics | Statistics configuration | Yes |
See Statistics for more details. |
tos | Text | Terms of service | Optional |
None |
tos_lockout | Boolean | Lock out user after accepting the terms of service? | Yes |
False |
tos_lockout_notify | List [Keyword] | List of admins to notify when a user gets locked out | Optional |
None |
url_submission_auto_service_selection | List [Keyword] | List of services auto-selected by the UI when submitting URLs | Yes |
['URLDownloader'] |
url_submission_headers | Mapping [String, Keyword] | Headers used by the url_download method | Optional |
None |
url_submission_proxies | Mapping [String, Keyword] | Proxy used by the url_download method | Optional |
None |
url_submission_timeout | Integer | Request timeout for fetching URLs | Yes |
15 |
validate_session_ip | Boolean | Validate if the session IP matches the IP the session was created from | Yes |
True |
validate_session_useragent | Boolean | Validate if the session useragent matches the useragent the session was created with | Yes |
True |
AI¶
AI support configuration block
Field | Type | Description | Required | Default |
---|---|---|---|---|
chat_url | Keyword | URL to the AI API | Yes |
https://api.openai.com/v1/chat/completions |
api_type | Enum | Type of chat API we are communicating with Supported values are: "cohere", "openai" |
Yes |
openai |
assistant | AIQueryParams | Parameters used for Assamblyline Assistant | Yes |
None |
code | AIQueryParams | Parameters used for code analysis | Yes |
None |
detailed_report | AIQueryParams | Parameters used for detailed reports | Yes |
None |
executive_summary | AIQueryParams | Parameters used for executive summaries | Yes |
None |
enabled | Boolean | Is AI support enabled? | Yes |
False |
headers | Mapping [String, Keyword] | Headers used by the _call_ai_backend method | Optional |
None |
model_name | Keyword | Name of the model to be used for the AI analysis. | Yes |
gpt-3.5-turbo |
verify | Boolean | Should the SSL connection to the AI API be verified. | Yes |
True |
proxies | Mapping [String, Keyword] | Proxies used by the _call_ai_backend method | Optional |
None |
AIQueryParams¶
Parameters used during a AI query
Field | Type | Description | Required | Default |
---|---|---|---|---|
system_message | Keyword | System message used for the query. | Yes |
None |
task | Keyword | Task description sent to the AI | Yes |
`` |
max_tokens | Integer | Maximum ammount of token used for the response. | Yes |
None |
options | Mapping [String, Any] | Other kwargs options directly passed to the API. | Optional |
None |
AIBackends¶
AI Multi-Backend support configuration block
Field | Type | Description | Required | Default |
---|---|---|---|---|
enabled | Boolean | Is AI support enabled? | Yes |
False |
api_connections | List [AIConnection] | List of API definitions use in the API Pool | Yes |
[{'chat_url': 'https://api.openai.com/v1/chat/completions', 'api_type': 'openai', 'headers': {'Content-Type': 'application/json'}, 'model_name': 'gpt-3.5-turbo', 'proxies': None, 'verify': True}, {'chat_url': 'https://api.openai.com/v1/chat/completions', 'api_type': 'openai', 'headers': {'Content-Type': 'application/json'}, 'model_name': 'gpt-4', 'proxies': None, 'verify': True}] |
function_params | AIFunctionParameters | Definition of each parameters used in the different AI functions | Yes |
None |
AIConnection¶
Connection information to an AI backend
Field | Type | Description | Required | Default |
---|---|---|---|---|
api_type | Enum | Type of chat API we are communicating with Supported values are: "cohere", "openai" |
Yes |
None |
chat_url | Keyword | URL to the AI API | Yes |
None |
headers | Mapping [String, Keyword] | Headers used by the _call_ai_backend method | Optional |
{} |
model_name | Keyword | Name of the model to be used for the AI analysis. | Yes |
None |
proxies | Mapping [String, Keyword] | Proxies used by the _call_ai_backend method | Optional |
None |
use_fic | Boolean | Use Federated Identity Credentials to login | Yes |
False |
verify | Boolean | Should the SSL connection to the AI API be verified. | Yes |
True |
AIFunctionParameters¶
Definition of each parameters used in the different AI functions
Field | Type | Description | Required | Default |
---|---|---|---|---|
assistant | AIQueryParams | Parameters used for Assamblyline Assistant | Yes |
None |
code | AIQueryParams | Parameters used for code analysis | Yes |
None |
detailed_report | AIQueryParams | Parameters used for detailed reports | Yes |
None |
executive_summary | AIQueryParams | Parameters used for executive summaries | Yes |
None |
AIQueryParams¶
Parameters used during a AI query
Field | Type | Description | Required | Default |
---|---|---|---|---|
system_message | Keyword | System message used for the query. | Yes |
None |
task | Keyword | Task description sent to the AI | Yes |
`` |
max_tokens | Integer | Maximum ammount of token used for the response. | Yes |
None |
options | Mapping [String, Any] | Other kwargs options directly passed to the API. | Optional |
None |
APIProxies¶
Configuration for connecting to a retrohunt service.
Field | Type | Description | Required | Default |
---|---|---|---|---|
url | Keyword | URL to redirect to | Yes |
None |
verify | Boolean | Should we verify the cert or not | Yes |
True |
headers | List [HeaderValue] | Headers to add to the request | Yes |
[] |
public | Mapping [String, Any] | Parameters to be sent to the Frontend. | Optional |
None |
HeaderValue¶
Header value
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name of the header | Yes |
None |
value | Keyword | None | Optional |
None |
key | Keyword | None | Optional |
None |
AlertingMeta¶
Alerting Metadata
Field | Type | Description | Required | Default |
---|---|---|---|---|
important | List [Keyword] | Metadata keys that are considered important | Yes |
['original_source', 'protocol', 'subject', 'submitted_url', 'source_url', 'url', 'web_url', 'from', 'to', 'cc', 'bcc', 'ip_src', 'ip_dst', 'source'] |
subject | List [Keyword] | Metadata keys that refer to an email's subject | Yes |
['subject'] |
url | List [Keyword] | Metadata keys that refer to a URL | Yes |
['submitted_url', 'source_url', 'url', 'web_url'] |
ExternalLinks¶
External links that specific metadata and tags can pivot to
Field | Type | Description | Required | Default |
---|---|---|---|---|
allow_bypass | Boolean | If the classification of the item is higher than the max_classificaiton, can we let the user bypass the check and still query the external link? | Yes |
False |
name | Keyword | Name of the link | Yes |
None |
double_encode | Boolean | Should the replaced value be double encoded? | Yes |
False |
classification | ClassificationString | None | Optional |
None |
max_classification | ClassificationString | None | Optional |
None |
replace_pattern | Keyword | Pattern that will be replaced in the URL with the metadata or tag value | Yes |
None |
targets | List [ExternalLinksTargets] | List of external sources to query | Yes |
[] |
url | Keyword | URL to redirect to | Yes |
None |
ExternalLinksTargets¶
Target definition of an external link
Field | Type | Description | Required | Default |
---|---|---|---|---|
type | Enum | Type of external link target Supported values are: "hash", "metadata", "tag" |
Yes |
None |
key | Keyword | Key that it can be used against | Yes |
None |
ExternalSource¶
Connection details for external systems/data sources.
Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name of the source. | Yes |
None |
classification | ClassificationString | None | Optional |
None |
max_classification | ClassificationString | None | Optional |
None |
url | Keyword | URL of the upstream source's lookup service. | Yes |
None |
Quotas¶
Default API and submission quota values for the system
Field | Type | Description | Required | Default |
---|---|---|---|---|
concurrent_api_calls | Integer | Maximum concurrent API Calls that can be running for a user. | Yes |
10 |
concurrent_submissions | Integer | Maximum concurrent Submission that can be running for a user. | Yes |
5 |
concurrent_async_submissions | Integer | Maximum concurrent asynchroneous Submission that can be running for a user. | Yes |
0 |
daily_api_calls | Integer | Maximum daily API calls a user can issue. | Yes |
0 |
daily_submissions | Integer | Maximum daily submission a user can do. | Yes |
0 |
Statistics¶
Statistics
Field | Type | Description | Required | Default |
---|---|---|---|---|
alert | List [Keyword] | Fields used to generate statistics in the Alerts page | Yes |
['al.attrib', 'al.av', 'al.behavior', 'al.domain', 'al.ip', 'al.yara', 'file.name', 'file.md5', 'owner'] |
submission | List [Keyword] | Fields used to generate statistics in the Submissions page | Yes |
['params.submitter'] |