Skip to content

Config

Assemblyline Deployment Configuration

Field Type Description Required Default
auth Auth Authentication module configuration
Yes
 See Auth for more details.
core Core Core component configuration
Yes
 See Core for more details.
datastore Datastore Datastore configuration
Yes
 See Datastore for more details.
datasources Mapping [String, Datasource] Datasources configuration
Yes
 See Datasource for more details.
filestore Filestore Filestore configuration
Yes
 See Filestore for more details.
logging Logging Logging configuration
Yes
 See Logging for more details.
retrohunt Retrohunt Retrohunt configuration for the frontend and server.
Yes
 See Retrohunt for more details.
services Services Service configuration
Yes
 See Services for more details.
submission Submission Options for how submissions will be processed
Yes
 See Submission for more details.
system System System configuration
Yes
 See System for more details.
ui UI UI configuration parameters
Yes
 See UI for more details.

Auth

Authentication Methods

Field Type Description Required Default
allow_2fa Boolean Allow 2FA?
Yes
 True
allow_apikeys Boolean Allow API keys?
Yes
 True
apikey_max_dtl Integer None
Optional
 None
allow_extended_apikeys Boolean Allow extended API keys?
Yes
 True
allow_security_tokens Boolean Allow security tokens?
Yes
 True
internal Internal Internal authentication settings
Yes
 See Internal for more details.
ldap LDAP LDAP settings
Yes
 See LDAP for more details.
oauth OAuth OAuth settings
Yes
 See OAuth for more details.
saml SAML SAML settings
Yes
 See SAML for more details.

Internal

Internal Authentication Configuration

Field Type Description Required Default
enabled Boolean Internal authentication allowed?
Yes
 True
failure_ttl Integer How long to wait after max_failures before re-attempting login?
Yes
 60
max_failures Integer Maximum number of fails allowed before timeout
Yes
 5
password_requirements PasswordRequirement Password requirements
Yes
 See PasswordRequirement for more details.
signup Signup Signup method
Yes
 See Signup for more details.

PasswordRequirement

Password Requirement

Field Type Description Required Default
lower Boolean Password must contain lowercase letters
Yes
 False
number Boolean Password must contain numbers
Yes
 False
special Boolean Password must contain special characters
Yes
 False
upper Boolean Password must contain uppercase letters
Yes
 False
min_length Integer Minimum password length
Yes
 12

Signup

Signup Configuration

Field Type Description Required Default
enabled Boolean Can a user automatically signup for the system
Yes
 False
smtp SMTP Signup via SMTP
Yes
 See SMTP for more details.
notify Notify Signup via GC Notify
Yes
 See Notify for more details.
valid_email_patterns List [Keyword] Email patterns that will be allowed to automatically signup for an account
Yes
 ['.*', '.*@localhost']
Notify

Configuration block for GC Notify signup and password reset

Field Type Description Required Default
base_url Keyword Base URL
Optional
 None
api_key Keyword API key
Optional
 None
registration_template Keyword Registration template
Optional
 None
password_reset_template Keyword Password reset template
Optional
 None
authorization_template Keyword Authorization template
Optional
 None
activated_template Keyword Activated Template
Optional
 None
SMTP

Configuration block for SMTP signup and password reset

Field Type Description Required Default
from_adr Keyword Email address used for sender
Optional
 None
host Keyword SMTP host
Optional
 None
password Keyword Password for SMTP server
Optional
 None
port Integer Port of SMTP server
Yes
 587
tls Boolean Should we communicate with SMTP server via TLS?
Yes
 True
user Keyword User to authenticate to the SMTP server
Optional
 None

LDAP

LDAP Configuration

Field Type Description Required Default
enabled Boolean Should LDAP be enabled or not?
Yes
 False
admin_dn Keyword DN of the group or the user who will get admin privileges
Optional
 None
bind_user Keyword User use to query the LDAP server
Optional
 None
bind_pass Keyword Password used to query the LDAP server
Optional
 None
auto_create Boolean Auto-create users if they are missing
Yes
 True
auto_sync Boolean Should we automatically sync with LDAP server on each login?
Yes
 True
auto_properties List [AutoProperty] Automatic role and classification assignments
Yes
 []
base Keyword Base DN for the users
Yes
 ou=people,dc=assemblyline,dc=local
classification_mappings Any Classification mapping
Yes
 None
email_field Keyword Name of the field containing the email address
Yes
 mail
group_lookup_query Keyword How the group lookup is queried
Yes
 (&(objectClass=Group)(member=%s))
group_lookup_with_uid Boolean Use username/uid instead of dn for group lookup
Yes
 False
image_field Keyword Name of the field containing the user's avatar
Yes
 jpegPhoto
image_format Keyword Type of image used to store the avatar
Yes
 jpeg
name_field Keyword Name of the field containing the user's name
Yes
 cn
signature_importer_dn Keyword DN of the group or the user who will get signature_importer role
Optional
 None
signature_manager_dn Keyword DN of the group or the user who will get signature_manager role
Optional
 None
uid_field Keyword Field name for the UID
Yes
 uid
uri Keyword URI to the LDAP server
Yes
 ldap://localhost:389

AutoProperty

None

Field Type Description Required Default
field Keyword Field to apply pattern to
Yes
 None
pattern Keyword Regex pattern for auto-prop assignment
Yes
 None
type Enum Type of property assignment on pattern match
Supported values are:
"access", "api_daily_quota", "api_quota", "classification", "group", "multi_group", "remove_role", "role", "submission_async_quota", "submission_daily_quota", "submission_quota", "type"
Yes
 None
value List [Keyword] Assigned property value
Yes
 []

OAuth

OAuth Configuration

Field Type Description Required Default
enabled Boolean Enable use of OAuth?
Yes
 False
gravatar_enabled Boolean Enable gravatar?
Yes
 True
providers Mapping [String, OAuthProvider] OAuth provider configuration
Yes
 See OAuthProvider for more details.

OAuthProvider

OAuth Provider Configuration

Field Type Description Required Default
auto_create Boolean Auto-create users if they are missing
Yes
 True
auto_sync Boolean Should we automatically sync with OAuth provider?
Yes
 False
auto_properties List [AutoProperty] Automatic role and classification assignments
Yes
 []
app_provider AppProvider None
Optional
 None
uid_randomize Boolean Should we generate a random username for the authenticated user?
Yes
 False
uid_randomize_digits Integer How many digits should we add at the end of the username?
Yes
 0
uid_randomize_delimiter Keyword What is the delimiter used by the random name generator?
Yes
 -
uid_regex Keyword Regex used to parse an email address and capture parts to create a user ID out of it
Optional
 None
uid_format Keyword Format of the user ID based on the captured parts from the regex
Optional
 None
client_id Keyword ID of your application to authenticate to the OAuth provider
Optional
 None
client_secret Keyword Password to your application to authenticate to the OAuth provider
Optional
 None
redirect_uri Keyword URI to redirect to after authentication with OAuth provider
Optional
 None
request_token_url Keyword URL to request token
Optional
 None
request_token_params Mapping [String, Keyword] Parameters to request token
Optional
 None
access_token_url Keyword URL to get access token
Optional
 None
access_token_params Mapping [String, Keyword] Parameters to get access token
Optional
 None
authorize_url Keyword URL used to authorize access to a resource
Optional
 None
authorize_params Mapping [String, Keyword] Parameters used to authorize access to a resource
Optional
 None
api_base_url Keyword Base URL for downloading the user's and groups info
Optional
 None
client_kwargs Mapping [String, Keyword] Keyword arguments passed to the different URLs
Optional
 None
jwks_uri Keyword URL used to verify if a returned JWKS token is valid
Optional
 None
jwt_token_alg Keyword Algorythm use the validate JWT OBO tokens
Yes
 RS256
uid_field Keyword Name of the field that will contain the user ID
Optional
 None
user_get Keyword Path from the base_url to fetch the user info
Optional
 None
user_groups Keyword Path from the base_url to fetch the group info
Optional
 None
user_groups_data_field Keyword Field return by the group info API call that contains the list of groups
Optional
 None
user_groups_name_field Keyword Name of the field in the list of groups that contains the name of the group
Optional
 None
use_new_callback_format Boolean Should we use the new callback method?
Yes
 False
allow_external_tokens Boolean Should token provided to the login API directly be use for authentication?
Yes
 False
external_token_alternate_audiences List [Keyword] List of valid alternate audiences for the external token.
Yes
 []
email_fields List [Keyword] List of fields in the claim to get the email from
Yes
 ['email', 'emails', 'extension_selectedEmailAddress', 'otherMails', 'preferred_username', 'upn']
username_field Keyword Name of the field that will contain the username
Yes
 uname
validate_token_with_secret Boolean Should we send the client secret while validating the access token?
Yes
 False
identity_id_field Keyword Field to fetch the managed identity ID from.
Yes
 oid
AppProvider

App provider

Field Type Description Required Default
access_token_url Keyword URL used to get the access token
Yes
 None
user_get Keyword Path from the base_url to fetch the user info
Optional
 None
group_get Keyword Path from the base_url to fetch the group info
Optional
 None
scope Keyword None
Yes
 None
client_id Keyword ID of your application to authenticate to the OAuth
Optional
 None
client_secret Keyword Password to your application to authenticate to the OAuth provider
Optional
 None
AutoProperty

None

Field Type Description Required Default
field Keyword Field to apply pattern to
Yes
 None
pattern Keyword Regex pattern for auto-prop assignment
Yes
 None
type Enum Type of property assignment on pattern match
Supported values are:
"access", "api_daily_quota", "api_quota", "classification", "group", "multi_group", "remove_role", "role", "submission_async_quota", "submission_daily_quota", "submission_quota", "type"
Yes
 None
value List [Keyword] Assigned property value
Yes
 []

SAML

SAML Configuration

Field Type Description Required Default
enabled Boolean Enable use of SAML?
Yes
 False
auto_create Boolean Auto-create users if they are missing
Yes
 True
auto_sync Boolean Should we automatically sync with SAML server on each login?
Yes
 True
lowercase_urlencoding Boolean Enable lowercase encoding if using ADFS as IdP
Yes
 False
attributes SAMLAttributes SAML attributes
Yes
 See SAMLAttributes for more details.
settings SAMLSettings SAML settings method
Yes
 See SAMLSettings for more details.

SAMLAttributes

SAML Attributes

Field Type Description Required Default
username_attribute Keyword SAML attribute name for AL username
Optional
 uid
email_attribute Keyword SAML attribute name for a user's email address
Yes
 email
fullname_attribute Keyword SAML attribute name for a user's first name
Yes
 name
groups_attribute Keyword SAML attribute name for the groups
Yes
 groups
roles_attribute Keyword SAML attribute name for the roles
Yes
 roles
group_type_mapping Mapping [String, Keyword] SAML group to role mapping
Yes
 {}

SAMLSettings

SAML Settings

Field Type Description Required Default
strict Boolean Should we be strict in our SAML checks?
Yes
 False
debug Boolean Should we be in debug mode?
Yes
 False
sp SAMLServiceProvider SP settings
Yes
 None
idp SAMLIdentityProvider IDP settings
Yes
 None
security SAMLSecurity Security settings
Optional
 None
contact_person SAMLContacts Contact settings
Optional
 None
organization Mapping [String, SAMLOrganization] Organization settings
Optional
 None
SAMLContacts

SAML Contacts

Field Type Description Required Default
technical SAMLContactPerson Technical Contact
Yes
 None
support SAMLContactPerson Support Contact
Yes
 None
SAMLContactPerson

SAML Contact Entry

Field Type Description Required Default
given_name Keyword Given Name
Yes
 None
email_address Keyword Email Address
Yes
 None
SAMLIdentityProvider

SAML Identity Provider

Field Type Description Required Default
entity_id Keyword Entity ID
Yes
 None
single_sign_on_service SAMLSingleSignOnService Single Sign On Service
Yes
 None
x509cert Keyword X509 Certificate
Optional
 None
SAMLSingleSignOnService

SAML Single Sign On Service

Field Type Description Required Default
url Keyword URL
Yes
 None
binding Keyword Binding
Yes
 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
SAMLOrganization

SAML Organization

Field Type Description Required Default
name Keyword Name
Yes
 None
display_name Keyword Display Name
Yes
 None
url Keyword URL
Yes
 None
SAMLSecurity

SAML Security

Field Type Description Required Default
name_id_encrypted Boolean Name ID Encrypted
Optional
 None
authn_requests_signed Boolean Authn Requests Signed
Optional
 None
logout_request_signed Boolean Logout Request Signed
Optional
 None
logout_response_signed Boolean Logout Response Signed
Optional
 None
sign_metadata Boolean Sign Metadata
Optional
 None
want_messages_signed Boolean Want Messages Signed
Optional
 None
want_assertions_signed Boolean Want Assertions Signed
Optional
 None
want_assertions_encrypted Boolean Want Assertions Encrypted
Optional
 None
want_name_id Boolean Want Name ID
Optional
 None
want_name_id_encrypted Boolean Want Name ID Encrypted
Optional
 None
want_attribute_statement Boolean Want Attribute Statement
Optional
 None
requested_authn_context Boolean Requested Authn Context
Optional
 None
requested_authn_context_comparison Keyword Requested Authn Context Comparison
Optional
 None
fail_on_authn_context_mismatch Boolean Fail On Authn Context Mismatch
Optional
 None
metadata_valid_until Keyword Metadata Valid Until
Optional
 None
metadata_cache_duration Keyword Metadata Cache Duration
Optional
 None
allow_single_label_domains Boolean Allow Single Label Domains
Optional
 None
signature_algorithm Keyword Signature Algorithm
Optional
 None
digest_algorithm Keyword Digest Algorithm
Optional
 None
allow_repeat_attribute_name Boolean Allow Repeat Attribute Name
Optional
 None
reject_deprecated_algorithm Boolean Reject Deprecated Algorithm
Optional
 None
SAMLServiceProvider

SAML Service Provider

Field Type Description Required Default
entity_id Keyword Entity ID
Yes
 None
assertion_consumer_service SAMLAssertionConsumerService Assertion Consumer Service
Yes
 None
attribute_consuming_service SAMLAttributeConsumingService Attribute Consuming Service
Optional
 None
name_id_format Keyword Name ID Format
Yes
 urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
x509cert Keyword X509 Certificate
Optional
 None
private_key Keyword Private Key
Optional
 None
SAMLAssertionConsumerService

SAML Assertion Consumer Service

Field Type Description Required Default
url Keyword URL
Yes
 None
binding Keyword Binding
Yes
 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SAMLAttributeConsumingService

SAML Attribute Consuming Service

Field Type Description Required Default
service_name Keyword Service Name
Yes
 None
service_description Keyword Service Description
Yes
 None
requested_attributes List [SAMLRequestedAttribute] Requested Attributes
Yes
 []
# SAMLRequestedAttribute

SAML Attribute

Field Type Description Required Default
name Keyword Name
Yes
 None
is_required Boolean Is required?
Yes
 False
name_format Keyword Name Format
Yes
 urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
friendly_name Keyword Friendly Name
Yes
 ``
attribute_value List [Keyword] Attribute Value
Yes
 []

Core

Core Component Configuration

Field Type Description Required Default
alerter Alerter Configuration for Alerter
Yes
 See Alerter for more details.
archiver Archiver Configuration for the permanent submission archive
Yes
 See Archiver for more details.
dispatcher Dispatcher Configuration for Dispatcher
Yes
 See Dispatcher for more details.
expiry Expiry Configuration for Expiry
Yes
 See Expiry for more details.
ingester Ingester Configuration for Ingester
Yes
 See Ingester for more details.
metrics Metrics Configuration for Metrics Collection
Yes
 See Metrics for more details.
plumber Plumber Configuration for system cleanup
Yes
 See Plumber for more details.
redis Redis Configuration for Redis instances
Yes
 See Redis for more details.
scaler Scaler Configuration for Scaler
Yes
 See Scaler for more details.
updater Updater Configuration for Updater
Yes
 See Updater for more details.
vacuum Vacuum Configuration for Vacuum
Yes
 See Vacuum for more details.

Alerter

Alerter Configuration

Field Type Description Required Default
alert_ttl Integer Time to live (days) for an alert in the system
Yes
 90
default_group_field Keyword Default field used for alert grouping view
Yes
 file.sha256
delay Integer Time in seconds that we give extended scans and workflow to complete their work before we start showing alerts in the alert viewer.
Yes
 300
filtering_group_fields List [Keyword] List of group fields that when selected will ignore certain alerts where this field is missing.
Yes
 ['file.name', 'status', 'priority']
non_filtering_group_fields List [Keyword] List of group fields that are sure to be present in all alerts.
Yes
 ['file.md5', 'file.sha1', 'file.sha256']
process_alert_message Keyword Python path to the function that will process an alert message.
Yes
 assemblyline_core.alerter.processing.process_alert_message
threshold Integer Minimum score to reach for a submission to be considered an alert.
Yes
 500

Archiver

Malware Archive Configuration

Field Type Description Required Default
alternate_dtl Integer Alternate number of days to keep the data in the malware archive. (0: Disabled, will keep data forever)
Yes
 0
minimum_required_services List [Keyword] List of minimum required service before archiving takes place
Yes
 []
webhook Webhook Webhook to call before triggering the archiving process
Optional
 None
use_webhook Boolean None
Optional
 False

Webhook

Webhook Configuration

Field Type Description Required Default
password Keyword Password used to authenticate with source
Optional
 ``
ca_cert Keyword CA cert for source
Optional
 ``
ssl_ignore_errors Boolean Ignore SSL errors when reaching out to source?
Yes
 False
proxy Keyword Proxy server for source
Optional
 ``
method Keyword HTTP method used to access webhook
Yes
 POST
uri Keyword URI to source
Yes
 None
username Keyword Username used to authenticate with source
Optional
 ``
headers List [NamedValue] Headers
Yes
 []
retries Integer None
Yes
 3
NamedValue

Named Value

Field Type Description Required Default
name Keyword Name
Yes
 None
value Keyword Value
Yes
 None

Dispatcher

Dispatcher Configuration

Field Type Description Required Default
timeout Integer Time between re-dispatching attempts, as long as some action (submission or any task completion) happens before this timeout ends, the timeout resets.
Yes
 900
max_inflight Integer Maximum submissions allowed to be in-flight
Yes
 1000

Expiry

None

Field Type Description Required Default
batch_delete Boolean Perform expiry in batches?
Delete queries are rounded by day therefore all delete operation happen at the same time at midnight
Yes
 False
delay Integer Delay, in hours, that will be applied to the expiry query so we can keepdata longer then previously set or we can offset deletion during non busy hours
Yes
 0
delete_storage Boolean Should we also cleanup the file storage?
Yes
 True
sleep_time Integer Time, in seconds, to sleep in between each expiry run
Yes
 15
workers Integer Number of concurrent workers
Yes
 20
delete_workers Integer Worker processes for file storage deletes.
Yes
 2
iteration_max_tasks Integer How many query chunks get run per iteration.
Yes
 50
delete_batch_size Integer How large a batch get deleted per iteration.
Yes
 2000
safelisted_tag_dtl Integer The default period, in days, before tags expire from Safelist
Yes
 0
badlisted_tag_dtl Integer The default period, in days, before tags expire from Badlist
Yes
 0

Ingester

Ingester Configuration

Field Type Description Required Default
always_create_submission Boolean Always create submissions even on cache hit?
Yes
 False
default_user Keyword Default user for bulk ingestion and unattended submissions
Yes
 internal
default_services List [Keyword] Default service selection
Yes
 []
default_resubmit_services List [Keyword] Default service selection for resubmits
Yes
 []
description_prefix Keyword A prefix for descriptions. When a description is automatically generated, it will be the hash prefixed by this string
Yes
 Bulk
is_low_priority Keyword Path to a callback function filtering ingestion tasks that should have their priority forcefully reset to low
Yes
 assemblyline.common.null.always_false
get_whitelist_verdict Keyword None
Yes
 assemblyline.common.signaturing.drop
whitelist Keyword None
Yes
 assemblyline.common.null.whitelist
default_max_extracted Integer How many extracted files may be added to a Submission. Overrideable via submission parameters.
Yes
 100
default_max_supplementary Integer How many supplementary files may be added to a Submission. Overrideable via submission parameters
Yes
 100
expire_after Integer Period, in seconds, in which a task should be expired
Yes
 1296000
stale_after_seconds Integer Drop a task altogether after this many seconds
Yes
 86400
incomplete_expire_after_seconds Integer How long should scores be kept before expiry
Yes
 3600
incomplete_stale_after_seconds Integer How long should scores be cached in the ingester
Yes
 1800
sampling_at Mapping [String, Integer] Thresholds at certain buckets before sampling
Yes
 None
max_inflight Integer How long can a queue get before we start dropping files
Yes
 500
cache_dtl Integer How long are files results cached
Yes
 2

Metrics

Metrics Configuration

Field Type Description Required Default
apm_server APMServer APM server configuration
Yes
 See APMServer for more details.
elasticsearch ESMetrics Where to export metrics?
Yes
 See ESMetrics for more details.
export_interval Integer How often should we be exporting metrics?
Yes
 5
redis RedisServer Redis for Dashboard metrics
Yes
 See RedisServer for more details.

APMServer

None

Field Type Description Required Default
server_url Keyword URL to API server
Optional
 None
token Keyword Authentication token for server
Optional
 None

ESMetrics

None

Field Type Description Required Default
hosts List [Keyword] Elasticsearch hosts
Optional
 None
host_certificates Keyword Host certificates
Optional
 None
warm Integer How long, per unit of time, should a document remain in the 'warm' tier?
Yes
 2
cold Integer How long, per unit of time, should a document remain in the 'cold' tier?
Yes
 30
delete Integer How long, per unit of time, should a document remain before being deleted?
Yes
 90
unit Enum Unit of time used by warm, cold, delete phases
Supported values are:
"d", "h", "m"
Yes
 d

RedisServer

Redis Service configuration

Field Type Description Required Default
host Keyword Hostname of Redis instance
Yes
 127.0.0.1
port Integer Port of Redis instance
Yes
 6379

Plumber

Plumber Configuration

Field Type Description Required Default
notification_queue_interval Integer Interval at which the notification queue cleanup should run
Yes
 1800
notification_queue_max_age Integer Max age in seconds notification queue messages can be
Yes
 86400

Redis

Redis Configuration

Field Type Description Required Default
nonpersistent RedisServer A volatile Redis instance
Yes
 See RedisServer for more details.
persistent RedisServer A persistent Redis instance
Yes
 See RedisServer for more details.

RedisServer

Redis Service configuration

Field Type Description Required Default
host Keyword Hostname of Redis instance
Yes
 127.0.0.1
port Integer Port of Redis instance
Yes
 6379

Scaler

None

Field Type Description Required Default
service_defaults ScalerServiceDefaults Defaults Scaler will assign to a service.
Yes
 None
cpu_overallocation Float Percentage of CPU overallocation
Yes
 1
memory_overallocation Float Percentage of RAM overallocation
Yes
 1
overallocation_node_limit Integer None
Optional
 None
additional_labels List [Text] Additional labels to be applied to services('=' delimited)
Optional
 None
privileged_services_additional_labels List [Text] Additional labels to be applied to privileged services only('=' delimited)
Optional
 None
linux_node_selector Selector Selector for linux nodes under kubernetes
Yes
 None
cluster_pod_list Boolean Sets if scaler list pods for all namespaces. Disabling this lets you use stricter cluster roles but will make cluster resource usage less accurate, setting a namespace resource quota might be needed.
Yes
 True
enable_pod_security Boolean Launch all containers in compliance with the 'Restricted' pod security standard.
Yes
 False

ScalerServiceDefaults

A set of default values to be used running a service when no other value is set

Field Type Description Required Default
growth Integer Period, in seconds, to wait before scaling up a service deployment
Yes
 None
shrink Integer Period, in seconds, to wait before scaling down a service deployment
Yes
 None
backlog Integer Backlog threshold that dictates scaling adjustments
Yes
 None
min_instances Integer The minimum number of service instances to be running
Yes
 None
environment List [EnvironmentVariable] Environment variables to pass onto services
Yes
 []
mounts List [Mount] A list of volume mounts for every service
Yes
 []
tolerations List [Toleration] Toleration to apply to service pods.
Reference: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
Yes
 []
Mount

A configuration for mounting existing volumes to a container

Field Type Description Required Default
name Keyword Name of volume mount
Yes
 None
path Text Target mount path
Yes
 None
read_only Boolean Should this be mounted as read-only?
Yes
 True
privileged_only Boolean Should this mount only be available for privileged services?
Yes
 False
resource_type Enum Type of mountable Kubernetes resource
Supported values are:
"configmap", "secret", "volume"
Yes
 volume
resource_name Keyword Name of resource (Kubernetes only)
Optional
 None
resource_key Keyword Key of ConfigMap/Secret (Kubernetes only)
Optional
 None
Toleration

Limit a set of kubernetes objects based on a label query.

Field Type Description Required Default
key Keyword The taint key that the toleration applies to
Optional
 None
operator Enum Relationship between taint key and value
Supported values are:
"Equal", "Exists"
Yes
 Equal
value Keyword Taint value the toleration matches to
Optional
 None
effect Enum The taint effect to match.
Supported values are:
"NoExecute", "NoSchedule", "PreferNoSchedule"
Optional
 None
toleration_seconds Integer The period of time the toleration tolerates the taint
Optional
 None

Selector

None

Field Type Description Required Default
field List [FieldSelector] Field selector for resource under kubernetes
Yes
 []
label List [LabelSelector] Label selector for resource under kubernetes
Yes
 []
FieldSelector

Limit a set of kubernetes objects based on a field query.

Field Type Description Required Default
key Keyword Name of a field to select on.
Yes
 None
equal Boolean When true key must equal value, when false it must not
Yes
 True
value Keyword Value to compare field to.
Yes
 None
LabelSelector

Limit a set of kubernetes objects based on a label query.

Field Type Description Required Default
key Keyword Name of label to select on.
Yes
 None
operator Enum Operation to select label with.
Supported values are:
"DoesNotExist", "Exists", "In", "NotIn"
Yes
 None
values List [Keyword] Value list to compare label to.
Yes
 None

Updater

None

Field Type Description Required Default
job_dockerconfig DockerConfigDelta Container configuration used for service registration/updates
Yes
 None
registry_configs List [RegistryConfiguration] Configurations to be used with container registries
Yes
 [{'name': 'registry.hub.docker.com', 'proxies': {}}]

RegistryConfiguration

None

Field Type Description Required Default
name Text Name of container registry
Yes
 None
proxies Mapping [String, Text] Proxy configuration that is passed to Python Requests
Optional
 None
token_server Text Token server name to facilitate anonymous pull access
Optional
 None

Vacuum

None

Field Type Description Required Default
list_cache_directory Keyword None
Yes
 /cache/
worker_cache_directory Keyword None
Yes
 /memory/
data_directories List [Keyword] None
Yes
 []
file_directories List [Keyword] None
Yes
 []
assemblyline_user Keyword None
Yes
 vacuum-service-account
department_map_url Keyword None
Optional
 None
department_map_init Keyword None
Optional
 None
stream_map_url Keyword None
Optional
 None
stream_map_init Keyword None
Optional
 None
safelist List [VacuumSafelistItem] None
Yes
 []
worker_threads Integer None
Yes
 50
worker_rollover Integer None
Yes
 1000
minimum_classification Keyword None
Yes
 U
ingest_type Keyword None
Yes
 VACUUM

VacuumSafelistItem

None

Field Type Description Required Default
name Keyword None
Yes
 None
conditions Mapping [String, Keyword] None
Yes
 None

Datasource

Datasource Configuration

Field Type Description Required Default
classpath Keyword None
Yes
 None
config Mapping [String, Keyword] None
Yes
 None

Datastore

Datastore Configuration

Field Type Description Required Default
hosts List [Keyword] List of hosts used for the datastore
Yes
 ['http://elastic:devpass@localhost:9200']
archive Archive Datastore Archive feature configuration
Yes
 See Archive for more details.
cache_dtl Integer Default cache lenght for computed indices (submission_tree, submission_summary...
Yes
 5
type Enum Type of application used for the datastore
Supported values are:
"elasticsearch"
Yes
 elasticsearch

Archive

Datastore Archive feature configuration

Field Type Description Required Default
enabled Boolean Are we enabling Achiving features across indices?
Yes
 False
indices List [Keyword] List of indices the ILM Applies to
Yes
 ['file', 'submission', 'result']

Filestore

Filestore Configuration

Field Type Description Required Default
archive List [Keyword] List of filestores used for malware archive
Yes
 ['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-archive&use_ssl=False']
cache List [Keyword] List of filestores used for caching
Yes
 ['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-cache&use_ssl=False']
storage List [Keyword] List of filestores used for storage
Yes
 ['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-storage&use_ssl=False']

Logging

Model Definition for the Logging Configuration

Field Type Description Required Default
log_level Enum What level of logging should we have?
Supported values are:
"CRITICAL", "DEBUG", "DISABLED", "ERROR", "INFO", "WARNING"
Yes
 INFO
log_to_console Boolean Should we log to console?
Yes
 True
log_to_file Boolean Should we log to files on the server?
Yes
 False
log_directory Keyword If log_to_file: true, what is the directory to store logs?
Yes
 /var/log/assemblyline/
log_to_syslog Boolean Should logs be sent to a syslog server?
Yes
 False
syslog_host Keyword If log_to_syslog: true, provide hostname/IP of the syslog server?
Yes
 localhost
syslog_port Integer If log_to_syslog: true, provide port of the syslog server?
Yes
 514
export_interval Integer How often, in seconds, should counters log their values?
Yes
 5
log_as_json Boolean Log in JSON format?
Yes
 True
heartbeat_file Keyword Add a health check to core components.
If true, core components will touch this path regularly to tell the container environment it is healthy
Optional
 /tmp/heartbeat

Retrohunt

Configuration for connecting to a retrohunt service.

Field Type Description Required Default
enabled Boolean Is the Retrohunt functionnality enabled on the frontend
Yes
 False
dtl Integer Number of days retrohunt jobs will remain in the system by default
Yes
 30
max_dtl Integer Maximum number of days retrohunt jobs will remain in the system
Yes
 0
url Keyword Base URL for service API
Yes
 https://hauntedhouse:4443
api_key Keyword Service API Key
Yes
 ChangeThisDefaultRetroHuntAPIKey!
tls_verify Boolean Should tls certificates be verified
Yes
 True

Services

Services Configuration

Field Type Description Required Default
categories List [Keyword] List of categories a service can be assigned to
Yes
 ['Antivirus', 'Dynamic Analysis', 'External', 'Extraction', 'Filtering', 'Internet Connected', 'Networking', 'Static Analysis']
default_auto_update Boolean Should services be auto-updated?
Yes
 False
default_timeout Integer Default service timeout time in seconds
Yes
 60
stages List [Keyword] List of execution stages a service can be assigned to
Yes
 ['FILTER', 'EXTRACT', 'CORE', 'SECONDARY', 'POST', 'REVIEW']
image_variables Mapping [String, Keyword] Substitution variables for image paths (for custom registry support)
Yes
 None
update_image_variables Mapping [String, Keyword] Similar to image_variables but only applied to the updater. Intended for use with local registries.
Yes
 None
preferred_update_channel Keyword Default update channel to be used for new services
Yes
 stable
allow_insecure_registry Boolean Allow fetching container images from insecure registries
Yes
 False
preferred_registry_type Enum Global registry type to be used for fetching updates for a service (overridable by a service)
Supported values are:
"docker", "harbor"
Yes
 docker
prefer_service_privileged Boolean Global preference that controls if services should be privileged to communicate with core infrastucture
Yes
 False
cpu_reservation Float How much CPU do we want to reserve relative to the service's request?
At 1, a service's full CPU request will be reserved for them.
At 0 (only for very small appliances/dev boxes), the service's CPU will be limited but no CPU will be reserved allowing for more flexible scheduling of containers.
Yes
 0.25
safelist ServiceSafelist None
Yes
 None
registries List [ServiceRegistry] Global set of registries for services
Optional
 []

ServiceRegistry

Pre-Configured Registry Details for Services

Field Type Description Required Default
name Keyword Name of container registry
Yes
 None
type Enum Type of container registry
Supported values are:
"docker", "harbor"
Yes
 docker
username Keyword None
Optional
 None
password Keyword None
Optional
 None
use_fic Boolean Use federated identity credential token instead of user/passwords combinaison (ACR Only)
Yes
 False

ServiceSafelist

Service's Safelisting Configuration

Field Type Description Required Default
enabled Boolean Should services be allowed to check extracted files against safelist?
Yes
 True
hash_types List [Enum] Types of file hashes used for safelist checks
Yes
 ['sha1', 'sha256']
enforce_safelist_service Boolean Should the Safelist service always run on extracted files?
Yes
 False

Submission

Default values for parameters for submissions that may be overridden on a per submission basis

Field Type Description Required Default
default_max_extracted Integer How many extracted files may be added to a submission?
Yes
 500
default_max_supplementary Integer How many supplementary files may be added to a submission?
Yes
 500
dtl Integer Number of days submissions will remain in the system by default
Yes
 30
emptyresult_dtl Integer Number of days emptyresult will remain in the system
Yes
 5
max_dtl Integer Maximum number of days submissions will remain in the system
Yes
 0
max_extraction_depth Integer Maximum files extraction depth
Yes
 6
max_file_size Long Maximum size for files submitted in the system
Yes
 104857600
max_metadata_length Integer Maximum length for each metadata values
Yes
 4096
max_temp_data_length Integer Maximum length for each temporary data values
Yes
 4096
metadata MetadataConfig Metadata compliance rules
Yes
 See MetadataConfig for more details.
sha256_sources List [Sha256Source] List of external source to fetch file via their SHA256 hashes
Use submission.file_sources which is an extension of this configuration
Yes
 []
file_sources List [FileSource] List of external source to fetch file
Yes
 []
tag_types TagTypes Tag types that show up in the submission summary
Yes
 See TagTypes for more details.
verdicts Verdicts Minimum score value to get the specified verdict.
Yes
 See Verdicts for more details.
default_temporary_keys Mapping [String, Enum] temporary_keys values for well known services.
Yes
 None
temporary_keys Mapping [String, Enum] Set the operation that will be used to update values using this key in the temporary submission data.
Yes
 None
profiles List [SubmissionProfile] Submission profiles with preset submission parameters
Yes
 [{'name': 'static', 'display_name': 'Static Analysis', 'params': {'services': {'excluded': ['Dynamic Analysis', 'Internet Connected'], 'selected': ['Filtering', 'Antivirus', 'Static Analysis', 'Extraction', 'Networking']}}, 'description': 'Analyze files using static analysis techniques and extract information from the file without executing it, such as metadata, strings, and structural information.'}, {'name': 'static_with_dynamic', 'display_name': 'Static + Dynamic Analysis', 'params': {'services': {'excluded': ['Internet Connected'], 'selected': ['Filtering', 'Antivirus', 'Static Analysis', 'Extraction', 'Networking', 'Dynamic Analysis']}}, 'description': 'Analyze files using static analysis techniques along with executing them in a controlled environment to observe their behavior and capture runtime activities, interactions with the system, network communications, and any malicious behavior exhibited by the file during execution.'}, {'name': 'static_with_internet', 'display_name': 'Internet-Connected Static Analysis', 'params': {'services': {'excluded': ['Dynamic Analysis'], 'selected': ['Filtering', 'Antivirus', 'Static Analysis', 'Extraction', 'Networking', 'Internet Connected']}}, 'description': 'Combine traditional static analysis techniques with internet-connected services to gather additional information and context about the file being analyzed.'}]

FileSource

A file source entry for remote fetching via string

Field Type Description Required Default
name Keyword Name of the sha256 source
Yes
 None
auto_select Boolean Should we force the source to be auto-selected for the user ?
Yes
 False
download_from_url Boolean Should we download from the resulting URL or create an Assemblyline URI file for it ?
Yes
 True
hash_types List [Keyword] Method(s) of fetching file from source by string input(ie. ['sha256', 'sha1', 'md5', 'tlsh', 'ssdeep']). This also supports custom types.
Yes
 ['sha256']
hash_patterns Mapping [String, Text] Custom types to regex pattern definition for input detection/validation
Optional
 None
classification ClassificationString None
Optional
 None
data Keyword None
Optional
 None
failure_pattern Keyword None
Optional
 None
method Enum Method used to call the URL
Supported values are:
"GET", "POST"
Yes
 GET
url Keyword Url to fetch the file via SHA256 from (Uses replace pattern)
Yes
 None
replace_pattern Keyword Pattern to replace in the URL with the SHA256
Yes
 None
headers Mapping [String, Keyword] Headers used to connect to the URL
Yes
 {}
proxies Mapping [String, Keyword] Proxy used to connect to the URL
Yes
 {}
select_services List [Keyword] List of services that will be auto-selected when using this source.
Yes
 []
verify Boolean Should the download function Verify SSL connections?
Yes
 True

MetadataConfig

Configuration for metadata compliance with APIs

Field Type Description Required Default
archive Mapping [String, Metadata] Metadata specification for archiving
Yes
 None
submit Mapping [String, Metadata] Metadata specification for submission
Yes
 None
ingest Mapping [String, Mapping [String, Metadata]] Metadata specification for certain ingestion based on ingest_type
Yes
 None
strict_schemes List [Keyword] A list of metadata schemes with strict rules (ie. no extra/unknown metadata). Values can be: archive, submit, or one of the schemes under ingest.
Yes
 []

Metadata

Metadata configuration

Field Type Description Required Default
validator_type Enum Type of validation to apply to metadata value
Supported values are:
"boolean", "date", "domain", "email", "enum", "float", "integer", "ip", "keyword", "list", "regex", "text", "uri"
Yes
 str
validator_params Mapping [String, Any] Configuration parameters to apply to validator
Yes
 {}
suggestions List [Keyword] List of suggestions for this field
Yes
 []
suggestion_key Keyword Key in redis where to get the suggestions from
Optional
 None
default Keyword None
Optional
 None
required Boolean Is this field required?
Yes
 False
aliases List [Keyword] Field name aliases that map over to the field.
Yes
 []

Sha256Source

A source entry for the sha256 downloader

Field Type Description Required Default
name Keyword Name of the sha256 source
Yes
 None
classification ClassificationString None
Optional
 None
data Keyword None
Optional
 None
failure_pattern Keyword None
Optional
 None
method Enum Method used to call the URL
Supported values are:
"GET", "POST"
Yes
 GET
url Keyword Url to fetch the file via SHA256 from (Uses replace pattern)
Yes
 None
replace_pattern Keyword Pattern to replace in the URL with the SHA256
Yes
 None
headers Mapping [String, Keyword] Headers used to connect to the URL
Yes
 {}
proxies Mapping [String, Keyword] Proxy used to connect to the URL
Yes
 {}
verify Boolean Should the download function Verify SSL connections?
Yes
 True

SubmissionProfile

Configuration for defining submission profiles for basic users

Field Type Description Required Default
name Text Submission profile name
Yes
 None
display_name Text Submission profile display name
Yes
 None
classification ClassificationString Submission profile classification
Yes
 TLP:C
params SubmissionProfileParams Default submission parameters for profile
Yes
 None
restricted_params Mapping [String, List [Text]] A list of parameters that can be configured for this profile. The keys are the service names or "submission" and the values are the parameters that cannot be configured by limited users.
Yes
 {'submission': ['ignore_recursion_prevention'], 'APKaye': ['resubmit_apk_as_jar'], 'AVClass': ['include_malpedia_dataset'], 'CAPE': ['specific_image', 'dll_function', 'dump_memory', 'force_sleepskip', 'no_monitor', 'simulate_user', 'reboot', 'arguments', 'custom_options', 'clock', 'package', 'specific_machine', 'platform', 'routing', 'ignore_cape_cache', 'hh_args', 'monitored_and_unmonitored'], 'ConfigExtractor': ['include_empty_config'], 'DeobfuScripter': ['extract_original_iocs', 'max_file_size'], 'DocumentPreview': ['load_email_images', 'save_ocr_output'], 'EmlParser': ['extract_body_text', 'save_emlparser_output'], 'Extract': ['extract_executable_sections', 'continue_after_extract', 'use_custom_safelisting', 'score_failed_password'], 'FrankenStrings': ['max_file_size', 'max_string_length'], 'JsJaws': ['tool_timeout', 'add_supplementary', 'static_signatures', 'display_iocs', 'static_analysis_only', 'ignore_stdout_limit', 'no_shell_error', 'browser', 'wscript_only', 'throw_http_exc', 'download_payload', 'extract_function_calls', 'extract_eval_calls', 'log_errors', 'override_eval', 'file_always_exists', 'enable_synchrony'], 'Overpower': ['tool_timeout', 'add_supplementary', 'fake_web_download'], 'PDFId': ['carved_obj_size_limit'], 'Pixaxe': ['save_ocr_output', 'extract_ocr_uri'], 'Suricata': ['extract_files'], 'URLDownloader': ['regex_extract_filetype', 'regex_supplementary_filetype', 'extract_unmatched_filetype'], 'XLMMacroDeobfuscator': ['start point']}
description Text A description of what the profile does
Optional
 None

SubmissionProfileParams

Submission Parameters for profile

Field Type Description Required Default
classification Classification Original classification of the submission
Optional
 None
deep_scan Boolean Should a deep scan be performed?
Optional
 None
generate_alert Boolean Should this submission generate an alert?
Optional
 None
ignore_cache Boolean Ignore the cached service results?
Optional
 None
ignore_recursion_prevention Boolean Should we ignore recursion prevention?
Optional
 None
ignore_filtering Boolean Should we ignore filtering services?
Optional
 None
ignore_size Boolean Ignore the file size limits?
Optional
 None
max_extracted Integer Max number of extracted files
Optional
 None
max_supplementary Integer Max number of supplementary files
Optional
 None
priority Integer Priority of the scan
Optional
 None
services ServiceSelection Service selection
Optional
 None
service_spec Mapping [String, Mapping [String, Any]] Service-specific parameters
Optional
 None
auto_archive Boolean Does the submission automatically goes into the archive when completed?
Optional
 None
delete_after_archive Boolean When the submission is archived, should we delete it from hot storage right away?
Optional
 None
ttl Integer Time, in days, to live for this submission
Optional
 None
type Keyword Type of submission
Optional
 None
use_archive_alternate_dtl Boolean Should we use the alternate dtl while archiving?
Optional
 None

TagTypes

None

Field Type Description Required Default
attribution List [Keyword] Attibution tags
Yes
 ['attribution.actor', 'attribution.campaign', 'attribution.exploit', 'attribution.implant', 'attribution.family', 'attribution.network', 'av.virus_name', 'file.config', 'technique.obfuscation']
behavior List [Keyword] Behaviour tags
Yes
 ['file.behavior']
ioc List [Keyword] IOC tags
Yes
 ['network.email.address', 'network.static.ip', 'network.static.domain', 'network.static.uri', 'network.dynamic.ip', 'network.dynamic.domain', 'network.dynamic.uri']

Verdicts

Minimum score value to get the specified verdict, otherwise the file is considered safe.

Field Type Description Required Default
info Integer Minimum score for the verdict to be Informational.
Yes
 0
suspicious Integer Minimum score for the verdict to be Suspicious.
Yes
 300
highly_suspicious Integer Minimum score for the verdict to be Highly Suspicious.
Yes
 700
malicious Integer Minimum score for the verdict to be Malicious.
Yes
 1000

System

System Configuration

Field Type Description Required Default
constants Keyword Module path to the assemblyline constants
Yes
 assemblyline.common.constants
organisation Text Organisation acronym used for signatures
Yes
 ACME
type Enum Type of system
Supported values are:
"development", "production", "staging"
Yes
 production

UI

UI Configuration

Field Type Description Required Default
ai_backends AIBackends AI Multi-backends support for the UI
Yes
 See AIBackends for more details.
alerting_meta AlertingMeta Alerting metadata fields
Yes
 See AlertingMeta for more details.
allow_malicious_hinting Boolean Allow user to tell in advance the system that a file is malicious?
Yes
 False
allow_raw_downloads Boolean Allow user to download raw files?
Yes
 True
allow_zip_downloads Boolean Allow user to download files as password protected ZIPs?
Yes
 True
allow_replay Boolean Allow users to request replay on another server?
Yes
 False
allow_url_submissions Boolean Allow file submissions via url?
Yes
 True
api_proxies Mapping [String, APIProxies] Proxy requests to the configured API target and add headers
Yes
 See APIProxies for more details.
audit Boolean Should API calls be audited and saved to a separate log file?
Yes
 True
audit_login Boolean Should login successes and failures be part of the audit log as well?
Yes
 False
banner Mapping [String, Keyword] Banner message display on the main page (format: {: message})
Optional
 None
banner_level Enum Banner message level
Supported values are:
"error", "info", "success", "warning"
Yes
 info
debug Boolean Enable debugging?
Yes
 False
default_quotas Quotas Default API quotas values
Yes
 See Quotas for more details.
discover_url Keyword Discover URL
Optional
 None
download_encoding Enum Which encoding will be used for downloads?
Supported values are:
"cart", "raw", "zip"
Yes
 cart
default_zip_password Text Default user-defined password for creating password protected ZIPs when downloading files
Optional
 infected
email Email Assemblyline admins email address
Optional
 None
enforce_quota Boolean Enforce the user's quotas?
Yes
 True
external_links List [ExternalLinks] List of external pivot links
Yes
 []
external_sources List [ExternalSource] List of external sources to query
Yes
 []
fqdn Text Fully qualified domain name to use for the 2-factor authentication validation
Yes
 localhost
ingest_max_priority Integer Maximum priority for ingest API
Yes
 250
read_only Boolean Turn on read only mode in the UI
Yes
 False
read_only_offset Keyword Offset of the read only mode for all paging and searches
Yes
 ``
rss_feeds List [Keyword] List of RSS feeds to display on the UI
Yes
 ['https://alpytest.blob.core.windows.net/pytest/stable.json', 'https://alpytest.blob.core.windows.net/pytest/services.json', 'https://alpytest.blob.core.windows.net/pytest/community.json', 'https://alpytest.blob.core.windows.net/pytest/blog.json']
services_feed Keyword Feed of all the services built by the Assemblyline Team
Yes
 https://alpytest.blob.core.windows.net/pytest/services.json
community_feed Keyword Feed of all the services built by the Assemblyline community.
Yes
 https://alpytest.blob.core.windows.net/pytest/community.json
secret_key Keyword Flask secret key to store cookies, etc.
Yes
 This is the default flask secret key... you should change this!
session_duration Integer Duration of the user session before the user has to login again
Yes
 3600
statistics Statistics Statistics configuration
Yes
 See Statistics for more details.
tos Text Terms of service
Optional
 None
tos_lockout Boolean Lock out user after accepting the terms of service?
Yes
 False
tos_lockout_notify List [Keyword] List of admins to notify when a user gets locked out
Optional
 None
url_submission_auto_service_selection List [Keyword] List of services auto-selected by the UI when submitting URLs
Yes
 ['URLDownloader']
url_submission_headers Mapping [String, Keyword] Headers used by the url_download method
Optional
 None
url_submission_proxies Mapping [String, Keyword] Proxy used by the url_download method
Optional
 None
url_submission_timeout Integer Request timeout for fetching URLs
Yes
 15
validate_session_ip Boolean Validate if the session IP matches the IP the session was created from
Yes
 True
validate_session_useragent Boolean Validate if the session useragent matches the useragent the session was created with
Yes
 True

AIBackends

AI Multi-Backend support configuration block

Field Type Description Required Default
enabled Boolean Is AI support enabled?
Yes
 False
api_connections List [AIConnection] List of API definitions use in the API Pool
Yes
 [{'chat_url': 'https://api.openai.com/v1/chat/completions', 'api_type': 'openai', 'headers': {'Content-Type': 'application/json'}, 'model_name': 'gpt-3.5-turbo', 'proxies': None, 'verify': True}, {'chat_url': 'https://api.openai.com/v1/chat/completions', 'api_type': 'openai', 'headers': {'Content-Type': 'application/json'}, 'model_name': 'gpt-4', 'proxies': None, 'verify': True}]
function_params AIFunctionParameters Definition of each parameters used in the different AI functions
Yes
 None

AIConnection

Connection information to an AI backend

Field Type Description Required Default
api_type Enum Type of chat API we are communicating with
Supported values are:
"cohere", "openai"
Yes
 None
chat_url Keyword URL to the AI API
Yes
 None
headers Mapping [String, Keyword] Headers used by the _call_ai_backend method
Optional
 {}
model_name Keyword Name of the model to be used for the AI analysis.
Yes
 None
proxies Mapping [String, Keyword] Proxies used by the _call_ai_backend method
Optional
 None
use_fic Boolean Use Federated Identity Credentials to login
Yes
 False
verify Boolean Should the SSL connection to the AI API be verified.
Yes
 True

AIFunctionParameters

Definition of each parameters used in the different AI functions

Field Type Description Required Default
assistant AIQueryParams Parameters used for Assamblyline Assistant
Yes
 None
code AIQueryParams Parameters used for code analysis
Yes
 None
detailed_report AIQueryParams Parameters used for detailed reports
Yes
 None
executive_summary AIQueryParams Parameters used for executive summaries
Yes
 None
AIQueryParams

Parameters used during a AI query

Field Type Description Required Default
system_message Keyword System message used for the query.
Yes
 None
task Keyword Task description sent to the AI
Yes
 ``
max_tokens Integer Maximum ammount of token used for the response.
Yes
 None
options Mapping [String, Any] Other kwargs options directly passed to the API.
Optional
 None

APIProxies

Configuration for connecting to a retrohunt service.

Field Type Description Required Default
url Keyword URL to redirect to
Yes
 None
verify Boolean Should we verify the cert or not
Yes
 True
headers List [HeaderValue] Headers to add to the request
Yes
 []
public Mapping [String, Any] Parameters to be sent to the Frontend.
Optional
 None

HeaderValue

Header value

Field Type Description Required Default
name Keyword Name of the header
Yes
 None
value Keyword None
Optional
 None
key Keyword None
Optional
 None

AlertingMeta

Alerting Metadata

Field Type Description Required Default
important List [Keyword] Metadata keys that are considered important
Yes
 ['original_source', 'protocol', 'subject', 'submitted_url', 'source_url', 'url', 'web_url', 'from', 'to', 'cc', 'bcc', 'ip_src', 'ip_dst', 'source']
subject List [Keyword] Metadata keys that refer to an email's subject
Yes
 ['subject']
url List [Keyword] Metadata keys that refer to a URL
Yes
 ['submitted_url', 'source_url', 'url', 'web_url']

External links that specific metadata and tags can pivot to

Field Type Description Required Default
allow_bypass Boolean If the classification of the item is higher than the max_classificaiton, can we let the user bypass the check and still query the external link?
Yes
 False
name Keyword Name of the link
Yes
 None
double_encode Boolean Should the replaced value be double encoded?
Yes
 False
classification ClassificationString None
Optional
 None
max_classification ClassificationString None
Optional
 None
replace_pattern Keyword Pattern that will be replaced in the URL with the metadata or tag value
Yes
 None
targets List [ExternalLinksTargets] List of external sources to query
Yes
 []
url Keyword URL to redirect to
Yes
 None

ExternalLinksTargets

Target definition of an external link

Field Type Description Required Default
type Enum Type of external link target
Supported values are:
"hash", "metadata", "tag"
Yes
 None
key Keyword Key that it can be used against
Yes
 None

ExternalSource

Connection details for external systems/data sources.

Field Type Description Required Default
name Keyword Name of the source.
Yes
 None
classification ClassificationString None
Optional
 None
max_classification ClassificationString None
Optional
 None
url Keyword URL of the upstream source's lookup service.
Yes
 None

Quotas

Default API and submission quota values for the system

Field Type Description Required Default
concurrent_api_calls Integer Maximum concurrent API Calls that can be running for a user.
Yes
 10
concurrent_submissions Integer Maximum concurrent Submission that can be running for a user.
Yes
 5
concurrent_async_submissions Integer Maximum concurrent asynchroneous Submission that can be running for a user.
Yes
 0
daily_api_calls Integer Maximum daily API calls a user can issue.
Yes
 0
daily_submissions Integer Maximum daily submission a user can do.
Yes
 0

Statistics

Statistics

Field Type Description Required Default
alert List [Keyword] Fields used to generate statistics in the Alerts page
Yes
 ['al.attrib', 'al.av', 'al.behavior', 'al.domain', 'al.ip', 'al.yara', 'file.name', 'file.md5', 'owner']
submission List [Keyword] Fields used to generate statistics in the Submissions page
Yes
 ['params.submitter']

ArchiverMetadata

Malware Archive Configuration

Field Type Description Required Default
default Keyword None
Optional
 None
editable Boolean Can the user provide a custom value
Yes
 False
values List [Keyword] List of possible values to pick from
Yes
 []

AI

AI support configuration block

Field Type Description Required Default
chat_url Keyword URL to the AI API
Yes
 None
api_type Enum Type of chat API we are communicating with
Supported values are:
"cohere", "openai"
Yes
 None
assistant AIQueryParams Parameters used for Assamblyline Assistant
Yes
 None
code AIQueryParams Parameters used for code analysis
Yes
 None
detailed_report AIQueryParams Parameters used for detailed reports
Yes
 None
executive_summary AIQueryParams Parameters used for executive summaries
Yes
 None
enabled Boolean Is AI support enabled?
Yes
 None
headers Mapping [String, Keyword] Headers used by the _call_ai_backend method
Optional
 None
model_name Keyword Name of the model to be used for the AI analysis.
Yes
 None
verify Boolean Should the SSL connection to the AI API be verified.
Yes
 None
proxies Mapping [String, Keyword] Proxies used by the _call_ai_backend method
Optional
 None

AIQueryParams

Parameters used during a AI query

Field Type Description Required Default
system_message Keyword System message used for the query.
Yes
 None
task Keyword Task description sent to the AI
Yes
 ``
max_tokens Integer Maximum ammount of token used for the response.
Yes
 None
options Mapping [String, Any] Other kwargs options directly passed to the API.
Optional
 None