Config¶
Assemblyline Deployment Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| auth | Auth | Authentication module configuration | Yes |
See Auth for more details. |
| core | Core | Core component configuration | Yes |
See Core for more details. |
| datastore | Datastore | Datastore configuration | Yes |
See Datastore for more details. |
| datasources | Mapping [String, Datasource] | Datasources configuration | Yes |
See Datasource for more details. |
| filestore | Filestore | Filestore configuration | Yes |
See Filestore for more details. |
| logging | Logging | Logging configuration | Yes |
See Logging for more details. |
| retrohunt | Retrohunt | Retrohunt configuration for the frontend and server. | Yes |
See Retrohunt for more details. |
| services | Services | Service configuration | Yes |
See Services for more details. |
| system | System | System configuration | Yes |
See System for more details. |
| ui | UI | UI configuration parameters | Yes |
See UI for more details. |
| submission | Submission | Options for how submissions will be processed | Yes |
See Submission for more details. |
Auth¶
Authentication Methods
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| allow_2fa | Boolean | Allow 2FA? | Yes |
True |
| allow_apikeys | Boolean | Allow API keys? | Yes |
True |
| allow_extended_apikeys | Boolean | Allow extended API keys? | Yes |
True |
| allow_security_tokens | Boolean | Allow security tokens? | Yes |
True |
| internal | Internal | Internal authentication settings | Yes |
See Internal for more details. |
| ldap | LDAP | LDAP settings | Yes |
See LDAP for more details. |
| oauth | OAuth | OAuth settings | Yes |
See OAuth for more details. |
Internal¶
Internal Authentication Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| enabled | Boolean | Internal authentication allowed? | Yes |
True |
| failure_ttl | Integer | How long to wait after max_failures before re-attempting login? |
Yes |
60 |
| max_failures | Integer | Maximum number of fails allowed before timeout | Yes |
5 |
| password_requirements | PasswordRequirement | Password requirements | Yes |
See PasswordRequirement for more details. |
| signup | Signup | Signup method | Yes |
See Signup for more details. |
PasswordRequirement¶
Password Requirement
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| lower | Boolean | Password must contain lowercase letters | Yes |
False |
| number | Boolean | Password must contain numbers | Yes |
False |
| special | Boolean | Password must contain special characters | Yes |
False |
| upper | Boolean | Password must contain uppercase letters | Yes |
False |
| min_length | Integer | Minimum password length | Yes |
12 |
Signup¶
Signup Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| enabled | Boolean | Can a user automatically signup for the system | Yes |
False |
| smtp | SMTP | Signup via SMTP | Yes |
See SMTP for more details. |
| notify | Notify | Signup via GC Notify | Yes |
See Notify for more details. |
| valid_email_patterns | List [Keyword] | Email patterns that will be allowed to automatically signup for an account | Yes |
['.*', '.*@localhost'] |
Notify¶
Configuration block for GC Notify signup and password reset
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| base_url | Keyword | Base URL | Optional |
None |
| api_key | Keyword | API key | Optional |
None |
| registration_template | Keyword | Registration template | Optional |
None |
| password_reset_template | Keyword | Password reset template | Optional |
None |
| authorization_template | Keyword | Authorization template | Optional |
None |
| activated_template | Keyword | Activated Template | Optional |
None |
SMTP¶
Configuration block for SMTP signup and password reset
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| from_adr | Keyword | Email address used for sender | Optional |
None |
| host | Keyword | SMTP host | Optional |
None |
| password | Keyword | Password for SMTP server | Optional |
None |
| port | Integer | Port of SMTP server | Yes |
587 |
| tls | Boolean | Should we communicate with SMTP server via TLS? | Yes |
True |
| user | Keyword | User to authenticate to the SMTP server | Optional |
None |
LDAP¶
LDAP Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| enabled | Boolean | Should LDAP be enabled or not? | Yes |
False |
| admin_dn | Keyword | DN of the group or the user who will get admin privileges | Optional |
None |
| bind_user | Keyword | User use to query the LDAP server | Optional |
None |
| bind_pass | Keyword | Password used to query the LDAP server | Optional |
None |
| auto_create | Boolean | Auto-create users if they are missing | Yes |
True |
| auto_sync | Boolean | Should we automatically sync with LDAP server on each login? | Yes |
True |
| auto_properties | List [AutoProperty] | Automatic role and classification assignments | Yes |
[] |
| base | Keyword | Base DN for the users | Yes |
ou=people,dc=assemblyline,dc=local |
| classification_mappings | Any | Classification mapping | Yes |
None |
| email_field | Keyword | Name of the field containing the email address | Yes |
mail |
| group_lookup_query | Keyword | How the group lookup is queried | Yes |
(&(objectClass=Group)(member=%s)) |
| group_lookup_with_uid | Boolean | Use username/uid instead of dn for group lookup | Yes |
False |
| image_field | Keyword | Name of the field containing the user's avatar | Yes |
jpegPhoto |
| image_format | Keyword | Type of image used to store the avatar | Yes |
jpeg |
| name_field | Keyword | Name of the field containing the user's name | Yes |
cn |
| signature_importer_dn | Keyword | DN of the group or the user who will get signature_importer role | Optional |
None |
| signature_manager_dn | Keyword | DN of the group or the user who will get signature_manager role | Optional |
None |
| uid_field | Keyword | Field name for the UID | Yes |
uid |
| uri | Keyword | URI to the LDAP server | Yes |
ldap://localhost:389 |
AutoProperty¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| field | Keyword | Field to apply pattern to |
Yes |
None |
| pattern | Keyword | Regex pattern for auto-prop assignment | Yes |
None |
| type | Enum | Type of property assignment on pattern match Values: "access", "classification", "group", "multi_group", "remove_role", "role", "type" |
Yes |
None |
| value | List [Keyword] | Assigned property value | Yes |
[] |
OAuth¶
OAuth Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| enabled | Boolean | Enable use of OAuth? | Yes |
False |
| gravatar_enabled | Boolean | Enable gravatar? | Yes |
True |
| providers | Mapping [String, OAuthProvider] | OAuth provider configuration | Yes |
See OAuthProvider for more details. |
OAuthProvider¶
OAuth Provider Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| auto_create | Boolean | Auto-create users if they are missing | Yes |
True |
| auto_sync | Boolean | Should we automatically sync with OAuth provider? | Yes |
False |
| auto_properties | List [AutoProperty] | Automatic role and classification assignments | Yes |
[] |
| app_provider | AppProvider | None | Optional |
None |
| uid_randomize | Boolean | Should we generate a random username for the authenticated user? | Yes |
False |
| uid_randomize_digits | Integer | How many digits should we add at the end of the username? | Yes |
0 |
| uid_randomize_delimiter | Keyword | What is the delimiter used by the random name generator? | Yes |
- |
| uid_regex | Keyword | Regex used to parse an email address and capture parts to create a user ID out of it | Optional |
None |
| uid_format | Keyword | Format of the user ID based on the captured parts from the regex | Optional |
None |
| client_id | Keyword | ID of your application to authenticate to the OAuth provider | Optional |
None |
| client_secret | Keyword | Password to your application to authenticate to the OAuth provider | Optional |
None |
| redirect_uri | Keyword | URI to redirect to after authentication with OAuth provider | Optional |
None |
| request_token_url | Keyword | URL to request token | Optional |
None |
| request_token_params | Keyword | Parameters to request token | Optional |
None |
| access_token_url | Keyword | URL to get access token | Optional |
None |
| access_token_params | Keyword | Parameters to get access token | Optional |
None |
| authorize_url | Keyword | URL used to authorize access to a resource | Optional |
None |
| authorize_params | Keyword | Parameters used to authorize access to a resource | Optional |
None |
| api_base_url | Keyword | Base URL for downloading the user's and groups info | Optional |
None |
| client_kwargs | Mapping [String, Keyword] | Keyword arguments passed to the different URLs | Optional |
None |
| jwks_uri | Keyword | URL used to verify if a returned JWKS token is valid | Optional |
None |
| jwt_token_alg | Keyword | Algorythm use the validate JWT OBO tokens | Yes |
RS256 |
| uid_field | Keyword | Name of the field that will contain the user ID | Optional |
None |
| user_get | Keyword | Path from the base_url to fetch the user info | Optional |
None |
| user_groups | Keyword | Path from the base_url to fetch the group info | Optional |
None |
| user_groups_data_field | Keyword | Field return by the group info API call that contains the list of groups | Optional |
None |
| user_groups_name_field | Keyword | Name of the field in the list of groups that contains the name of the group | Optional |
None |
| use_new_callback_format | Boolean | Should we use the new callback method? | Yes |
False |
| allow_external_tokens | Boolean | Should token provided to the login API directly be use for authentication? | Yes |
False |
| external_token_alternate_audiences | List [Keyword] | List of valid alternate audiences for the external token. | Yes |
[] |
| email_fields | List [Keyword] | List of fields in the claim to get the email from | Yes |
['email', 'emails', 'extension_selectedEmailAddress', 'otherMails', 'preferred_username', 'upn'] |
| username_field | Keyword | Name of the field that will contain the username | Yes |
uname |
AppProvider¶
App provider
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| access_token_url | Keyword | URL used to get the access token | Yes |
None |
| user_get | Keyword | Path from the base_url to fetch the user info | Optional |
None |
| group_get | Keyword | Path from the base_url to fetch the group info | Optional |
None |
| scope | Keyword | None | Yes |
None |
| client_id | Keyword | ID of your application to authenticate to the OAuth | Optional |
None |
| client_secret | Keyword | Password to your application to authenticate to the OAuth provider | Optional |
None |
AutoProperty¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| field | Keyword | Field to apply pattern to |
Yes |
None |
| pattern | Keyword | Regex pattern for auto-prop assignment | Yes |
None |
| type | Enum | Type of property assignment on pattern match Values: "access", "classification", "group", "multi_group", "remove_role", "role", "type" |
Yes |
None |
| value | List [Keyword] | Assigned property value | Yes |
[] |
Core¶
Core Component Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| alerter | Alerter | Configuration for Alerter | Yes |
See Alerter for more details. |
| archiver | Archiver | Configuration for the permanent submission archive | Yes |
See Archiver for more details. |
| dispatcher | Dispatcher | Configuration for Dispatcher | Yes |
See Dispatcher for more details. |
| expiry | Expiry | Configuration for Expiry | Yes |
See Expiry for more details. |
| ingester | Ingester | Configuration for Ingester | Yes |
See Ingester for more details. |
| metrics | Metrics | Configuration for Metrics Collection | Yes |
See Metrics for more details. |
| plumber | Plumber | Configuration for system cleanup | Yes |
See Plumber for more details. |
| redis | Redis | Configuration for Redis instances | Yes |
See Redis for more details. |
| scaler | Scaler | Configuration for Scaler | Yes |
See Scaler for more details. |
| updater | Updater | Configuration for Updater | Yes |
See Updater for more details. |
| vacuum | Vacuum | Configuration for Vacuum | Yes |
See Vacuum for more details. |
Alerter¶
Alerter Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| alert_ttl | Integer | Time to live (days) for an alert in the system | Yes |
90 |
| constant_alert_fields | List [Keyword] | List of fields that should not change during an alert update This behavior is no longer configurable |
Yes |
[] |
| constant_ignore_keys | List [Keyword] | List of keys to ignore in the constant alert fields. This behavior is no longer configurable |
Yes |
[] |
| default_group_field | Keyword | Default field used for alert grouping view | Yes |
file.sha256 |
| delay | Integer | Time in seconds that we give extended scans and workflow to complete their work before we start showing alerts in the alert viewer. | Yes |
300 |
| filtering_group_fields | List [Keyword] | List of group fields that when selected will ignore certain alerts where this field is missing. | Yes |
['file.name', 'status', 'priority'] |
| non_filtering_group_fields | List [Keyword] | List of group fields that are sure to be present in all alerts. | Yes |
['file.md5', 'file.sha1', 'file.sha256'] |
| process_alert_message | Keyword | Python path to the function that will process an alert message. | Yes |
assemblyline_core.alerter.processing.process_alert_message |
| threshold | Integer | Minimum score to reach for a submission to be considered an alert. | Yes |
500 |
Archiver¶
Malware Archive Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| minimum_required_services | List [Keyword] | List of minimum required service before archiving takes place | Yes |
[] |
Dispatcher¶
Dispatcher Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| timeout | Integer | Time between re-dispatching attempts, as long as some action (submission or any task completion) happens before this timeout ends, the timeout resets. | Yes |
900 |
| max_inflight | Integer | Maximum submissions allowed to be in-flight | Yes |
1000 |
Expiry¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| batch_delete | Boolean | Perform expiry in batches? Delete queries are rounded by day therefore all delete operation happen at the same time at midnight |
Yes |
False |
| delay | Integer | Delay, in hours, that will be applied to the expiry query so we can keepdata longer then previously set or we can offset deletion during non busy hours | Yes |
0 |
| delete_storage | Boolean | Should we also cleanup the file storage? | Yes |
True |
| sleep_time | Integer | Time, in seconds, to sleep in between each expiry run | Yes |
15 |
| workers | Integer | Number of concurrent workers | Yes |
20 |
| delete_workers | Integer | Worker processes for file storage deletes. | Yes |
2 |
| iteration_max_tasks | Integer | How many query chunks get run per iteration. | Yes |
20 |
| delete_batch_size | Integer | How large a batch get deleted per iteration. | Yes |
2000 |
| safelisted_tag_dtl | Integer | The default period, in days, before tags expire from Safelist | Yes |
0 |
| badlisted_tag_dtl | Integer | The default period, in days, before tags expire from Badlist | Yes |
0 |
Ingester¶
Ingester Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| default_user | Keyword | Default user for bulk ingestion and unattended submissions | Yes |
internal |
| default_services | List [Keyword] | Default service selection | Yes |
[] |
| default_resubmit_services | List [Keyword] | Default service selection for resubmits | Yes |
[] |
| description_prefix | Keyword | A prefix for descriptions. When a description is automatically generated, it will be the hash prefixed by this string | Yes |
Bulk |
| is_low_priority | Keyword | Path to a callback function filtering ingestion tasks that should have their priority forcefully reset to low | Yes |
assemblyline.common.null.always_false |
| get_whitelist_verdict | Keyword | None | Yes |
assemblyline.common.signaturing.drop |
| whitelist | Keyword | None | Yes |
assemblyline.common.null.whitelist |
| default_max_extracted | Integer | How many extracted files may be added to a Submission. Overrideable via submission parameters. | Yes |
100 |
| default_max_supplementary | Integer | How many supplementary files may be added to a Submission. Overrideable via submission parameters | Yes |
100 |
| expire_after | Integer | Period, in seconds, in which a task should be expired | Yes |
1296000 |
| stale_after_seconds | Integer | Drop a task altogether after this many seconds | Yes |
86400 |
| incomplete_expire_after_seconds | Integer | How long should scores be kept before expiry | Yes |
3600 |
| incomplete_stale_after_seconds | Integer | How long should scores be cached in the ingester | Yes |
1800 |
| sampling_at | Mapping [String, Integer] | Thresholds at certain buckets before sampling | Yes |
None |
| max_inflight | Integer | How long can a queue get before we start dropping files | Yes |
500 |
| cache_dtl | Integer | How long are files results cached | Yes |
2 |
Metrics¶
Metrics Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| apm_server | APMServer | APM server configuration | Yes |
See APMServer for more details. |
| elasticsearch | ESMetrics | Where to export metrics? | Yes |
See ESMetrics for more details. |
| export_interval | Integer | How often should we be exporting metrics? | Yes |
5 |
| redis | RedisServer | Redis for Dashboard metrics | Yes |
See RedisServer for more details. |
APMServer¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| server_url | Keyword | URL to API server | Optional |
None |
| token | Keyword | Authentication token for server | Optional |
None |
ESMetrics¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| hosts | List [Keyword] | Elasticsearch hosts | Optional |
None |
| host_certificates | Keyword | Host certificates | Optional |
None |
| warm | Integer | How long, per unit of time, should a document remain in the 'warm' tier? | Yes |
2 |
| cold | Integer | How long, per unit of time, should a document remain in the 'cold' tier? | Yes |
30 |
| delete | Integer | How long, per unit of time, should a document remain before being deleted? | Yes |
90 |
| unit | Enum | Unit of time used by warm, cold, delete phasesValues: "d", "h", "m" |
Yes |
d |
RedisServer¶
Redis Service configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| host | Keyword | Hostname of Redis instance | Yes |
127.0.0.1 |
| port | Integer | Port of Redis instance | Yes |
6379 |
Plumber¶
Plumber Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| notification_queue_interval | Integer | Interval at which the notification queue cleanup should run | Yes |
1800 |
| notification_queue_max_age | Integer | Max age in seconds notification queue messages can be | Yes |
86400 |
Redis¶
Redis Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| nonpersistent | RedisServer | A volatile Redis instance | Yes |
See RedisServer for more details. |
| persistent | RedisServer | A persistent Redis instance | Yes |
See RedisServer for more details. |
RedisServer¶
Redis Service configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| host | Keyword | Hostname of Redis instance | Yes |
127.0.0.1 |
| port | Integer | Port of Redis instance | Yes |
6379 |
Scaler¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| service_defaults | ScalerServiceDefaults | Defaults Scaler will assign to a service. | Yes |
None |
| cpu_overallocation | Float | Percentage of CPU overallocation | Yes |
1 |
| memory_overallocation | Float | Percentage of RAM overallocation | Yes |
1 |
| overallocation_node_limit | Integer | None | Optional |
None |
| additional_labels | List [Text] | Additional labels to be applied to services('=' delimited) | Optional |
None |
| linux_node_selector | Selector | Selector for linux nodes under kubernetes | Yes |
None |
| cluster_pod_list | Boolean | Sets if scaler list pods for all namespaces. Disabling this lets you use stricter cluster roles but will make cluster resource usage less accurate, setting a namespace resource quota might be needed. | Yes |
True |
ScalerServiceDefaults¶
A set of default values to be used running a service when no other value is set
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| growth | Integer | Period, in seconds, to wait before scaling up a service deployment | Yes |
None |
| shrink | Integer | Period, in seconds, to wait before scaling down a service deployment | Yes |
None |
| backlog | Integer | Backlog threshold that dictates scaling adjustments | Yes |
None |
| min_instances | Integer | The minimum number of service instances to be running | Yes |
None |
| environment | List [EnvironmentVariable] | Environment variables to pass onto services | Yes |
[] |
| mounts | List [Mount] | A list of volume mounts for every service | Yes |
[] |
Mount¶
A configuration for mounting existing volumes to a container
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of volume mount | Yes |
None |
| path | Text | Target mount path | Yes |
None |
| read_only | Boolean | Should this be mounted as read-only? | Yes |
True |
| privileged_only | Boolean | Should this mount only be available for privileged services? | Yes |
False |
| resource_type | Enum | Type of mountable Kubernetes resource Values: "configmap", "secret", "volume" |
Yes |
volume |
| resource_name | Keyword | Name of resource (Kubernetes only) | Optional |
None |
| resource_key | Keyword | Key of ConfigMap/Secret (Kubernetes only) | Optional |
None |
| config_map | Keyword | Name of ConfigMap (Kubernetes only) Use resource_type: configmap and fill in the resource_name & resource_key fields to mount ConfigMaps |
Deprecated |
None |
| key | Keyword | Key of ConfigMap (Kubernetes only) Use resource_type: configmap and fill in the resource_name & resource_key fields to mount ConfigMaps |
Deprecated |
None |
Selector¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| field | List [FieldSelector] | Field selector for resource under kubernetes | Yes |
[] |
| label | List [LabelSelector] | Label selector for resource under kubernetes | Yes |
[] |
FieldSelector¶
Limit a set of kubernetes objects based on a field query.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| key | Keyword | Name of a field to select on. | Yes |
None |
| equal | Boolean | When true key must equal value, when false it must not | Yes |
True |
| value | Keyword | Value to compare field to. | Yes |
None |
LabelSelector¶
Limit a set of kubernetes objects based on a label query.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| key | Keyword | Name of label to select on. | Yes |
None |
| operator | Enum | Operation to select label with. Values: "DoesNotExist", "Exists", "In", "NotIn" |
Yes |
None |
| values | List [Keyword] | Value list to compare label to. | Yes |
None |
Updater¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| job_dockerconfig | DockerConfigDelta | Container configuration used for service registration/updates | Yes |
None |
| registry_configs | List [RegistryConfiguration] | Configurations to be used with container registries | Yes |
[{'name': 'registry.hub.docker.com', 'proxies': {}}] |
RegistryConfiguration¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Text | Name of container registry | Yes |
None |
| proxies | Mapping [String, Text] | Proxy configuration that is passed to Python Requests | Optional |
None |
| token_server | Text | Token server name to facilitate anonymous pull access | Optional |
None |
Vacuum¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| list_cache_directory | Keyword | None | Yes |
/cache/ |
| worker_cache_directory | Keyword | None | Yes |
/memory/ |
| data_directories | List [Keyword] | None | Yes |
[] |
| file_directories | List [Keyword] | None | Yes |
[] |
| assemblyline_user | Keyword | None | Yes |
vacuum-service-account |
| department_map_url | Keyword | None | Optional |
None |
| department_map_init | Keyword | None | Optional |
None |
| stream_map_url | Keyword | None | Optional |
None |
| stream_map_init | Keyword | None | Optional |
None |
| safelist | List [VacuumSafelistItem] | None | Yes |
[] |
| worker_threads | Integer | None | Yes |
50 |
| worker_rollover | Integer | None | Yes |
1000 |
| minimum_classification | Keyword | None | Yes |
U |
| ingest_type | Keyword | None | Yes |
VACUUM |
VacuumSafelistItem¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | None | Yes |
None |
| conditions | Mapping [String, Keyword] | None | Yes |
None |
Datasource¶
Datasource Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| classpath | Keyword | None | Yes |
None |
| config | Mapping [String, Keyword] | None | Yes |
None |
Datastore¶
Datastore Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| hosts | List [Keyword] | List of hosts used for the datastore | Yes |
['http://elastic:devpass@localhost:9200'] |
| archive | Archive | Datastore Archive feature configuration | Yes |
See Archive for more details. |
| cache_dtl | Integer | Default cache lenght for computed indices (submission_tree, submission_summary... | Yes |
5 |
| type | Enum | Type of application used for the datastore Values: "elasticsearch" |
Yes |
elasticsearch |
Archive¶
Datastore Archive feature configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| enabled | Boolean | Are we enabling Achiving features across indices? | Yes |
False |
| indices | List [Keyword] | List of indices the ILM Applies to | Yes |
['file', 'submission', 'result'] |
Filestore¶
Filestore Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| archive | List [Keyword] | List of filestores used for malware archive | Yes |
['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-archive&use_ssl=False'] |
| cache | List [Keyword] | List of filestores used for caching | Yes |
['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-cache&use_ssl=False'] |
| storage | List [Keyword] | List of filestores used for storage | Yes |
['s3://al_storage_key:Ch@ngeTh!sPa33w0rd@localhost:9000?s3_bucket=al-storage&use_ssl=False'] |
Logging¶
Model Definition for the Logging Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| log_level | Enum | What level of logging should we have? Values: "CRITICAL", "DEBUG", "DISABLED", "ERROR", "INFO", "WARNING" |
Yes |
INFO |
| log_to_console | Boolean | Should we log to console? | Yes |
True |
| log_to_file | Boolean | Should we log to files on the server? | Yes |
False |
| log_directory | Keyword | If log_to_file: true, what is the directory to store logs? |
Yes |
/var/log/assemblyline/ |
| log_to_syslog | Boolean | Should logs be sent to a syslog server? | Yes |
False |
| syslog_host | Keyword | If log_to_syslog: true, provide hostname/IP of the syslog server? |
Yes |
localhost |
| syslog_port | Integer | If log_to_syslog: true, provide port of the syslog server? |
Yes |
514 |
| export_interval | Integer | How often, in seconds, should counters log their values? | Yes |
5 |
| log_as_json | Boolean | Log in JSON format? | Yes |
True |
| heartbeat_file | Keyword | Add a health check to core components. If true, core components will touch this path regularly to tell the container environment it is healthy |
Optional |
/tmp/heartbeat |
Retrohunt¶
Configuration for connecting to a retrohunt service.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| enabled | Boolean | Is the Retrohunt functionnality enabled on the frontend | Yes |
False |
| dtl | Integer | Number of days retrohunt jobs will remain in the system by default | Yes |
30 |
| max_dtl | Integer | Maximum number of days retrohunt jobs will remain in the system | Yes |
0 |
| url | Keyword | Base URL for service API | Yes |
https://hauntedhouse:4443 |
| api_key | Keyword | Service API Key | Yes |
ChangeThisDefaultRetroHuntAPIKey! |
| tls_verify | Boolean | Should tls certificates be verified | Yes |
True |
Services¶
Services Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| categories | List [Keyword] | List of categories a service can be assigned to | Yes |
['Antivirus', 'Dynamic Analysis', 'External', 'Extraction', 'Filtering', 'Internet Connected', 'Networking', 'Static Analysis'] |
| default_timeout | Integer | Default service timeout time in seconds | Yes |
60 |
| stages | List [Keyword] | List of execution stages a service can be assigned to | Yes |
['FILTER', 'EXTRACT', 'CORE', 'SECONDARY', 'POST', 'REVIEW'] |
| image_variables | Mapping [String, Keyword] | Substitution variables for image paths (for custom registry support) | Yes |
None |
| update_image_variables | Mapping [String, Keyword] | Similar to image_variables but only applied to the updater. Intended for use with local registries. |
Yes |
None |
| preferred_update_channel | Keyword | Default update channel to be used for new services | Yes |
stable |
| allow_insecure_registry | Boolean | Allow fetching container images from insecure registries | Yes |
False |
| preferred_registry_type | Enum | Global registry type to be used for fetching updates for a service (overridable by a service) Values: "docker", "harbor" |
Yes |
docker |
| prefer_service_privileged | Boolean | Global preference that controls if services should be privileged to communicate with core infrastucture | Yes |
False |
| cpu_reservation | Float | How much CPU do we want to reserve relative to the service's request? At 1, a service's full CPU request will be reserved for them.At 0 (only for very small appliances/dev boxes), the service's CPU will be limited but no CPU will be reserved allowing for more flexible scheduling of containers. |
Yes |
0.25 |
| safelist | ServiceSafelist | None | Yes |
None |
| registries | List [ServiceRegistry] | Global set of registries for services | Optional |
[] |
| service_account | Keyword | Service account to use for pods in kubernetewhere the service does not have one configured. Use helm values to specify service accounts settings for (non-)privileged services: privilegedServiceAccountName, unprivilegedServiceAccountName |
Deprecated |
None |
ServiceRegistry¶
Pre-Configured Registry Details for Services
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of container registry | Yes |
None |
| type | Enum | Type of container registry Values: "docker", "harbor" |
Yes |
docker |
| username | Keyword | Username for container registry | Yes |
None |
| password | Keyword | Password for container registry | Yes |
None |
ServiceSafelist¶
Service's Safelisting Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| enabled | Boolean | Should services be allowed to check extracted files against safelist? | Yes |
True |
| hash_types | List [Enum] | Types of file hashes used for safelist checks | Yes |
['sha1', 'sha256'] |
| enforce_safelist_service | Boolean | Should the Safelist service always run on extracted files? | Yes |
False |
Submission¶
Default values for parameters for submissions that may be overridden on a per submission basis
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| default_max_extracted | Integer | How many extracted files may be added to a submission? | Yes |
500 |
| default_max_supplementary | Integer | How many supplementary files may be added to a submission? | Yes |
500 |
| dtl | Integer | Number of days submissions will remain in the system by default | Yes |
30 |
| emptyresult_dtl | Integer | Number of days emptyresult will remain in the system | Yes |
5 |
| max_dtl | Integer | Maximum number of days submissions will remain in the system | Yes |
0 |
| max_extraction_depth | Integer | Maximum files extraction depth | Yes |
6 |
| max_file_size | Integer | Maximum size for files submitted in the system | Yes |
104857600 |
| max_metadata_length | Integer | Maximum length for each metadata values | Yes |
4096 |
| max_temp_data_length | Integer | Maximum length for each temporary data values | Yes |
4096 |
| sha256_sources | List [Sha256Source] | List of external source to fetch file via their SHA256 hashes | Yes |
[] |
| tag_types | TagTypes | Tag types that show up in the submission summary | Yes |
See TagTypes for more details. |
| verdicts | Verdicts | Minimum score value to get the specified verdict. | Yes |
See Verdicts for more details. |
Sha256Source¶
A source entry for the sha256 downloader
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of the sha256 source | Yes |
None |
| classification | ClassificationString | None | Optional |
None |
| data | Keyword | None | Optional |
None |
| failure_pattern | Keyword | None | Optional |
None |
| method | Enum | Method used to call the URL Values: "GET", "POST" |
Yes |
GET |
| url | Keyword | Url to fetch the file via SHA256 from (Uses replace pattern) | Yes |
None |
| replace_pattern | Keyword | Pattern to replace in the URL with the SHA256 | Yes |
None |
| headers | Mapping [String, Keyword] | Headers used to connect to the URL | Yes |
{} |
| proxies | Mapping [String, Keyword] | Proxy used to connect to the URL | Yes |
{} |
| verify | Boolean | Should the download function Verify SSL connections? | Yes |
True |
TagTypes¶
None
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| attribution | List [Keyword] | Attibution tags | Yes |
['attribution.actor', 'attribution.campaign', 'attribution.exploit', 'attribution.implant', 'attribution.family', 'attribution.network', 'av.virus_name', 'file.config', 'technique.obfuscation'] |
| behavior | List [Keyword] | Behaviour tags | Yes |
['file.behavior'] |
| ioc | List [Keyword] | IOC tags | Yes |
['network.email.address', 'network.static.ip', 'network.static.domain', 'network.static.uri', 'network.dynamic.ip', 'network.dynamic.domain', 'network.dynamic.uri'] |
Verdicts¶
Minimum score value to get the specified verdict, otherwise the file is considered safe.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| info | Integer | Minimum score for the verdict to be Informational. | Yes |
0 |
| suspicious | Integer | Minimum score for the verdict to be Suspicious. | Yes |
300 |
| highly_suspicious | Integer | Minimum score for the verdict to be Highly Suspicious. | Yes |
700 |
| malicious | Integer | Minimum score for the verdict to be Malicious. | Yes |
1000 |
System¶
System Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| constants | Keyword | Module path to the assemblyline constants | Yes |
assemblyline.common.constants |
| organisation | Text | Organisation acronym used for signatures | Yes |
ACME |
| type | Enum | Type of system Values: "development", "production", "staging" |
Yes |
production |
UI¶
UI Configuration
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| ai | AI | AI support for the UI | Yes |
See AI for more details. |
| alerting_meta | AlertingMeta | Alerting metadata fields | Yes |
See AlertingMeta for more details. |
| allow_malicious_hinting | Boolean | Allow user to tell in advance the system that a file is malicious? | Yes |
False |
| allow_raw_downloads | Boolean | Allow user to download raw files? | Yes |
True |
| allow_zip_downloads | Boolean | Allow user to download files as password protected ZIPs? | Yes |
True |
| allow_replay | Boolean | Allow users to request replay on another server? | Yes |
False |
| allow_url_submissions | Boolean | Allow file submissions via url? | Yes |
True |
| audit | Boolean | Should API calls be audited and saved to a separate log file? | Yes |
True |
| banner | Mapping [String, Keyword] | Banner message display on the main page (format: { |
Optional |
None |
| banner_level | Enum | Banner message level Values: "error", "info", "success", "warning" |
Yes |
info |
| debug | Boolean | Enable debugging? | Yes |
False |
| discover_url | Keyword | Discover URL | Optional |
None |
| download_encoding | Enum | Which encoding will be used for downloads? Values: "cart", "raw" |
Yes |
cart |
| Assemblyline admins email address | Optional |
None |
||
| enforce_quota | Boolean | Enforce the user's quotas? | Yes |
True |
| external_links | List [ExternalLinks] | List of external pivot links | Yes |
[] |
| external_sources | List [ExternalSource] | List of external sources to query | Yes |
[] |
| fqdn | Text | Fully qualified domain name to use for the 2-factor authentication validation | Yes |
localhost |
| ingest_max_priority | Integer | Maximum priority for ingest API | Yes |
250 |
| read_only | Boolean | Turn on read only mode in the UI | Yes |
False |
| read_only_offset | Keyword | Offset of the read only mode for all paging and searches | Yes |
`` |
| rss_feeds | List [Keyword] | List of RSS feeds to display on the UI | Yes |
['https://alpytest.blob.core.windows.net/pytest/stable.json', 'https://alpytest.blob.core.windows.net/pytest/services.json', 'https://alpytest.blob.core.windows.net/pytest/community.json', 'https://alpytest.blob.core.windows.net/pytest/blog.json'] |
| services_feed | Keyword | Feed of all the services built by the Assemblyline Team | Yes |
https://alpytest.blob.core.windows.net/pytest/services.json |
| community_feed | Keyword | Feed of all the services built by the Assemblyline community. | Yes |
https://alpytest.blob.core.windows.net/pytest/community.json |
| secret_key | Keyword | Flask secret key to store cookies, etc. | Yes |
This is the default flask secret key... you should change this! |
| session_duration | Integer | Duration of the user session before the user has to login again | Yes |
3600 |
| statistics | Statistics | Statistics configuration | Yes |
See Statistics for more details. |
| tos | Text | Terms of service | Optional |
None |
| tos_lockout | Boolean | Lock out user after accepting the terms of service? | Yes |
False |
| tos_lockout_notify | List [Keyword] | List of admins to notify when a user gets locked out | Optional |
None |
| url_submission_auto_service_selection | List [Keyword] | List of services auto-selected by the UI when submitting URLs | Yes |
['URLDownloader'] |
| url_submission_headers | Mapping [String, Keyword] | Headers used by the url_download method | Optional |
None |
| url_submission_proxies | Mapping [String, Keyword] | Proxy used by the url_download method | Optional |
None |
| url_submission_timeout | Integer | Request timeout for fetching URLs | Yes |
15 |
| validate_session_ip | Boolean | Validate if the session IP matches the IP the session was created from | Yes |
True |
| validate_session_useragent | Boolean | Validate if the session useragent matches the useragent the session was created with | Yes |
True |
AI¶
AI support configuration block
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| chat_url | Keyword | URL to the AI API | Yes |
https://api.openai.com/v1/chat/completions |
| api_type | Enum | Type of chat API we are communicating with Values: "cohere", "openai" |
Yes |
openai |
| assistant | AIQueryParams | Parameters used for Assamblyline Assistant | Yes |
None |
| code | AIQueryParams | Parameters used for code analysis | Yes |
None |
| detailed_report | AIQueryParams | Parameters used for detailed reports | Yes |
None |
| executive_summary | AIQueryParams | Parameters used for executive summaries | Yes |
None |
| enabled | Boolean | Is AI support enabled? | Yes |
False |
| headers | Mapping [String, Keyword] | Headers used by the _call_ai_backend method | Optional |
None |
| model_name | Keyword | Name of the model to be used for the AI analysis. | Yes |
gpt-3.5-turbo |
| verify | Boolean | Should the SSL connection to the AI API be verified. | Yes |
True |
| proxies | Mapping [String, Keyword] | Proxies used by the _call_ai_backend method | Optional |
None |
AIQueryParams¶
Parameters used during a AI query
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| system_message | Keyword | System message used for the query. | Yes |
None |
| max_tokens | Integer | Maximum ammount of token used for the response. | Yes |
None |
| options | Mapping [String, Any] | Other kwargs options directly passed to the API. | Optional |
None |
AlertingMeta¶
Alerting Metadata
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| important | List [Keyword] | Metadata keys that are considered important | Yes |
['original_source', 'protocol', 'subject', 'submitted_url', 'source_url', 'url', 'web_url', 'from', 'to', 'cc', 'bcc', 'ip_src', 'ip_dst', 'source'] |
| subject | List [Keyword] | Metadata keys that refer to an email's subject | Yes |
['subject'] |
| url | List [Keyword] | Metadata keys that refer to a URL | Yes |
['submitted_url', 'source_url', 'url', 'web_url'] |
ExternalLinks¶
External links that specific metadata and tags can pivot to
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| allow_bypass | Boolean | If the classification of the item is higher than the max_classificaiton, can we let the user bypass the check and still query the external link? | Yes |
False |
| name | Keyword | Name of the link | Yes |
None |
| double_encode | Boolean | Should the replaced value be double encoded? | Yes |
False |
| classification | ClassificationString | None | Optional |
None |
| max_classification | ClassificationString | None | Optional |
None |
| replace_pattern | Keyword | Pattern that will be replaced in the URL with the metadata or tag value | Yes |
None |
| targets | List [ExternalLinksTargets] | List of external sources to query | Yes |
[] |
| url | Keyword | URL to redirect to | Yes |
None |
ExternalLinksTargets¶
Target definition of an external link
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| type | Enum | Type of external link target Values: "hash", "metadata", "tag" |
Yes |
None |
| key | Keyword | Key that it can be used against | Yes |
None |
ExternalSource¶
Connection details for external systems/data sources.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of the source. | Yes |
None |
| classification | ClassificationString | None | Optional |
None |
| max_classification | ClassificationString | None | Optional |
None |
| url | Keyword | URL of the upstream source's lookup service. | Yes |
None |
Statistics¶
Statistics
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| alert | List [Keyword] | Fields used to generate statistics in the Alerts page | Yes |
['al.attrib', 'al.av', 'al.behavior', 'al.domain', 'al.ip', 'al.yara', 'file.name', 'file.md5', 'owner'] |
| submission | List [Keyword] | Fields used to generate statistics in the Submissions page | Yes |
['params.submitter'] |