System Configuration
On the Administration page, click the Configuration icon to access the system configuration settings. The available settings are divided into configuration dialogs, which are described in the following pages. Settings marked with an asterisk (*) are required. To complete the initial configuration of the appliance, all settings marked with an asterisk should be changed.
If the local.yaml configuration file on the appliance contaiindexns some configuration values, a notification will be displayed at the top of the System Configuration page. In case of issues with configuring the appliance, inspect the existing values in the local.yaml file, as they may conflict with the values set in the configuration dialogs.
When done updating the settings, click the Save button in the lower right corner of the page. The appliance will be restarted and begin using the new settings.
note
- Settings marked with an asterisk (*) need to be changed during initial configuration, while other settings can be left with their default values
- ReversingLabs sends Spectra Intelligence settings and credentials to the users separately for enabling full file reputation and classification by the appliance
General
| Setting | Description |
|---|---|
| Appliance domain * | Appliance domain name or IP address, used for creating links back to the appliance. This should not include the protocol (e.g., http) but should include any non-default port. Examples: example.com, 192.168.128.42, 192.168.128.42:8080 |
| Allowed hosts * | A list of strings, one per line, representing the host/domain names that this appliance installation can serve. Values in this list can be fully qualified names (e.g., “www.example.com”), in which case they will be matched against the request’s host header exactly (case-insensitive, not including port). A value beginning with a period can be used as a subdomain wildcard: “.example.com” will match “example.com”, “www.example.com”, and any other subdomain of “example.com”. A value of “*” will match anything. Examples: .reversinglabs.com, 89.201.174.154, 89.201.174.152 |
| Page size | Default number of items per page to use in paged lists (tables); for example, on the Submissions page. Users can manually change this directly on each page. |
| Web server protocol | Configure HTTPS, HTTPS & HTTP, or just HTTP for the protocol by which the appliance can be accessed. There is an additional SSL configuration section for generating a new self-signed SSL certificate or uploading a custom one. The value configured here determines which protocol must be used in requests to Spectra Analyze APIs. |
| File Size Limit | The maximum file size in MB that can be submitted to the appliance. The default and maximum value is 2000 MB. Other file size restrictions still apply. |
| SSL configuration | Displayed as the link next to the Web server protocol option. Click it to open the Update SSL certificate page. |
| Generate new SSL certificate | This option is on the Update SSL certificate page. Select the checkbox and click Submit to generate a new self-signed SSL certificate for the server to use. |
| Upload certificate | This option is on the Update SSL certificate page. Select Choose File to upload a file containing a custom SSL certificate to replace the self-signed certificate generated by Spectra Analyze.Note: Firefox users might encounter issues with custom certificates. The support section explains how to resolve them. |
| Upload certificate private key | This option is on the Update SSL certificate page. Select Choose File to upload a file containing the key that corresponds to the certificate uploaded in the previous option. |
| Reverse proxy configuration | If the appliance is behind a reverse proxy, the following two settings must be configured in order to use the Administration ‣ Configuration ‣ Authentication ‣ Login security ‣ Block login for specific IP address option. |
| HTTP header containing originating IP address | If the appliance is behind a reverse proxy, specify the HTTP header used to identify the originating IP address of a client connecting to the appliance through the reverse proxy. The most commonly used header is “X-Forwarded-For”. |
| Number of trusted reverse proxies | If the appliance is behind a reverse proxy, specify the number of trusted reverse proxies. This setting is used when the originating IP address header is present to identify the correct client IP address. |
| Password list | The appliance uses the passwords defined in this list when attempting to decrypt password-protected compressed files submitted for analysis. Prior to submitting password-protected compressed files to the appliance, users can add the password for each file to this list (one password per line). |
| Enable Root Login via SSH | Select the checkbox to permit SSH root logins to the appliance. Contact ReversingLabs Support for additional information and guidance. |
| Disable SWAP memory | Checking this option will disable the usage of SWAP memory on the appliance. |
SMTP
| Setting | Description |
|---|---|
| Enable SMTP | Select the checkbox to enable the SMTP (Simple Mail Transfer Protocol) service on the appliance. This allows the appliance to send email notifications to a configured email address. If the SMTP service is configured correctly, it will be visible in the External Services Connectivity section on the System Status page. |
| SMTP server | The host to use for sending email. This field is empty by default. For the SMTP service to function properly, the user needs to input the host. |
| SMTP port | Port of the host used for sending email. This field is empty by default. For the SMTP service to function properly, the user needs to input the port. |
| Username | SMTP user name for authentication. |
| Password | SMTP password associated with the specified user name. |
| Default “from” email address | The email address used by the appliance as the “from” address when sending email (for password resets, error alerts…). |
| Use TLS | Select the checkbox to use a secure connection (TLS; Transport Layer Security) when communicating with the SMTP server. |
System Time
| Setting | Description |
|---|---|
| Enable network time synchronization | Select the checkbox to enable server clock synchronization via NTP, which uses port 123. |
| NTP servers | A list of servers, one per line, to use for system clock synchronization. |
Authentication
For authentication options, see Authentication.
Spectra Intelligence
| Setting | Description |
|---|---|
| Spectra Intelligence URL * | The host address for the Spectra Intelligence service. Click Test to check for any connectivity issues. The default URL is https://appliance-api.reversinglabs.com |
| Username * | Spectra Intelligence username for authentication. Every appliance instance must be connected to its own Spectra Intelligence account. Sharing accounts between multiple instances can interfere with the functionality of the appliance (particularly with YARA rule synchronization). |
| Password * | Spectra Intelligence password for authentication. Every appliance instance must be connected to its own Spectra Intelligence account. Sharing accounts between multiple instances can interfere with the functionality of the appliance (particularly with YARA rule synchronization). |
| Timeout | Default Spectra Intelligence service connection timeout in seconds (maximum 1000). It is highly recommended to set this timeout to 1 second in air-gapped networks. |
| Proxy host | Optional proxy host name for routing requests from the appliance to Spectra Intelligence (e.g., 192.168.1.15). If configured, this proxy will also be used by the Local URL crawling method and all integrations on the Spectra Analyze appliance: ReversingLabs Cloud Sandbox and Auxiliary Analysis, Joe Sandbox, FireEye, CAPE, Cuckoo, Cisco Secure Malware Analytics, VMRay. |
| Proxy port | Optional proxy port number (e.g., 1080). |
| Proxy username | Username for proxy authentication (if proxy is configured). |
| Proxy password | Password for proxy authentication (if proxy is configured). |
| Maximum fetch file size | Maximum size of an individual file (in MB) that is allowed to be downloaded from the cloud to Spectra Analyze. The default value is 100 MB, the minimum is 1 MB, and the maximum is 500 MB. Files exceeding the size configured here will have a special indicator icon in the Spectra Analyze interface. This limit also affects URL submissions using the Spectra Intelligence crawling method, where it applies to individual files downloaded from the submitted URL. Files going over this limit will be skipped during URL analysis. |
| Automatic Upload to Spectra Intelligence | Allow files to be automatically uploaded to the cloud whenever they are uploaded to the appliance. |
| Allow Upload of API statistics to Spectra Intelligence | Allows ReversingLabs to collect anonymous API usage statistics related to the cloud. Click Show Example Data to see an example of data being logged and sent. |
T1000 File Reputation Appliance
| Setting | Description |
|---|---|
| T1000 URL * | The host address for the on-premises T1000 File Reputation appliance. |
| Username * | T1000 user name for authentication. Note: this user name needs to be created via the T1000 Web administration application. |
| Password * | T1000 password for authentication. |
| Timeout | Default T1000 service connection timeout in seconds (maximum 1000). |
| Proxy host | Proxy host name for routing request from the appliance to T1000 (e.g., 192.168.1.15). |
| Proxy port | Proxy port number (e.g., 1080). |
| Proxy username | User name for proxy authentication. |
| Proxy password | Password for proxy authentication. |
SNMP
| Setting | Description |
|---|---|
| Enable SNMP service | Select the checkbox to enable the Simple Network Management Protocol service. This must be enabled if the appliance is to be connected to the Spectra Detect Manager. |
| Community | Enter the name of a SNMP community list for authentication. Community is a list of SNMP clients authorized to make requests. The SNMP service will not function properly if this field is not configured. If the appliance is connected to the Spectra Detect Manager, the Manager will not be able to retrieve accurate appliance status information if this field is not configured. |
| Enable trap sink | Select the checkbox to enable sending SNMP traps to the sink server. Traps are asynchronous, unsolicited SNMP messages sent by the SNMP agent to notify about important events on the appliances. The Spectra Analyze appliance supports traps for the events listed in this configuration dialog. |
| Trap community | Enter the SNMP trap community string. If the Enable SNMP service and Enable trap sink checkboxes are selected, then this field is required. |
| Trap sink server | Enter the host name or the IP address of the trap sink server. The sink server is the location to which SNMP traps will be sent. If the Enable SNMP service and Enable trap sink checkboxes are selected, then this field is required. |
| Supported events | A set of configuration fields allowing the user to set the thresholds (values that will trigger an SNMP trap) for supported types of events. Thresholds can be configured for average system load in 1, 5, and 10 minutes (as percentage), used memory and used disk space (as percentage), the size of Spectra Detect queues (maximum value is 20000) and the size of the classifications queue (maximum value is 20000). Read more about SNMP Trap Thresholds. |
System Alerting
| Setting | Description |
|---|---|
| SYSTEM ALERTING | |
| Enable | Select the checkbox to receive alerts about the status of critical system services to the syslog server. Read more about which services are supported in the System Alerting section. |
| Host | Host address of the remote syslog server to send alerts to. |
| Port | Port of the remote syslog server. |
| Protocol | Communication protocol to use when sending alerts to remote syslog server. Options are TCP (default) and UDP. |
| Enable audit logs to be sent to syslog server | Select the checkbox to enable forwarding appliance audit logs to the configured syslog server. This option is disabled by default, which means that audit logs are not automatically sent to syslog until this option is enabled. Enabling it will increase the traffic between the appliance and the syslog server. |
| EMAIL ALERTING | |
| Enable | Select the checkbox to receive alerts about the status of critical system services to the configured email address. |
| Email error alerts to | The appliance administrator’s email address for receiving error alerts. |
Spectra Detect Processing Settings
| Setting | Description |
|---|---|
| Processing Settings | The settings determine which file formats will be unpacked by Spectra Core for detailed analysis. Choose between “Fast”, “Best”, and “Normal”. “Best” fully processes all formats supported by the appliance. “Normal” and “Fast” both process a limited set of file formats, but “Normal” supports more formats than “Fast”. When “Fast” or “Normal” is selected, a list of formats that will not be fully processed is displayed. The Spectra Analyze will display only a basic set of information on the Sample Details page for those file formats. |
| Enable ReversingLabs File Reputation | Allows Spectra Core to retrieve classification information from Spectra Intelligence or T1000 during sample analysis. If both file reputation services are configured on the appliance, T1000 has priority and will be used by Spectra Core to classify samples. When this option is enabled, classification information on the Sample Details > Summary and Sample Details > Timeline pages will indicate that the sample was classified by “Spectra Core Spectra Intelligence”. All samples classified in this way will automatically be assigned a System Tag called cloud. This option is enabled by default. |
| Enable classification propagation | Spectra Core performs file unpacking during analysis, then analyzes and classifies those unpacked (“children”) files along with their “parent” file. When this option is enabled, classification propagation makes it possible to classify parent files based on the content extracted from them. This means that a file containing a malicious/suspicious file will also be considered malicious/suspicious. This option is enabled by default. |
| Maximum duration of temporary report retention period | When sample analysis reports are created on the appliance, they are collected in a queue before storing report metadata in the appliance database. After the metadata is successfully stored, report files are deleted from the appliance. To prevent premature removal of those report files, the report retention period can be configured by adjusting this value. Try increasing this value if large samples fail to process. If disk consumption is high, decrease this value. The value should be configured in minutes. The default is 7200 (5 days). Allowed values: 30 to 20160 (14 days). |
| Classification Scanner Configuration | These technologies work together to determine what the final file classification should be. Enabling/disabling these scanners or suppressing certain low-risk threat types allows fine-tuning of the final classification outcome. Enabling classification detection suppression for any of the threat types will make the engine report the detected threat, but this detection will be ignored during file classification. Should this detection be the only one, with no higher risk detections within the same package, the file will be considered graylisted due to user configuration. |
| Images | Image format threat detection. Spectra Core applies image format specific signatures and heuristics to detect threats. Signatures are applied during format validation to detect known exploits. As opposed to them, heuristics can detect client or server-side code embedded in the image stream or data properties. Heuristics are predictive detection technologies and they refer to both manually written and machine learning algorithms. When a detection is made with this technology, the scanner name will be reported as *Spectra Core /<UnpackerName> Unpacker*. |
| PECOFF | Windows executable format validation and threat detection. PECOFF is a complex executable format for which Spectra Core has a dedicated parser. This technology performs in-depth format validation and is capable of detecting malformations that can be related to threat detection evasion attempts. Existence of such data structures and header values can be sufficient to declare the file as suspicious. However, it is possible that files damaged during transport exhibit the same kind of traits as malformed ones. If there’s a high likelihood of data corruption during file collection this option can be disabled to reduce unwanted detections. When a detection is made with this technology, the scanner name will be reported as Spectra Core PECOFF Validator. |
| Documents | Document format threat detection. Spectra Core applies document format-specific signatures and heuristics to detect threats. Signatures are applied during format validation to detect known exploits. Other types of threats are detected with heuristics. These refer to predictive detection technologies and they cover both manually written and machine learning algorithms. Heuristic algorithms are typically applied to scripts and macros within documents to identify threats that are hard to describe using conventional signatures. When a detection is made with this technology, the scanner name will be reported as Spectra Core Document Classifier. |
| Certificates | Digital certificate validation and threat detection. Certificates are used to sign documents, archives, applications and software packages. Their digital signatures guarantee the origin and integrity of the file they are signing. Spectra Core performs digital certificate chain validation and can both blacklist and whitelist files based on digital signatures. During validation, additional checks are performed to ensure that the certificate is properly formed and that it hasn’t been revoked. Issues that the engine encounters during validation can be translated to classification. For example, if a file fails integrity validation, it will be classified as suspicious due to tampering after it was signed. However, it is possible that files damaged during transport exhibit the same kind of traits as tampered ones. If there’s a high likelihood of data corruption during file collection, this option can be disabled to reduce unwanted detections. When a detection is made using this technology, the scanner name will be reported as Spectra Core Certificate Validator. |
| Hyperlinks | Embedded hyperlink threat detection. Spectra Core performs static analysis to collect embedded hyperlinks from supported file types during extraction. Hyperlinks are identified both generically, from any file type, and specifically, from formats that have dedicated parsers. Collected hyperlinks are then classified with heuristic algorithms that look for spoofed, typosquatted, open redirect risks that could trick the user into visiting misleading websites. In addition to heuristics, Spectra Core has an offline database of blacklisted domains that are used to enhance the hyperlink classification coverage. When a detection is made using this technology, the scanner name will be reported as Spectra Core URL Classifier. |
| Emails | Phishing and email threat detection. Spectra Core applies email content specific heuristics to dangerous messages. These threat detection heuristics look for patterns commonly found in phishing attacks, such as deceptive senders and email bodies that resemble popular service providers. In addition to heuristics, Spectra Core has an offline database of blacklisted domains that are used to enhance the email classification coverage. When a detection is made with this technology, the scanner name will be reported as Spectra Core Email Classifier. |
| Ignore the Following Threat Types | Selected Threat Types will be excluded from final classification decision. Should this skipped detection be the only one, with no higher risk detections within the same package, the file will be considered Goodware, and the classification reason will be Graylisting. |
| Ignore adware | Ignore classification result that matches adware. |
| Ignore packer | Ignore classification result that matches packers. |
| Ignore riskware (PUA) | Ignore classification result that matches riskware. |
| Ignore hacktool | Ignore classification result that matches hacktool. |
| Ignore spyware | Ignore classification result that matches spyware. |
| Ignore spam | Ignore classification result that matches spam. |
| CEF Classification Message Logging | Enable to send sample classification messages to syslog. The hash type to be logged can be MD5, SHA1 or SHA256. |
Resource Usage Limits
| Setting | Description |
|---|---|
| Memory Limit | The percentage of used memory is 90 by default. The minimum percentage is 75, while the maximum is 100. Set this value to 100 to disable the limit entirely. |
| Processing Queue Limit | The number of messages is 50 by default, while the minimum number is 10. Set this value to 0 to disable the limit entirely. |
| Hagent Input Queue Limit | The number of messages is 50 by default, while the minimum number is 10. Set this value to 0 to disable the limit entirely. |
| Collector Queue Limit | The number of messages is 50 by default, while the minimum number is 10. Set this value to 0 to disable the limit entirely. |
| Classifier Queue Limit | The number of messages is 50 by default, while the minimum number is 10. Set this value to 0 to disable the limit entirely. |
| Maximum Percent Usage Limit Cutoff for Uploads | The percent of the disk that can be allocated to uploads. By default, it is 95. The minimum value is 75, the maximum is 99. |
Backup & Purge
| Setting | Description |
|---|---|
| Enable backup & purge | Select the checkbox to enable the Backup & Purge features. When this checkbox is selected, a new icon for Backup & Purge” is visible on the Administration page, allowing access to additional options. By default, the Purge task runs every day at midnight and removes data according to the settings configured here. It is also possible to run the Backup or Purge task at any time and manage database backups from the Backup and Purge page. |
| Purge data older than | Choose the time interval after which the data will be considered old and will be purged automatically. Default is one month; other options are: 1 week, 2 weeks, 3 months, 6 months, and 12 months. The data includes samples stored on Spectra Analyze and the database. |
| Select at least one classification to be purged | When one or more classification statuses are selected here, only the samples with those statuses will be removed from the appliance by the Purge task. It is possible to select any combination of statuses (Malicious, Suspicious, Goodware, Unknown, Error State). By default, all except Malicious and Error State are selected. |
| Purge schedule | This section allows users to schedule how often the Purge task should run (monthly, weekly, daily). Additional options apply depending on the selected frequency (day of the month for monthly purge; day(s) of the week for weekly purge). If available, statistics from previous Purge tasks are displayed to help determine the optimal schedule. |
| Hour of the day (UTC) | Select at which hour of the day the Purge task should run (in UTC). The time selected here also applies to the daily maintenance task. The daily maintenance task will run at the hour selected here if the disk usage exceeds 65% and if it has not been run in the past 24 hours. |
| Backup database before purging | Select the checkbox to enable automatic backups before purging the data. Every new backup overwrites the previous one, so make sure to download and store them separately to a different location. |
Alert Management
| Setting | Description |
|---|---|
| Purge alerts older than | Choose the time interval after which the alerts collected on Spectra Analyze (on the Alerts page) will be removed automatically. Default is 3 months; other supported options are 1 month and 6 months. |
Spectra Detect Worker Store Integration
| Setting | Description |
|---|---|
| Bucket Connection Mappings | Allows the use of up to 10 different mapping groups for different output buckets. Click Add Mapping to add such a mapping. |
| AWS S3 Buckets List | A list of S3 buckets. The bucket name can be between 3 and 63 characters long, and can contain only lower-case characters, numbers, periods, and dashes. Each label in the bucket name must start with a lowercase letter or number. The bucket name cannot contain underscores, end with a dash, have consecutive periods, or use dashes adjacent to periods. The bucket name cannot be formatted as an IP address. |
| AWS S3 Access Key ID | The Access Key ID for AWS S3 account authentication. After providing the Key ID, Access Key, and Endpoint URL values, click Test to verify that the appliance can successfully connect to the configured AWS S3 account. Using a custom root CA certificate can cause the connection to fail. If this happens, the custom certificate file should be uploaded to the appliance. Consult ReversingLabs Support for assistance. In cases where the appliance is hosted by ReversingLabs and Role ARN is used, this value will be provided by ReversingLabs. |
| AWS S3 Secret Access Key | The Secret Access Key for AWS S3 account authentication. In cases where the appliance is hosted by ReversingLabs and Role ARN is used, this value will be provided by ReversingLabs. |
| AWS S3 Endpoint URL | Enter the S3 Endpoint URL to use S3 over HTTP. |
| Enable Role ARN | Enables or disables authentication using an external AWS role. The IAM role will be used to obtain temporary tokens which allow ingesting files from S3 buckets without using the customer secret access key. |
| Role ARN | The role ARN created using the external role ID and an Amazon ID. In other words, the ARN which allows the appliance to obtain a temporary token, which then allows it to connect to S3 buckets without using the customer secret access key. |
| External ID | The external ID of the role that will be assumed. Usually, it’s an ID provided by the entity which uses (but doesn’t own) an S3 bucket. The owner of that bucket takes the external ID and creates an ARN with it. |
| ARN Session Name | Name of the session visible in AWS logs. Can be any string. |
| Token Duration in seconds | How long before the authentication token expires and is refreshed. The minimum value is 900 seconds. |
| Refresh Buffer | Number of seconds defined to fetch a new ARN token before the token timeout is reached. This must be a positive number, and the default value is 5. |
| AWS S3 Region | The default value is us-east-1. |
| AWS S3 Signature | Used to authenticate requests to the S3 service. In most AWS regions, only Signature Version 4 is supported. For AWS regions other than us-east-1 , the value s3v4 must be configured here. |
| AWS S3 Number of Connection Retries | Maximum number of retries when saving a report to an S3-compatible server. |
| Verify the HTTPS connection against the CA bundle | This checkbox enables SSL verification in case of an https connection. |
| CA Path | This is the path on the file system pointing to the certificate of a custom (self-hosted) S3 server. |
| S3 Bucket Folder | Enables specifying and targeting S3 bucket folders. |
| Spectra Detect Worker Store Integration Behavior Options | The options allow storing samples unprotected and uncompressed with the sample SHA1 as the default S3, or storing them as ZIP files optionally protected with a password. |
| Zip password | The password to use for protecting compressed files. This setting is optional and it is applied only when the behavior option with ZIP files is selected in the previous section. |
YARA Cloud Settings
| Setting | Description |
|---|---|
| Enable automatic upload of YARA ruleset to Spectra Intelligence | This option is disabled by default. When it is enabled, new YARA rulesets created on the appliance are automatically synchronized with Spectra Intelligence. Additionally, the “Run ruleset continuously in Spectra Intelligence” checkbox in the YARA ruleset editor is automatically selected. Selecting this checkbox automatically selects the option “Automatic disabling of Cloud enabled YARA rulesets”. |
| Automatic retro run of Cloud enabled YARA rulesets | This option is disabled by default. When it is enabled, YARA rulesets that are synchronized with Spectra Intelligence will be automatically scheduled for a Cloud retro scan. The Cloud retro scan is started after the ruleset is successfully validated. This applies to new rulesets created on the appliance, and to existing rulesets that are edited and synchronized with Spectra Intelligence by selecting the “Run ruleset continuously in Spectra Intelligence” checkbox in the YARA ruleset editor. The option does not apply to Spectra Core rulesets. |
| Automatic disabling of Cloud enabled YARA rulesets | When this option is enabled, YARA rulesets synchronized with Spectra Intelligence will be automatically de-synchronized when they reach the maximum amount of matches (10 000) in the cloud system. They will stop receiving new cloud matches until at least 1000 or more matches are removed by the user from the YARA page. When 1000 matches are removed, the ruleset will automatically synchronize with Spectra Intelligence again and start receiving new matches. This option gets automatically enabled when the first checkbox is selected (“Enable automatic upload of YARA ruleset to Spectra Intelligence”). |
URL Analysis
| Setting | Description |
|---|---|
| Default crawl method | The default crawling method to be used when submitting URLs for analysis: Local or TiCloud. For more information on these options, refer to the Privacy of Submitted Files chapter of the user guide. |
| URL analysis timeout | The time (in seconds) to spend downloading a URL for analysis. This setting applies only to the Local crawl method. |
| Maximum download size | Set the maximum allowed file size (in megabytes) that can be downloaded from each URL submitted to the appliance. The value configured here is not enforced when downloading a single file directly from a URL. It only applies when data is retrieved recursively by crawling links on the submitted URL. The default is 200 MB, and the maximum is 700 MB. When using the Spectra Intelligence crawling method, individual files retrieved from the submitted URL will also be compared against the Maximum Fetch File Size value in Spectra Intelligence settings and skipped if larger. |
| Maximum number of attempts | Set the maximum number of times a file download will be attempted. Fatal errors like ‘File Not Found’ or ‘Connection Refused’ are not retried. This setting applies only to the Local crawl method. |
| Enable user agent | Enabling this option will allow setting a custom user agent string to be used when crawling URLs using the local crawling method. |
Multi-Scanner Tile
| Setting | Description |
|---|---|
| Enterprise AV Scanners | The selected AV scanners will be highlighted on the Sample Summary screen within the Multi Scanner tile, helping users to confirm detection efficacy of locally deployed scanners or scanners of interest |
System Health
| Setting | Description |
|---|---|
| System Health Indicator | |
| CPU Load Percentage Limit | The percentage of CPU usage is set to 95 by default. |
| Free Memory Percent Limit | The percentage of free memory is set to 10 by default. |
| Used Disk Space Percent Limit | The percentage of used disk space is set to 70 by default. All devices are checked and the red indicator is triggered if any of the devices is over the limit. |
| Queue Limits | |
| Classifier Queue Limit | The number of messages is limited to 50 by default. The red indicator is triggered if it contains more than the maximum number of messages. |
| Collector Queue LImit | The number of messages is limited to 50 by default. The red indicator is triggered if it contains more than the maximum number of messages. |
| Hagent Retry Queue LImit | The number of messages is limited to 50 by default. The red indicator is triggered if it contains more than the maximum number of messages. |
| Hagent Input Queue LImit | The number of messages is limited to 50 by default. The red indicator is triggered if it contains more than the maximum number of messages. |
Appliances Search
| Setting | Description |
|---|---|
| Enable Appliances Search | The appliance needs to be connected to and authorized on the Spectra Detect Manager for the Appliances Search to work. Select the checkbox to enable searching for samples on other appliances connected to the same Manager. This feature also allows searching for samples on the current appliance from other instances connected to the same Manager. Samples can be searched by file name, and single or multiple hashes from the Sample Search bar on the Submissions page. |
| Enable Syncing | Select the checkbox to enable YARA ruleset synchronization to other appliances from the current appliance, and vice versa. Appliances need to be connected to the Spectra Detect Manager, and the synchronization needs to be configured on Spectra Detect Manager first. This option is not visible if Spectra Analyze is not connected to a Spectra Detect Manager instance with enabled synchronization. |