| appliance.configMode | string | "STANDARD" | Configuration mode of the appliance. Allowed values: CONFIGMAP (Configuration is provided with configmap), STANDARD (configuration is provided over UI). |
| configuration.a1000 | object | - | Integration with Spectra Analyze appliance. |
| configuration.a1000.host | string | "" | The hostname or IP address of the A1000 appliance associated with the Worker. |
| configuration.adl | object | - | Settings for storing files in an Azure Data Lake container. |
| configuration.adl.container | string | "" | The hostname or IP address of the Azure Data Lake container that will be used for storage. Required when storing files in ADL is enabled. |
| configuration.adl.enabled | bool | false | Enable or disable the storage of processed files. |
| configuration.adl.folder | string | "" | Specify the name of the folder on the container where files will be stored. |
| configuration.apiServer | object | - | Configures a custom Worker IP address which is included in the response when uploading a file to the Worker for processing. |
| configuration.apiServer.host | string | "" | Configures the hostname or IP address of the Worker. Only necessary if the default IP address or network interface is incorrect. |
| configuration.archive | object | - | After processing, files can be zipped before external storage. Available only for S3 and Azure. |
| configuration.archive.fileWrapper | string | "" | Specify whether the files should be compressed as a ZIP archive before uploading to external storage. Supported values are: zip, mzip. If this parameter is left blank, files will be uploaded in their original format. |
| configuration.archive.zipCompress | int | 0 | ZIP compression level to use when storing files in a ZIP file. Allowed range: 0 (no compression) to 9 (maximum compression). |
| configuration.archive.zipMaxfiles | int | 0 | Maximum allowed number of files that can be stored in one ZIP archive. Allowed range: 1-65535. 0 represents unlimited. |
| configuration.authentication | object | - | Authentication settings for Detect Worker. |
| configuration.authentication.enabled | bool | false | Enable/disable authentication on Detect Worker ingress APIs. |
| configuration.authentication.externalAuthUrl | string | "" | If set, an external/custom authentication service is used for authentication; otherwise, a simple Token service is deployed, which protects paths with tokens defined in the secrets. |
| configuration.aws | object | - | Configuration of integration with AWS or AWS-compatible storage to be used for SNS, and for uploading files and analysis reports to S3. |
| configuration.aws.caPath | string | "" | Path on the file system pointing to the certificate of a custom (self-hosted) S3 server. |
| configuration.aws.endpointUrl | string | "" | Only required in non-AWS setups in order to store files to an S3-compatible server. When this parameter is left blank, the default is https://aws.amazonaws.com. Supported pattern(s): https?://.+ |
| configuration.aws.maxReattempts | int | 5 | Maximum number of retries when saving a report to an S3-compatible server. |
| configuration.aws.payloadSigningEnabled | bool | false | Specifies whether to include an SHA-256 checksum with Amazon Signature Version 4 payloads. |
| configuration.aws.region | string | "us-east-1" | Specify the correct AWS geographical region where the S3 bucket is located. Required parameter, ignored for non-AWS setups. |
| configuration.aws.serverSideEncryption | string | "" | Specify the encryption algorithm used on the target S3 bucket (e.g. aws:kms or AES256). |
| configuration.aws.sslVerify | bool | false | Enable/disable SSL verification. |
| configuration.awsRole | object | - | Configures the AWS IAM roles used to access S3 buckets without sharing secret keys. The IAM role which will be used to obtain temporary tokens has to be created in the AWS console. |
| configuration.awsRole.enableArn | bool | false | Enables or disables this entire feature. |
| configuration.awsRole.externalRoleId | string | "" | The external ID of the role that will be assumed. This can be any string. Usually, it’s an ID provided by the entity which uses (but doesn’t own) an S3 bucket. The owner of that bucket takes that external ID and builds an ARN with it. |
| configuration.awsRole.refreshBuffer | int | 5 | Number of seconds to fetch a new ARN token before the token timeout is reached. |
| configuration.awsRole.roleArn | string | "" | The role ARN created using the external role ID and an Amazon ID. In other words, the ARN which allows a Worker to obtain a temporary token, which then allows it to save to S3 buckets without a secret access key. |
| configuration.awsRole.roleSessionName | string | "" | Name of the session visible in AWS logs. Can be any string. |
| configuration.awsRole.tokenDuration | int | 900 | How long before the authentication token expires and is refreshed. The minimum value is 900 seconds. |
| configuration.azure | object | - | Configures integration with Azure Data Lake Gen2 for the purpose of storing processed files in Azure Data Lake containers. |
| configuration.azure.endpointSuffix | string | "core.windows.net" | Specify the suffix for the address of your Azure Data Lake container. |
| configuration.callback | object | - | Settings for automatically sending file analysis reports via POST request. |
| configuration.callback.advancedFilterEnabled | bool | false | Enable/disable the advanced filter. |
| configuration.callback.advancedFilterName | string | "" | Name of the advanced filter. |
| configuration.callback.caPath | string | "" | If the url parameter is configured to use HTTPS, this parameter can be used to set the path to the certificate file. This automatically enables SSL verification. If this parameter is left blank or not configured, SSL verification will be disabled, and the certificate will not be validated. |
| configuration.callback.enabled | bool | false | Enable/disable connection. |
| configuration.callback.maliciousOnly | bool | false | When set, the report will only contain malicious and suspicious children. |
| configuration.callback.reportType | string | "medium" | Specifies which report_type is returned. By default, or when empty, only the medium (summary) report is provided in the callback response. Set to extended_small, small, medium or large to view results of filtering the full report. |
| configuration.callback.splitReport | bool | false | By default, reports contain information on parent files and all extracted children files. If set to true, reports for extracted files will be separated from the full report and saved as standalone files. If any user-defined data was appended to the analyzed parent file, it will be included in every split child report. |
| configuration.callback.sslVerify | bool | false | Enable/disable SSL verification. |
| configuration.callback.timeout | int | 5 | Specify the number of seconds to wait before the POST request times out. In case of failure, the Worker will retry the request up to six times, increasing the waiting time between requests after the second retry has failed. With the default timeout set, the total possible waiting time before a request finally fails is 159 seconds. |
| configuration.callback.topContainerOnly | bool | false | If set to true, the reports will only contain metadata for the top container. Reports for unpacked files will not be generated. |
| configuration.callback.url | string | "" | Specify the full URL that will be used to send the callback POST request. Both HTTP and HTTPS are supported. If this parameter is left blank, reports will not be sent, and the callback feature will be disabled. Supported pattern(s): https?://.+ |
| configuration.callback.view | string | "" | Specifies whether a custom report view should be applied to the report. |
| configuration.cef | object | - | Configures Common Event Format (CEF) settings. CEF is an extensible, text-based logging and auditing format that uses a standard header and a variable extension, formatted as key-value pairs. |
| configuration.cef.cefMsgHashType | string | "md5" | Specify the type of hash that will be included in CEF messages. Supported values are: md5, sha1, sha256. |
| configuration.cef.enableCefMsg | bool | false | Enable or disable sending CEF messages to syslog. Defaults to false to avoid flooding. |
| configuration.classify | object | - | Configure settings for Worker analysis and classification of files using the Spectra Core static analysis engine. |
| configuration.classify.certificates | bool | true | Enable checking whether the file certificate passes certificate validation, in addition to checking certificate whitelists and blacklists. |
| configuration.classify.documents | bool | true | Enable document format threat detection. |
| configuration.classify.emails | bool | true | Enable detection of phishing and other email threats. |
| configuration.classify.hyperlinks | bool | true | Enable embedded hyperlinks detection. |
| configuration.classify.ignoreAdware | bool | false | When set to true, classification results that match adware will be ignored. |
| configuration.classify.ignoreHacktool | bool | false | When set to true, classification results that match hacktool will be ignored. |
| configuration.classify.ignorePacker | bool | false | When set to true, classification results that match packer will be ignored. |
| configuration.classify.ignoreProtestware | bool | false | When set to true, classification results that match protestware will be ignored. |
| configuration.classify.ignoreRiskware | bool | false | When set to true, classification results that match riskware will be ignored. |
| configuration.classify.ignoreSpam | bool | false | When set to true, classification results that match spam will be ignored. |
| configuration.classify.ignoreSpyware | bool | false | When set to true, classification results that match spyware will be ignored. |
| configuration.classify.images | bool | true | When true, the heuristic image classifier for supported file formats is used. |
| configuration.classify.pecoff | bool | true | When true, the heuristic Windows executable classifier for supported PE file formats is used. |
| configuration.cleanup | object | - | Configures how often the Worker file system is cleaned up. |
| configuration.cleanup.fileAgeLimit | int | 1440 | Time before an unprocessed file present on the appliance is deleted, in minutes. |
| configuration.cleanup.taskAgeLimit | int | 90 | Time before analysis reports and records of processed tasks are deleted, in minutes. |
| configuration.cleanup.taskUnprocessedLimit | int | 1440 | Time before an incomplete processing task is canceled, in minutes. |
| configuration.cloud | object | - | Configures integration with the Spectra Intelligence service or a T1000 instance to receive additional classification information. |
| configuration.cloud.enabled | bool | false | Enable/disable connection. |
| configuration.cloud.proxy | object | - | Configure an optional proxy connection. |
| configuration.cloud.proxy.enabled | bool | false | Enable/disable proxy server. |
| configuration.cloud.proxy.port | int | 8080 | Specify the TCP port number if using an HTTP proxy. Allowed range(s): 1 … 65535. Required only if proxy is used. |
| configuration.cloud.proxy.server | string | "" | Proxy hostname or IP address for routing requests from the appliance to Spectra Intelligence. Required only if proxy is used. |
| configuration.cloud.server | string | "https://appliance-api.reversinglabs.com" | Hostname or IP address of the Spectra Intelligence server. Required if Spectra Intelligence integration is enabled. Format: https://<ip_or_hostname>. |
| configuration.cloud.timeout | int | 6 | Specify the number of seconds to wait when connecting to Spectra Intelligence before terminating the connection request. |
| configuration.cloudAutomation | object | - | Configures the Worker to automatically submit files to Spectra Intelligence for antivirus scanning (in addition to local static analysis and remote reputation lookup (from previous antivirus scans)). |
| configuration.cloudAutomation.dataChangeSubscribe | bool | false | Subscribe to the Spectra Intelligence data change notification mechanism. |
| configuration.cloudAutomation.spexUpload | object | - | Scanning settings. |
| configuration.cloudAutomation.spexUpload.enabled | bool | false | Enable/disable this feature. |
| configuration.cloudAutomation.spexUpload.rescanEnabled | bool | true | Enable/disable rescan of files upon submission based on the configured interval to include the latest AV results in the reports. |
| configuration.cloudAutomation.spexUpload.rescanThresholdInDays | int | 3 | Set the interval in days for triggering an AV rescan. If the last scan is older than the specified value, a rescan will be initiated. A value of 0 means files will be rescanned with each submission. |
| configuration.cloudAutomation.spexUpload.scanUnpackedFiles | bool | false | Enable/disable sending unpacked files to Deep Cloud Analysis for scanning. Consumes roughly double the processing resources compared to standard analysis. |
| configuration.cloudAutomation.waitForAvScansTimeoutInMinutes | int | 240 | Sets the maximum wait time (in minutes) for Deep Cloud Analysis to complete. If the timeout is reached, the report will be generated without the latest AV results. |
| configuration.cloudAutomation.waitForAvScansToFinish | bool | false | If set to true, delays report generation until Deep Cloud Analysis completes, ensuring the latest AV results are included. |
| configuration.cloudCache.cacheMaxSizePercentage | float | 6.25 | Maximum cache size expressed as a percentage of the total allocated RAM on the Worker. Allowed range: 5 - 15. |
| configuration.cloudCache.cleanupWindow | int | 10 | How often to run the cache cleanup process, in minutes. It is advisable for this value to be lower than or equal to the TTL value. Allowed range: 5 - 60. |
| configuration.cloudCache.enabled | bool | true | Enable or disable the caching feature. |
| configuration.cloudCache.maxIdleUpstreamConnections | int | 50 | The maximum number of idle upstream connections. Allowed range: 10 - 50. |
| configuration.cloudCache.ttl | int | 240 | Time to live for cached records, in minutes. Allowed range: 1 - 7200. |
| configuration.general.maxUploadSizeMb | int | 2048 | The largest file (in MB) that Worker will accept and start processing. Ignored if Spectra Intelligence is connected and file upload limits are set there. |
| configuration.general.postprocessingCheckThresholdMins | int | 720 | How often the postprocessing service will be checked for timeouts. If any issues are detected, the process will be restarted. |
| configuration.general.tsWorkerCheckThresholdMins | int | 720 | How often the processing service will be checked for timeouts. If any issues are detected, the process will be restarted. |
| configuration.general.uploadSizeLimitEnabled | bool | false | Whether or not the upload size filter is active. Ignored if Spectra Intelligence is connected and file upload limits are set there. |
| configuration.hashes | object | - | Spectra Core calculates file hashes during analysis and includes them in the analysis report. The following options configure which additional hash types should be calculated and included in the Worker report. SHA1 and SHA256 are always included and therefore aren’t configurable. Selecting additional hash types (especially SHA384 and SHA512) may slow report generation. |
| configuration.hashes.enableCrc32 | bool | false | Include CRC32 hashes in reports. |
| configuration.hashes.enableMd5 | bool | true | Include MD5 hashes in reports. |
| configuration.hashes.enableSha384 | bool | false | Include SHA384 hashes in reports. |
| configuration.hashes.enableSha512 | bool | false | Include SHA512 hashes in reports. |
| configuration.hashes.enableSsdeep | bool | false | Include SSDEEP hashes in reports. |
| configuration.hashes.enableTlsh | bool | false | Include TLSH hashes in reports. |
| configuration.health | object | - | Configures the system health check. |
| configuration.health.disk_high | int | 95 | Threshold for high disk usage. |
| configuration.health.enabled | bool | true | Enable/disable system health check. |
| configuration.health.queue_high | int | 2000 | Specify the maximum number of items allowed in the queue. If it exceeds the configured value, the appliance will start rejecting traffic. Allowed range(s): 10+ |
| configuration.logging | object | - | Configures the severity above which events will be logged or sent to a remote syslog server. Severity can be: INFO, WARNING, or ERROR. |
| configuration.logging.tiscaleLogLevel | string | "INFO" | Events below this level will not be saved to logs (/var/log/messages and /var/log/tiscale/*.log). |
| configuration.msGraph.enabled | bool | false | Turns the Microsoft Cloud Storage file integration on or off. |
| configuration.msGraph.folder | string | "" | Folder where samples will be stored in Microsoft Cloud Storage. |
| configuration.msGraphGeneral | object | - | Configures the general options for the Microsoft Cloud Storage integration. |
| configuration.msGraphGeneral.customDomain | string | "" | Application’s custom domain configured in the Azure portal. |
| configuration.msGraphGeneral.siteHostname | string | "" | Used only if storageType is set to SharePoint. This is the SharePoint hostname. |
| configuration.msGraphGeneral.siteRelativePath | string | "" | SharePoint Online site relative path. Only used when storageType is set to SharePoint. |
| configuration.msGraphGeneral.storageType | string | "onedrive" | Specifies the storage type. Supported values are: onedrive or sharepoint. |
| configuration.msGraphGeneral.username | string | "" | Used only if storageType is set to OneDrive. Specifies which user’s drive will be used. |
| configuration.processing | object | - | Configure the Worker file processing capabilities to improve performance and load balancing. |
| configuration.processing.cacheEnabled | bool | false | Enable/disable caching. When enabled, Spectra Core can skip reprocessing the same files (duplicates) if uploaded consecutively in a short period. |
| configuration.processing.cacheTimeToLive | int | 0 | If file processing caching is enabled, specify how long (in seconds) the analysis reports should be preserved in the cache before they expire. A value of 0 uses the default. Default: 600. Maximum: 86400. |
| configuration.processing.depth | int | 0 | Specifies how "deep" a file is unpacked. By default, when set to 0, Workers will unpack files recursively until no more files can be unpacked. Setting a value greater than 0 limits the depth of recursion, which can speed up analyses but provide less detail. |
| configuration.processing.largefileThreshold | int | 100 | If advanced mode is enabled, files larger than this threshold (in MB) will be processed individually, one by one. This parameter is ignored in standard mode. |
| configuration.processing.mode | int | 2 | Configures the Worker processing mode to improve load balancing. Supported modes are standard (1) and advanced (2). |
| configuration.processing.timeout | int | 28800 | Specifies how many seconds the Worker should wait for a file to process before terminating the task. Default: 28800. Maximum: 259200. |
| configuration.propagation | object | - | Configure advanced classification propagation options supported by the Spectra Core static analysis engine. When Spectra Core classifies files, the classification of a child file can be applied to the parent file. |
| configuration.propagation.enabled | bool | true | Enable/disable the classification propagation feature. When propagation is enabled, files can be classified based on the content extracted from them. This means that files containing a malicious or suspicious file will also be considered malicious or suspicious. |
| configuration.propagation.goodwareOverridesEnabled | bool | true | Enable/disable goodware overrides. When enabled, any files extracted from a parent file and whitelisted by certificate, source or user override can no longer be classified as malicious or suspicious. This is an advanced goodware whitelisting technique that can be used to reduce the amount of false positive detections. |
| configuration.propagation.goodwareOverridesFactor | int | 1 | When goodware overrides are enabled, this parameter must be configured to determine the factor to which overrides will be applied. Supported values are 0 to 5, where zero represents the best trust factor (highest confidence that a sample contains goodware). Overrides will apply to files with a trust factor equal to or lower than the value configured here. |
| configuration.report | object | - | Configure the contents of the Spectra Detect file analysis report. |
| configuration.report.firstReportOnly | bool | false | If disabled, the reports for samples with child files will include relationships for all descendant files. Enabling this setting will only include relationship metadata for the root parent file to reduce redundancy. |
| configuration.report.includeStrings | bool | false | When enabled, strings are included in the file analysis report. Spectra Core can extract strings from binaries. This can be useful but may result in extensive metadata. To reduce noise, the types of included strings can be customized in the strings section. |
| configuration.report.networkReputation | bool | false | If enabled, analysis reports include a top-level network_reputation object with reputation information for every extracted network resource. For this feature, Spectra Intelligence must be configured on the Worker, and the ticore.processingMode option must be set to "best". |
| configuration.report.relationships | bool | false | Includes sample relationship metadata in the file analysis report. When enabled, the relationships section lists the hashes of files found within the given file. |
| configuration.reportAdl | object | - | Settings to configure how reports saved to Azure Data Lake are formatted. |
| configuration.reportAdl.archiveSplitReport | bool | true | Enable sending a single, smaller archive of split report files to ADL instead of each file. Relevant only when the 'Split report' option is used. |
| configuration.reportAdl.container | string | "" | Container where reports will be stored. Required when this feature is enabled. |
| configuration.reportAdl.enabled | bool | false | Enable/disable storing file processing reports to ADL. |
| configuration.reportAdl.filenameTimestampFormat | string | "" | File naming pattern for the report itself. A timestamp is appended to the SHA1 hash of the file. The timestamp format must follow the strftime specification and be enclosed in quotation marks. If not specified, the ISO 8601 format is used. |
| configuration.reportAdl.folder | string | "" | Specify the name of a folder where analysis reports will be stored. If the folder name is not provided, files are stored into the root of the configured container. |
| configuration.reportAdl.folderOption | string | "date_based" | Select the naming pattern that will be used when automatically creating subfolders for storing analysis reports. Supported options are: date_based (YYYY/mm/dd/HH), datetime_based (YYYY/mm/dd/HH/MM/SS), and sha1_based (using the first 4 characters of the file hash). |
| configuration.reportAdl.maliciousOnly | bool | false | When set, the report will only contain malicious and suspicious children. |
| configuration.reportAdl.reportType | string | "large" | Specify the report type that should be applied to the Worker analysis report before storing it. Report types are results of filtering the full report. In other words, fields can be included or excluded as required. Report types are stored in the /etc/ts-report/report-types directory. |
| configuration.reportAdl.splitReport | bool | false | By default, reports contain information on parent files and all extracted children files. When this option is enabled, analysis reports for extracted files are separated from their parent file report, and saved as individual report files. |
| configuration.reportAdl.timestampEnabled | bool | true | Enable/disable appending a timestamp to the report name. |
| configuration.reportAdl.topContainerOnly | bool | false | When enabled, the file analysis report will only include metadata for the top container and subreports for unpacked files will not be generated. |
| configuration.reportAdl.view | string | "" | Apply a view for transforming report data to the “large” report type to ensure maximum compatibility. Several existing views are also available as report types, which should be used as a view substitute due to performance gains. Custom views can be defined by placing the scripts in the “/usr/libexec/ts-report-views.d” directory on Spectra Detect Worker. |
| configuration.reportApi | object | - | Configures the settings applied to the file analysis report fetched using the GET endpoint. |
| configuration.reportApi.maliciousOnly | bool | false | Report contains only malicious and suspicious children. |
| configuration.reportApi.reportType | string | "large" | Specify the report type that should be applied to the Worker analysis report before storing it. Report types are results of filtering the full report. In other words, fields can be included or excluded as required. Report types are stored in the /etc/ts-report/report-types directory. |
| configuration.reportApi.topContainerOnly | bool | false | When enabled, the file analysis report will only include metadata for the top container and subreports for unpacked files will not be generated. |
| configuration.reportApi.view | string | "" | Apply a view for transforming report data to the “large” report type to ensure maximum compatibility. Several existing views are also available as report types, which should be used as a view substitute due to performance gains. Custom views can be defined by placing the scripts in the “/usr/libexec/ts-report-views.d” directory on Spectra Detect Worker. |
| configuration.reportMsGraph | object | - | Settings to configure how reports saved to OneDrive or SharePoint are formatted. |
| configuration.reportMsGraph.archiveSplitReport | bool | true | Enable sending a single, smaller archive of split report files to Microsoft Cloud Storage instead of each file. Relevant only when the "Split Report" option is used. |
| configuration.reportMsGraph.enabled | bool | false | Enable/disable storing file processing reports. |
| configuration.reportMsGraph.filenameTimestampFormat | string | "" | This refers to the naming of the report file itself. A timestamp is appended to the SHA1 hash of the file. The timestamp format must follow the strftime specification and be enclosed in quotation marks. If not specified, the ISO 8601 format is used. |
| configuration.reportMsGraph.folder | string | "" | Folder where report files will be stored on the Microsoft Cloud Storage. If the folder name is not provided, files are stored into the root of the configured container. |
| configuration.reportMsGraph.folderOption | string | "date_based" | Select the naming pattern that will be used when automatically creating subfolders for storing analysis reports. Supported options are: date_based (YYYY/mm/dd/HH), datetime_based (YYYY/mm/dd/HH/MM/SS), and sha1_based (using the first 4 characters of the file hash). |
| configuration.reportMsGraph.maliciousOnly | bool | false | When set, the report will only contain malicious and suspicious children. |
| configuration.reportMsGraph.reportType | string | "large" | Specify the report type that should be applied to the Worker analysis report before storing it. Report types are results of filtering the full report. In other words, fields can be included or excluded as required. Report types are stored in the /etc/ts-report/report-types directory. |
| configuration.reportMsGraph.splitReport | bool | false | By default, reports contain information on parent files and all extracted children files. When this option is enabled, analysis reports for extracted files are separated from their parent file report, and saved as individual report files. |
| configuration.reportMsGraph.topContainerOnly | bool | false | When enabled, the file analysis report will only include metadata for the top container, and subreports for unpacked files will not be generated. |
| configuration.reportMsGraph.view | string | "" | Apply a view for transforming report data to the “large” report type to ensure maximum compatibility. Several existing views are also available as report types, which should be used as a view substitute due to performance gains. Custom views can be defined by placing the scripts in the “/usr/libexec/ts-report-views.d” directory on Spectra Detect Worker. |
| configuration.reportS3 | object | - | Settings to configure how reports saved to S3 buckets are formatted. |
| configuration.reportS3.advancedFilterEnabled | bool | false | Enable/disable usage of the advanced filter. |
| configuration.reportS3.advancedFilterName | string | "" | Name of the advanced filter. |
| configuration.reportS3.archiveSplitReport | bool | true | Enable sending a single, smaller archive of split report files to S3 instead of each file. Relevant only when the 'Split report' option is used. |
| configuration.reportS3.bucketName | string | "" | Name of the S3 bucket where processed files will be stored. Required when this feature is enabled. |
| configuration.reportS3.enabled | bool | false | Enable/disable storing file processing reports to S3. |
| configuration.reportS3.filenameTimestampFormat | string | "" | This refers to the naming of the report file itself. A timestamp is appended to the SHA1 hash of the file. The timestamp format must follow the strftime specification and be enclosed in quotation marks. If not specified, the ISO 8601 format is used. |
| configuration.reportS3.folder | string | "" | Folder where report files will be stored in the given S3 bucket. The folder can be up to 1024 bytes long when encoded in UTF-8, and can contain letters, numbers and special characters: "!", "-", "_", ".", "*", "'", "(", ")", "/". It must not start or end with a slash or contain leading or trailing spaces. Consecutive slashes ("//") are not allowed. |
| configuration.reportS3.folderOption | string | "date_based" | Select the naming pattern used when automatically creating subfolders for storing analysis reports. Supported options are: date_based (YYYY/mm/dd/HH), datetime_based (YYYY/mm/dd/HH/MM/SS), and sha1_based (using the first 4 characters of the file hash). |
| configuration.reportS3.maliciousOnly | bool | false | When set, the report will only contain malicious and suspicious children. |
| configuration.reportS3.reportType | string | "large" | Specify the report type that should be applied to the Worker analysis report before storing it. Report types are results of filtering the full report. In other words, fields can be included or excluded as required. Report types are stored in the /etc/ts-report/report-types directory. |
| configuration.reportS3.splitReport | bool | false | By default, reports contain information on parent files and all extracted children files. When this option is enabled, analysis reports for extracted files are separated from their parent file report, and saved as individual report files. |
| configuration.reportS3.timestampEnabled | bool | true | Enable/disable appending a timestamp to the report name. |
| configuration.reportS3.topContainerOnly | bool | false | When enabled, the file analysis report will only include metadata for the top container and subreports for unpacked files will not be generated. |
| configuration.reportS3.view | string | "" | Apply a view for transforming report data to the “large” report type to ensure maximum compatibility. Several existing views are also available as report types, which should be used as a view substitute due to performance gains. Custom views can be defined by placing the scripts in the “/usr/libexec/ts-report-views.d” directory on Spectra Detect Worker. |
| configuration.s3 | object | - | Settings for storing a copy of all files uploaded for analysis on Worker to an S3 or a third-party, S3-compatible server. |
| configuration.s3.advancedFilterEnabled | bool | false | Enable/disable usage of the advanced filter. |
| configuration.s3.advancedFilterName | string | "" | Name of the advanced filter. |
| configuration.s3.bucketName | string | "" | Name of the S3 bucket where processed files will be stored. Required when this feature is enabled. |
| configuration.s3.enabled | bool | false | Enable/disable storing processed files on S3. |
| configuration.s3.folder | string | "" | Specify the name of a folder where analyzed files will be stored. If the folder name is not provided, files are stored into the root of the configured bucket. |
| configuration.s3.storeMetadata | bool | true | When true, analysis metadata will be stored to the uploaded S3 object. |
| configuration.scaling | object | - | Configures the number of concurrent processes and the number of files analyzed concurrently. Parameters in this section can be used to optimize the file processing performance on Worker. |
| configuration.scaling.postprocessing | int | 1 | Specify how many post-processing instances to run. Post-processing instances will then modify and save reports or upload processed files to external storage. Increasing this value can increase throughput for servers with extra available cores. Maximum: 256. |
| configuration.scaling.preprocessingUnpacker | int | 1 | Specify how many copies of Spectra Core are used to unpack samples for Deep Cloud Analysis. This setting only has effect if Deep Cloud Analysis is enabled with Scan Unpacked Files capability. |
| configuration.scaling.processing | int | 1 | Specify how many copies of Spectra Core engine instances to run. Each instance starts threads to process files. Maximum: 256. |
| configuration.sns | object | - | Configures settings for publishing notifications about file processing status and links the reports to an Amazon SNS (Simple Notification Service) topic. |
| configuration.sns.enabled | bool | false | Enable/disable publishing notifications to Amazon SNS. |
| configuration.sns.topic | string | "" | Specify the SNS topic ARN that the notifications should be published to. Prerequisite: the AWS account in the AWS settings must be given permission to publish to this topic. Required when this feature is enabled. |
| configuration.spectraAnalyzeIntegration | object | - | Configuration settings to upload processed samples to configured Spectra Analyze. |
| configuration.spectraAnalyzeIntegration.address | string | "" | Spectra Analyze address. Required when this feature is enabled. Has to be in the following format: https://<ip_or_hostname>. |
| configuration.spectraAnalyzeIntegration.advancedFilterEnabled | bool | true | Enable/disable the advanced filter. |
| configuration.spectraAnalyzeIntegration.advancedFilterName | string | "default_filter" | Name of the advanced filter. |
| configuration.spectraAnalyzeIntegration.enabled | bool | false | Enable/disable integration with Spectra Analyze. |
| configuration.splunk | object | - | Configures integration with Splunk, a logging server that can receive Spectra Detect file analysis reports. |
| configuration.splunk.caPath | string | "" | Path to the certificate. |
| configuration.splunk.chunkSizeMb | int | 0 | The maximum size (MB) of a single request sent to Splunk. If an analysis report exceeds this size, it will be split into multiple parts. The report is split into its subreports (for child files). A request can contain one or multiple subreports, as long as its total size doesn’t exceed this limit. The report is never split by size alone; instead, complete subreports are always preserved and sent to Splunk. Default: 0 (disabled). |
| configuration.splunk.enabled | bool | false | Enable/disable Splunk integration. |
| configuration.splunk.host | string | "" | Specify the hostname or IP address of the Splunk server that should connect to the Worker appliance. |
| configuration.splunk.https | bool | true | If set to true, HTTPS will be used for sending information to Splunk. If set to false, HTTP is used. |
| configuration.splunk.port | int | 8088 | Specify the TCP port of the Splunk server’s HTTP Event Collector. |
| configuration.splunk.reportType | string | "large" | Specifies which report_type is returned. By default or when empty, only the medium (summary) report is provided in the callback response. Set to small, medium or large to view results of filtering the full report. |
| configuration.splunk.sslVerify | bool | false | If HTTPS is enabled, setting this to true will enable certificate verification. |
| configuration.splunk.timeout | int | 5 | Specify how many seconds to wait for a response from the Splunk server before the request fails. If the request fails, the report will not be uploaded to the Splunk server, and an error will be logged. The timeout value must be greater than or equal to 1, and not greater than 999. |
| configuration.splunk.topContainerOnly | bool | false | Whether or not Splunk should receive the report for the top (parent) file only. If set to true, no subreports will be sent. |
| configuration.splunk.view | string | "" | Specifies whether a custom Report View should be applied to the file analysis report and returned in the response. |
| configuration.strings | object | - | Configure the output of strings extracted from files during Spectra Core static analysis. |
| configuration.strings.enableStringExtraction | bool | false | If set to true, user-provided criteria for string extraction will be used. |
| configuration.strings.maxLength | int | 32768 | Maximum number of characters in strings. |
| configuration.strings.minLength | int | 4 | Minimum number of characters in strings. Strings shorter than this value are not extracted. |
| configuration.strings.unicodePrintable | bool | false | Specify whether strings are Unicode printable or not. |
| configuration.strings.utf16be | bool | true | Allow/disallow extracting UTF-16BE strings. |
| configuration.strings.utf16le | bool | true | Allow/disallow extracting UTF-16LE strings. |
| configuration.strings.utf32be | bool | false | Allow/disallow extracting UTF-32BE strings. |
| configuration.strings.utf32le | bool | false | Allow/disallow extracting UTF-32LE strings. |
| configuration.strings.utf8 | bool | true | Allow/disallow extracting UTF-8 strings. |
| configuration.ticore | object | - | Configures options supported by Spectra Core. |
| configuration.ticore.maxDecompressionFactor | float | 1.0 | Decimal value between 0 and 999.9. If multiple decimals are given, the value will be rounded to one decimal. Used to protect the user from intentional or unintentional archive bombs, terminating decompression if the size of unpacked content exceeds a set quota. |
| configuration.ticore.mwpExtended | bool | false | Enable/disable information from antivirus engines in Spectra Intelligence. Requires Spectra Intelligence to be configured. |
| configuration.ticore.mwpGoodwareFactor | int | 2 | Determines when a file classified as KNOWN in Spectra Intelligence Cloud is classified as Goodware by Spectra Core. By default, all KNOWN cloud classifications are converted to Goodware. Supported values are 0 - 5, where zero represents the best trust factor (highest confidence that a sample contains goodware). Lowering the value reduces the number of samples classified as goodware. Samples with a trust factor above the configured value are considered UNKNOWN. Requires Spectra Intelligence to be configured. |
| configuration.ticore.processingMode | string | "best" | Determines which file formats are unpacked by Spectra Core for detailed analysis. "best" fully processes all supported formats; "fast" processes a limited set. |
| configuration.ticore.useXref | bool | false | Enabling XREF service will enrich analysis reports with cross-reference metadata like AV scanner results. Requires Spectra Intelligence to be configured. |
| configuration.unpackedAdl | object | - | Settings for storing extracted files in an Azure Data Lake container. |
| configuration.unpackedAdl.archiveUnpacked | bool | true | Enable sending a single, smaller archive of unpacked files to ADL instead of each unpacked file. |
| configuration.unpackedAdl.container | string | "" | Specify the name of the Azure Data Lake container where extracted files will be saved. Required when this feature is enabled. |
| configuration.unpackedAdl.enabled | bool | false | Enable/disable storing extracted files to ADL. |
| configuration.unpackedAdl.folder | string | "" | Specify the name of a folder in the configured Azure container where extracted files will be stored. If the folder name is not provided, files are stored into the root of the configured container. |
| configuration.unpackedAdl.folderOption | string | "date_based" | Select the naming pattern that will be used when automatically creating subfolders for storing analyzed files. Supported options are: date_based (YYYY/mm/dd/HH), datetime_based (YYYY/mm/dd/HH/MM/SS), and sha1_based (using the first 4 characters of the file hash). |
| configuration.unpackedMsGraph | object | - | Settings for storing extracted files to Microsoft Cloud Storage. |
| configuration.unpackedMsGraph.archiveUnpacked | bool | true | Enable sending a single, smaller archive of unpacked files to Microsoft Cloud Storage instead of each unpacked file. |
| configuration.unpackedMsGraph.enabled | bool | false | Enable/disable storing extracted files. |
| configuration.unpackedMsGraph.folder | string | "" | Folder where unpacked files will be stored on Microsoft Cloud Storage. If the folder name is not provided, files are stored into the root of the configured container. |
| configuration.unpackedMsGraph.folderOption | string | "date_based" | Select the naming pattern that will be used when automatically creating subfolders for storing analyzed files. Supported options are: date_based (YYYY/mm/dd/HH), datetime_based (YYYY/mm/dd/HH/MM/SS), and sha1_based (using the first 4 characters of the file hash). |
| configuration.unpackedS3 | object | - | Settings for storing extracted files to an S3 container. |
| configuration.unpackedS3.advancedFilterEnabled | bool | false | Enable/disable the use of advanced filters. |
| configuration.unpackedS3.advancedFilterName | string | "" | Name of the advanced filter. |
| configuration.unpackedS3.archiveUnpacked | bool | true | Enable sending a single, smaller archive of unpacked files to S3 instead of each unpacked file. |
| configuration.unpackedS3.bucketName | string | "" | Specify the name of the S3 container where extracted files will be saved. Required when this feature is enabled. |
| configuration.unpackedS3.enabled | bool | false | Enable/disable storing extracted files in S3. |
| configuration.unpackedS3.folder | string | "" | The name of a folder in the configured S3 container where extracted files will be stored. If the folder name is not provided, files are stored into the root of the configured container. The folder can be up to 1024 bytes long when encoded in UTF-8, and can contain letters, numbers and special characters: "!", "-", "_", ".", "*", "'", "(", ")", "/". It must not start or end with a slash or contain leading or trailing spaces. Consecutive slashes ("//") are not allowed. |
| configuration.unpackedS3.folderOption | string | "date_based" | Select the naming pattern that will be used when automatically creating subfolders for storing analyzed files. Supported options are: date_based (YYYY/mm/dd/HH), datetime_based (YYYY/mm/dd/HH/MM/SS), and sha1_based (using the first 4 characters of the file hash). |
| configuration.wordlist | list | - | List of passwords for protected files. |