Customising for your environment
There are a couple of features which can be customised for your environment.
You can modify statemachine/enrich.asl.json
to change which enrichment functions run. The easiest way to do this is to use the included helper script, which provides a nice wizard to select functions.
make setup
Then run the deploy again to save your changes to AWS.
Don’t have CrowdStrike? No problem, just remove that function! If you want, you can also remove unnecessary functions from template.yaml
to cut down what gets deployed to AWS. If you save the new definition to a filename other than statemachine/enrich.asl.json
, then don’t forget to update template.yaml
accordingly.
If you’re \m/
hardcore \m/
, you can also edit the state machine definition from the AWS Step Functions Workflow Studio in the AWS Console, then export as JSON back into statemachine/enrich.asl.json
.
Squyre will attempt to extract any internal hostnames from your alerts. Most organisations have a convention for endpoints and servers, but they vary considerably. As a result, you need to tell Squyre what your org’s convention is.
Do this via an environment variable in template.yaml
under the ConductorFunction
section, specifying a Go compatible regular expression.
HOST_REGEX: A-[A-Z0-9]{6}
The above example will match hostnames such as A-AB12CD
.
In most cases, you don’t want to enrich your internal domain names or email addresses, you’re only concerned with domains unrelated to your organisation. Again, via an environment variable in template.yaml
in the ConductorFunction
section, you can tell Squyre to ignore your domain.
IGNORE_DOMAIN: your-internal-domain.int