-
Notifications
You must be signed in to change notification settings - Fork 126
/
external_providers.toml
407 lines (248 loc) · 20.6 KB
/
external_providers.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
# This TOML document provides configuration for all of ElectricEye, from credentials to regions to accounts
# as well as global settings, filenames, and other directives that can be used by ElectricEye
title = "ElectricEye Configuration"
[global]
# Match this to [regions_and_accounts.aws.aws_account_targets] to specify if you want to run ElectricEye
# against a list of Accounts, list of Accounts within specific OUs, or every Account in an AWS Organization
aws_multi_account_target_type = "Accounts" # VALID CHOICES: Accounts | OU | Organization
# Specifies the location of where ALL credentials are stored and will be retrieved from
# if you specify "CONFIG_FILE" that means you can provide the value within the parameter itself
credentials_location = "CONFIG_FILE" # VALID CHOICES: AWS_SSM | AWS_SECRETS_MANAGER | CONFIG_FILE
# The location (or actual contents) of your Shodan.io API Key - limits are not respected!!
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then
# the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
shodan_api_key_value = ""
# The location (or actual contents) of your VirusTotal (VT) API Key - limits are not respected!!
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then
# the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
virustotal_api_key_value = ""
[regions_and_accounts]
[regions_and_accounts.aws]
# A list of Accounts, OU ID's, or an Organizations Principal ID - must match global.aws_multi_account_target_type
# if a value is not provided the current Account will be used unless "Organization" is specified
aws_account_targets = []
# If left blank, the *current AWS Region* is used. You can provide a list of AWS Regions or simply "All"
aws_regions_selection = [] # VALID CHOICES: [] | ["All"] | list of regions e.g., ["us-east-1", "us-east-2"]
# The NAME of the AWS IAM Role deployed to aws_account_targets - must be the same for all Accounts
# THIS ALSO NEEDS TO BE SUPPLIED FOR YOUR OWN ACCOUNT
aws_electric_eye_iam_role_name = ""
[regions_and_accounts.gcp]
# Provide a list of GCP Project ID's - your Service Account must be associated with all of the Projects listed
gcp_project_ids = []
[regions_and_accounts.azure]
# Provide a list of Azure Subscription ID's - your Application Registration's service principal must have Access Control (IAM) granted in each Subscription with the proper permissions
azure_subscription_ids = []
[regions_and_accounts.oci]
# Provide your Oracle Cloud Infrastructure Tenancy OCID that is associated with your OCI credentials
oci_tenancy_ocid = ""
# Provide your Oracle Cloud Infrastructure User OCID that is associated with your OCI credentials within your provided tenancy
oci_user_ocid = ""
# Provide the subscribed Region for your Oracle Cloud Infrastructure Tenancy & User
oci_region_name = ""
# Provide a list of Compartment OCIDs that your User has access to, this requires Tenancy-scoped permissions
# to be able to access all Compartments
oci_compartment_ocids = []
[credentials]
# ***IMPORTANT***
# all passwords, API keys, and sensitive credentials (that end with '_value') should match the value
# of [global.credentials_location], for instance, if you specified "AWS_SSM" ensure that the '_value' option is the name
# of an AWS SecureString Parameter that contains the value to be retrieved
########################
# ~~CSPM CREDENTIALS~~ #
########################
[credentials.azure]
# The location (or actual contents) of your Azure Application Registration Client ID this location must match the value
# of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should
# be the name of the AWS Systems Manager Parameter Store SecureString Parameter
azure_ent_app_client_id_value = ""
# The location (or actual contents) of your Azure Application Registration Client Secret Value this location must match the value
# of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should
# be the name of the AWS Systems Manager Parameter Store SecureString Parameter
azure_ent_app_client_secret_id_value = ""
# The location (or actual contents) of your Azure Entra ID tenant ID this location must match the value
# of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should
# be the name of the AWS Systems Manager Parameter Store SecureString Parameter
azure_ent_app_tenant_id_value = ""
[credentials.gcp]
# The location (or actual contents) of your GCP Service Account JSON Key this location must match the value
# of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should
# be the name of the AWS Systems Manager Parameter Store SecureString Parameter
gcp_service_account_json_payload_value = ""
[credentials.oci]
# The location (or actual contents) of your OCI User API Key Fingerprint this location must match the value
# of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should
# be the name of the AWS Systems Manager Parameter Store SecureString Parameter
oci_user_api_key_fingerprint_value = ""
# The location (or actual contents) of your OCI User API Key Private Key PEM. This must be the CONTENTS not the file path
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
oci_user_api_key_private_key_pem_contents_value = ""
########################
# ~~SSPM CREDENTIALS~~ #
########################
[credentials.m365]
# The location (or actual contents) of your M365 Enterprise Application Client ID this location must match the value
# of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should
# be the name of the AWS Systems Manager Parameter Store SecureString Parameter
m365_ent_app_client_id_value = ""
# The location (or actual contents) of your M365 Enterprise Application Secret ID, this must be the VALUE
# of the Secret when you generate the Secret for the App, not the actual "Secret ID" of it
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM"
# then the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
m365_ent_app_client_secret_id_value = ""
# The location (or actual contents) of your M365 Enterprise Application Tenant (Directory) ID this location must match the value
# of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should
# be the name of the AWS Systems Manager Parameter Store SecureString Parameter
m365_ent_app_tenant_id_value = ""
# The country code / location of your M365 tenant. In the future this value will be used to populate API endpoints
# that are regionally co-located for reduced latency - it will totally save tons of milliseconds
# Check it here https://portal.office.com/adminportal#/Settings/OrganizationProfile in Data Location
m365_tenant_location = "EU" # "US" "EU" "US-GOV" ?
[credentials.servicenow]
# The *name* of your Instance, for example, if its URL is "https://dev90210.service-now.com/" the name is "dev90210"
servicenow_instance_name = ""
# Geographic location of your Instance which will be provided to `ProductFields.AssetRegion` within the Electriceye Findings
# this is typically "us", "eu", or "ap" and may differ for Federal instances
servicenow_instance_region = ""
# The name of the ServiceNow User with permissions that will be used by the PySNOW Client
servicenow_sspm_username = ""
# The location (or actual contents) of the Password for the User specified in `servicenow_instance_name`
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then
# the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
servicenow_sspm_password_value = ""
# The threshold for when to create a failing finding for the "Servicenow_Users_Auditor" Check for failed login-in
# attempts by active users in your Instance
servicenow_failed_login_breaching_rate = "5"
[credentials.salesforce]
# The location (or actual contents) of your Salesforce Connected App Client ID this location must match the value
# of `global.credentials_location` e.g., if you specify "AWS_SSM" then the value for this variable should
# be the name of the AWS Systems Manager Parameter Store SecureString Parameter
salesforce_connected_app_client_id_value = ""
# The location (or actual contents) of your Salesforce Connected App Client Secret
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM"
# then the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
salesforce_connected_app_client_secret_value = ""
# The location (or actual contents) of your Salesforce User's Username that has MFA and API access
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM"
# then the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
salesforce_api_enabled_username_value = ""
# The location (or actual contents) of your Salesforce User's Password that has MFA and API access
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM"
# then the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
salesforce_api_enabled_password_value = ""
# The location (or actual contents) of your Salesforce User's Security Token that has MFA and API access
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM"
# then the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
salesforce_api_enabled_security_token_value = ""
# The Country Code OR the Instance Identifier Code (e.g., NA224, CS87, CS102, NA214, etc.) of your Salesforce Instance
# this is found under Company Settings -> Company Information either ADDRESS or INSTANCE
# refer here for possible instance identifiers: https://help.salesforce.com/s/articleView?id=000382217&type=1
salesforce_instance_location = "NA224"
# The threshold for when to create a failing finding for the "Salesforce_Users_Auditor" Check for failed login-in
# (Check ID: `salesforce_user_failed_logins_above_limit_check`) attempts by active users in your Instance
salesforce_failed_login_breaching_rate = "5"
# The Salesforce API Version you will want to use, as of 27 JUNE 2023 ElectricEye uses v58.0
salesforce_api_version = "v58.0"
[credentials.snowflake]
# Username for your Snowflake Account, this should be a user with the ability to read all tables and views in the default schemas
snowflake_username = ""
# The location (or actual contents) of the Password for the User specified in `snowflake_account_id`
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then
# the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
snowflake_password_value = ""
# The Account ID for your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., VULEDAR-MR69420
snowflake_account_id = ""
# The name of the warehouse you use for querying data in Snowflake, this should be a warehouse that has the ability to run queries
snowflake_warehouse_name = ""
# The Region of your Snowflake Account, this is found in the URL when you login to your Snowflake Account, e.g., us-east-1
snowflake_region = ""
# OPTIONAL! The Usernames of "Service Accounts" created in Snowflake, this will optionally exempt these Usernames from being audited against the following checks: snowflake_password_assigned_user_has_mfa_check, snowflake_accountadmins_have_email_check, snowflake_admin_default_role_check, snowflake_logins_without_mfa_check, snowflake_bypass_mfa_review_check
snowflake_service_account_usernames = []
[outputs]
# ***IMPORTANT***
# all passwords, API keys, and sensitive credentials (that end with '_value') should match the value
# of [global.credentials_location], for instance, if you specified "AWS_SSM" ensure that the '_value' option is the name
# of an AWS SecureString Parameter that contains the value to be retrieved
[outputs.postgresql]
# The name you want given to the table that will contain ElectricEye findings. Please note that for Cloud Asset
# Management (CAM) outputs that the value "_cam" will be appended to it e.g., if you provide the value of
# "electriceye_findings" then the CAM table will be called "electriceye_findings_cam"
# Also note that any value here with be turned into all lowercase (via .lower())
postgresql_table_name = ""
# PostgreSQL username, either the "master username" or a user that has the ability to create and insert records into tables
postgresql_username = ""
# The location (or actual contents) of the Password for the User specified in `postgresql_username`
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then
# the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
postgresql_password_value = ""
# The name of the PostgreSQL Database you want to connect to and create your Tables within
postgresql_database_name = ""
# Endpoint, either an IP address or hostname, of your PostgreSQL database - you can also specify "localhost" for locally running
# databases or databases running on local containers. If you use a cloud managed DB such as AWS RDS or GCP CloudSQL ensure that
# you have connectivity to it via a VPN or otherwise
postgresql_endpoint = ""
# The Port that your PostgreSQL database is running on, defaults to 5432
postgresql_port = 5432
[outputs.mongodb] # This unifies the old "docdb" output to account for local MongoDB and AWS DocumentDB
# This value indicates whether or not you are using a password for your MongoDB deployment (which you should). If
# you are using AWS DocumentDB this MUST be "true"
mongodb_password_in_use = true # Valid Choices BOOLEAN: true | false
# This value indicates that you are using AWS DocumentDB (true) or a self-hosted or other MongoDB deployment (false)
mongodb_using_aws_documentdb = false # Valid Choices BOOLEAN: true | false
# This value indicates that you are using AWS DocumentDB with TLS-enabled (true) or TLS-disabled (false)
# which will instruct ElectricEye to locally download the `global-bundle.pem` from
# https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
mongodb_aws_documentdb_tls_enabled = false # Valid Choices BOOLEAN: true | false
# MongoDB Username - if you are utilizes Mongo Role-based Access Control (RBAC) ensure the user has the proper permisisons
# write to Databases such as `readWrite` or `readWriteAnyDatabase`. If you are not using a Password then you can leave this
# value blank, ElectricEye will overwrite the value here to ensure the "pre-flight" check for blank values won't fail it
mongodb_username = ""
# The hostname or IP address of your MongoDB / AWS DocumentDB instance. E.g., `192.1.2.40`, `localhost` or
# an AWS Doc DB cluster endpoint `sample-cluster.node.us-east-1.docdb.amazonaws.com`
mongodb_endpoint = ""
# The port number for your MongoDB / AWS DocumentDB deployment. Defaults to 27017
mongodb_port = 27017 # Must be an Integer
# The location (or actual contents) of the Password for the User specified in `mongodb_username`
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then
# the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
# LEAVE THIS VALUE BLANK IF YOU DO NOT HAVE ONE
mongodb_password_value = ""
# The name you want given to your Database that will be created in MongoDB, Database names are case-sensitive so
# MongoDB recommends using snake_case or all lowercases
mongodb_database_name = ""
# The name you want given to the Collection within your Database that will be created in MongoDB,
# Database names are case-sensitive so MongoDB recommends using snake_case or all lowercases.
# PLEASE NOTE that Cloud Asset Management (CAM) output will append "_cam" to the collection name.
# e.g., if you name your Collection "electriceye_stuff" CAM will name it "electriceye_stuff_cam"
mongodb_collection_name = ""
[outputs.amazon_sqs]
# Queue Name / URL, this must be in the same account as your current credentials
amazon_sqs_queue_url = ""
# Batch Size
amazon_sqs_batch_size = 1000 # This must be an integer
# Queue Region
amazon_sqs_queue_region = ""
[outputs.slack]
# The location (or actual contents) of the Slack Bot Token associated with your Slack App - ensure that
# your App is added into the Channel you will specify and that it has "chat:write" Bot Token Scopes
# this location must match the value of `global.credentials_location` e.g., if you specify "AWS_SSM" then
# the value for this variable should be the name of the AWS Systems Manager Parameter Store SecureString Parameter
slack_app_bot_token_value = ""
# The name or identifier for your Slack Channel you want ElectricEye to send findings to. Ensure that you
# Slack App has been added to this channel as well.
slack_channel_identifier = ""
# The type of output you want sent to Slack by ElectricEye. The "Summary" selection will send an aggregation
# of the total count of findings, types of assets, number of Regions and Accounts, pass vs failing, finding breakdown
# and the "Findings" selection will send each finding based on your filter values for `electric_eye_slack_severity_filter`
# and for `electric_eye_slack_finding_state_filter - this defaults to "Summary"
electric_eye_slack_message_type = "Summary" # VALID VALUES: "Summary" | "Findings"
# A list of ElectricEye Severities (matching the ASFF Severity.Label) that you want sent to Slack if your selection for
# `electric_eye_slack_message_type` is "Findings". This defaults to ["HIGH", "CRITICAL"]
electric_eye_slack_severity_filter = ["HIGH", "CRITICAL"] # VALID VALUES | "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"
# A list of ElectricEye Finding States (matching the ASFF RecordState) that you want sent to slack if your selection for
# `electric_eye_slack_message_type` is "FindingS". This defaults to ["ACTIVE"]
electric_eye_slack_finding_state_filter = ["ACTIVE"] # VALID VALUES | "ACTIVE", "ARCHIVED"
[outputs.firehose]
# The name of your Kinesis Data Firehose Delivery Stream, this must be in the same account as your current credentials
kinesis_firehose_delivery_stream_name = ""
# Delivery Stream Region
kinesis_firehose_region = ""