Configuration

Kestrel loads user-defined configurations to override default values when the runtimes start. Thus you can customize your Kestrel runtime by putting configuration values in ~/.config/kestrel/kestrel.yaml or any YAML file with path specified in the environment variable KESTREL_CONFIG.

Default Kestrel Configuration

# syntax default values
language:
  default_variable: "_"
  default_sort_order: "desc"
  default_datasource_schema: "stixshifter"
  default_analytics_schema: "docker"

# how a Kestrel session is executed
session:
  cache_directory_prefix: "kestrel-session-" # under system temp directory
  local_database_path: "local.db"
  show_execution_summary: true

# whether/how to prefetch all records/observations for entities
prefetch:
  get: true
  find: true
  process_name_change_timerange_start_offset: -5 # seconds
  process_name_change_timerange_stop_offset: 5 # seconds
  process_lifespan_start_offset: -10800 # seconds
  process_lifespan_stop_offset: 10800 # seconds

# option when generating STIX query
stixquery:
  timerange_start_offset: -300 # seconds
  timerange_stop_offset: 300 # seconds
  support_id: false # STIX 2.0 does not support unique ID

# debug options
debug:
  env_var: "KESTREL_DEBUG" # debug mode if the environment variable exists
  cache_directory: "kestrel" # under system temp directory
  session_exit_marker: "session.exited"
  maximum_exited_session: 3

Example of User-Defined Configurations

You can disable prefetch by creating ~/.config/kestrel/kestrel.yaml with the following:

prefetch:
  get: false
  find: false

Kestrel will then not proactively search for logs/records for entities extracted from the return of GET/FIND, and this will largely disable followup FIND commands/steps.