Synapse-Cisco Admin Guide

Configuration

Synapse-Cisco requires API keys for the products you intend to use. Currently the power-up supports only the Cisco Secure Malware Analytics (SMA) API. For information on how to sign up, please visit the Cisco Secure Malware Analytics portal.

Setting the SMA API key for global use

To set up a global API key:

> cisco.sma.setup.apikey myapikey
Setting Cisco SMA API key for all users.

Using per-user SMA API keys

A user may set up their own API key:

> cisco.sma.setup.apikey --self myapikey
Setting Cisco SMA API key for the current user.

Setting a SMA tag prefix for global use

Note: If not set, the tag prefix defaults to rep.cisco.sma.

> cisco.sma.setup.tagprefix my.prefix
Setting Cisco SMA tag prefix to my.prefix.

Setting a base SMA API URL

Note: If not set, the API URL defaults to https://panacea.threatgrid.com.

> cisco.sma.setup.url https://panacea.threatgrid.eu
Setting Cisco SMA API URL to https://panacea.threatgrid.eu

Permissions

Package (synapse-cisco) defines the following permissions:
power-ups.cisco.sma.user         : Controls user access to Synapse-Cisco SMA commands. ( default: false )
power-ups.cisco.sma.submit       : Used in addition to power-ups.cisco.sma.user to allow users to submit samples for analysis. ( default: false )

You may add rules to users/roles directly from Storm:

> auth.user.addrule visi power-ups.cisco.sma.user
Added rule power-ups.cisco.sma.user to user visi.

or:

> auth.role.addrule ninjas power-ups.cisco.sma.user
Added rule power-ups.cisco.sma.user to role ninjas.

Workflows

Synapse-Cisco provides the following workflows in Optic:

Title: SMA Configuration

Node Actions

Synapse-Cisco provides the following node actions in Optic:

Name : cisco.sma.sample.submit
Desc : Submit a sample to Cisco Secure Malware Analytics for analysis.
Forms: file:bytes, hash:sha256

Onload Events

Synapse-Cisco uses an onload event to create the following extended properties:

_cisco:sma:threat:score (The Cisco SMA threat score (0 - 100).)
_cisco:umbrella:risk:score (The Cisco Umbrella risk score (0 - 100).)
_cisco:sma:indicator:score (The Cisco SMA indicator score (0 - 100).)
_cisco:sma:indicator:severity (The Cisco SMA indicator severity level (0 - 100).)
_cisco:sma:indicator:confidence (The Cisco SMA indicator confidence level (0 - 100).)
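The extended properties above and the tag prefix from the Configuration section are what an analyst queries once the power-up has enriched nodes. The following Storm query is an added example and not part of the power-up itself; the threshold of 90, the triage tag #triage.sma.high, and the use of the default rep.cisco.sma prefix are assumptions chosen for illustration.

```storm
// Lift file:bytes nodes whose SMA threat score meets an assumed triage threshold (90).
// The property name comes from the onload event; the threshold is an assumption.
file:bytes:_cisco:sma:threat:score>=90

// Apply an assumed triage tag so the files can be reviewed as a set later.
[ +#triage.sma.high ]

// Separately, lift everything the power-up has tagged under the default prefix.
// If cisco.sma.setup.tagprefix was changed, use that prefix instead of rep.cisco.sma.
#rep.cisco.sma
```

Run the first two statements together to tag high-scoring files, and the last one on its own to review all nodes the power-up has annotated; because Synapse applies parent tags automatically, lifting by the prefix matches every node carrying any tag beneath it.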