Synapse-Cisco Admin Guide
Configuration
Synapse-Cisco requires API keys for the products you intend to use. Currently the power-up only supports the Cisco Secure Malware Analytics API. For information on how to sign up, please visit the Cisco Secure Malware Analytics portal.
Setting the SMA API key for global use
To set up a global API key:
> cisco.sma.setup.apikey myapikey
Setting Cisco SMA API key for all users.
Using per-user SMA API keys
A user may set up their own API key:
> cisco.sma.setup.apikey --self myapikey
Setting Cisco SMA API key for the current user.
Setting a SMA tag prefix for global use
Note: If not set, this will default to rep.cisco.sma.
> cisco.sma.setup.tagprefix my.prefix
Setting Cisco SMA tag prefix to my.prefix.
Setting a base SMA API URL
Note: If not set, this will default to https://panacea.threatgrid.com.
> cisco.sma.setup.url https://panacea.threatgrid.eu
Setting Cisco SMA API URL to https://panacea.threatgrid.eu
Permissions
Package (synapse-cisco) defines the following permissions:
power-ups.cisco.sma.user : Controls user access to Synapse-Cisco SMA commands. ( default: false )
power-ups.cisco.sma.submit : Used in addition to power-ups.cisco.sma.user to allow users to submit samples for analysis. ( default: false )
You may add rules to users/roles directly from Storm:
> auth.user.addrule visi power-ups.cisco.sma.user
Added rule power-ups.cisco.sma.user to user visi.
or:
> auth.role.addrule ninjas power-ups.cisco.sma.user
Added rule power-ups.cisco.sma.user to role ninjas.
Workflows
Synapse-Cisco provides the following workflows in Optic:
Title: SMA Configuration
Node Actions
Synapse-Cisco provides the following node actions in Optic:
Name : cisco.sma.sample.submit
Desc : Submit a sample to Cisco Secure Malware Analytics for analysis.
Forms: file:bytes, hash:sha256
Onload Events
Synapse-Cisco uses an onload event to create the following extended properties:
_cisco:sma:threat:score (The Cisco SMA threat score (0 - 100).)
_cisco:umbrella:risk:score (The Cisco Umbrella risk score (0 - 100).)
_cisco:sma:indicator:score (The Cisco SMA indicator score (0 - 100).)
_cisco:sma:indicator:severity (The Cisco SMA indicator severity level (0 - 100).)
_cisco:sma:indicator:confidence (The Cisco SMA indicator confidence level (0 - 100).)
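As an added example (not part of the synapse-cisco documentation), the Storm query below lifts file:bytes nodes that the onload event has already annotated with SMA scores, keeps only those above an analyst-chosen threshold, and tags them for review. The thresholds and the tag my.triage.sma.high are assumptions for this illustration, not values defined by the power-up.

```storm
// Added example, not from the power-up docs.
// Lift files by the extended property the onload event populates,
// then keep only high-confidence hits before tagging them for triage.
// The 90 / 80 thresholds and the triage tag are assumptions.
file:bytes:_cisco:sma:threat:score>=90
    +:_cisco:sma:indicator:confidence>=80
    [ +#my.triage.sma.high ]
```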