Synapse-Cisco SMA User Guide
Synapse-Cisco adds new Storm commands to allow you to query the Cisco Secure Malware Analytics API using your existing API key.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Submit a file for analysis
Lift a file:bytes node, submit it for analysis and ingest the results:
> file:bytes#myfile | cisco.sma.sample.submit --yield
file:bytes=sha256:1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
.created = 2024/11/19 21:06:41.713
:_cisco:sma:threat:score = 95
:md5 = d3e34b11550fbb94e53537b27197ab32
:mime = application/x-dosexec; charset=binary
:mime:pe:compiled = 1970/02/13 06:35:05.808
:mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
:mime:pe:size = 224
:sha1 = 86574bb8ea6286a5fb63346377a390364792077e
:sha256 = 1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
:size = 825856
#rep.cisco.sma.antivirus
#rep.cisco.sma.code_injection
#rep.cisco.sma.data_theft
#rep.cisco.sma.dynamic_anomaly
Search for samples
Search for samples by sha256 hash:
> cisco.sma.sample.search --sha256 09d0ec2329ac75ff73dd4f2a9dc164c2b93fccb08e1869dc2094ae31a0ca17cf
Sample ID | Job Created | Status | Filename
==================================|=====================|========================|==========
e3900a5aff3b1cd8e30731656f49e3f2 | 2024-07-29 18:30:51 | job_done | 09d0ec2329ac75ff73dd4f2a9dc164c2b93fccb08e1869dc2094ae31a0ca17cf
eeb80b978e22ff9e78cc7d4520a4baaf | 2024-08-06 02:47:52 | job_done | 09d0ec2329ac75ff73dd4f2a9dc164c2b93fccb08e1869dc2094ae31a0ca17cf
Specify a sample by ID and ingest the report:
> cisco.sma.sample.search --ids 00000f9f697edcb32c1eb63f245e23f2 --ingest --yield
file:bytes=sha256:557f0cd72a094bc9469364e09256b6e68c532fecb14b346190ec633eb19e5a90
.created = 2024/11/19 21:07:33.175
:_cisco:sma:threat:score = 95
:md5 = 2893b9eb4688e2a61ade55730ad9b7aa
:mime = text/plain; charset=us-ascii
:sha1 = d6ac0ca826bbab08436d4579194544e8979a450a
:sha256 = 557f0cd72a094bc9469364e09256b6e68c532fecb14b346190ec633eb19e5a90
:size = 73614
#rep.cisco.sma.antivirus
Use of meta:source nodes
Synapse-Cisco uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Cisco Secure Malware Analytics API.
> meta:source=0d96801e1e41b43660f25879ade9b447
meta:source=0d96801e1e41b43660f25879ade9b447
.created = 2024/11/19 21:06:41.645
:name = cisco secure malware analytics api
Storm can filter nodes to include or exclude those which have been observed by the Synapse-Cisco SMA APIs. The following example shows how to filter the results of a query to include only results observed by the Synapse-Cisco SMA APIs:
> inet:server +{ <(seen)- meta:source=0d96801e1e41b43660f25879ade9b447 }
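As an added example (not part of the original guide), the following Storm query walks the same -(seen)> edges in the other direction: it starts from the meta:source node shown above and lists the file:bytes nodes the power-up observed, keeping only samples with a high threat score. It assumes the meta:source guid and the :_cisco:sma:threat:score property exactly as printed in the output earlier in this guide.

```storm
// Added example (not from the original guide): start from the Synapse-Cisco SMA
// meta:source node shown above (guid as printed in this guide), walk the
// -(seen)> edges it created, and triage the observed samples by threat score.
meta:source=0d96801e1e41b43660f25879ade9b447

// Walk -(seen)> edges to the file:bytes nodes the power-up observed.
-(seen)> file:bytes

// Keep only samples the API scored at 90 or above.
+:_cisco:sma:threat:score>=90

// Print a compact triage line for each remaining node.
$sha256 = :sha256
$score = :_cisco:sma:threat:score
$lib.print("{sha256} threat score {score}", sha256=$sha256, score=$score)
```

To do the opposite and find file:bytes nodes the SMA API has not yet observed, negate the subquery filter from the example above with `-{ <(seen)- meta:source=0d96801e1e41b43660f25879ade9b447 }`.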