Admin Guide

Synapse-HybridAnalysis Admin Guide

Configuration

Synapse-HybridAnalysis requires a Hybrid Analysis API key. For information on how to sign up, please visit the Hybrid Analysis API documentation.

Setting API key for global use

To set up a global API key:

> hybridanalysis.setup.apikey myapikey
Setting Synapse-HybridAnalysis API key for all users.

Using per-user API keys

A user may set up their own API key:

> hybridanalysis.setup.apikey --self myapikey
Setting Synapse-HybridAnalysis API key for the current user.

Setting a tag prefix for global use

Note: If not set, the tag prefix defaults to rep.hybridanalysis.

> hybridanalysis.setup.tagprefix my.prefix
Setting Hybrid Analysis tagprefix to my.prefix.

Permissions

Package (synapse-hybridanalysis) defines the following permissions:
power-ups.hybridanalysis.user    : Allows a user to issue queries to the Hybrid Analysis API. ( default: false )

You may add rules to users/roles directly from storm:

> auth.user.addrule visi power-ups.hybridanalysis.user
Added rule power-ups.hybridanalysis.user to user visi.

or:

> auth.role.addrule ninjas power-ups.hybridanalysis.user
Added rule power-ups.hybridanalysis.user to role ninjas.
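As an added example (not part of the Power-Up's own documentation), the following Storm query grants Hybrid Analysis access through a role instead of adding rules to users one at a time, then displays the user's effective rules so the grant can be verified. The role name ninjas and the user visi are the placeholder names used above; the query assumes the role does not already exist. The auth.* commands are standard Synapse Storm commands, not part of the Power-Up.

```storm
// Added example: least-privilege grant via a role (assumes role "ninjas" does not yet exist).
auth.role.add ninjas |
auth.role.addrule ninjas power-ups.hybridanalysis.user |
auth.user.grant visi ninjas |
auth.user.show visi
```

Granting through a role keeps the permission in one place: removing a user from the role revokes Hybrid Analysis access without having to find and delete per-user rules.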

Exported APIs

Synapse-HybridAnalysis does not currently export any APIs.

Node Actions

Synapse-HybridAnalysis provides the following node actions in Optic:

Name : byhash
Desc : Query Hybrid Analysis jobs by hash
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : overview
Desc : Query Hybrid Analysis overview API by SHA-256
Forms: file:bytes, hash:sha256

Name : download sample
Desc : Download sample file from Hybrid Analysis API by SHA-256
Forms: file:bytes, hash:sha256

Name : report summary
Desc : Query Hybrid Analysis report summaries by hash
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Onload Events

Synapse-HybridAnalysis does not use any onload events.

On-demand Migrations

AV Hit Migration

To run the migration across all views, use the following query. Views are migrated in dependency order, and no nodes will be yielded.

> yield $lib.import(hybridanalysis).migrateAvHit()

Alternatively, the following query will run the migration in the current view only. The migrated nodes will be yielded from the query.

> yield $lib.import(hybridanalysis).migrateAvHit(global=$lib.false)

This function will migrate the following nodes:

  • it:av:filehit and it:av:prochit nodes created by the hybridanalysis.reportsummary command to it:av:scan:result. The resulting nodes are intended to deconflict with subsequent command runs.

  • it:av:filehit nodes created by the hybridanalysis.overview command to it:av:scan:result. The resulting nodes will not deconflict with subsequent command runs.

Edges and tags will also be copied from the it:av:filehit/it:av:prochit node to the newly created it:av:scan:result node.
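As an added example (not from the Power-Up's own documentation), the following Storm query runs the migration in the current view only, keeps just the resulting it:av:scan:result nodes, tags them with a review tag, and counts them, so the outcome can be inspected in one view before the global migration is run. The tag int.migrated.hybridanalysis is an assumed placeholder; the count command is a standard Storm command.

```storm
// Added example: migrate in the current view, mark results for review, and report how many were produced.
yield $lib.import(hybridanalysis).migrateAvHit(global=$lib.false)
| +it:av:scan:result
| [ +#int.migrated.hybridanalysis ]
| count
```

Once the results in the current view look correct, the global form of the query can be run; it yields no nodes, so the review tag is the easiest way to find the migrated results afterwards.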