Admin Guide

Synapse-MalwareBazaar Admin Guide

Configuration

Synapse-MalwareBazaar requires a MalwareBazaar API key. For information on how to sign up, please visit the abuse.ch Authentication Portal.

Setting the configuration for global use

To set-up a global configuration:

> malwarebazaar.config.add global_config global_apikey
Synapse-MalwareBazaar config "global_config" added

Creating a configuration for role-based use

Add an unscoped configuration:

> malwarebazaar.config.add myunscoped myapikey --scope unscoped
Synapse-MalwareBazaar config "myunscoped" added

Grant another user admin permissions to the new configuration:

> malwarebazaar.config.update myunscoped --perm user visi admin
Updated Synapse-MalwareBazaar config "myunscoped"

Grant a role read permissions to the new configuration:

> malwarebazaar.config.update myunscoped --perm role ninjas read
Updated Synapse-MalwareBazaar config "myunscoped"

Overriding the proxy configuration

In order to override the default proxy configuration in the Cortex the user must have the power-ups.malwarebazaar.admin or storm.lib.inet.http.proxy permission.

When the proxy configuration is set to (false) or a URL the permission will be checked when a configuration is created/updated, and when it is used to make an HTTP request.

Dependencies

Synapse-MalwareBazaar requires the following Power-Ups to be installed:

Name   : synapse-fileparser
Version: >4.16.0,<=5.0.0
Desc   : Synapse-FileParser is used to extract the archived samples. If not installed the downloaded samples will not be extracted.

Permissions

Package (synapse-malwarebazaar) defines the following permissions:
power-ups.malwarebazaar.user     : Controls user access to Synapse-MalwareBazaar. ( default: false )

You may add rules to users/roles directly from storm:

> auth.user.addrule visi power-ups.malwarebazaar.user
Added rule power-ups.malwarebazaar.user to user visi.

or:

> auth.role.addrule ninjas power-ups.malwarebazaar.user
Added rule power-ups.malwarebazaar.user to role ninjas.

Exported APIs

Synapse-MalwareBazaar does not currently export any APIs.

Workflows

Synapse-MalwareBazaar provides the following workflows in Optic:

Title: Configuration

Node Actions

Synapse-MalwareBazaar provides the following node actions in Optic:

Name : malwarebazaar.enrich
Desc : Enrich nodes using Synapse-MalwareBazaar.
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256

Name : malwarebazaar.download
Desc : Download a sample from MalwareBazaar.
Forms: file:bytes, hash:sha256

Onload Events

Synapse-MalwareBazaar uses the onload event to run required data migrations.