Synapse-Mandiant Admin Guide

Configuration

Synapse-Mandiant requires a Mandiant Advantage API key. For information on how to sign up, please visit the Mandiant Advantage API documentation.

Setting API key for global use

To set-up a global API key:

> mandiant.advantage.setup.apikey myapikey myapisecret
Setting Mandiant Advantage API key for all users.

Using per-user API keys

A user may set-up their own API key:

> mandiant.advantage.setup.apikey --self myapikey myapisecret
Setting Mandiant Advantage API key for the current user.

Dependencies

Synapse-Mandiant requires the following Power-Ups to be installed:

Name   : synapse-fileparser
Version: >=4.13.1,<5.0.0
Desc   : Synapse-FileParser is used to parse report PDFs and link extracted indicators to the media:news node.

Permissions

Package (synapse-mandiant) defines the following permissions:
power-ups.mandiant.advantage.user : Allows a user to issue queries to the Mandiant Advantage API. ( default: false )

You may add rules to users/roles directly from storm:

> auth.user.addrule visi power-ups.mandiant.advantage.user
Added rule power-ups.mandiant.advantage.user to user visi.

or:

> auth.role.addrule ninjas power-ups.mandiant.advantage.user
Added rule power-ups.mandiant.advantage.user to role ninjas.

Exported APIs

Synapse-Mandiant does not currently export any APIs.

Workflows

Synapse-Mandiant provides the following workflows in Optic:

Title: Configuration

Node Actions

Synapse-Mandiant provides the following node actions in Optic:

Name : actors
Desc : Ingest threat actor details from the Mandiant Advantage API.
Forms: ou:name, ou:org, risk:threat

Name : indicators
Desc : Ingest indicator details from the Mandiant Advantage API.
Forms: inet:ipv4, inet:ipv6, inet:fqdn, hash:sha256, hash:sha1, hash:md5, file:bytes, inet:email, inet:url

Name : malware
Desc : Ingest malware family details from the Mandiant Advantage API.
Forms: risk:tool:software, it:prod:softname

Name : vulns
Desc : Ingest vulnerability details from the Mandiant Advantage API.
Forms: risk:vuln, it:sec:cve

Ingesting CPE strings

The Mandiant Advantage API may sometimes return invalid CPE strings. Synapse rejects invalid CPE strings when the API data is ingested. As a workaround, the Synapse-Mandiant Power-Up performs the following transformations on CPE strings before attempting to ingest them:

  • Replace \- with -. Dashes (hyphens) should not be escaped according to the CPE 2.3 specification.
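
As an added example (not the Power-Up's own code), the following Python shows an escape-aware version of that hyphen repair: it splits a CPE 2.3 formatted string on unescaped colons, rewrites only a genuine \- escape pair to -, and returns None when the string still cannot be well-formed. The field-count and part-value checks are taken from the CPE 2.3 naming specification and are assumptions here, not behaviour the guide describes; the sample string is constructed, not real API output.

```python
from typing import List, Optional

CPE23_FIELDS = 13  # "cpe", "2.3", part, then the ten attribute values
CPE23_PARTS = ("a", "o", "h", "*", "-")  # application/OS/hardware, ANY, NA

# Constructed sample of the malformed shape the guide describes
# (escaped hyphens); not real Mandiant Advantage API output.
SAMPLE_BAD = "cpe:2.3:a:example\\-corp:widget\\-server:1.0\\-beta:*:*:*:*:*:*:*"


def tokenize_cpe23(cpe: str) -> List[List[str]]:
    """Split a CPE 2.3 formatted string into fields of tokens.

    A token is one character or a two-character backslash escape, so an
    escaped colon never splits a field and a quoted backslash stays whole.
    """
    fields: List[List[str]] = [[]]
    i = 0
    while i < len(cpe):
        c = cpe[i]
        if c == "\\":
            fields[-1].append(cpe[i:i + 2])  # keep the escape pair together
            i += 2
        elif c == ":":
            fields.append([])
            i += 1
        else:
            fields[-1].append(c)
            i += 1
    return fields


def repair_cpe23(cpe: str) -> Optional[str]:
    """Rewrite escaped hyphens to bare hyphens; None if still malformed.

    Working on escape-pair tokens means a quoted backslash followed by a
    hyphen is left alone, where a plain str.replace would turn the tail
    of that sequence into a new escaped hyphen.
    """
    fields = [
        "".join("-" if tok == "\\-" else tok for tok in field)
        for field in tokenize_cpe23(cpe)
    ]
    if len(fields) != CPE23_FIELDS or fields[:2] != ["cpe", "2.3"]:
        return None
    if fields[2] not in CPE23_PARTS:
        return None
    return ":".join(fields)


if __name__ == "__main__":
    print(SAMPLE_BAD, "->", repair_cpe23(SAMPLE_BAD))
```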

Synapse v2.187.0 migration

Synapse v2.187.0 added a model migration (v0.2.31) that removed all invalid it:sec:cpe nodes from the Cortex. The Synapse-Mandiant onload migration uses the above transformations to attempt to automatically repair and restore invalid it:sec:cpe nodes that originated from the Synapse-Mandiant Power-Up.