Synapse-Mandiant Admin Guide
Configuration
Synapse-Mandiant requires a Mandiant Advantage API key. For information on how to sign up, please visit the Mandiant Advantage API documentation.
Setting API key for global use
To set up a global API key (used by every user who does not have their own):
> mandiant.advantage.setup.apikey myapikey myapisecret
Setting Mandiant Advantage API key for all users.
Using per-user API keys
A user may set up their own API key, which takes precedence over the global key for that user:
> mandiant.advantage.setup.apikey --self myapikey myapisecret
Setting Mandiant Advantage API key for the current user.
Dependencies
Synapse-Mandiant requires the following Power-Ups to be installed:
Name : synapse-fileparser
Version: >=4.13.1,<5.0.0
Desc : Synapse-FileParser is used to parse report PDFs and link extracted indicators to the media:news node.
Permissions
Package (synapse-mandiant) defines the following permissions:
power-ups.mandiant.advantage.user : Allows a user to issue queries to the Mandiant Advantage API. (default: false)
You may add rules to users/roles directly from storm:
> auth.user.addrule visi power-ups.mandiant.advantage.user
Added rule power-ups.mandiant.advantage.user to user visi.
or:
> auth.role.addrule ninjas power-ups.mandiant.advantage.user
Added rule power-ups.mandiant.advantage.user to role ninjas.
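The two forms above grant the permission either to one user or to one role. As an added example (not part of the Synapse-Mandiant documentation), the following storm session shows the role-based variant end to end: create the role, attach the single Mandiant rule to it, then place a user in the role. auth.role.add, auth.user.grant and auth.user.show are assumed to be the standard Synapse storm auth commands; the role name ninjas and user name visi are the page's own placeholder values.

```storm
// Added example, not from the Synapse-Mandiant docs.
// Create a role that carries only the Mandiant query permission.
// auth.role.add is assumed to be a standard Synapse storm command.
auth.role.add ninjas

// The rule name comes from the Permissions section of this guide.
auth.role.addrule ninjas power-ups.mandiant.advantage.user

// Put the analyst in the role instead of adding the rule to the user directly.
// auth.user.grant is assumed to be a standard Synapse storm command.
auth.user.grant visi ninjas

// Confirm the effective rules; auth.user.show is assumed to exist.
auth.user.show visi
```

Granting through a role keeps the permission in one place: access for a user is removed by taking the user out of the role, and the role's rule list is the single thing to review when auditing who can reach the Mandiant Advantage API.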
Exported APIs
Synapse-Mandiant does not currently export any APIs.
Workflows
Synapse-Mandiant provides the following workflows in Optic:
Title: Configuration
Node Actions
Synapse-Mandiant provides the following node actions in Optic:
Name : actors
Desc : Ingest threat actor details from the Mandiant Advantage API.
Forms: ou:name, ou:org, risk:threat
Name : indicators
Desc : Ingest indicator details from the Mandiant Advantage API.
Forms: inet:ipv4, inet:ipv6, inet:fqdn, hash:sha256, hash:sha1, hash:md5, file:bytes, inet:email, inet:url
Name : malware
Desc : Ingest malware family details from the Mandiant Advantage API.
Forms: risk:tool:software, it:prod:softname
Name : vulns
Desc : Ingest vulnerability details from the Mandiant Advantage API.
Forms: risk:vuln, it:sec:cve
Onload Events
Synapse-Mandiant uses an onload event to create the following extended properties:
_mandiant:icscore (Records the Mandiant IC-Score value.)
The onload event will also run any required data migrations.