Synapse-Mandiant Admin Guide

Configuration

Synapse-Mandiant requires a Mandiant Advantage API key and its matching API secret. For information on how to obtain them, see the Mandiant Advantage API documentation.

Setting API key for global use

To set up an API key that is shared by all users:

> mandiant.advantage.setup.apikey myapikey myapisecret
Setting Mandiant Advantage API key for all users.

Using per-user API keys

A user may set up their own API key, which is stored for the current user only:

> mandiant.advantage.setup.apikey --self myapikey myapisecret
Setting Mandiant Advantage API key for the current user.

Dependencies

Synapse-Mandiant requires the following Power-Ups to be installed:

Name   : synapse-fileparser
Version: >=4.13.1,<5.0.0
Desc   : Synapse-FileParser is used to parse report PDFs and link extracted indicators to the media:news node.

Permissions

The synapse-mandiant package defines the following permissions:
power-ups.mandiant.advantage.user : Allows a user to issue queries to the Mandiant Advantage API. ( default: false )

Because the default is false, no user can query the Mandiant Advantage API until an admin grants this permission to the user or to one of their roles.

You may add rules to users or roles directly from Storm:

> auth.user.addrule visi power-ups.mandiant.advantage.user
Added rule power-ups.mandiant.advantage.user to user visi.

or:

> auth.role.addrule ninjas power-ups.mandiant.advantage.user
Added rule power-ups.mandiant.advantage.user to role ninjas.
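As an added example (not code from synapse-mandiant or from Synapse itself), the following Python models how a permission that defaults to false, such as power-ups.mandiant.advantage.user, is resolved for a user. The rule semantics it assumes (first matching rule wins, user rules are checked before role rules, a rule matches when its dotted permission is a prefix of the requested one, a leading "!" denies, admins bypass checks, and an unmatched permission falls back to the package default) are assumptions about Synapse's behaviour, not statements from this guide; the users alice, bob, carol and dave are constructed for the demonstration.

```python
"""
Illustrative model of how a Cortex resolves the permission
power-ups.mandiant.advantage.user (default: false) for a user.
Added example; not code from synapse-mandiant or Synapse. The
evaluation order and the "!" deny convention are assumptions.
"""

from __future__ import annotations

from dataclasses import dataclass, field

# The permission string and default exactly as the admin guide lists them.
MANDIANT_USER_PERM = "power-ups.mandiant.advantage.user"
MANDIANT_USER_DEFAULT = False


@dataclass
class Rule:
    """One auth rule: allow/deny plus the dotted permission it applies to."""

    allow: bool
    perm: tuple[str, ...]

    @classmethod
    def parse(cls, text: str) -> Rule:
        # Assumed convention of `auth.user.addrule`: a leading "!" denies.
        allow = not text.startswith("!")
        return cls(allow, tuple(text.lstrip("!").split(".")))

    def matches(self, perm: tuple[str, ...]) -> bool:
        # Prefix match: a rule for power-ups.mandiant also covers
        # power-ups.mandiant.advantage.user.
        return perm[: len(self.perm)] == self.perm


@dataclass
class Role:
    name: str
    rules: list[Rule] = field(default_factory=list)


@dataclass
class User:
    name: str
    admin: bool = False
    rules: list[Rule] = field(default_factory=list)
    roles: list[Role] = field(default_factory=list)

    def allowed(self, perm: str, default: bool = False) -> bool:
        """Admin short-circuits; otherwise the first matching rule wins."""
        if self.admin:
            return True
        want = tuple(perm.split("."))
        # User rules take precedence over rules inherited from roles.
        for rule in self.rules:
            if rule.matches(want):
                return rule.allow
        for role in self.roles:
            for rule in role.rules:
                if rule.matches(want):
                    return rule.allow
        return default


def can_query_mandiant(user: User) -> bool:
    """True if the user may issue queries to the Mandiant Advantage API."""
    return user.allowed(MANDIANT_USER_PERM, default=MANDIANT_USER_DEFAULT)


def build_demo_users() -> dict[str, User]:
    """Constructed users and roles mirroring the guide's visi/ninjas examples."""
    # auth.role.addrule ninjas power-ups.mandiant.advantage.user
    ninjas = Role("ninjas", [Rule.parse(MANDIANT_USER_PERM)])
    return {
        # auth.user.addrule visi power-ups.mandiant.advantage.user
        "visi": User("visi", rules=[Rule.parse(MANDIANT_USER_PERM)]),
        # Member of ninjas; inherits the role rule.
        "alice": User("alice", roles=[ninjas]),
        # Member of ninjas but denied on the user itself; the user rule wins.
        "bob": User("bob", rules=[Rule.parse("!" + MANDIANT_USER_PERM)], roles=[ninjas]),
        # No rule anywhere: falls back to the package default (false).
        "carol": User("carol"),
        # A broader prefix rule also grants the permission.
        "dave": User("dave", rules=[Rule.parse("power-ups.mandiant")]),
    }


if __name__ == "__main__":
    for name, user in build_demo_users().items():
        print(f"{name:6} -> {can_query_mandiant(user)}")
```

The practical takeaway is that granting the rule to a role is the scalable option, while a per-user deny rule is the way to carve one person out of a role that otherwise has access.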

Exported APIs

Synapse-Mandiant does not currently export any APIs.

Workflows

Synapse-Mandiant provides the following workflows in Optic:

Title: Configuration

Node Actions

Synapse-Mandiant provides the following node actions in Optic:

Name : actors
Desc : Ingest threat actor details from the Mandiant Advantage API.
Forms: ou:name, ou:org, risk:threat

Name : indicators
Desc : Ingest indicator details from the Mandiant Advantage API.
Forms: inet:ipv4, inet:ipv6, inet:fqdn, hash:sha256, hash:sha1, hash:md5, file:bytes, inet:email, inet:url

Name : malware
Desc : Ingest malware family details from the Mandiant Advantage API.
Forms: risk:tool:software, it:prod:softname

Name : vulns
Desc : Ingest vulnerability details from the Mandiant Advantage API.
Forms: risk:vuln, it:sec:cve

Onload Events

Synapse-Mandiant uses an onload event to create the following extended properties:

_mandiant:icscore (Records the Mandiant IC-Score value.)

The onload event will also run any required data migrations.