Synapse-Mandiant Admin Guide
Configuration
Synapse-Mandiant requires a Mandiant Advantage API key. For information on how to sign up, please visit the Mandiant Advantage API documentation.
Setting API key for global use
To set up a global API key:
> mandiant.advantage.setup.apikey myapikey myapisecret
Setting Mandiant Advantage API key for all users.
Using per-user API keys
A user may set up their own API key:
> mandiant.advantage.setup.apikey --self myapikey myapisecret
Setting Mandiant Advantage API key for the current user.
Dependencies
Synapse-Mandiant requires the following Power-Ups to be installed:
Name : synapse-fileparser
Version: >=4.13.1,<5.0.0
Desc : Synapse-FileParser is used to parse report PDFs and link extracted indicators to the media:news node.
Permissions
Package (synapse-mandiant) defines the following permissions:
power-ups.mandiant.advantage.user : Allows a user to issue queries to the Mandiant Advantage API. (default: false)
You may add rules to users/roles directly from storm:
> auth.user.addrule visi power-ups.mandiant.advantage.user
Added rule power-ups.mandiant.advantage.user to user visi.
or:
> auth.role.addrule ninjas power-ups.mandiant.advantage.user
Added rule power-ups.mandiant.advantage.user to role ninjas.
Exported APIs
Synapse-Mandiant does not currently export any APIs.
Workflows
Synapse-Mandiant provides the following workflows in Optic:
Title: Configuration
Node Actions
Synapse-Mandiant provides the following node actions in Optic:
Name : actors
Desc : Ingest threat actor details from the Mandiant Advantage API.
Forms: ou:name, ou:org, risk:threat
Name : indicators
Desc : Ingest indicator details from the Mandiant Advantage API.
Forms: inet:ipv4, inet:ipv6, inet:fqdn, hash:sha256, hash:sha1, hash:md5, file:bytes, inet:email, inet:url
Name : malware
Desc : Ingest malware family details from the Mandiant Advantage API.
Forms: risk:tool:software, it:prod:softname
Name : vulns
Desc : Ingest vulnerability details from the Mandiant Advantage API.
Forms: risk:vuln, it:sec:cve
Onload Events
Synapse-Mandiant uses an onload event to run required data migrations and to create the following extended properties:
_mandiant:icscore
forms: ('inet:ipv4', 'inet:ipv6', 'inet:fqdn', 'inet:url', 'hash:md5', 'hash:sha1', 'hash:sha256', 'inet:email', 'risk:alert')
doc: Records the Mandiant IC-Score value.
_mandiant:threat:score
forms: ('inet:ipv4', 'inet:ipv6', 'inet:fqdn', 'inet:url', 'hash:md5', 'hash:sha1', 'hash:sha256', 'inet:email')
doc: Records the Mandiant Threat Score value.
_mandiant:threat:confidence
forms: ('inet:ipv4', 'inet:ipv6', 'inet:fqdn', 'inet:url', 'hash:md5', 'hash:sha1', 'hash:sha256', 'inet:email')
doc: Records the Mandiant Threat Rating Confidence level.
_mandiant:threat:severity
forms: ('inet:ipv4', 'inet:ipv6', 'inet:fqdn', 'inet:url', 'hash:md5', 'hash:sha1', 'hash:sha256', 'inet:email')
doc: Records the Mandiant Threat Rating Severity level.
_mandiant:threat:severity:reasons
forms: ('inet:ipv4', 'inet:ipv6', 'inet:fqdn', 'inet:url', 'hash:md5', 'hash:sha1', 'hash:sha256', 'inet:email')
doc: Records the Mandiant Threat Rating Severity reasons.
The onload event will also run any required data migrations.
Ingesting CPE strings
The Mandiant Advantage API may sometimes return invalid CPE strings. Invalid CPE strings will be rejected by Synapse when attempting to ingest the API data. As a workaround, the Synapse-Mandiant Power-Up performs the following transformations on CPE strings before attempting to ingest them:
Replace "\-" with "-". Dashes (hyphens) should not be escaped according to the CPE 2.3 specification.
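As an added illustration (not code from the Synapse-Mandiant Power-Up or from Synapse itself), the following Python applies the hyphen repair described above and checks the result against an approximation of the CPE 2.3 formatted-string grammar (NISTIR 7695, section 6.2). The validator is an assumption for illustration: it is looser than the full grammar and may not match the exact checks Synapse's it:sec:cpe type performs.

```python
import string

# CPE 2.3 formatted-string grammar: these punctuation characters may appear
# only when escaped with a backslash. Hyphen, period and underscore are
# "unreserved" and must NOT be escaped, which is why "\-" is rejected.
_PUNC = set('!"#$%&\'()+,/:;<=>@[]^`{|}~')
_UNRESERVED = set(string.ascii_letters + string.digits + '._-')


def repair_cpe23(cpe: str) -> str:
    """Apply the transformation described above: unescape hyphens."""
    return cpe.replace('\\-', '-')


def split_cpe23(cpe: str) -> list:
    """Split on colons that are not escaped; escaped pairs stay intact."""
    parts, cur, i = [], '', 0
    while i < len(cpe):
        if cpe[i] == '\\' and i + 1 < len(cpe):
            cur += cpe[i:i + 2]      # keep the escape pair as one unit
            i += 2
        elif cpe[i] == ':':
            parts.append(cur)
            cur = ''
            i += 1
        else:
            cur += cpe[i]
            i += 1
    parts.append(cur)
    return parts


def _component_ok(comp: str) -> bool:
    if comp in ('*', '-'):           # logical values ANY / NA
        return True
    i = 0
    while i < len(comp):
        ch = comp[i]
        if ch == '\\':               # only backslash, *, ? and _PUNC may be escaped
            nxt = comp[i + 1] if i + 1 < len(comp) else ''
            if nxt not in _PUNC and nxt not in ('\\', '*', '?'):
                return False
            i += 2
        elif ch in _UNRESERVED or ch in ('*', '?'):   # wildcards loosely allowed
            i += 1
        else:
            return False
    return True


def is_valid_cpe23(cpe: str) -> bool:
    """Approximate structural check: prefix, 13 components, part, escaping."""
    parts = split_cpe23(cpe)
    if len(parts) != 13 or parts[0] != 'cpe' or parts[1] != '2.3':
        return False
    if parts[2] not in ('a', 'o', 'h'):
        return False
    return all(_component_ok(p) for p in parts[3:])
```

With a constructed input such as `cpe:2.3:a:vendor:some\-product:1.0:*:*:*:*:*:*:*`, `is_valid_cpe23` returns False before `repair_cpe23` and True afterwards.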
Synapse v2.187.0 migration
Synapse v2.187.0 added a model migration (v0.2.31) that removed all invalid it:sec:cpe nodes from the Cortex. The Synapse-Mandiant onload migration uses the above transformations to attempt to automatically repair and restore invalid it:sec:cpe nodes that originated from the Synapse-Mandiant Power-Up.