Changelog

Synapse-Mandiant Changelog

v3.3.0 - 2024-11-01

Automatic Migrations

  • Attempt to automatically repair any invalid it:sec:cpe nodes that were removed and queued as part of the Synapse v2.187.0 model migration. This migration will attempt to automatically repair any queued nodes that have a source of Synapse-Mandiant (via the Synapse-Mandiant meta:source -(seen)> edge). Note that some it:sec:cpe nodes that were removed may not be able to be automatically repaired/restored, in which case they will remain in the migration queue.

v3.2.0 - 2024-10-29

Features and Enhancements

  • Add option to also ingest actors associated with reports.

  • Retrieve and ingest full YARA rules associated with a malware family.

v3.1.1 - 2024-07-19

Bugfixes

  • Fix an issue where top-level category tags were not applied to indicators.

v3.1.0 - 2024-06-28

Features and Enhancements

  • Improve risk:hasvuln migration performance and use $lib.model.migration.s.riskHasVulnToVulnerable() helper.

  • Add a warning when attempting to ingest an invalid CPE string.

This release contains an automatic data migration that will run when the package is first upgraded to v3.x.x or the v3.0.0 migration did not complete. The migration creates risk:vulnerable nodes from the deprecated risk:hasvuln nodes.

v3.0.0 - 2024-04-22

Features and Enhancements

  • Update base URL to https://api.intelligence.mandiant.com.

  • Add support for an --opts dictionary command line argument to control recursive ingest.

  • Default commands to not ingest beyond one level, e.g. for mandiant.advantage.malware ingest associated reports but not also vulnerabilities associated with those reports.

  • Ingest indicator threat score data, and apply a default minimum score of 60.

  • Add extended properties to represent the threat score data.

  • Remove usage of /v4/indicator/download/{id}, and download all indicators from the respective type endpoints.

  • Remove deprecated cache arguments.

  • Replace deprecated risk:hasvuln usage with risk:vulnerable.

This release contains an automatic data migration that will run when the package is first upgraded. The migration creates risk:vulnerable nodes from the deprecated risk:hasvuln nodes.

v2.12.0 - 2024-04-04

Features and Enhancements

  • Update $lib.bytes usage with $lib.axon APIs.

Bugfixes

  • Fix a typo in the mandiant.advantage.dtm.alerts help.

  • Fix an issue where MISP tags could be added/deleted in repeated runs due to not being normalized.

v2.11.1 - 2024-02-20

Features and Enhancements

  • Update deprecated $lib.dict() usage to JSON style syntax.

v2.11.0 - 2024-02-09

Features and Enhancements

  • Enrich vulnerabilities returned from reports, campaigns, actors, and malware. Previously risk:vuln nodes created by responses from those APIs may have only contained the CVE ID.

v2.10.0 - 2024-02-06

Features and Enhancements

  • Add location data to the risk:threat nodes generated by mandiant.advantage.actors command.

  • Use the vulnerability risk rating to set risk:vuln:severity.

Bugfixes

  • Set risk:vuln:exploited to true when the exploitation state is Wide (in addition to Confirmed).

  • Set risk:vuln:exploited to false when the exploitation state is No Known.

v2.9.0 - 2024-01-23

Features and Enhancements

  • Ingest indicators from the /v4/report/{report_id}/indicators endpoint when adding a report.

v2.8.0 - 2024-01-05

Features and Enhancements

  • Add mandiant.advantage.dtm.alerts command to ingest alerts from the DTM API.

v2.7.0 - 2023-12-08

Features and Enhancements

  • Ingest MITRE ATT&CK techniques associated with threat actors.

Deprecations

  • Caching has been removed from the following commands, so the --asof and --no-cache arguments have been deprecated and will no longer have any effect:

    mandiant.advantage.actors

    mandiant.advantage.indicators

    mandiant.advantage.reports

    mandiant.advantage.malware

This release contains an automatic cache cleanup that will run when the package is first upgraded. This will remove existing cached API response data from the jsonstor.

v2.6.0 - 2023-10-05

Features and Enhancements

  • Add report ID into PDF download error messages.

  • Add mandiant.advantage.campaigns command to ingest campaigns.

  • Update ou:technique generation to use reporter properties instead of :type.

Bugfixes

  • Remove report PDF cache entry if FileParser fails to open the file as a PDF.

NOTE: This release requires Synapse-FileParser>=4.13.1

v2.5.0 - 2023-08-31

Features and Enhancements

  • Add first/last seen time to #rep.mandiant interval value to allow queries based on Mandiant’s specific first/last seen times vs global .seen interval.

v2.4.0 - 2023-07-21

Features and Enhancements

  • Add custom error message to indicate an HTTP code 404 may also be because the API key does not have permission.

  • Create a media:news node from the storyLink in News Analysis reports instead of an inet:url.

Bugfixes

  • Fix an issue where the indicator context for a malware family was not ingested.

  • Do not print a warning message when an HTTP code 204 (No Content) is returned.

v2.3.0 - 2023-07-06

Features and Enhancements

  • Add mandiant.advantage.vulns command to ingest vulnerabilities.

  • Set risk:vuln:reporter:name=mandiant and deconflict on this property when creating new vulns. This change also removed logic which would only set properties on risk:vuln if they are unset. risk:vuln nodes previously created by synapse-mandiant will be duplicated since reporter:name was unset. To migrate these nodes, and allow synapse-mandiant to overwrite all properties, the following query can be run: meta:source=87af91df0f689c810822046e49af0db8 -(seen)> risk:vuln [ :reporter:name=mandiant ].

v2.2.0 - 2023-06-16

Features and Enhancements

  • Add mandiant.advantage.malware command to ingest malware families.

  • Add --no-cache option to commands to prevent data from being cached.

  • Add node action for mandiant.advantage.actors.

  • Add options to filter report types for ingest to mandiant.advantage.reports, mandiant.advantage.actors, and mandiant.advantage.malware.

v2.1.1 - 2023-04-27

Bugfixes

  • Fix an issue where “??” values were not handled properly.

v2.1.0 - 2023-04-18

Features and Enhancements

  • Mark the Synapse-FileParser dependency as optional.

Bugfixes

  • Fix an issue where ingesting CVEs with trailing whitespace would cause an exception.

v2.0.2 - 2023-02-15

Bugfixes

  • Fix an issue where ou:technique nodes were not being created from reports.

v2.0.1 - 2023-01-31

Bugfixes

  • Fix an issue where a parsed network identifier incorrectly referenced a file.

  • Catch SpawnExit error in HTML to text conversion so that the ingest does not halt.

v2.0.0 - 2023-01-19

Features and Enhancements

  • Model threat actors using risk:threat nodes instead of the _mandiant:threatactors extended property.

  • Model malware as risk:tool:software nodes instead of the _mandiant:malware extended property.

  • Model exploits using media:news nodes instead of it:prod:softver.

  • Add ou:technique nodes from reports.

  • Indicator meta:source nodes will no longer be created as nodes will have rep.mandiant.3p.<source> tags.

  • Do not set tag timestamps on category tags for indicator sources.

  • Set/unset MISP tags instead of updating tag timestamps.

  • Add --since-last option to reports and indicators commands to simplify ingesting as regular feeds.

  • Change default IC-Score to 75 from 0.

  • Always download the report PDF and parse using Synapse-FileParser.

  • Add Power-Up dependencies to package definition.

  • Add mandiant.advantage.actors command to ingest threat actors.

This release contains an automatic data migration that will run when the package is first upgraded. The migration moves the data for the _mandiant:threatactors and _mandiant:malware extended properties, and then removes those properties from the data model. The migration will also move the report id from node data to media:news:ext:id.

v1.2.0 - 2022-10-18

Features and Enhancements

  • Support file:bytes as input to mandiant.advantage.indicators.

  • Use it:exec:query nodes to represent the query syntax for mandiant.advantage.indicators.

  • Update media:news nodes to use :publisher:name instead of :org.

  • Retry HTTP error code 429 (rate-limiting) and HTTP error codes >= 500.

  • Add rep tags to malware and threat actors set in extended properties from mandiant.advantage.reports.

Bugfixes

  • Fix the minimum required Synapse version.

  • Attempt to refresh OAuth token on HTTP 401 error codes before retrying to handle invalid token lifetimes.

v1.1.0 - 2022-08-04

Features and Enhancements

  • Support feed-style ingest of indicators using mandiant.advantage.indicators command.

  • Add mandiant.advantage.reports command to ingest reports.

v1.0.0 - 2022-06-28

Features and Enhancements

  • Initial release of the Synapse-Mandiant Power-Up.