Synapse-Recorded Future Admin Guide
Configuration
Synapse-RecordedFuture requires a Recorded Future API key. For information on how to sign up, please visit the Recorded Future website.
Setting API key for global use
To set up a global API key:
> recordedfuture.setup.apikey myapikey
Setting Recorded Future API key for all users.
Using per-user API keys
A user may set up their own API key:
> recordedfuture.setup.apikey --self myapikey
Setting Recorded Future API key for the current user.
Recorded Future Sandbox
The Recorded Future Sandbox requires a separate API key. For more information on the sandbox API, please visit the Recorded Future Sandbox docs.
Setting a Recorded Future Sandbox API key for global use
To set up a global Recorded Future Sandbox API key:
> recordedfuture.sandbox.setup.apikey myapikey
Setting Recorded Future Sandbox API key for all users.
Configuring the Recorded Future Sandbox URL
By default, the base API URL used is the Recorded Future Sandbox API at https://sandbox.recordedfuture.com. This base URL can be changed with the recordedfuture.sandbox.setup.url command. For example, to use the private cloud:
> recordedfuture.sandbox.setup.url https://private.tria.ge
Setting Recorded Future Sandbox URL to https://private.tria.ge.
Permissions
The synapse-recordedfuture package defines the following permissions:
power-ups.recordedfuture.user : Controls user access to Synapse-Recorded Future. ( default: false )
power-ups.recordedfuture.sandbox.user : Controls user access to Synapse-Recorded Future sandbox commands. ( default: false )
power-ups.recordedfuture.sandbox.submit : Used in addition to power-ups.recordedfuture.sandbox.user to allow users to submit samples for analysis. ( default: false )
You may add rules to users/roles directly from storm:
> auth.user.addrule visi power-ups.recordedfuture.user
Added rule power-ups.recordedfuture.user to user visi.
or:
> auth.role.addrule ninjas power-ups.recordedfuture.user
Added rule power-ups.recordedfuture.user to role ninjas.
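As an added example (not taken from the Synapse-RecordedFuture docs), a least-privilege role layout built from the three permissions above using Storm's auth commands; the role names rf-analysts and rf-submitters and the users alice and bob are assumed:

```storm
// Tier 1: everyone who may query Recorded Future and read sandbox results.
auth.role.add rf-analysts
auth.role.addrule rf-analysts power-ups.recordedfuture.user
auth.role.addrule rf-analysts power-ups.recordedfuture.sandbox.user

// Tier 2: the smaller group allowed to submit samples. The submit
// permission only works in addition to sandbox.user, so this role is
// granted on top of rf-analysts rather than instead of it.
auth.role.add rf-submitters
auth.role.addrule rf-submitters power-ups.recordedfuture.sandbox.submit

// Assumed users: alice may search and submit, bob may only search.
auth.user.grant alice rf-analysts
auth.user.grant alice rf-submitters
auth.user.grant bob rf-analysts
```

Keeping sandbox.submit on its own role makes it easy to audit and revoke who can send samples to the sandbox without touching search access.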
Exported APIs
Synapse-RecordedFuture does not currently export any APIs.
Workflows
Synapse-RecordedFuture provides the following workflows in Optic:
Title: Configuration
Title: Search
Title: Alerts
Node Actions
Synapse-Recorded Future provides the following node actions in Optic:
Name : enrich
Desc : Enrich nodes using the Recorded Future API.
Forms: hash:md5, hash:sha1, hash:sha256, inet:fqdn, inet:ipv4, inet:url, it:sec:cwe, risk:vuln
Name : ip.geo
Desc : Enrich an IP with VPN and Geographical Information.
Forms: inet:ipv4, inet:ipv6
Name : coreferences
Desc : Find co-references using the Recorded Future API.
Forms: hash:md5, hash:sha1, hash:sha256, inet:fqdn, inet:ipv4, inet:url, it:sec:cwe, risk:vuln
Onload Events
Synapse-RecordedFuture uses an onload event to create the following extended properties:
_recordedfuture:risk:score (The Recorded Future risk score (0 - 100).)
_recordedfuture:risk:criticality (The Recorded Future criticality level (0 - 4).)
_recordedfuture:risk:criticality.1 (The Recorded Future criticality level (0 - 5).)
_recordedfuture:alert:status (Status of the Recorded Future alert as shown in the portal.)
_recordedfuture:alert:assignee (User assigned to the Recorded Future alert.)
_recordedfuture:devices (The number of devices Recorded Future has detected using this IP.)