Admin Guide

Synapse-VMRay Admin Guide

Configuration

Synapse-VMRay requires a VMRay API key. For information on how to sign up, please visit the VMRay API documentation.

Setting API key for global use

To set up a global API key:

> vmray.setup.apikey myapikey
Setting Synapse-VMRay API key for all users.

Using per-user API keys

A user may set up their own API key:

> vmray.setup.apikey --self myapikey
Setting Synapse-VMRay API key for the current user.

Setting the API Endpoint for global use

To configure a global API endpoint:

> vmray.setup.endpoint "https://eu.cloud.vmray.com"
Setting Synapse-VMRay Endpoint for all users.

Using per-user Endpoints

A user may configure their own API endpoint:

> vmray.setup.endpoint --self "https://us.cloud.vmray.com"
Setting Synapse-VMRay Endpoint for the current user.

Permissions

Package (synapse-vmray) defines the following permissions:
power-ups.vmray.user             : Controls user access to Synapse-VMRay. ( default: false )
power-ups.vmray.submitter        : Controls user access to submitting files to VMRay from Synapse-VMRay. ( default: false )

You may add rules to users/roles directly from storm:

> auth.user.addrule visi power-ups.vmray.user
Added rule power-ups.vmray.user to user visi.

or:

> auth.role.addrule ninjas power-ups.vmray.user
Added rule power-ups.vmray.user to role ninjas.
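As an added example (not part of the original guide), the following Storm query assigns the two permissions through roles with least privilege: everyone who needs the Power-Up receives power-ups.vmray.user through one role, while only the smaller group allowed to send samples to VMRay also receives power-ups.vmray.submitter. The role names vmray-analysts and vmray-submitters and the user names alice and bob are assumptions; the commands are chained with | so the whole sequence can be pasted as one query.

```storm
// Added example: role-based assignment of the Synapse-VMRay permissions.
// Role names (vmray-analysts, vmray-submitters) and user names (alice, bob) are assumptions.

// Analyst role: may use the node actions, but may not submit files to VMRay.
auth.role.add vmray-analysts
| auth.role.addrule vmray-analysts power-ups.vmray.user

// Submitter role: the user permission plus the right to send file:bytes for analysis.
| auth.role.add vmray-submitters
| auth.role.addrule vmray-submitters power-ups.vmray.user
| auth.role.addrule vmray-submitters power-ups.vmray.submitter

// Grant roles rather than per-user rules so access can be reviewed and revoked in one place.
| auth.user.grant alice vmray-analysts
| auth.user.grant bob vmray-submitters

// To withdraw submission rights later, revoke the role instead of editing rules:
//   auth.user.revoke bob vmray-submitters
```

Keeping power-ups.vmray.submitter on its own role makes the set of users who can push potentially sensitive files to an external sandbox easy to audit.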

Exported APIs

Synapse-VMRay does not currently export any APIs.

Node Actions

Synapse-VMRay provides the following node actions in Optic:

Name : vmray.sample.iocs
Desc : Fetch IOCs for a file/hash/url/fqdn
Forms: file:bytes, hash:sha256, hash:sha1, hash:md5, inet:url, inet:fqdn

Name : vmray.sample.mitre
Desc : Populate MITRE ATT&CK Techniques for a file/hash
Forms: file:bytes, hash:sha256, hash:sha1, hash:md5

Name : vmray.sample.vtis
Desc : Download the VMRay Threat Identifiers for a file/hash/url/fqdn
Forms: file:bytes, hash:sha256, hash:sha1, hash:md5, inet:url, inet:fqdn

Name : vmray.sample.submit
Desc : Submit a file:bytes to VMRay for analysis.
Forms: file:bytes, hash:sha256

Onload Events

Synapse-VMRay does not use any onload events.

On-demand Migrations

AV Hit Migration

To run the migration across all views, use the query yield $lib.import(vmray).migrateAvHit(). Views are migrated in dependency order, and no nodes will be yielded.

Alternatively, yield $lib.import(vmray).migrateAvHit(global=$lib.false) will run the migration in the current view. The migrated nodes will be yielded from the query.

This function will migrate it:av:filehit nodes created from sample reports to it:av:scan:result, which includes copying edges and tags. Note that the migrated it:av:scan:result nodes will not deconflict with those created from subsequent command runs.
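As an added example (not part of the original guide), the following Storm query runs the migration in the current view only and reviews each migrated node as it is yielded, so the tags and form values can be checked before the migration is run globally. The output format of the print line is a choice made here, not something the Power-Up defines.

```storm
// Added example: migrate it:av:filehit nodes in the current view and inspect the result.
// Only the migrated it:av:scan:result nodes are yielded when global=$lib.false.
yield $lib.import(vmray).migrateAvHit(global=$lib.false)

// Keep only the new scan-result nodes (a defensive filter; the call yields nothing else).
| +it:av:scan:result

// Print each migrated node with the tags that were copied across from the old node.
| $lib.print("migrated {form}={valu} tags={tags}", form=$node.form(), valu=$node.repr(), tags=$node.tags())

// Report how many nodes were migrated in this view.
| count
```

Because migrated it:av:scan:result nodes do not deconflict with those created by later command runs, run the migration once per view and record the count, rather than re-running it after new VMRay results have been ingested.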