Synapse
Synapse Pack.
This Integration is part of the Synapse intelligence analysis platform.
This integration was integrated and tested with version 2.7.0 of Synapse.

Configure Synapse in Cortex

Parameter | Description | Required |
---|---|---|
url | Server URL (e.g. https://synapse.vertex.link) | True |
port | REST API Port (default is 4443). | True |
credentials | Username and password used to authenticate to Synapse. | True |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
timezone | Timezone (optional) | False |
bad_tag | Malicious Tag | False |
good_tag | Benign Tag | False |
use_optic | Synapse is running Optic | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Returns IP information and reputation.

Base Command

ip

Input

Argument Name | Description | Required |
---|---|---|
ip | List of IPs. | Required |

Context Output

Path | Type | Description |
---|---|---|
Synapse.IP.ip | String | The IP address of the indicator. |
Synapse.IP.tags | String | The tags applied to the IP address. |
DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
DBotScore.Type | String | The type assigned by DBot for the indicator. |
DBotScore.Score | Number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
IP.Address | string | The IP address of the indicator. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |

Command Example

!ip ip="1.2.3.4"

Context Example

Human Readable Output

IP List

ip | tags |
---|---|
1.2.3.4 | mal, test |

url

Returns URL information and reputation.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

url

Input

Argument Name | Description | Required |
---|---|---|
url | List of URLs. | Required |

Context Output

Path | Type | Description |
---|---|---|
Synapse.URL.url | String | The data of the URL indicator. |
Synapse.URL.tags | String | The tags applied to the url. |
DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
DBotScore.Type | String | The type assigned by DBot for the indicator. |
DBotScore.Score | Number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
URL.Data | string | The data of the URL indicator. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |

Command Example

!url url="https://google.com"

Context Example

Human Readable Output

URL List

tags | url |
---|---|
 | https://google.com |

domain

Returns Domain information and reputation.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domain

Input

Argument Name | Description | Required |
---|---|---|
domain | List of Domains. | Required |

Context Output

Path | Type | Description |
---|---|---|
Synapse.Domain.domain | String | The fully qualified domain name. |
Synapse.Domain.tags | String | The tags applied to the domain. |
DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
DBotScore.Type | String | The type assigned by DBot for the indicator. |
DBotScore.Score | Number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
Domain.Name | string | The name of the domain. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |

Command Example

!domain domain="foobar.com"

Context Example

Human Readable Output

Domain List

domain | tags |
---|---|
foobar.com | mal |

file

Returns File information and reputation.

Base Command

file

Input

Argument Name | Description | Required |
---|---|---|
file | List of File Hashes (accepts MD5, SHA1, SHA256, SHA512). | Required |

Context Output

Path | Type | Description |
---|---|---|
Synapse.File.hash | String | The queried file hash. |
Synapse.File.MD5 | String | The MD5 hash of the file. |
Synapse.File.SHA1 | String | The SHA1 hash of the file. |
Synapse.File.SHA256 | String | The SHA256 hash of the file. |
Synapse.File.SHA512 | String | The SHA512 hash of the file. |
Synapse.File.query | String | The formatted query in storm syntax. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
File.Malicious.Description | String | For malicious files, the full description. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Score | Number | The actual score. |
DBotScore.Vendor | String | The vendor used to calculate the score. |

Command Example

!file file="9e0c442ee3157d3f3aa2be30a1d24d81"

Context Example

Human Readable Output

File List

MD5 | SHA1 | SHA256 | SHA512 | hash | query | tags |
---|---|---|---|---|---|---|
9e0c442ee3157d3f3aa2be30a1d24d81 | e7b03ed4dbdfb79477c49942d5796d3dfc78ac7e | 290f64a315850c5bccc907f79cbeabd79345719df738ee5d02dc3447d04675b3 | 53e6baa124f54462786f1122e98e38ff1be3de82fe2a96b1849a8637043fd847eec7e0f53307bddf7a066565292d500c36c941f1f3bb9dcac807b2f4a0bfce1b | 9e0c442ee3157d3f3aa2be30a1d24d81 | file:bytes:md5=9e0c442ee3157d3f3aa2be30a1d24d81 | mal |
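
The `file` command accepts four hash types and reports the lookup it ran in `Synapse.File.query`. The Python below is an added example, not the integration's own code: it picks the `file:bytes` property from the digest length and refuses anything that is not pure hex before the value is placed in a Storm query. The function names are hypothetical, and the `sha1`, `sha256` and `sha512` query forms are assumed to mirror the `file:bytes:md5=...` query shown in the output above.

```python
import re

# Digest length -> file:bytes property (property names as listed for the
# file:bytes form on this page; the mapping itself is an assumption).
HASH_PROPS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"[0-9a-f]+")


def build_file_query(value):
    """Return a Storm query for one file hash, e.g. file:bytes:md5=<hash>.

    Raises ValueError unless the value is a pure hex digest of a supported
    length, so only hex digits are ever interpolated into the query.
    """
    digest = value.strip().lower()
    prop = HASH_PROPS.get(len(digest))
    if prop is None:
        raise ValueError(f"unsupported hash length {len(digest)}")
    if not HEX_RE.fullmatch(digest):
        raise ValueError("hash contains non-hex characters")
    return f"file:bytes:{prop}={digest}"


def build_file_queries(arg):
    """Split a comma-separated 'file' argument into (queries, rejected)."""
    queries, rejected = {}, []
    for raw in arg.split(","):
        item = raw.strip()
        if not item or item.lower() in queries:
            continue  # skip blanks and case-insensitive duplicates
        try:
            queries[item.lower()] = build_file_query(item)
        except ValueError as exc:
            rejected.append((item, str(exc)))
    return queries, rejected


if __name__ == "__main__":
    # Constructed input: the MD5 from the command example, the same hash in
    # upper case, a value that is too short, and a 32-character value that
    # contains a pipe.
    sample = ("9e0c442ee3157d3f3aa2be30a1d24d81,"
              "9E0C442EE3157D3F3AA2BE30A1D24D81,"
              "abc123,"
              "9e0c442ee3157d3f3aa2be30a1d24d8|")
    accepted, refused = build_file_queries(sample)
    print(accepted)
    print(refused)
```

Rejected values are returned with the reason rather than dropped silently, so a playbook can surface malformed indicators instead of querying on them.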

synapse-storm-query

Execute a Synapse Storm query.

Base Command

synapse-storm-query

Input

Argument Name | Description | Required |
---|---|---|
query | Synapse Storm query (e.g. "inet:ipv4=1.2.3.4") | Required |
limit | Limit the number of results returned. Default is 100. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Synapse.Nodes.created | String | Timestamp when the node was first created in the Synapse Cortex. |
Synapse.Nodes.form | String | The type of node (e.g. "inet:ipv4" for an IP address). |
Synapse.Nodes.tags | String | The tags associated with the resulting node. |
Synapse.Nodes.valu | String | The node primary value (e.g. "1.2.3.4" for an IP). |

Command Example

!synapse-storm-query query="inet:ipv4=1.2.3.5" limit=1

Context Example

Human Readable Output

Synapse Query Results: inet:ipv4=1.2.3.5

form | valu | created | tags |
---|---|---|---|
inet:ipv4 | 1.2.3.5 | 2020/09/12 10:07:17 EDT | test.foo, test.testing |

Synapse Node Properties

.created | type |
---|---|
1599919637048 | unicast |

synapse-list-users

Lists current users in Synapse Cortex.

Base Command

synapse-list-users

Input

There are no input arguments for this command.

Context Output

Path | Type | Description |
---|---|---|
Synapse.Users.Admin | Boolean | True/False whether the Synapse user is an admin. |
Synapse.Users.Email | String | The email address of the Synapse user. |
Synapse.Users.Iden | String | The unique identifier of the Synapse user. |
Synapse.Users.Name | String | The user's Synapse username. |
Synapse.Users.Roles | String | The roles applied to the Synapse user. |
Synapse.Users.Rules | String | The rules applied to the Synapse user. |

Command Example

!synapse-list-users

Context Example

Human Readable Output

Synapse Users

Name | Admin | Rules | Roles |
---|---|---|---|
root | true | | |
testuser | false | | xsoar-role, all |
xsoartesting | false | | all |

synapse-list-roles

Lists current roles in Synapse Cortex.

Base Command

synapse-list-roles

Input

There are no input arguments for this command.

Context Output

Path | Type | Description |
---|---|---|
Synapse.Roles.Iden | String | The unique identifier of the Synapse Role. |
Synapse.Roles.Name | String | The name of the Synapse Role. |
Synapse.Roles.Rules | String | The rules applied to the Synapse Role. |

Command Example

!synapse-list-roles

Context Example

Human Readable Output

Synapse Roles

Name | Iden | Rules |
---|---|---|
xsoar-role | bcf176a4cbe240ae1dcf9fbebdffa680 | |
all | c486fa9eb8d50a8c35a60687f12dc4c9 | |
xsoartestingrole | e7e6ee238bc5bceeff96d10f100142ae | |

synapse-create-user

Create a new Synapse user.

Base Command

synapse-create-user

Input

Argument Name | Description | Required |
---|---|---|
username | New username to be created. | Required |
password | Optionally set the new user's password. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Synapse.Users.Admin | Boolean | True/False whether the Synapse user is an admin. |
Synapse.Users.Email | String | The email address of the Synapse user. |
Synapse.Users.Iden | String | The unique identifier of the Synapse user. |
Synapse.Users.Name | String | The user's Synapse username. |
Synapse.Users.Roles | String | The roles applied to the Synapse user. |
Synapse.Users.Rules | String | The rules applied to the Synapse user. |

Command Example

!synapse-create-user username="xsoardemo" password="secret"

Context Example

Human Readable Output

Synapse New User

Name | Admin | Rules | Roles |
---|---|---|---|
xsoardemo | false | | all |

synapse-create-role

Create a new Synapse role.

Base Command

synapse-create-role

Input

Argument Name | Description | Required |
---|---|---|
role | New role to create in Synapse. | Required |

Context Output

Path | Type | Description |
---|---|---|
Synapse.Roles.Iden | String | The unique identifier of the Synapse Role. |
Synapse.Roles.Name | String | The name of the Synapse Role. |
Synapse.Roles.Rules | String | The rules applied to the Synapse Role. |

Command Example

!synapse-create-role role="xsoar-role-demo"

Context Example

Human Readable Output

Synapse New Role

Name | Iden | Rules |
---|---|---|
xsoar-role-demo | 029019964000fef6ccd2be428f496423 | |

synapse-grant-user-role

Grants a user access to role-based permissions.

Base Command

synapse-grant-user-role

Input

Argument Name | Description | Required |
---|---|---|
user | User's "iden" property - not the username. | Required |
role | Role's "iden" property - not the name of the role. | Required |

Context Output

Path | Type | Description |
---|---|---|
Synapse.Users.Admin | Boolean | True/False whether the Synapse user is an admin. |
Synapse.Users.Email | String | The email address of the Synapse user. |
Synapse.Users.Iden | String | The unique identifier of the Synapse user. |
Synapse.Users.Name | String | The user's Synapse username. |
Synapse.Users.Roles | String | The roles applied to the Synapse user. |
Synapse.Users.Rules | String | The rules applied to the Synapse user. |

Command Example

!synapse-grant-user-role user="a2bfead4c16b0354af2a92aa05588fc9" role="bcf176a4cbe240ae1dcf9fbebdffa680"

Context Example

Human Readable Output

Synapse New User Role

Name | Admin | Rules | Roles |
---|---|---|---|
testuser | false | | xsoar-role, all |

synapse-query-model

Query the Synapse data model and return details for a given type or form (e.g. "inet:ipv4" for an IPv4 address).

Base Command

synapse-query-model

Input

Argument Name | Description | Required |
---|---|---|
query | Type/Form query (e.g. "inet:ipv4" or "inet:fqdn") | Required |

Context Output

Path | Type | Description |
---|---|---|
Synapse.Model.Doc | String | The docstring associated with the particular Synapse model element. |
Synapse.Model.Example | String | An example of the given Synapse element. |
Synapse.Model.Form | String | A form is the definition of an object in the Synapse data model (node). |
Synapse.Model.Properties | String | The unique properties associated with the given Synapse object. |
Synapse.Model.Type | String | A Type is the definition of a data element within the data model. |
Synapse.Model.Valu | String | The given value of the Synapse object type. |

Command Example

!synapse-query-model query="file:bytes"

Context Example

Human Readable Output

Synapse Model Type

Type | Doc | Example |
---|---|---|
file:bytes | The file bytes type with SHA256 based primary property. | N/A |

Synapse file:bytes Form Properties

Property | Description |
---|---|
.seen | The time interval for first/last observation of the node. |
.created | The time the node was created in the cortex. |
size | The file size in bytes. |
md5 | The md5 hash of the file. |
sha1 | The sha1 hash of the file. |
sha256 | The sha256 hash of the file. |
sha512 | The sha512 hash of the file. |
name | The best known base name for the file. |
mime | The "best" mime type name for the file. |
mime:x509:cn | The Common Name (CN) attribute of the x509 Subject. |
mime:pe:size | The size of the executable file according to the PE file header. |
mime:pe:imphash | The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile . |
mime:pe:compiled | The compile time of the file according to the PE header. |
mime:pe:pdbpath | The PDB string according to the PE. |
mime:pe:exports:time | The export time of the file according to the PE. |
mime:pe:exports:libname | The export library name according to the PE. |
mime:pe:richhdr | The sha256 hash of the rich header bytes. |