Synapse

This Integration is part of the Synapse Pack.#

Synapse intelligence analysis platform. This integration was integrated and tested with version 2.7.0 of Synapse.

Configure Synapse on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Synapse.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://synapse.vertex.link) | True |
| port | REST API Port (default is 4443). | True |
| credentials | Username and password used to authenticate to Synapse. | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| timezone | Timezone (optional) | False |
| bad_tag | Malicious Tag | False |
| good_tag | Benign Tag | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Returns IP information and reputation.

Base Command#

ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.IP.ip | String | The IP address of the indicator. |
| Synapse.IP.tags | String | The tags applied to the IP address. |
| DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
| DBotScore.Type | String | The type assigned by DBot for the indicator. |
| DBotScore.Score | Number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |

Command Example#

!ip ip="1.2.3.4"

Context Example#

{
    "DBotScore": {
        "Indicator": "1.2.3.4",
        "Score": 3,
        "Type": "ip",
        "Vendor": "Synapse"
    },
    "IP": {
        "Address": "1.2.3.4",
        "Malicious": {
            "Description": "Synapse returned reputation tag: mal",
            "Vendor": "Synapse"
        }
    },
    "Synapse": {
        "IP": {
            "ip": "1.2.3.4",
            "tags": [
                "mal",
                "test"
            ]
        }
    }
}

Human Readable Output#

IP List#

| ip | tags |
| --- | --- |
| 1.2.3.4 | mal, test |
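
The context example above shows a node tagged `mal` producing a DBotScore of 3 and a `Malicious` entry. The sketch below is an added example, not the integration's own code, modelling how the `bad_tag` and `good_tag` parameters could drive that result; the matching rule (exact tag or a child in Synapse's dotted tag hierarchy), the `benign` tag value and all function names are assumptions.

```python
DBOT_UNKNOWN, DBOT_GOOD, DBOT_BAD = 0, 1, 3  # XSOAR DBotScore values

# Standard context key and value field per indicator type, as in the examples.
STANDARD_KEYS = {"ip": ("IP", "Address"), "url": ("URL", "Data"), "domain": ("Domain", "Name")}


def tag_matches(node_tag, configured_tag):
    """Assumed rule: equal to the configured tag, or a child of it (mal.x)."""
    if not configured_tag:
        return False
    # Appending "." stops an unrelated tag such as "malware" matching "mal".
    return node_tag == configured_tag or node_tag.startswith(configured_tag + ".")


def score_from_tags(tags, bad_tag="mal", good_tag="benign"):
    """Return (score, matched_tag); a bad tag always outranks a good tag."""
    for configured, score in ((bad_tag, DBOT_BAD), (good_tag, DBOT_GOOD)):
        for tag in tags:
            if tag_matches(tag, configured):
                return score, tag
    return DBOT_UNKNOWN, None


def build_context(indicator, indicator_type, tags, bad_tag="mal", good_tag="benign"):
    """Build the DBotScore and standard indicator context for one lookup."""
    score, matched = score_from_tags(tags, bad_tag, good_tag)
    key, field = STANDARD_KEYS[indicator_type]
    standard = {field: indicator}
    if score == DBOT_BAD:
        standard["Malicious"] = {
            "Description": f"Synapse returned reputation tag: {matched}",
            "Vendor": "Synapse",
        }
    return {
        "DBotScore": {"Indicator": indicator, "Score": score,
                      "Type": indicator_type, "Vendor": "Synapse"},
        key: standard,
    }
```
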

url#


Returns URL information and reputation.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | List of URLs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.URL.url | String | The data of the URL indicator. |
| Synapse.URL.tags | String | The tags applied to the URL. |
| DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
| DBotScore.Type | String | The type assigned by DBot for the indicator. |
| DBotScore.Score | Number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |

Command Example#

!url url="https://google.com"

Context Example#

{
    "DBotScore": {
        "Indicator": "https://google.com",
        "Score": 0,
        "Type": "url",
        "Vendor": "Synapse"
    },
    "Synapse": {
        "URL": {
            "tags": [],
            "url": "https://google.com"
        }
    },
    "URL": {
        "Data": "https://google.com"
    }
}

Human Readable Output#

URL List#

| tags | url |
| --- | --- |
|  | https://google.com |

domain#


Returns Domain information and reputation.

Base Command#

domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | List of Domains. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Domain.domain | String | The fully qualified domain name. |
| Synapse.Domain.tags | String | The tags applied to the domain. |
| DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
| DBotScore.Type | String | The type assigned by DBot for the indicator. |
| DBotScore.Score | Number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |

Command Example#

!domain domain="foobar.com"

Context Example#

{
    "DBotScore": {
        "Indicator": "foobar.com",
        "Score": 3,
        "Type": "domain",
        "Vendor": "Synapse"
    },
    "Domain": {
        "Malicious": {
            "Description": "Synapse returned reputation tag: mal",
            "Vendor": "Synapse"
        },
        "Name": "foobar.com"
    },
    "Synapse": {
        "Domain": {
            "domain": "foobar.com",
            "tags": [
                "mal"
            ]
        }
    }
}

Human Readable Output#

Domain List#

| domain | tags |
| --- | --- |
| foobar.com | mal |

file#


Returns File information and reputation.

Base Command#

file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file | List of File Hashes (accepts MD5, SHA1, SHA256, SHA512). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.File.hash | String | The queried file hash. |
| Synapse.File.MD5 | String | The MD5 hash of the file. |
| Synapse.File.SHA1 | String | The SHA1 hash of the file. |
| Synapse.File.SHA256 | String | The SHA256 hash of the file. |
| Synapse.File.SHA512 | String | The SHA512 hash of the file. |
| Synapse.File.query | String | The formatted query in Storm syntax. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | String | For malicious files, the full description. |
| DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
| DBotScore.Type | String | The type assigned by DBot for the indicator. |
| DBotScore.Score | Number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |

Command Example#

!file file="9e0c442ee3157d3f3aa2be30a1d24d81"

Context Example#

{
    "DBotScore": {
        "Indicator": "9e0c442ee3157d3f3aa2be30a1d24d81",
        "Score": 3,
        "Type": "file",
        "Vendor": "Synapse"
    },
    "File": {
        "MD5": "9e0c442ee3157d3f3aa2be30a1d24d81",
        "Malicious": {
            "Description": "Synapse returned reputation tag: mal",
            "Vendor": "Synapse"
        },
        "SHA1": "e7b03ed4dbdfb79477c49942d5796d3dfc78ac7e",
        "SHA256": "290f64a315850c5bccc907f79cbeabd79345719df738ee5d02dc3447d04675b3",
        "SHA512": "53e6baa124f54462786f1122e98e38ff1be3de82fe2a96b1849a8637043fd847eec7e0f53307bddf7a066565292d500c36c941f1f3bb9dcac807b2f4a0bfce1b"
    },
    "Synapse": {
        "File": {
            "MD5": "9e0c442ee3157d3f3aa2be30a1d24d81",
            "SHA1": "e7b03ed4dbdfb79477c49942d5796d3dfc78ac7e",
            "SHA256": "290f64a315850c5bccc907f79cbeabd79345719df738ee5d02dc3447d04675b3",
            "SHA512": "53e6baa124f54462786f1122e98e38ff1be3de82fe2a96b1849a8637043fd847eec7e0f53307bddf7a066565292d500c36c941f1f3bb9dcac807b2f4a0bfce1b",
            "hash": "9e0c442ee3157d3f3aa2be30a1d24d81",
            "query": "file:bytes:md5=9e0c442ee3157d3f3aa2be30a1d24d81",
            "tags": [
                "mal"
            ]
        }
    }
}

Human Readable Output#

File List#

| MD5 | SHA1 | SHA256 | SHA512 | hash | query | tags |
| --- | --- | --- | --- | --- | --- | --- |
| 9e0c442ee3157d3f3aa2be30a1d24d81 | e7b03ed4dbdfb79477c49942d5796d3dfc78ac7e | 290f64a315850c5bccc907f79cbeabd79345719df738ee5d02dc3447d04675b3 | 53e6baa124f54462786f1122e98e38ff1be3de82fe2a96b1849a8637043fd847eec7e0f53307bddf7a066565292d500c36c941f1f3bb9dcac807b2f4a0bfce1b | 9e0c442ee3157d3f3aa2be30a1d24d81 | file:bytes:md5=9e0c442ee3157d3f3aa2be30a1d24d81 | mal |
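
The `query` value in the context example above is a Storm lift on a `file:bytes` hash property. The sketch below is an added example, not the integration's own code: it picks the property from the hash length (property names as listed for the `file:bytes` form) and rejects non-hex input before it is placed in a query string. The function names are hypothetical.

```python
import re

# Hash length in hex characters -> file:bytes secondary property.
HASH_PROPS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def storm_query_for_hash(file_hash):
    """Return a Storm lift such as file:bytes:md5=<hash>, or raise ValueError."""
    candidate = file_hash.strip()
    # Accept pure hex only, so no Storm operators, pipes or whitespace
    # can ride along inside the query string.
    if not HEX_RE.fullmatch(candidate):
        raise ValueError("file hash must contain only hexadecimal characters")
    prop = HASH_PROPS.get(len(candidate))
    if prop is None:
        raise ValueError(f"unsupported hash length: {len(candidate)}")
    return f"file:bytes:{prop}={candidate.lower()}"


def queries_for(hashes):
    """Split a list of hashes into valid queries and rejected inputs."""
    queries, rejected = [], []
    for value in hashes:
        try:
            queries.append(storm_query_for_hash(value))
        except ValueError as exc:
            rejected.append((value, str(exc)))
    return queries, rejected
```
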

synapse-storm-query#


Execute a Synapse Storm query.

Base Command#

synapse-storm-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Synapse Storm query (e.g. "inet:ipv4=1.2.3.4") | Required |
| limit | Limit the number of results returned. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Nodes.created | String | Timestamp when the node was first created in the Synapse Cortex. |
| Synapse.Nodes.form | String | The type of node (e.g. "inet:ipv4" for an IP address). |
| Synapse.Nodes.tags | String | The tags associated with the resulting node. |
| Synapse.Nodes.valu | String | The node primary value (e.g. "1.2.3.4" for an IP). |

Command Example#

!synapse-storm-query query="inet:ipv4=1.2.3.5" limit=1

Context Example#

{
    "Synapse": {
        "Nodes": {
            "created": "2020/09/12 10:07:17 EDT",
            "form": "inet:ipv4",
            "tags": [
                "test.foo",
                "test.testing"
            ],
            "valu": "1.2.3.5"
        }
    }
}

Human Readable Output#

Synapse Query Results: inet:ipv4=1.2.3.5#

| form | valu | created | tags |
| --- | --- | --- | --- |
| inet:ipv4 | 1.2.3.5 | 2020/09/12 10:07:17 EDT | test.foo, test.testing |

Synapse Node Properties#

| .created | type |
| --- | --- |
| 1599919637048 | unicast |

synapse-list-users#


Lists current users in Synapse Cortex.

Base Command#

synapse-list-users

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Users.Admin | Boolean | True/False whether the Synapse user is an admin. |
| Synapse.Users.Email | String | The email address of the Synapse user. |
| Synapse.Users.Iden | String | The unique identifier of the Synapse user. |
| Synapse.Users.Name | String | The user's Synapse username. |
| Synapse.Users.Roles | String | The roles applied to the Synapse user. |
| Synapse.Users.Rules | String | The rules applied to the Synapse user. |

Command Example#

!synapse-list-users

Context Example#

{
    "Synapse": {
        "Users": [
            {
                "Admin": true,
                "Email": null,
                "Iden": "9e4fe25a281f3f65aff2fa192d54c705",
                "Name": "root",
                "Roles": [],
                "Rules": []
            },
            {
                "Admin": false,
                "Email": null,
                "Iden": "a2bfead4c16b0354af2a92aa05588fc9",
                "Name": "testuser",
                "Roles": [
                    "xsoar-role",
                    "all"
                ],
                "Rules": []
            },
            {
                "Admin": false,
                "Email": null,
                "Iden": "eec037c730f0976a1b742b9f9773a52e",
                "Name": "xsoartesting",
                "Roles": [
                    "all"
                ],
                "Rules": []
            }
        ]
    }
}

Human Readable Output#

Synapse Users#

| Name | Email | Admin | Rules | Roles |
| --- | --- | --- | --- | --- |
| root |  | true |  |  |
| testuser |  | false |  | xsoar-role, all |
| xsoartesting |  | false |  | all |

synapse-list-roles#


Lists current roles in Synapse Cortex.

Base Command#

synapse-list-roles

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Roles.Iden | String | The unique identifier of the Synapse Role. |
| Synapse.Roles.Name | String | The name of the Synapse Role. |
| Synapse.Roles.Rules | String | The rules applied to the Synapse Role. |

Command Example#

!synapse-list-roles

Context Example#

{
    "Synapse": {
        "Roles": [
            {
                "Iden": "bcf176a4cbe240ae1dcf9fbebdffa680",
                "Name": "xsoar-role",
                "Rules": []
            },
            {
                "Iden": "c486fa9eb8d50a8c35a60687f12dc4c9",
                "Name": "all",
                "Rules": []
            },
            {
                "Iden": "e7e6ee238bc5bceeff96d10f100142ae",
                "Name": "xsoartestingrole",
                "Rules": []
            }
        ]
    }
}

Human Readable Output#

Synapse Roles#

| Name | Iden | Rules |
| --- | --- | --- |
| xsoar-role | bcf176a4cbe240ae1dcf9fbebdffa680 |  |
| all | c486fa9eb8d50a8c35a60687f12dc4c9 |  |
| xsoartestingrole | e7e6ee238bc5bceeff96d10f100142ae |  |

synapse-create-user#


Create a new Synapse user.

Base Command#

synapse-create-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | New username to be created. | Required |
| password | Optionally set the new user's password. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Users.Admin | Boolean | True/False whether the Synapse user is an admin. |
| Synapse.Users.Email | String | The email address of the Synapse user. |
| Synapse.Users.Iden | String | The unique identifier of the Synapse user. |
| Synapse.Users.Name | String | The user's Synapse username. |
| Synapse.Users.Roles | String | The roles applied to the Synapse user. |
| Synapse.Users.Rules | String | The rules applied to the Synapse user. |

Command Example#

!synapse-create-user username="xsoardemo" password="secret"

Context Example#

{
    "Synapse": {
        "Users": {
            "Admin": false,
            "Email": null,
            "Iden": "f1ac5126df0e7407a0804fc6bd41534d",
            "Name": "xsoardemo",
            "Roles": [
                "all"
            ],
            "Rules": []
        }
    }
}

Human Readable Output#

Synapse New User#

| Name | Email | Admin | Rules | Roles |
| --- | --- | --- | --- | --- |
| xsoardemo |  | false |  | all |

synapse-create-role#


Create a new Synapse role.

Base Command#

synapse-create-role

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| role | New role to create in Synapse. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Roles.Iden | String | The unique identifier of the Synapse Role. |
| Synapse.Roles.Name | String | The name of the Synapse Role. |
| Synapse.Roles.Rules | String | The rules applied to the Synapse Role. |

Command Example#

!synapse-create-role role="xsoar-role-demo"

Context Example#

{
    "Synapse": {
        "Roles": {
            "Iden": "029019964000fef6ccd2be428f496423",
            "Name": "xsoar-role-demo",
            "Rules": []
        }
    }
}

Human Readable Output#

Synapse New Role#

| Name | Iden | Rules |
| --- | --- | --- |
| xsoar-role-demo | 029019964000fef6ccd2be428f496423 |  |

synapse-grant-user-role#


Grants a user access to role-based permissions.

Base Command#

synapse-grant-user-role

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user | User's "iden" property - not the username. | Required |
| role | Role's "iden" property - not the name of the role. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Users.Admin | Boolean | True/False whether the Synapse user is an admin. |
| Synapse.Users.Email | String | The email address of the Synapse user. |
| Synapse.Users.Iden | String | The unique identifier of the Synapse user. |
| Synapse.Users.Name | String | The user's Synapse username. |
| Synapse.Users.Roles | String | The roles applied to the Synapse user. |
| Synapse.Users.Rules | String | The rules applied to the Synapse user. |

Command Example#

!synapse-grant-user-role user="a2bfead4c16b0354af2a92aa05588fc9" role="bcf176a4cbe240ae1dcf9fbebdffa680"

Context Example#

{
    "Synapse": {
        "Users": {
            "Admin": false,
            "Email": null,
            "Iden": "a2bfead4c16b0354af2a92aa05588fc9",
            "Name": "testuser",
            "Roles": [
                "xsoar-role",
                "all"
            ],
            "Rules": []
        }
    }
}

Human Readable Output#

Synapse New User Role#

| Name | Email | Admin | Rules | Roles |
| --- | --- | --- | --- | --- |
| testuser |  | false |  | xsoar-role, all |
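
Because `synapse-grant-user-role` takes `iden` values rather than names, the names have to be resolved from the `synapse-list-users` and `synapse-list-roles` output first. The sketch below is an added example, not part of the integration: it resolves both names, refuses ambiguous or missing ones, and skips the grant when the user already holds the role. The function names are hypothetical and the sample data is constructed from the context examples on this page.

```python
# Constructed sample data in the shape of the synapse-list-users and
# synapse-list-roles context examples on this page.
USERS = [
    {"Iden": "a2bfead4c16b0354af2a92aa05588fc9", "Name": "testuser",
     "Admin": False, "Roles": ["xsoar-role", "all"]},
    {"Iden": "eec037c730f0976a1b742b9f9773a52e", "Name": "xsoartesting",
     "Admin": False, "Roles": ["all"]},
]
ROLES = [
    {"Iden": "bcf176a4cbe240ae1dcf9fbebdffa680", "Name": "xsoar-role"},
    {"Iden": "c486fa9eb8d50a8c35a60687f12dc4c9", "Name": "all"},
]


def find_one(entries, name):
    """Return the single entry with this Name; refuse ambiguous or missing names."""
    matches = [e for e in entries if e["Name"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected one entry named {name!r}, found {len(matches)}")
    return matches[0]


def grant_command(users, roles, username, rolename):
    """Return the CLI line to run, or None if the user already holds the role."""
    user = find_one(users, username)
    role = find_one(roles, rolename)
    if rolename in user["Roles"]:
        return None  # nothing to do; avoids a redundant privileged change
    return f'!synapse-grant-user-role user="{user["Iden"]}" role="{role["Iden"]}"'
```
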

synapse-query-model#


Query the Synapse data model and return details for a given type or form (e.g. "inet:ipv4" for an IPv4 address).

Base Command#

synapse-query-model

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Type/Form query (e.g. "inet:ipv4" or "inet:fqdn") | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Model.Doc | String | The docstring associated with the particular Synapse model element. |
| Synapse.Model.Example | String | An example of the given Synapse element. |
| Synapse.Model.Form | String | A form is the definition of an object in the Synapse data model (node). |
| Synapse.Model.Properties | String | The unique properties associated with the given Synapse object. |
| Synapse.Model.Type | String | A Type is the definition of a data element within the data model. |
| Synapse.Model.Valu | String | The given value of the Synapse object type. |

Command Example#

!synapse-query-model query="file:bytes"

Context Example#

{
    "Synapse": {
        "Model": {
            "Doc": "The file bytes type with SHA256 based primary property.",
            "Example": "N/A",
            "Form": "file:bytes",
            "Properties": {
                ".created": "The time the node was created in the cortex.",
                ".seen": "The time interval for first/last observation of the node.",
                "md5": "The md5 hash of the file.",
                "mime": "The \"best\" mime type name for the file.",
                "mime:pe:compiled": "The compile time of the file according to the PE header.",
                "mime:pe:exports:libname": "The export library name according to the PE.",
                "mime:pe:exports:time": "The export time of the file according to the PE.",
                "mime:pe:imphash": "The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .",
                "mime:pe:pdbpath": "The PDB string according to the PE.",
                "mime:pe:richhdr": "The sha256 hash of the rich header bytes.",
                "mime:pe:size": "The size of the executable file according to the PE file header.",
                "mime:x509:cn": "The Common Name (CN) attribute of the x509 Subject.",
                "name": "The best known base name for the file.",
                "sha1": "The sha1 hash of the file.",
                "sha256": "The sha256 hash of the file.",
                "sha512": "The sha512 hash of the file.",
                "size": "The file size in bytes."
            },
            "Type": "file:bytes",
            "Valu": "file:bytes"
        }
    }
}

Human Readable Output#

Synapse Model Type#

| Type | Doc | Example |
| --- | --- | --- |
| file:bytes | The file bytes type with SHA256 based primary property. | N/A |

Synapse file:bytes Form Properties#

| .seen | .created | size | md5 | sha1 | sha256 | sha512 | name | mime | mime:x509:cn | mime:pe:size | mime:pe:imphash | mime:pe:compiled | mime:pe:pdbpath | mime:pe:exports:time | mime:pe:exports:libname | mime:pe:richhdr |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| The time interval for first/last observation of the node. | The time the node was created in the cortex. | The file size in bytes. | The md5 hash of the file. | The sha1 hash of the file. | The sha256 hash of the file. | The sha512 hash of the file. | The best known base name for the file. | The "best" mime type name for the file. | The Common Name (CN) attribute of the x509 Subject. | The size of the executable file according to the PE file header. | The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile . | The compile time of the file according to the PE header. | The PDB string according to the PE. | The export time of the file according to the PE. | The export library name according to the PE. | The sha256 hash of the rich header bytes. |