Synapse

Synapse intelligence analysis platform. This integration was integrated and tested with version 2.7.0 of Synapse.

Configure Synapse on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Synapse.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://synapse.vertex.link) | True |
| port | REST API Port (default is 4443). | True |
| credentials | Username and password used to authenticate to Synapse. | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| timezone | Timezone (optional) | False |
| bad_tag | Malicious Tag | False |
| good_tag | Benign Tag | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip


Returns IP information and reputation.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.IP.ip | String | The IP address of the indicator. |
| Synapse.IP.tags | String | The tags applied to the IP address. |
| DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
| DBotScore.Type | String | The type assigned by DBot for the indicator. |
| DBotScore.Score | Number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |

Command Example

!ip ip="1.2.3.4"

Context Example

{
    "DBotScore": {
        "Indicator": "1.2.3.4",
        "Score": 3,
        "Type": "ip",
        "Vendor": "Synapse"
    },
    "IP": {
        "Address": "1.2.3.4",
        "Malicious": {
            "Description": "Synapse returned reputation tag: mal",
            "Vendor": "Synapse"
        }
    },
    "Synapse": {
        "IP": {
            "ip": "1.2.3.4",
            "tags": [
                "mal",
                "test"
            ]
        }
    }
}

Human Readable Output

IP List

| ip | tags |
| --- | --- |
| 1.2.3.4 | mal, test |
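
An added example (not the integration's source code) of how the tags returned for an indicator can be turned into the DBotScore and context shown above. It assumes bad_tag is set to "mal", uses a hypothetical good_tag value of "benign", and assumes a tag matches when it equals the configured tag or is nested under it, so a tag such as "normal" never matches "mal"; the function names are illustrative.

```python
# Added example: an assumed tag-to-verdict mapping, not the integration's own code.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_BAD = 0, 1, 3  # standard XSOAR DBotScore values


def tag_matches(tag, configured):
    """True if tag equals the configured tag or is nested under it (mal.x under mal)."""
    return bool(configured) and (tag == configured or tag.startswith(configured + "."))


def score_tags(tags, bad_tag="mal", good_tag="benign"):
    """Return (score, matched_tag); a malicious match takes precedence over a benign one."""
    for configured, score in ((bad_tag, DBOT_BAD), (good_tag, DBOT_GOOD)):
        for tag in tags:
            if tag_matches(tag, configured):
                return score, tag
    return DBOT_UNKNOWN, None


def build_ip_context(ip, tags, bad_tag="mal", good_tag="benign"):
    """Build the context layout documented for the ip command."""
    score, matched = score_tags(tags, bad_tag, good_tag)
    context = {
        "DBotScore": {"Indicator": ip, "Score": score, "Type": "ip", "Vendor": "Synapse"},
        "IP": {"Address": ip},
        "Synapse": {"IP": {"ip": ip, "tags": list(tags)}},
    }
    if score == DBOT_BAD:
        # The Malicious block is only present when the bad tag matched.
        context["IP"]["Malicious"] = {
            "Description": f"Synapse returned reputation tag: {matched}",
            "Vendor": "Synapse",
        }
    return context
```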

url


Returns URL information and reputation.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | List of URLs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.URL.url | String | The data of the URL indicator. |
| Synapse.URL.tags | String | The tags applied to the url. |
| DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
| DBotScore.Type | String | The type assigned by DBot for the indicator. |
| DBotScore.Score | Number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |

Command Example

!url url="https://google.com"

Context Example

{
    "DBotScore": {
        "Indicator": "https://google.com",
        "Score": 0,
        "Type": "url",
        "Vendor": "Synapse"
    },
    "Synapse": {
        "URL": {
            "tags": [],
            "url": "https://google.com"
        }
    },
    "URL": {
        "Data": "https://google.com"
    }
}

Human Readable Output

URL List

| tags | url |
| --- | --- |
|  | https://google.com |

domain


Returns Domain information and reputation.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | List of Domains. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Domain.domain | String | The fully qualified domain name. |
| Synapse.Domain.tags | String | The tags applied to the domain. |
| DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
| DBotScore.Type | String | The type assigned by DBot for the indicator. |
| DBotScore.Score | Number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |

Command Example

!domain domain="foobar.com"

Context Example

{
    "DBotScore": {
        "Indicator": "foobar.com",
        "Score": 3,
        "Type": "domain",
        "Vendor": "Synapse"
    },
    "Domain": {
        "Malicious": {
            "Description": "Synapse returned reputation tag: mal",
            "Vendor": "Synapse"
        },
        "Name": "foobar.com"
    },
    "Synapse": {
        "Domain": {
            "domain": "foobar.com",
            "tags": [
                "mal"
            ]
        }
    }
}

Human Readable Output

Domain List

| domain | tags |
| --- | --- |
| foobar.com | mal |

file


Returns File information and reputation.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | List of File Hashes (accepts MD5, SHA1, SHA256, SHA512). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.File.hash | String | The queried file hash. |
| Synapse.File.MD5 | String | The MD5 hash of the file. |
| Synapse.File.SHA1 | String | The SHA1 hash of the file. |
| Synapse.File.SHA256 | String | The SHA256 hash of the file. |
| Synapse.File.SHA512 | String | The SHA512 hash of the file. |
| Synapse.File.query | String | The formatted query in Storm syntax. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | String | For malicious files, the full description. |
| DBotScore.Indicator | String | The value assigned by DBot for the indicator. |
| DBotScore.Type | String | The type assigned by DBot for the indicator. |
| DBotScore.Score | Number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |

Command Example

!file file="9e0c442ee3157d3f3aa2be30a1d24d81"

Context Example

{
    "DBotScore": {
        "Indicator": "9e0c442ee3157d3f3aa2be30a1d24d81",
        "Score": 3,
        "Type": "file",
        "Vendor": "Synapse"
    },
    "File": {
        "MD5": "9e0c442ee3157d3f3aa2be30a1d24d81",
        "Malicious": {
            "Description": "Synapse returned reputation tag: mal",
            "Vendor": "Synapse"
        },
        "SHA1": "e7b03ed4dbdfb79477c49942d5796d3dfc78ac7e",
        "SHA256": "290f64a315850c5bccc907f79cbeabd79345719df738ee5d02dc3447d04675b3",
        "SHA512": "53e6baa124f54462786f1122e98e38ff1be3de82fe2a96b1849a8637043fd847eec7e0f53307bddf7a066565292d500c36c941f1f3bb9dcac807b2f4a0bfce1b"
    },
    "Synapse": {
        "File": {
            "MD5": "9e0c442ee3157d3f3aa2be30a1d24d81",
            "SHA1": "e7b03ed4dbdfb79477c49942d5796d3dfc78ac7e",
            "SHA256": "290f64a315850c5bccc907f79cbeabd79345719df738ee5d02dc3447d04675b3",
            "SHA512": "53e6baa124f54462786f1122e98e38ff1be3de82fe2a96b1849a8637043fd847eec7e0f53307bddf7a066565292d500c36c941f1f3bb9dcac807b2f4a0bfce1b",
            "hash": "9e0c442ee3157d3f3aa2be30a1d24d81",
            "query": "file:bytes:md5=9e0c442ee3157d3f3aa2be30a1d24d81",
            "tags": [
                "mal"
            ]
        }
    }
}

Human Readable Output

File List

| MD5 | SHA1 | SHA256 | SHA512 | hash | query | tags |
| --- | --- | --- | --- | --- | --- | --- |
| 9e0c442ee3157d3f3aa2be30a1d24d81 | e7b03ed4dbdfb79477c49942d5796d3dfc78ac7e | 290f64a315850c5bccc907f79cbeabd79345719df738ee5d02dc3447d04675b3 | 53e6baa124f54462786f1122e98e38ff1be3de82fe2a96b1849a8637043fd847eec7e0f53307bddf7a066565292d500c36c941f1f3bb9dcac807b2f4a0bfce1b | 9e0c442ee3157d3f3aa2be30a1d24d81 | file:bytes:md5=9e0c442ee3157d3f3aa2be30a1d24d81 | mal |
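
An added example (not the integration's source code) of building the Storm query shown in Synapse.File.query from a hash value. It assumes the hash type is inferred from the digest length and validates that the input is a plain hex digest before it is placed into the query, so indicator values arriving from incidents or playbooks are never interpreted as Storm syntax; the function names are illustrative.

```python
import re

# Digest length in hex characters -> file:bytes property name.
# The property names are the ones listed for the file:bytes form on this page.
HASH_PROPS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_DIGEST = re.compile(r"[0-9a-f]+")


def build_file_query(file_hash):
    """Return a Storm query for one hash; raise ValueError if it is not a hex digest."""
    if not isinstance(file_hash, str):
        raise ValueError("hash must be a string")
    candidate = file_hash.strip().lower()
    prop = HASH_PROPS.get(len(candidate))
    # Both checks are required: a known length and hex characters only.
    if prop is None or not HEX_DIGEST.fullmatch(candidate):
        raise ValueError(f"not an MD5/SHA1/SHA256/SHA512 hex digest: {file_hash!r}")
    return f"file:bytes:{prop}={candidate}"


def build_file_queries(hashes):
    """Split a list of inputs into ({hash: query}, [rejected inputs])."""
    queries, rejected = {}, []
    for value in hashes:
        try:
            queries[value] = build_file_query(value)
        except ValueError:
            rejected.append(value)
    return queries, rejected
```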

synapse-storm-query


Execute a Synapse Storm query.

Base Command

synapse-storm-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Synapse Storm query (e.g. "inet:ipv4=1.2.3.4") | Required |
| limit | Limit the number of results returned. Default is 100. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Nodes.created | String | Timestamp when the node was first created in the Synapse Cortex. |
| Synapse.Nodes.form | String | The type of node (e.g. "inet:ipv4" for an IP address). |
| Synapse.Nodes.tags | String | The tags associated with the resulting node. |
| Synapse.Nodes.valu | String | The node primary value (e.g. "1.2.3.4" for an IP). |

Command Example

!synapse-storm-query query="inet:ipv4=1.2.3.5" limit=1

Context Example

{
    "Synapse": {
        "Nodes": {
            "created": "2020/09/12 10:07:17 EDT",
            "form": "inet:ipv4",
            "tags": [
                "test.foo",
                "test.testing"
            ],
            "valu": "1.2.3.5"
        }
    }
}

Human Readable Output

Synapse Query Results: inet:ipv4=1.2.3.5

| form | valu | created | tags |
| --- | --- | --- | --- |
| inet:ipv4 | 1.2.3.5 | 2020/09/12 10:07:17 EDT | test.foo, test.testing |

Synapse Node Properties

| .created | type |
| --- | --- |
| 1599919637048 | unicast |

synapse-list-users


Lists current users in Synapse Cortex.

Base Command

synapse-list-users

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Users.Admin | Boolean | True/False whether the Synapse user is an admin. |
| Synapse.Users.Email | String | The email address of the Synapse user. |
| Synapse.Users.Iden | String | The unique identifier of the Synapse user. |
| Synapse.Users.Name | String | The user's Synapse username. |
| Synapse.Users.Roles | String | The roles applied to the Synapse user. |
| Synapse.Users.Rules | String | The rules applied to the Synapse user. |

Command Example

!synapse-list-users

Context Example

{
    "Synapse": {
        "Users": [
            {
                "Admin": true,
                "Email": null,
                "Iden": "9e4fe25a281f3f65aff2fa192d54c705",
                "Name": "root",
                "Roles": [],
                "Rules": []
            },
            {
                "Admin": false,
                "Email": null,
                "Iden": "a2bfead4c16b0354af2a92aa05588fc9",
                "Name": "testuser",
                "Roles": [
                    "xsoar-role",
                    "all"
                ],
                "Rules": []
            },
            {
                "Admin": false,
                "Email": null,
                "Iden": "eec037c730f0976a1b742b9f9773a52e",
                "Name": "xsoartesting",
                "Roles": [
                    "all"
                ],
                "Rules": []
            }
        ]
    }
}

Human Readable Output

Synapse Users

| Name | Email | Admin | Rules | Roles |
| --- | --- | --- | --- | --- |
| root |  | true |  |  |
| testuser |  | false |  | xsoar-role, all |
| xsoartesting |  | false |  | all |

synapse-list-roles


Lists current roles in Synapse Cortex.

Base Command

synapse-list-roles

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Roles.Iden | String | The unique identifier of the Synapse Role. |
| Synapse.Roles.Name | String | The name of the Synapse Role. |
| Synapse.Roles.Rules | String | The rules applied to the Synapse Role. |

Command Example

!synapse-list-roles

Context Example

{
    "Synapse": {
        "Roles": [
            {
                "Iden": "bcf176a4cbe240ae1dcf9fbebdffa680",
                "Name": "xsoar-role",
                "Rules": []
            },
            {
                "Iden": "c486fa9eb8d50a8c35a60687f12dc4c9",
                "Name": "all",
                "Rules": []
            },
            {
                "Iden": "e7e6ee238bc5bceeff96d10f100142ae",
                "Name": "xsoartestingrole",
                "Rules": []
            }
        ]
    }
}

Human Readable Output

Synapse Roles

| Name | Iden | Rules |
| --- | --- | --- |
| xsoar-role | bcf176a4cbe240ae1dcf9fbebdffa680 |  |
| all | c486fa9eb8d50a8c35a60687f12dc4c9 |  |
| xsoartestingrole | e7e6ee238bc5bceeff96d10f100142ae |  |

synapse-create-user


Create a new Synapse user.

Base Command

synapse-create-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | New username to be created. | Required |
| password | Optionally set the new user's password. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Users.Admin | Boolean | True/False whether the Synapse user is an admin. |
| Synapse.Users.Email | String | The email address of the Synapse user. |
| Synapse.Users.Iden | String | The unique identifier of the Synapse user. |
| Synapse.Users.Name | String | The user's Synapse username. |
| Synapse.Users.Roles | String | The roles applied to the Synapse user. |
| Synapse.Users.Rules | String | The rules applied to the Synapse user. |

Command Example

!synapse-create-user username="xsoardemo" password="secret"

Context Example

{
    "Synapse": {
        "Users": {
            "Admin": false,
            "Email": null,
            "Iden": "f1ac5126df0e7407a0804fc6bd41534d",
            "Name": "xsoardemo",
            "Roles": [
                "all"
            ],
            "Rules": []
        }
    }
}

Human Readable Output

Synapse New User

| Name | Email | Admin | Rules | Roles |
| --- | --- | --- | --- | --- |
| xsoardemo |  | false |  | all |

synapse-create-role


Create a new Synapse role.

Base Command

synapse-create-role

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| role | New role to create in Synapse. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Roles.Iden | String | The unique identifier of the Synapse Role. |
| Synapse.Roles.Name | String | The name of the Synapse Role. |
| Synapse.Roles.Rules | String | The rules applied to the Synapse Role. |

Command Example

!synapse-create-role role="xsoar-role-demo"

Context Example

{
    "Synapse": {
        "Roles": {
            "Iden": "029019964000fef6ccd2be428f496423",
            "Name": "xsoar-role-demo",
            "Rules": []
        }
    }
}

Human Readable Output

Synapse New Role

| Name | Iden | Rules |
| --- | --- | --- |
| xsoar-role-demo | 029019964000fef6ccd2be428f496423 |  |

synapse-grant-user-role


Grants a user access to role-based permissions.

Base Command

synapse-grant-user-role

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user | User's "iden" property - not the username. | Required |
| role | Role's "iden" property - not the name of the role. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Users.Admin | Boolean | True/False whether the Synapse user is an admin. |
| Synapse.Users.Email | String | The email address of the Synapse user. |
| Synapse.Users.Iden | String | The unique identifier of the Synapse user. |
| Synapse.Users.Name | String | The user's Synapse username. |
| Synapse.Users.Roles | String | The roles applied to the Synapse user. |
| Synapse.Users.Rules | String | The rules applied to the Synapse user. |

Command Example

!synapse-grant-user-role user="a2bfead4c16b0354af2a92aa05588fc9" role="bcf176a4cbe240ae1dcf9fbebdffa680"

Context Example

{
    "Synapse": {
        "Users": {
            "Admin": false,
            "Email": null,
            "Iden": "a2bfead4c16b0354af2a92aa05588fc9",
            "Name": "testuser",
            "Roles": [
                "xsoar-role",
                "all"
            ],
            "Rules": []
        }
    }
}

Human Readable Output

Synapse New User Role

| Name | Email | Admin | Rules | Roles |
| --- | --- | --- | --- | --- |
| testuser |  | false |  | xsoar-role, all |

synapse-query-model


Query the Synapse data model and return details for a given type or form (e.g. "inet:ipv4" for an IPv4 address).

Base Command

synapse-query-model

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Type/Form query (e.g. "inet:ipv4" or "inet:fqdn") | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Synapse.Model.Doc | String | The docstring associated with the particular Synapse model element. |
| Synapse.Model.Example | String | An example of the given Synapse element. |
| Synapse.Model.Form | String | A form is the definition of an object in the Synapse data model (node). |
| Synapse.Model.Properties | String | The unique properties associated with the given Synapse object. |
| Synapse.Model.Type | String | A Type is the definition of a data element within the data model. |
| Synapse.Model.Valu | String | The given value of the Synapse object type. |

Command Example

!synapse-query-model query="file:bytes"

Context Example

{
    "Synapse": {
        "Model": {
            "Doc": "The file bytes type with SHA256 based primary property.",
            "Example": "N/A",
            "Form": "file:bytes",
            "Properties": {
                ".created": "The time the node was created in the cortex.",
                ".seen": "The time interval for first/last observation of the node.",
                "md5": "The md5 hash of the file.",
                "mime": "The \"best\" mime type name for the file.",
                "mime:pe:compiled": "The compile time of the file according to the PE header.",
                "mime:pe:exports:libname": "The export library name according to the PE.",
                "mime:pe:exports:time": "The export time of the file according to the PE.",
                "mime:pe:imphash": "The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .",
                "mime:pe:pdbpath": "The PDB string according to the PE.",
                "mime:pe:richhdr": "The sha256 hash of the rich header bytes.",
                "mime:pe:size": "The size of the executable file according to the PE file header.",
                "mime:x509:cn": "The Common Name (CN) attribute of the x509 Subject.",
                "name": "The best known base name for the file.",
                "sha1": "The sha1 hash of the file.",
                "sha256": "The sha256 hash of the file.",
                "sha512": "The sha512 hash of the file.",
                "size": "The file size in bytes."
            },
            "Type": "file:bytes",
            "Valu": "file:bytes"
        }
    }
}

Human Readable Output

Synapse Model Type

| Type | Doc | Example |
| --- | --- | --- |
| file:bytes | The file bytes type with SHA256 based primary property. | N/A |

Synapse file:bytes Form Properties

| .seen | .created | size | md5 | sha1 | sha256 | sha512 | name | mime | mime:x509:cn | mime:pe:size | mime:pe:imphash | mime:pe:compiled | mime:pe:pdbpath | mime:pe:exports:time | mime:pe:exports:libname | mime:pe:richhdr |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| The time interval for first/last observation of the node. | The time the node was created in the cortex. | The file size in bytes. | The md5 hash of the file. | The sha1 hash of the file. | The sha256 hash of the file. | The sha512 hash of the file. | The best known base name for the file. | The "best" mime type name for the file. | The Common Name (CN) attribute of the x509 Subject. | The size of the executable file according to the PE file header. | The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile . | The compile time of the file according to the PE header. | The PDB string according to the PE. | The export time of the file according to the PE. | The export library name according to the PE. | The sha256 hash of the rich header bytes. |