Supercharge Your Analysis with Synapse Power-Ups
by mb | 2021-08-25
The Vertex Project is proud to announce the release of Synapse Power-Ups, which are Storm Services and Packages that analysts can use to extend Synapse’s functionality, enrich their analysis, and integrate additional data, as well as to ask new questions of the data. Power-Ups allow analysts to automate data modeling and keep the majority - if not all - of their workflow within Synapse. Power-Ups that are ready to use out of the box and do not require devops support are called Rapid Power-Ups.
Power-Ups for Synapse Open-Source Users
Although most of our ever-growing list of Power-Ups is reserved for our commercial customers, we are releasing the following Rapid Power-Ups for our Open-Source users:
Synapse-Mitre-Attack
With Synapse-Mitre-Attack, analysts can import and model the current MITRE Enterprise ATT&CK matrix within Synapse, creating nodes to represent tactics, techniques, groups, software, and mitigations. This Power-Up will also parse free-form text fields on other nodes for references to ATT&CK elements and link the parsed node to any elements it finds.
Synapse-MISP
Synapse-MISP allows analysts to quickly and easily bulk ingest published threat indicators from any MISP instance (including The Vertex Project’s public MISP instance) into Synapse. Analysts can point this Power-Up at a MISP server and then continually sync published events. Synapse-MISP automatically translates MISP objects and relationships into the Synapse data model, so analysts do not have to model the data by hand.
Synapse-TOR
Analysts can use Synapse-TOR to query the TOR Project exit node status API to ingest and tag current TOR exit nodes (IPv4 / IPv6).
Installing a Public Synapse Power-Up
If you already have your own Synapse Open-Source instance up and running (and if not, check out our Quickstart Guide), then you can install any of the Power-Ups shared in this blog. In this section, we’ll walk you through the installation process. The commands in the following steps assume that you’re using the Storm CLI mentioned in Synapse’s Quickstart Guide. You can access the Storm CLI by running:
python -m synapse.tools.storm <cortexurl>
You should see the following output:
Welcome to the Storm interpreter!
Local interpreter (non-storm) commands may be executed with a ! prefix:
Use !quit to exit.
Use !help to see local interpreter commands.
storm>
Now that you’re within the Storm interpreter, you can install Public Power-Ups by following these steps:
Install the Vertex package
The first thing you’ll need to do is install the Vertex package onto your Synapse instance, which you can do by running the following command:
storm> pkg.load https://packages.vertex.link/pkgrepo
You’ll then be able to view the loaded Vertex package by running:
storm> help vertex
package: vertex
vertex.pkg.install : Load a Storm package from a repository.
vertex.pkg.list : List the Storm packages available.
vertex.register : Register Cortex with the Storm package repository.
vertex.repo.list : List the Storm package repositories managed by the server.
Register your Cortex
Now you can use the Vertex package to register your Synapse instance, also known as a Cortex, with the Storm package repository. This will allow you to download and install Storm packages. To register your Cortex, run:
storm> vertex.register <your email address>
You’ll get a message notifying you that your Cortex (identified by a GUID) has been registered successfully, and that you should login to your account to validate it.
storm> vertex.register test.email@vertex.link
Cortex 4c6a704203da1f5ca7bcb753cbd54c87 registered successfully, please log in to your account to validate.
Now check the email account you registered with: you should receive a message from signup@thevertexproject.com with a link to complete your Cortex registration. The link takes you to a page where you can create your Vertex account and set your password. Once you’ve created the account, you’ll see a pending registration request for your Cortex; click the green check mark to approve it, then confirm the Cortex when prompted. Once registered, the Cortex appears in your Vertex account as an Authorized Cortex.
View your Synapse Power-Ups
Now you can return to your Cortex to choose which Power-Up(s) to install. Run the command below to list the available Storm packages by name, authorization status, version number, and description:
storm> vertex.pkg.list
You can also specify a package to view more detailed information, such as name, version history, release dates, required Synapse version, and description:
storm> vertex.pkg.list --pkg <package name>
Install the selected Power-Up
Once you’ve chosen a Power-Up to install, use the following command to load the selected Storm package from the repository:
storm> vertex.pkg.install <package name>
Setup your Power-Up
Some Power-Ups will require you to have your own API key. You can search for commands related to “setup” by running the following query:
storm> help setup
This query will return all commands containing the string “setup,” such as the misp.setup.apikey command shown below:
storm> help setup
package: synapse-misp
misp.setup.apikey : Set the MISP API key.
misp.setup.url : Set the MISP server URL.
For detailed help on any command, use --help
Using Synapse Power-Ups
If you’d like more information about a specific command, such as whether it accepts optional arguments or what type of nodes it will accept as input and create as output, you can run the following:
storm> <command> --help
For example:
storm> misp.sync --help
Sync events from the configured MISP server.
Examples
misp.sync --last 2d
Usage: misp.sync [options]
Options:
--help : Display the command usage.
--last : Load events published in the last time period (MISP last syntax). (default: 24h)
--debug : Run the command with more verbose/debug output.
--resync : Reload the entire server contents from the beginning.
--ssl-noverify : Disable SSL verification of the MISP server (INSECURE!).
Manual Execution
You can also execute Power-Ups directly from the command line. The Synapse-MISP command shown below, for example, tells the Power-Up to ingest indicators from the configured MISP server. Leave --ssl-noverify off unless you are troubleshooting a certificate problem: it disables certificate validation for the MISP connection, so an on-path attacker could read your MISP API key or feed you tampered events.
storm> misp.sync
In another example, the Synapse-MITRE-ATT&CK command shown below accepts both media:news and inet:web:post nodes as input, scrapes their text fields for MITRE ATT&CK elements, and links each input node to the elements it finds with refs light edges. To use this command, lift the media:news or inet:web:post nodes you want to scrape and pipe them to mitre.attack.enrich, optionally adding --yield so that Storm emits the nodes the Power-Up creates instead of passing the input nodes through:
storm> media:news#example | mitre.attack.enrich --yield
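As an added example (not from the original post or from the Power-Up’s own documentation), the Storm below runs the enrichment and then checks what it actually produced by walking the refs light edges in both directions. It assumes you already have media:news nodes tagged #example, that the synapse-mitre-attack package is installed, and that technique T1059 has been imported from the ATT&CK matrix; the tag and the technique ID are illustrative choices, not anything the Power-Up requires.

```storm
// Added example; assumes media:news nodes tagged #example exist and the
// ATT&CK matrix has been imported with synapse-mitre-attack.

// 1. Enrich the tagged reports. --yield returns the ATT&CK nodes the
//    Power-Up matched instead of the media:news nodes that went in.
media:news#example | mitre.attack.enrich --yield

// 2. Check the result: walk the refs light edges from each report to the
//    techniques it was linked to. No output here means nothing was matched.
media:news#example -(refs)> it:mitre:attack:technique

// 3. Pivot the other way: which reports reference a given technique?
//    (T1059 is an assumed example ID.)
it:mitre:attack:technique=T1059 <(refs)- media:news
```

The second and third queries are the check a practitioner wants after any enrichment: if the edge walk returns nothing, either the text fields held no recognisable ATT&CK references or the ATT&CK matrix has not been imported yet, and there is nothing to pivot on.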
Automatic Execution
In addition to executing Power-Ups manually, you can also launch them through event or time-based automation. If you regularly process public reporting, for example, you may want to create a Trigger that will automatically call the appropriate Power-Up(s) to enrich reported indicators when you apply a tag denoting a reported association with a threat actor, campaign, or malware. Similarly, you can schedule a Cron job to regularly sync events published in a MISP instance, so as to ensure that any new data published in MISP is also ingested into the Cortex.
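As an added example that is not part of the original post, here is what those two pieces of automation look like in Storm. It assumes a tag convention of rep.<actor> on media:news nodes (a hypothetical convention chosen for illustration) and that the synapse-mitre-attack and synapse-misp Power-Ups are installed and configured:

```storm
// Added example; rep.* is an assumed tag convention, not one the
// Power-Ups require.

// Trigger: whenever a media:news node receives a tag under rep.*, run the
// ATT&CK enrichment on it. The tagged node is the trigger query's input.
trigger.add tag:add --form media:news --tag rep.* --query { mitre.attack.enrich }

// Cron: every day at 02:00, pull the events MISP published in the last day.
cron.add --hour 2 { misp.sync --last 1d }

// Confirm both registered as expected.
trigger.list
cron.list
```

Triggers and cron jobs run their query with the permissions of the user who created them, so create them from an account that holds only the permissions the Power-Ups need rather than from a Cortex admin account.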
Super Powering the Analyst Through Synapse Power-Ups
Synapse Power-Ups help analysts operate at scale by extending Synapse’s functionality and facilitating the smooth ingest, enrichment, and analysis of data from external sources. The Power-Ups that we’ve made public today are just a few of those that The Vertex Project has developed thus far. Have an idea of a resource that you’d like to see as a Power-Up? Let us know!