Catalyst / admin/Syanpse-Vanguard 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Syanpse-Vanguard

public
Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Syanpse-Vanguard / synapse-vanguard-v3 / docs / INTEGRATION-IronNode.md 6848 B · main
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
# Setting up the Synapse IronNode → Synapse-Vanguard event feed

This guide walks an administrator through connecting **Synapse IronNode** to a
**Synapse-Vanguard** SIEM so that IronNode incidents are pushed into Vanguard as
security events.

The connection uses a single **API key** and **ingest URL** that Vanguard issues
and IronNode stores. Once set up, IronNode forwards each incident automatically
through its lifecycle (triggered → triage → closed).

```
  Synapse IronNode  ──POST /v1/ingest/events (Bearer <API key>)──▶  Synapse-Vanguard
   (incidents)                                                        (event search)
```

---

## Before you start

| You need | Where |
|---|---|
| A **Vanguard admin** account (role: *System Administrator*) | Vanguard login |
| An **IronNode** account with **3rd Line Analyst** rank or above | IronNode login |
| Network path from IronNode to Vanguard on the app port (default **5500**) | firewall / LAN |

> The two apps talk over HTTP(S) on Vanguard's app port. If they're on different
> hosts, make sure IronNode can reach `http://<vanguard-host>:5500`.

---

## Step 1 — Generate the API key in Vanguard

1. Sign in to Vanguard (`http://<vanguard-host>:5500/`) as an administrator.
2. In the top-right, open the **Admin ▾** menu and choose **🔑 Ingress API (IronNode)**.
3. You'll see two things:
   - **Ingest URL** — e.g. `http://<vanguard-host>:5500/v1/ingest/events`
   - **API key** — created when you click **Generate key**
4. Click **Generate key**. A key beginning with `svg_…` appears.
5. Use the **Copy** buttons to copy **both** the Ingest URL and the API key —
   you'll paste them into IronNode next.

> **Keep the key safe.** Anyone with the key + URL can send events to Vanguard.
> The key is stored encrypted; you can re-open this panel any time to copy it
> again, or **Regenerate** it (which immediately disables the old key).

The **Enable/Disable** toggle controls whether the ingest endpoint accepts data
at all. Leave it **enabled**.

---

## Step 2 — Configure IronNode

1. Sign in to IronNode as a **3rd Line Analyst** (or higher).
2. Go to **Settings** → find the **Synapse-Vanguard SIEM forwarder** card.
3. Fill in:
   - **Vanguard ingest URL** — paste the Ingest URL from Step 1
     (e.g. `http://<vanguard-host>:5500/v1/ingest/events`).
   - **Vanguard API key** — paste the `svg_…` key from Step 1.
4. Click **Test connection**.
   - *"Connected — Vanguard accepted the API key."* → you're good.
   - ❌ See [Troubleshooting](#troubleshooting) below.
5. Click **Save**.
6. Turn the **Forward incidents to Vanguard** toggle **on**.

The status pill at the top of the card should now read **Forwarding**.

> The API key is stored **AES-256-GCM encrypted** in IronNode's tenant vault and
> is never shown again in the browser. Re-enter it only if you regenerate it in
> Vanguard.

---

## Step 3 — Verify it works

1. In IronNode, trigger a playbook (via its webhook, or however you normally
   raise an incident). This creates an incident.
2. In Vanguard, go to the main dashboard and search with **Source type =
   `ironnode`**.
3. You should see incident events appear, for example:
   - `Incident TRIGGERED — <playbook>` when the incident is raised
   - `Incident AWAITING_TRIAGE — <playbook> (severity N/10)` once the AI scores it
   - `Incident CLOSED — <playbook>` when the playbook finishes

High-severity incidents show as **Critical/Emergency** and pulse red in the
Vanguard event table.

---

## How severity maps

IronNode scores incidents **1–10** (10 = most severe). Vanguard uses the syslog
**0–7** scale (0 = most severe). IronNode converts automatically:

| IronNode risk score | Vanguard severity |
|---|---|
| 10 | EMERGENCY (pulses red) |
| 9 | ALERT |
| 7–8 | CRITICAL (pulses red) |
| 6 | ERROR |
| 5 | WARNING |
| 3–4 | NOTICE |
| 2 | INFO |
| 1 | DEBUG |
| (not yet scored) | NOTICE |

> In Vanguard, **EMERGENCY** and **CRITICAL** rows pulse red so the most serious
> incidents stand out immediately.

---

## Rotating / revoking the key

**To rotate the key** (e.g. if it may have leaked):

1. In Vanguard: **Admin ▾ → Ingress API (IronNode) → Regenerate key**. The old
   key stops working immediately.
2. Copy the new key.
3. In IronNode: **Settings → Synapse-Vanguard SIEM forwarder**, paste the new key
   into the **API key** field, **Test connection**, **Save**.

**To stop the feed entirely**, do either:
- In Vanguard, toggle the Ingress API **off** (rejects all pushes), **or**
- In IronNode, toggle **Forward incidents to Vanguard** **off** (stops sending).

The key stays stored in both apps until you overwrite it, so you can pause and
resume without re-entering anything.

---

## Troubleshooting

| Symptom | Cause / fix |
|---|---|
| Test says **"Rejected: invalid or disabled API key"** (HTTP 401) | The key is wrong or Vanguard's Ingress API is toggled off. Re-copy the key from Vanguard; make sure the Ingress API is **enabled**. |
| Test says **"Connection failed"** or a timeout | IronNode can't reach the URL. Check the host/port, that Vanguard is running, and that a firewall isn't blocking port **5500**. |
| Test says **HTTP 404** | The URL is wrong — it must end in `/v1/ingest/events`. |
| Saved but **no events in Vanguard** | Confirm the **Forward incidents** toggle is on in IronNode, that incidents are actually being raised, and search Vanguard for source type `ironnode` (not a host filter). |
| **"Forbidden — 3rd Line Analyst or above required"** | Your IronNode account lacks the `INTEGRATION_MANAGE` capability. Ask an administrator to raise your rank or configure it for you. |
| Events appear but severity looks off | See [How severity maps](#how-severity-maps) — IronNode 1–10 is inverted to Vanguard's 0–7 scale. |

---

## Reference — the API (for advanced/manual use)

Any external system can push events with the same key, not just IronNode.

**Endpoint**

```
POST http://<vanguard-host>:5500/v1/ingest/events
Authorization: Bearer <svg_… API key>
Content-Type: application/json
```

**Body**

```json
{
  "events": [
    {
      "ts": "2026-07-03T10:00:00Z",
      "host": "synapse-ironnode",
      "message": "Incident TRIGGERED — Brute Force (severity 9/10)",
      "severity": 1,
      "category": "incident",
      "mitre_technique": "T1110",
      "fields": { "incident_id": "i-123", "status": "TRIGGERED" }
    }
  ]
}
```

- `severity` is the syslog scale **0–7** (0 = emergency). Omit it to default to INFO.
- All fields except `message` are optional; unknown keys can go under `fields`.
- An **empty** `{"events": []}` body is a valid connection probe (returns
  `{"accepted": 0}` with a good key, `401` with a bad one).

**Response**

```json
{ "accepted": 1 }
```

Max 5000 events per request.