Storm Reference - Advanced - Methods

Some of Storm’s Built-In Variables support methods used to perform various actions on the object represented by the variable.

A subset of the built-in variables / objects that support methods, along with a few commonly used methods and examples, are listed below. For full detail, refer to the Storm Types technical reference.

The built-in $lib variable is used to access Storm libraries. See the Storm Libraries technical reference for additional detail on available libraries, or Storm Reference - Advanced - Libraries for user examples.

Note

In the examples below, the $lib.print() library function is used to display the value returned when a specific built-in variable or method is called. This is done for illustrative purposes only; $lib.print() is not required in order to use variables or methods.

In some instances we have also included “use-case” examples, where the variable or method is used in one or more sample queries to illustrate possible practical use cases. These represent exemplar Storm queries for how a variable or method might be used in practice. While we have attempted to use relatively simple examples for clarity, some examples may leverage additional Storm features such as subqueries (Storm Reference - Subqueries), subquery filters (Subquery Filters), or flow control elements such as “for” loops or “switch” statements (Storm Reference - Advanced - Control Flow).

$node

$node is a built-in Storm variable that references the current node in the Storm query pipeline. $node can be used as a variable on its own or with the example methods listed below. See the storm:node section of the Storm Types technical documentation for a full list.

Note

As the $node variable and related methods reference the current node in the Storm pipeline, the variable and its methods will contain (and return) a null value if the inbound result set is empty (i.e., contains no nodes).

Examples

  • Print the value of $node for an inet:dns:a node:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node)

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node)
Executing query at 2021/02/25 21:54:24.209
Node{(('inet:dns:a', ('woot.com', 917309932)), {'iden': '01235b5877954084e798f09ba3fd3f1cda2e7b41d79b752b80acbed1b609cbaa', 'tags': {}, 'props': {'.created': 1614290064192, 'fqdn': 'woot.com', 'ipv4': 917309932, '.seen': (1482957991000, 1482957991001)}, 'tagprops': defaultdict(<class 'dict'>, {}), 'nodedata': {}})}
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 30 ms (33/sec).
  • Print the value of $node for an inet:fqdn node with tags present:
inet:fqdn=aunewsonline.com $lib.print($node)

cli> storm inet:fqdn=aunewsonline.com $lib.print($node)
Executing query at 2021/02/25 21:54:24.295
Node{(('inet:fqdn', 'aunewsonline.com'), {'iden': '53aa7a2f7125392302c36247b97569dd84a7f3fe9e92eb99abd984349dc53fe4', 'tags': {'aka': (None, None), 'aka.feye': (None, None), 'aka.feye.thr': (None, None), 'aka.feye.thr.apt1': (None, None), 'cno': (None, None), 'cno.infra': (None, None), 'cno.infra.sink': (None, None), 'cno.infra.sink.hole': (None, None), 'cno.infra.sink.hole.kleissner': (1385424000000, 1480118400000)}, 'props': {'.created': 1614290064277, 'host': 'aunewsonline', 'domain': 'com', 'issuffix': 0, 'iszone': 1, 'zone': 'aunewsonline.com'}, 'tagprops': defaultdict(<class 'dict'>, {}), 'nodedata': {}})}
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
complete. 1 nodes in 19 ms (52/sec).

Note

The value of $node is the entire node object and associated properties and tags, as opposed to a specific aspect of the node, such as its iden or primary property value.

As demonstrated below, some node constructors can “intelligently” leverage the relevant aspects of the full node object (the value of the $node variable) when creating new nodes.

  • Use the $node variable to create an edge:refs node showing that a news article references the domain woot[.]com:
media:news=a3759709982377809f28fc0555a38193 [ edge:refs=($node,(inet:fqdn,woot.com)) ]

In the example above, the $node.ndef() method could have been used instead of $node to create the edge:refs node. In this case, the node constructor knows to use the ndef from the $node object to create the node.

  • Use the $node variable to create multiple whois name server records (inet:whois:recns) from a set of inbound recent whois record nodes for the domain woot[.]com:
inet:whois:rec:fqdn=woot.com +:asof>=2019/06/13 [ inet:whois:recns=(ns1.somedomain.com,$node) ]

In the example above, the $node.value() method could have been used instead of $node to create the inet:whois:recns nodes. In this case, the node constructor knows to use the primary property value from the inet:whois:rec nodes to create the inet:whois:recns nodes.

$node.form()

The $node.form() method returns the form of the current node in the Storm pipeline.

The method takes no arguments.

Examples

  • Print the form of an inet:dns:a node:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.form())

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.form())
Executing query at 2021/02/25 21:54:24.528
inet:dns:a
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 35 ms (28/sec).

$node.globtags()

The $node.globtags() method returns a list of string matches from the set of tags applied to the current node in the Storm pipeline.

The method takes a single argument consisting of a wildcard expression for the substring to match.

  • The argument requires at least one wildcard ( * ) representing the substring(s) to match.
  • The method performs an exclusive match and returns only the matched substring(s), not the entire tag containing the substring match.
  • The wildcard ( * ) character can be used to match full or partial tag elements.
  • Single wildcards are constrained by tag element boundaries (i.e., the dot ( . ) character. Single wildcards can match an entire tag element or a partial string within an element.
  • The double wildcard ( ** ) can be used to match across any number of tag elements; that is, the double wildcard is not constrained by the dot boundary.
  • If the string expression starts with a wildcard, it must be enclosed in quotes in accordance with the use of Entering Literals.

See $node.tags() to access full tags (vs. tag substrings).

Examples

  • Print the set of top-level (root) tags from any tags applied to the current node:
inet:fqdn=aunewsonline.com $lib.print($node.globtags("*"))

cli> storm inet:fqdn=aunewsonline.com $lib.print($node.globtags("*"))
Executing query at 2021/02/25 21:54:24.621
['aka', 'cno', 'foo', 'faz']
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 26 ms (38/sec).
  • Print the list of numbers associated with any threat group tags applied to the current node:
inet:fqdn=aunewsonline.com $lib.print($node.globtags(cno.threat.t*))

cli> storm inet:fqdn=aunewsonline.com $lib.print($node.globtags(cno.threat.t*))
Executing query at 2021/02/25 21:54:24.663
['83']
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 28 ms (35/sec).

In the example above, $node.globtags() returns the matching substring only (“83”), which is the portion matching the wildcard; it does not return the “t” character.

  • Print the list of organizations and associated threat group names from any third-party alias (“aka”) tags applied to the current node:
inet:fqdn=aunewsonline.com $lib.print($node.globtags(aka.*.thr.*))

cli> storm inet:fqdn=aunewsonline.com $lib.print($node.globtags(aka.*.thr.*))
Executing query at 2021/02/25 21:54:24.706
[('feye', 'apt1'), ('symantec', 'commentcrew')]
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 27 ms (37/sec).
  • Print all sub-tags for any tags starting with “foo” applied to the current node:
inet:fqdn=aunewsonline.com $lib.print($node.globtags(foo.**))

cli> storm inet:fqdn=aunewsonline.com $lib.print($node.globtags(foo.**))
Executing query at 2021/02/25 21:54:24.748
['bar', 'bar.baz', 'derp']
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 27 ms (37/sec).

$node.iden()

The $node.iden() method returns the Iden of the current node in the Storm pipeline.

The method takes no arguments.

Examples

  • Print the iden of an inet:dns:a node:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.iden())

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.iden())
Executing query at 2021/02/25 21:54:24.793
01235b5877954084e798f09ba3fd3f1cda2e7b41d79b752b80acbed1b609cbaa
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 35 ms (28/sec).

$node.isform()

The $node.isform() method returns a Boolean value (true / false) for whether the current node in the Storm pipeline is of a specified form.

The method takes a single argument of a form name.

Examples

  • Print the Boolean value for whether a node is an inet:dns:a form:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.isform(inet:dns:a))

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.isform(inet:dns:a))
Executing query at 2021/02/25 21:54:24.843
True
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 34 ms (29/sec).
  • Print the Boolean value for whether a node is an inet:fqdn form:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.isform(inet:fqdn))

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.isform(inet:fqdn))
Executing query at 2021/02/25 21:54:24.892
False
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 34 ms (29/sec).

$node.ndef()

The $node.ndef() method returns the Ndef (“node definition”) of the current node in the Storm pipeline.

The method takes no arguments.

Examples

  • Print the ndef of an inet:dns:a node:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.ndef())

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.ndef())
Executing query at 2021/02/25 21:54:24.941
('inet:dns:a', ('woot.com', 917309932))
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 33 ms (30/sec).

$node.repr()

The $node.repr() method returns the human-friendly Repr (“representation”) of the specified property of the current node in the Storm pipeline.

The method can optionally take one argument.

  • If no arguments are provided, the method returns the repr of the node’s primary property value.
  • If an argument is provided, it should be the string of the secondary property name (i.e., without the leading colon ( : ) from relative property syntax).
  • If a universal property string is provided, it must be preceded by the dot / period ( . ) and enclosed in quotes in accordance with the use of Entering Literals.

See $node.value() to return the raw value of a property.

Examples

  • Print the repr of the primary property value of an inet:dns:a node:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.repr())

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.repr())
Executing query at 2021/02/25 21:54:24.989
('woot.com', '54.173.9.236')
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 33 ms (30/sec).
  • Print the repr of the :ipv4 secondary property value of an inet:dns:a node:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.repr(ipv4))

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.repr(ipv4))
Executing query at 2021/02/25 21:54:25.037
54.173.9.236
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 35 ms (28/sec).
  • Print the repr of the .seen universal property value of an inet:dns:a node:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.repr(".seen"))

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.repr(".seen"))
Executing query at 2021/02/25 21:54:25.087
('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 33 ms (30/sec).

$node.tags()

The $node.tags() method returns a list of the tags applied to the current node in the Storm pipeline.

The method can optionally take one argument.

  • If no arguments are provided, the method returns the full list of all tags applied to the node.
  • An optional argument consisting of a wildcard string expression can be used to match a subset of tags.
    • If a string is used with no wildcards, the string must be an exact match for the tag element.
    • The wildcard ( * ) character can be used to match full or partial tag elements.
    • The method performs an inclusive match and returns the full tag for all tags that match the provided expression.
    • Single wildcards are constrained by tag element boundaries (i.e., the dot ( . ) character). Single wildcards can match an entire tag element or a partial string within an element.
    • The double wildcard ( ** ) can be used to match across any number of tag elements; that is, the double wildcard is not constrained by the dot boundary.
    • If the string expression starts with a wildcard, it must be enclosed in quotes in accordance with the use of Entering Literals.

See $node.globtags() to access tag substrings (vs. full tags).

Examples

  • Print the list of all tags associated with an inet:fqdn node:
inet:fqdn=aunewsonline.com $lib.print($node.tags())

cli> storm inet:fqdn=aunewsonline.com $lib.print($node.tags())
Executing query at 2021/02/25 21:54:25.135
['aka', 'aka.feye', 'aka.feye.thr', 'aka.feye.thr.apt1', 'cno', 'cno.infra', 'cno.infra.sink', 'cno.infra.sink.hole', 'cno.infra.sink.hole.kleissner', 'aka.symantec', 'aka.symantec.thr', 'aka.symantec.thr.commentcrew', 'cno.threat', 'cno.threat.t83', 'cno.threat.t83.tc', 'foo', 'foo.bar', 'foo.bar.baz', 'faz', 'faz.baz', 'foo.derp']
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 27 ms (37/sec).
  • Print the tag matching the string “cno” if present on an inet:fqdn node:
inet:fqdn=aunewsonline.com $lib.print($node.tags(cno))

cli> storm inet:fqdn=aunewsonline.com $lib.print($node.tags(cno))
Executing query at 2021/02/25 21:54:25.177
['cno']
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 26 ms (38/sec).
  • Print the list of all tags two elements in length that start with “foo”:
inet:fqdn=aunewsonline.com $lib.print($node.tags(foo.*))

cli> storm inet:fqdn=aunewsonline.com $lib.print($node.tags(foo.*))
Executing query at 2021/02/25 21:54:25.219
['foo.bar', 'foo.derp']
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 27 ms (37/sec).
  • Print the list of all tags of any length that start with “f”:
inet:fqdn=aunewsonline.com $lib.print($node.tags(f**))

cli> storm inet:fqdn=aunewsonline.com $lib.print($node.tags(f**))
Executing query at 2021/02/25 21:54:25.261
['foo', 'foo.bar', 'foo.bar.baz', 'faz', 'faz.baz', 'foo.derp']
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 28 ms (35/sec).
  • Print the list of all tags of any length whose first element starts with “a” and whose third element is “thr”:
inet:fqdn=aunewsonline.com $lib.print($node.tags(a*.*.thr.**))

cli> storm inet:fqdn=aunewsonline.com $lib.print($node.tags(a*.*.thr.**))
Executing query at 2021/02/25 21:54:25.305
['aka.feye.thr.apt1', 'aka.symantec.thr.commentcrew']
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 27 ms (37/sec).

$node.value()

The $node.value() method returns the raw value of the primary property of the current node in the Storm pipeline.

The method takes no arguments.

See $node.repr() to return the human-friendly value of a property.

Note

The $node.value() method is only used to return the primary property value of a node. Secondary property values can be accessed via a user-defined variable (i.e., $myvar = :<prop>).

Examples

  • Print the value of the primary property value of an inet:dns:a node:
inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.value())

cli> storm inet:dns:a=(woot.com,54.173.9.236) $lib.print($node.value())
Executing query at 2021/02/25 21:54:25.347
('woot.com', 917309932)
inet:dns:a=('woot.com', '54.173.9.236')
        .created = 2021/02/25 21:54:24.192
        .seen = ('2016/12/28 20:46:31.000', '2016/12/28 20:46:31.001')
        :fqdn = woot.com
        :ipv4 = 54.173.9.236
complete. 1 nodes in 34 ms (29/sec).

$path

$path is a built-in Storm variable that references the path of a node as it travels through the pipeline of a Storm query.

The $path variable is generally not used on its own, but in conjunction with its methods. See the storm:path section of the Storm Types technical documentation for a full list.

$path.idens()

The $path.idens() method returns the list of idens (Iden) of each node in a node’s path through a Storm query.

The method takes no arguments.

Examples

  • Print the list of iden(s) for the path of a single lifted node:
inet:fqdn=aunewsonline.com $lib.print($path.idens())

cli> storm inet:fqdn=aunewsonline.com $lib.print($path.idens())
Executing query at 2021/02/25 21:54:25.396
['53aa7a2f7125392302c36247b97569dd84a7f3fe9e92eb99abd984349dc53fe4']
inet:fqdn=aunewsonline.com
        .created = 2021/02/25 21:54:24.277
        :domain = com
        :host = aunewsonline
        :issuffix = False
        :iszone = True
        :zone = aunewsonline.com
        #aka.feye.thr.apt1
        #aka.symantec.thr.commentcrew
        #cno.infra.sink.hole.kleissner = (2013/11/26 00:00:00.000, 2016/11/26 00:00:00.000)
        #cno.threat.t83.tc
        #faz.baz
        #foo.bar.baz
        #foo.derp
complete. 1 nodes in 27 ms (37/sec).

Note

A lift operation contains no pivots (i.e., no “path”), so the method returns only the iden of the lifted node.

  • Print the list of idens for the path of a single node through two pivots to a single end node:
inet:fqdn=aunewsonline.com -> inet:dns:a +:ipv4=67.215.66.149 -> inet:ipv4 $lib.print($path.idens())

cli> storm inet:fqdn=aunewsonline.com -> inet:dns:a +:ipv4=67.215.66.149 -> inet:ipv4 $lib.print($path.idens())
Executing query at 2021/02/25 21:54:25.496
['53aa7a2f7125392302c36247b97569dd84a7f3fe9e92eb99abd984349dc53fe4', '07c79039d00b4391699c9328dc6ccaf864d84d0b38545ded117d1d7ccc6e366c', '9596f5253f25ee74689157706ddf3b459874a6d3cb0adfce4e07018ec8162fc1']
inet:ipv4=67.215.66.149
        .created = 2021/02/25 21:54:25.477
        :type = unicast
complete. 1 nodes in 44 ms (22/sec).

The example above returns the idens of the original inet:fqdn node, the inet:dns:a node with the specified IP, and the inet:ipv4 node.

  • Print the list of idens for the path of a single node through two pivots to three different end nodes (i.e., three paths):
inet:fqdn=aunewsonline.com -> inet:dns:a -> inet:ipv4 $lib.print($path.idens())

cli> storm inet:fqdn=aunewsonline.com -> inet:dns:a -> inet:ipv4 $lib.print($path.idens())
Executing query at 2021/02/25 21:54:25.554
['53aa7a2f7125392302c36247b97569dd84a7f3fe9e92eb99abd984349dc53fe4', '07c79039d00b4391699c9328dc6ccaf864d84d0b38545ded117d1d7ccc6e366c', '9596f5253f25ee74689157706ddf3b459874a6d3cb0adfce4e07018ec8162fc1']
inet:ipv4=67.215.66.149
        .created = 2021/02/25 21:54:25.477
        :type = unicast
['53aa7a2f7125392302c36247b97569dd84a7f3fe9e92eb99abd984349dc53fe4', '0dde48198d3bcc58b40ab82155b218ecd48b533b964d5d2fa3e7453d990541f5', '5af9ae36456988c24edecafa739da75231c067ba3d104a2746e9616ea7a312d6']
inet:ipv4=184.168.221.92
        .created = 2021/02/25 21:54:25.480
        :type = unicast
['53aa7a2f7125392302c36247b97569dd84a7f3fe9e92eb99abd984349dc53fe4', '1c53655a7f3bc67be338cde70d6565d4bc84d343d37513679d4efcd0ec59d3fe', 'acecd1f87d1dfc31148bf0ed417b69fde1c77eb2e7effdea434765fe8b759351']
inet:ipv4=104.239.213.7
        .created = 2021/02/25 21:54:25.483
        :type = unicast
complete. 3 nodes in 39 ms (76/sec).

In the example above, the FQDN has three DNS A records, thus there are three different paths that the original node takes through the query.