Storm Reference - Advanced - Variables

Storm supports the use of variables. A Variable is a value that can change depending on conditions or on information passed to the Storm query. (Contrast this with a Constant, which is a value that is fixed and does not change.)

Variables can be used in a variety of ways, from providing simpler or more efficient ways to reference node properties, to facilitating bulk operations, to performing complex tasks or writing extensions to Synapse in Storm.

These documents approach variables and their use from a user standpoint and aim to provide sufficient background for users to understand and begin to use variables. They do not provide an in-depth discussion of variables and their use from a fully developer-oriented perspective.

Storm Operating Concepts

When leveraging variables in Storm, it is important to keep in mind the high-level Storm Operating Concepts. Specifically:

  • Storm operations (e.g., lifts, filters, pivots, etc.) are performed on nodes.
  • Operations can be chained and are executed in order from left to right.
  • Storm acts as an execution pipeline, with each node passed individually and independently through the chain of Storm operations.
  • Most Storm operations consume nodes — that is, a given operation (such as a filter or pivot) acts upon the inbound node in some way and returns only the node or set of nodes that result from that operation.

These principles apply to variables that reference nodes (or node properties) in Storm just as they apply to nodes, and so affect the way variables behave within Storm queries.

Variable Concepts

Variable Scope

A variable’s scope is its lifetime and under what conditions it may be accessed. There are two dimensions that impact a variable’s scope: its call frame and its runtime safety (“runtsafety”).

Call Frame

A variable’s call frame is where the variable is used. The main Storm query starts with its own call frame, and each call to a “pure” Storm command, function, or subquery creates a new call frame. The new call frame gets a copy of all the variables from the calling call frame. Changes to existing variables or the creation of new variables within the new call frame do not impact the calling scope.

Runtsafe vs. Non-Runtsafe

An important distinction to keep in mind when using variables in Storm is whether the variable is runtime-safe (“Runtsafe”) or non-runtime safe (“Non-Runtsafe”).

A variable that is runtsafe has a value independent of any nodes passing through the Storm pipeline. For example, a variable whose value is explicitly set, such as $string = mystring or $ipv4 = 8.8.8.8 is considered runtsafe because the value does not change / is not affected by the specific node passing through the Storm pipeline.

A variable that is non-runtsafe has a value derived from a node passing through the Storm pipeline. For example, a variable whose value is set to a node property value may change based on the specific node passing through the Storm pipeline. In other words, if your Storm query is operating on a set of DNS A nodes (inet:dns:a) and you define the variable $fqdn = :fqdn (setting the variable to the value of the :fqdn secondary property), the value of the variable will change based on the specific value of that property for each inet:dns:a node in the pipeline.

All non-runtsafe variables are scoped to an individual node as it passes through the Storm pipeline. This means that a variable’s value based on a given node is not available when processing a different node (at least not without using special commands, methods, or libraries). In other words, the path of a particular node as it passes through the Storm pipeline is its own scope.

The “safe” in non-runtsafe should not be interpreted as meaning the use of non-runtsafe variables is somehow “risky” or involves insecure programming or processing of data. It simply means the value of the variable is not safe from changing (i.e., it may change) as the Storm pipeline progresses.

Types of Variables

Storm supports two types of variables:

  • Built-in variables. Built-in variables facilitate many common Storm operations. They may vary in their scope and in the context in which they can be used.
  • User-defined variables User-defined variables are named and defined by the user. They are most often limited in scope and facilitate operations within a specific Storm query.

Built-In Variables

Storm includes a set of built-in variables and associated variable methods (Storm Reference - Advanced - Methods) and libraries (Storm Reference - Advanced - Libraries and the Storm Libraries technical documentation) that facilitate Cortex-wide, node-specific, and context-specific operations.

Built-in variables differ from user-defined variables in that built-in variable names:

  • are initialized at Cortex start,
  • are reserved,
  • can be accessed automatically (i.e., without needing to define them) from within Storm, and
  • persist across user sessions and Cortex reboots.

Global Variables

Global variables operate independently of any node. That is, they can be invoked in a Storm query in the absence of any nodes in the Storm execution pipeline (though they can also be leveraged when performing operations on nodes).

$lib

The library variable ( $lib ) is a built-in variable that provides access to the global Storm library. In Storm, libraries are accessed using built-in variable names (e.g., $lib.print()).

See the Storm Libraries technical documentation for descriptions of the libraries available within Storm.

Node-Specific Variables

Storm includes node-specific variables that are designed to operate on or in conjunction with nodes and require one or more nodes in the Storm pipeline.

Note

Node-specific variables are always non-runtsafe.

$node

The node variable ($node) is a built-in Storm variable that references the current node in the Storm query. Specifically, this variable contains the inbound node’s node object, and provides access to the node’s attributes, properties, and associated attribute and property values.

Invoking this variable during a Storm query is useful when you want to:

  • access the raw and entire node object,
  • store the value of the current node before pivoting to another node, or
  • use an aspect of the current node in subsequent query operations.

The $node variable supports a number of built-in methods that can be used to access specific data or properties associated with a node. See the technical documentation for the storm:node object or the $node section of the Storm Reference - Advanced - Methods user documentation for additional detail and examples.

$path

The path variable ($path) is a built-in Storm variable that references the path of a node as it travels through the pipeline of a Storm query.

The $path variable is not used on its own, but in conjunction with its methods. See the technical documentattion for the storm:path object or the $path section of the Storm Reference - Advanced - Methods user documentation for additional detail and examples.

Trigger-Specific Variables

A Trigger is used to support automation within a Cortex. Triggers use events (such as the creation of a node, setting the value of a node’s property, or applying a tag to a node) to fire (“trigger”) the execution of a predefined Storm query. Storm uses a built-in variable specifically within the context of trigger-initiated Storm queries.

$tag

Within the context of triggers that fire on tag:add events, the $tag variable represents the name of the tag that caused the trigger to fire.

For example:

You write a trigger to fire when any tag matching the expression #foo.bar.* is added to a file:bytes node. The trigger executes the following Storm command:

-> hash:md5 [ +#$tag ]

Because the trigger uses a wildcard expression, it will fire on any tag that matches that expression (e.g., #foo.bar.hurr, #foo.bar.derp, etc.). The Storm snippet above will take the inbound file:bytes node, pivot to the file’s associated MD5 node (hash:md5), and apply the same tag that fired the trigger to the MD5.

See the Triggers section of the Storm Reference - Automation document and the Storm trigger command for a more detailed discussion of triggers and associated Storm commands.

CSVTool-Specific Variables

Synapse’s CSVTool is used to ingest (import) data into or export data from a Cortex using comma-separated value (CSV) format. Storm includes a built-in variable to facilitate bulk data ingest using CSV.

$rows

The $rows variable refers to the set of rows in a CSV file. When ingesting data into a Cortex, CSVTool reads a CSV file and a file containing a Storm query that tells CSVTool how to process the CSV data. The Storm query is typically constructed to iterate over the set of rows ($rows) using a “for” loop that uses user-defined variables to reference each field (column) in the CSV data.

For example:

for ($var1, $var2, $var3, $var4) in $rows { <do stuff> }

See Synapse Tools - csvtool for a more detailed discussion of CSVTool use and associated Storm syntax.

User-Defined Variables

User-defined variables can be defined in one of two ways:

  • At runtime (i.e., within the scope of a specific Storm query). This is the most common use for user-defined variables.
  • Mapped via options passed to the Storm runtime (i.e., when using the --optifle option from Synapse cmdr or via Cortex API access). This method is less common. When defined in this manner, user-defined variables will behave as though they are built-in variables that are runtsafe.

Variable Names

All variable names in Storm (including built-in variables) begin with a dollar sign ( $ ). A variable name can be any alphanumeric string, except for the name of a built-in variable (see Built-In Variables), as those names are reserved. Variable names are case-sensitive; the variable $MyVar is different from $myvar.

Note

Storm will not prevent you from using the name of a built-in variable to define a variable (such as $node = 7). However, doing so may result in undesired effects or unexpected errors due to the variable name collision.

Defining Variables

Within Storm, a user-defined variable is defined using the syntax:

$<varname> = <value>

The variable name must be specified first, followed by the equals sign and the value of the variable itself.

<value> can be:

  • an explicit value / literal,
  • a node secondary or universal property,
  • a tag or tag property,
  • a built-in variable or method,
  • a library function,
  • a mathematical expression / “dollar expression”, or
  • an embedded query.

Examples

Two types of examples are used below:

  • Demonstrative example: the $lib.print() library function is used to display the value of the user-defined variable being set. This is done for illustrative purposes only; $lib.print() is not required in order to use variables or methods.

    Keep Storm’s operation chaining, pipeline, and node consumption aspects in mind when reviewing the demonstrative examples below. When using $lib.print() to display the value of a variable, the queries below will:

    • Lift the specified node(s).
    • Assign the variable. Note that assigning a variable has no impact on the nodes themselves.
    • Print the variable’s value.
    • Return any nodes still in the pipeline. Because variable assignment doesn’t impact the node(s), they are not consumed and so are returned (displayed) at the CLI.

    The effect of this process is that for each node in the Storm query pipeline, the output of $lib.print() is displayed, followed by the relevant node.

  • Use-case example: the user-defined variable is used in one or more sample queries to illustrate possible practical use cases. These represent exemplar Storm queries for how a variable or method might be used in practice. While we have attempted to use relatively simple examples for clarity, some examples may leverage additional Storm features such as subqueries, subquery filters, or flow control elements such as “for” loops or “switch” statements.

Assign a literal to a user-defined variable:

  • Assign the value 5 to the variable $threshold:
$threshold=5 $lib.print($threshold)

cli> storm $threshold=5 $lib.print($threshold)
Executing query at 2021/08/02 21:50:48.893
5
complete. 0 nodes in 856 ms (0/sec).
  • Tag any file:bytes nodes that have a number of AV signature hits higher than a given threshold for review:
$threshold=5 file:bytes +{ -> it:av:filehit } >= $threshold [ +#review ]

Assign a node secondary property to a user-defined variable:

  • Assign the :user property from an Internet-based account (inet:web:acct) to the variable $user:
inet:web:acct=(twitter.com,bert) $user=:user $lib.print($user)

cli> storm inet:web:acct=(twitter.com,bert) $user=:user $lib.print($user)
Executing query at 2021/08/02 21:50:50.136
bert
inet:web:acct=twitter.com/bert
        .created = 2021/08/02 21:50:50.114
        :email = bert@gmail.com
        :site = twitter.com
        :user = bert
complete. 1 nodes in 39 ms (25/sec).
  • Find email addresses associated with a set of Internet accounts where the username of the email address is the same as the username of the Internet account:
inet:web:acct $user=:user -> inet:email +:user=$user

Assign a node universal property to a user-defined variable:

  • Assign the .seen universal property from a DNS A node to the variable $time:
inet:dns:a=(woot.com,1.2.3.4) $time=.seen $lib.print($time)

cli> storm inet:dns:a=(woot.com,1.2.3.4) $time=.seen $lib.print($time)
Executing query at 2021/08/02 21:50:50.340
(1543289294000, 1565893967000)
inet:dns:a=('woot.com', '1.2.3.4')
        .created = 2021/08/02 21:50:50.321
        .seen = ('2018/11/27 03:28:14.000', '2019/08/15 18:32:47.000')
        :fqdn = woot.com
        :ipv4 = 1.2.3.4
complete. 1 nodes in 40 ms (25/sec).

Note

In the example above, the raw value of the .seen property is assigned to the $time variable. .seen is an interval (ival) type, consisting of a pair of minimum and maximum time values. These values are stored in Unix epoch millis, which are the values shown by the output of the $lib.print() function.

  • Given a DNS A record, find other DNS A records that pointed to the same IP address in the same time window:
inet:dns:a=(woot.com,1.2.3.4) $time=.seen -> inet:ipv4 -> inet:dns:a +.seen@=$time

Assign a tag to a user-defined variable:

  • Assign the explicit tag value cno.infra.anon.tor to the variable $tortag:
$tortag=cno.infra.anon.tor $lib.print($tortag)

cli> storm $tortag=cno.infra.anon.tor $lib.print($tortag)
Executing query at 2021/08/02 21:50:50.544
cno.infra.anon.tor
complete. 0 nodes in 24 ms (0/sec).
  • Tag IP addresses that Shodan says are associated with Tor with the #cno.infra.anon.tor tag:
$tortag=cno.infra.anon.tor inet:ipv4#rep.shodan.tor [ +#$tortag ]

Assign a tag timestamp to a user-defined variable:

  • Assign the times associated with Threat Group 20’s use of a malicious domain to the variable $time:
inet:fqdn=evildomain.com $time=#cno.threat.t20.tc $lib.print($time)

cli> storm inet:fqdn=evildomain.com $time=#cno.threat.t20.tc $lib.print($time)
Executing query at 2021/08/02 21:50:50.717
(1441670400000, 1504828800000)
inet:fqdn=evildomain.com
        .created = 2021/08/02 21:50:50.698
        :domain = com
        :host = evildomain
        :issuffix = False
        :iszone = True
        :zone = evildomain.com
        #cno.threat.t20.tc = (2015/09/08 00:00:00.000, 2017/09/08 00:00:00.000)
complete. 1 nodes in 34 ms (29/sec).
  • Find DNS A records for any subdomain associated with a Threat Group 20 zone during the time they controlled the zone:
inet:fqdn#cno.threat.t20.tc $time=#cno.threat.t20.tc -> inet:fqdn:zone -> inet:dns:a +.seen@=$time

Assign a tag property to a user-defined variable:

  • Assign the risk value assigned by DomainTools to an FQDN to the variable $risk:
inet:fqdn=badsite.org $risk=#rep.domaintools:risk $lib.print($risk)

cli> storm inet:fqdn=badsite.org $risk=#rep.domaintools:risk $lib.print($risk)
Executing query at 2021/08/02 21:50:50.981
85
inet:fqdn=badsite.org
        .created = 2021/08/02 21:50:50.963
        :domain = org
        :host = badsite
        :issuffix = False
        :iszone = True
        :zone = badsite.org
        #rep.domaintools:risk = 85
complete. 1 nodes in 32 ms (31/sec).
  • Given an FQDN with a risk score, find all FQDNs with an equal or higher risk score:
inet:fqdn=badsite.org $risk=#rep.domaintools:risk inet:fqdn#rep.domaintools:risk>=$risk

Assign a built-in variable to a user-defined variable:

  • Assign a ps:person node to the variable $person:
ps:person=0040a7600a7a4b59297a287d11173d5c $person=$node $lib.print($person)

cli> storm ps:person=0040a7600a7a4b59297a287d11173d5c $person=$node $lib.print($person)
Executing query at 2021/08/02 21:50:51.156
Node{(('ps:person', '0040a7600a7a4b59297a287d11173d5c'), {'iden': '1275e1464cdd865aa78fbe45c3a4fee391713063e4015323b6c38cee81370f5b', 'tags': {}, 'props': {'.created': 1627941051142}, 'tagprops': {}, 'nodedata': {}})}
ps:person=0040a7600a7a4b59297a287d11173d5c
        .created = 2021/08/02 21:50:51.142
complete. 1 nodes in 32 ms (31/sec).
  • For a given person, find all objects the person “has” and all the news articles that reference that person (uses the Storm tee command):
ps:person=0040a7600a7a4b59297a287d11173d5c $person = $node | tee { edge:has:n1=$person -> * } { edge:refs:n2=$person <- * +media:news }

Note

See the technical documentation for the storm:node object or the $node section of the Storm Reference - Advanced - Methods user documentation for additional detail and examples when using the $node built-in variable.

Assign a built-in variable method to a user-defined variable:

  • Assign the value of a domain node to the variable $fqdn:
inet:fqdn=mail.mydomain.com $fqdn=$node.value() $lib.print($fqdn)

cli> storm inet:fqdn=mail.mydomain.com $fqdn=$node.value() $lib.print($fqdn)
Executing query at 2021/08/02 21:50:51.468
mail.mydomain.com
inet:fqdn=mail.mydomain.com
        .created = 2021/08/02 21:50:51.449
        :domain = mydomain.com
        :host = mail
        :issuffix = False
        :iszone = False
        :zone = mydomain.com
complete. 1 nodes in 36 ms (27/sec).
  • Find the DNS A records associated with a given domain where the PTR record for the IP matches the FQDN:
inet:fqdn=mail.mydomain.com $fqdn=$node.value() -> inet:dns:a +{ -> inet:ipv4 +:dns:rev=$fqdn }

Assign a library function to a user-defined variable:

  • Assign a value to the variable $mytag using a library function:
$mytag = $lib.str.format("cno.mal.sofacy") $lib.print($mytag)

cli> storm $mytag = $lib.str.format("cno.mal.sofacy") $lib.print($mytag)
Executing query at 2021/08/02 21:50:51.684
cno.mal.sofacy
complete. 0 nodes in 34 ms (0/sec).
  • Assign a value to the variable $mytag using a library function (example 2):
file:bytes=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 for $tag in $node.tags(code.fam.*) { $malfam=$tag.split(".").index(2) $mytag=$lib.str.format("cno.mal.{malfam}", malfam=$malfam) $lib.print($mytag) }

cli> storm file:bytes=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 for $tag in $node.tags(code.fam.*) { $malfam=$tag.split(".").index(2) $mytag=$lib.str.format("cno.mal.{malfam}", malfam=$malfam) $lib.print($mytag) }
Executing query at 2021/08/02 21:50:51.776
cno.mal.sofacy
file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        .created = 2021/08/02 21:50:51.759
        :sha256 = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        #code.fam.sofacy
complete. 1 nodes in 80 ms (12/sec).

The above example leverages:

  • three variables ($tag, $malfam, and $mytag);
  • the $node.tags() method;
  • the $lib.split(), $lib.index(), and $lib.str.format() library functions; as well as
  • a “for” loop.
  • If a file is tagged as part of a malicious code (malware) family, then also tag the file to indicate it is part of that malware’s ecosystem:
file:bytes=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 for $tag in $node.tags(code.fam.*) { $malfam=$tag.split(".").index(2) $mytag=$lib.str.format("cno.mal.{malfam}", malfam=$malfam) [ +#$mytag ] }

Use a mathematical expression / “dollar expression” as a variable:

  • Use a mathematical expression to increment the variable $x:
$x=5 $x=$($x + 1) $lib.print($x)

cli> storm $x=5 $x=$($x + 1) $lib.print($x)
Executing query at 2021/08/02 21:50:51.972
6
complete. 0 nodes in 38 ms (0/sec).
  • For any domain with a “risk” score from Talos, tag those with a score greater than 75 as “high risk”:
inet:fqdn#rep.talos:risk $risk=#rep.talos:risk if $($risk > 75) { [ +#high.risk ] }

Note

In the examples above, the mathematical expressions $($x + 1) and $($risk > 75) are not themselves variables, despite starting with a dollar sign ( $ ). The syntax convention of “dollar expression” ( $( <expression> ) ) allows Storm to support the use of variables (like $x and $risk) in mathematical and logical operations.