User Guide

Synapse-NetTools provides additional Storm commands for querying public WHOIS/DNS APIs and ingesting the results into a Cortex.

Getting Started

Check with your Global Admin to enable permissions.

Examples

Gather live WHOIS data for an FQDN

> inet:fqdn=example.org | nettools.whois --yield
inet:whois:rec=('example.org', '2026/01/16 15:54:51.136')
        .created = 2026/04/16 13:30:22.651
        :asof = 2026/01/16 15:54:51.136
        :created = 1995/08/31 04:00:00.000
        :expires = 2026/08/30 04:00:00.000
        :fqdn = example.org
        :registrar = icann
        :updated = 2026/01/16 15:54:51.136

Gather live DNS data for an FQDN

> inet:fqdn=vertex.link | nettools.dns --yield
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2026/04/16 13:30:22.670
        .seen = ('2026/04/16 13:30:22.671', '2026/04/16 13:30:22.672')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9

Use of meta:source nodes

Synapse-NetTools uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the WHOIS/DNS APIs.

> meta:source=47195abdcd06156f50a36f8df20bb105
meta:source=47195abdcd06156f50a36f8df20bb105
        .created = 2026/04/16 13:30:22.508
        :name = data from nettools api
        :type = nettools

Storm can filter query results to include or exclude nodes that Synapse-NetTools has observed. The following example filters the results of a query to include only nodes observed by Synapse-NetTools:

> inet:fqdn=vertex.link -> inet:dns:a +{ <(seen)- meta:source=47195abdcd06156f50a36f8df20bb105 }
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2026/04/16 13:30:22.670
        .seen = ('2026/04/16 13:30:22.671', '2026/04/16 13:30:22.672')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9
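
The exclude counterpart of the filter above, together with the reverse pivot from the source node, as an added example that is not part of the original guide. It reuses the meta:source guid and FQDN shown above; run each query on its own.

```storm
// Query 1: DNS A records for the FQDN that have NO (seen) edge from the
// NetTools meta:source, i.e. records that reached the Cortex some other way
// and are not backed by a live NetTools lookup.
inet:fqdn=vertex.link -> inet:dns:a -{ <(seen)- meta:source=47195abdcd06156f50a36f8df20bb105 }

// Query 2: start at the source node, walk its (seen) edges outward to every
// node NetTools has recorded, then keep only the DNS A records.
meta:source=47195abdcd06156f50a36f8df20bb105 -(seen)> * +inet:dns:a
```

Comparing the two result sets shows which resolutions for an FQDN rest on a NetTools observation and which depend on other sources.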