User Guide

Synapse-NetTools provides additional Storm commands for querying public WHOIS/DNS APIs and ingesting the results into a Cortex.

Getting Started

Check with your Global Admin to have the required permissions enabled for your user.

Examples

Gather live WHOIS data for an FQDN

> inet:fqdn=example.org | nettools.whois --yield
inet:whois:rec=('example.org', '2015/08/19 20:25:53.000')
        .created = 2024/04/09 17:00:51.954
        :asof = 2015/08/19 20:25:53.000
        :created = 1995/08/31 04:00:00.000
        :expires = 2010/08/30 04:00:00.000
        :fqdn = example.org
        :registrant = icann
        :registrar = icann
        :text = domain name: example.org
                registry domain id: d2328855-lror
                registrar whois server:
                registrar url:
                updated date: 2015-08-19t20:25:53z
                creation date: 1995-08-31t04:00:00z
                registry expiry date: 2010-08-30t04:00:00z
                registrar registration expiration date:
                registrar: icann
                registrar iana id: 376
                registrar abuse contact email:
                registrar abuse contact phone:
                reseller:
                domain status: serverdeleteprohibited https://icann.org/epp#serverdeleteprohibited
                domain status: serverrenewprohibited https://icann.org/epp#serverrenewprohibited
                domain status: servertransferprohibited https://icann.org/epp#servertransferprohibited
                domain status: serverupdateprohibited https://icann.org/epp#serverupdateprohibited
                registrant organization: icann
                registrant state/province: ca
                registrant country: us
                name server: a.iana-servers.net
                name server: b.iana-servers.net
                dnssec: signeddelegation
                url of the icann whois inaccuracy complaint form https://www.icann.org/wicf/)
                >>> last update of whois database: 2022-05-20t19:14:13z <<<

                for more information on whois status codes, please visit https://icann.org/epp

                access to public interest registry whois information is provided to assist persons in determining the contents of a domain name registration record in the public interest registry registry database. the data in this record is provided by public interest registry for informational purposes only, and public interest registry does not guarantee its accuracy. this service is intended only for query-based access. you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of registry operator, a registrar, or afilias except as reasonably necessary to register domain names or modify existing registrations. all rights reserved. public interest registry reserves the right to modify these terms at any time. by submitting this query, you agree to abide by this policy.

                the registrar of record identified in this output may have an rdds service that can be queried for additional information on how to contact the registrant, admin, or tech contact of the queried domain name.

        :updated = 2015/08/19 20:25:53.000
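The raw :text block above is stored verbatim, while the secondary properties (:created, :expires, :registrar, and so on) are what make the record queryable. As an added example that is not part of Synapse-NetTools, the following Python parses a constructed, abbreviated copy of that record into the same set of fields, making the mapping from raw text to node properties explicit; the property names and the timestamp format are assumptions taken from the output shown above.

```python
# Added example (not Synapse-NetTools code): parse raw WHOIS text, as stored in inet:whois:rec:text, into structured fields.
from collections import defaultdict
from datetime import datetime

# Constructed sample, abbreviated from the example.org record shown above.
SAMPLE = """domain name: example.org
registrar whois server:
updated date: 2015-08-19t20:25:53z
creation date: 1995-08-31t04:00:00z
registry expiry date: 2010-08-30t04:00:00z
registrar: icann
domain status: serverdeleteprohibited https://icann.org/epp#serverdeleteprohibited
domain status: servertransferprohibited https://icann.org/epp#servertransferprohibited
registrant organization: icann
name server: a.iana-servers.net
name server: b.iana-servers.net
>>> last update of whois database: 2022-05-20t19:14:13z <<<
for more information on whois status codes, please visit https://icann.org/epp
"""

def parse_whois_fields(text):
    """Return {key: [values]}: keys lowercased, repeated keys accumulate, empty values dropped."""
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        # Skip the registry banner and free text; only 'key: value' or bare 'key:' lines count.
        if line.startswith('>>>') or (': ' not in line and not line.endswith(':')):
            continue
        key, _, value = line.partition(':')
        if value.strip():
            fields[key.strip().lower()].append(value.strip())
    return dict(fields)

def to_synapse_time(stamp):
    """Convert a WHOIS '1995-08-31t04:00:00z' stamp to the 'YYYY/MM/DD HH:MM:SS.000' form Storm prints."""
    return datetime.strptime(stamp.upper(), '%Y-%m-%dT%H:%M:%SZ').strftime('%Y/%m/%d %H:%M:%S.000')

def whois_rec_props(text):
    """Map parsed fields onto inet:whois:rec-style property names (mapping assumed from the output above)."""
    f = parse_whois_fields(text)
    return {
        'fqdn': f['domain name'][0],
        'registrar': f['registrar'][0],
        'registrant': f['registrant organization'][0],
        'created': to_synapse_time(f['creation date'][0]),
        'updated': to_synapse_time(f['updated date'][0]),
        'expires': to_synapse_time(f['registry expiry date'][0]),
        'nameservers': f['name server'],
        'status': [s.split()[0] for s in f['domain status']],
    }
```

Multi-valued keys such as name server and domain status are kept as lists, and empty registrar fields are dropped rather than stored as blank strings.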

Gather live DNS data for an FQDN

> inet:fqdn=vertex.link | nettools.dns --yield
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2024/04/09 17:00:52.097
        .seen = ('2024/04/09 17:00:52.107', '2024/04/09 17:00:52.108')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9

Use of meta:source nodes

Synapse-NetTools uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the WHOIS/DNS APIs.

> meta:source=47195abdcd06156f50a36f8df20bb105
meta:source=47195abdcd06156f50a36f8df20bb105
        .created = 2024/04/09 17:00:51.922
        :name = data from nettools api
        :type = nettools

Storm can filter query results to include or exclude nodes that have been observed by Synapse-NetTools. The following example shows how to filter the results of a query to include only nodes observed by Synapse-NetTools:

> inet:fqdn=vertex.link -> inet:dns:a +{ <(seen)- meta:source=47195abdcd06156f50a36f8df20bb105 }
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2024/04/09 17:00:52.097
        .seen = ('2024/04/09 17:00:52.107', '2024/04/09 17:00:52.108')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9