Synapse-AlienVault User Guide

Synapse-AlienVault adds new Storm commands to allow you to query the AlienVault API using your existing API key.

Getting Started

Check with your admin to have the required permissions enabled and to find out whether you need a personal API key.

Examples

Setting your personal API key

To set up a personal API key:

> alienvault.setup.apikey --self myapikey
Setting Synapse-AlienVault API key for the current user.

Query the AlienVault API for Passive DNS

Enrich an FQDN with alienvault.otx.pdns and yield the results:

> inet:fqdn=vertex.link | alienvault.otx.pdns --yield --size 5
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2023/01/31 20:19:00.731
        .seen = ('2021/08/18 17:57:58.000', '2021/08/18 17:58:03.001')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9
inet:dns:a=('misp.power-ups.vertex.link', '138.197.2.57')
        .created = 2023/01/31 20:19:00.753
        .seen = ('2021/08/04 22:33:40.000', '2021/08/04 22:33:40.001')
        :fqdn = misp.power-ups.vertex.link
        :ipv4 = 138.197.2.57
inet:dns:a=('misp.power-ups.vertex.link', '165.227.202.40')
        .created = 2023/01/31 20:19:00.775
        .seen = ('2021/08/04 20:42:34.000', '2021/08/04 20:42:34.001')
        :fqdn = misp.power-ups.vertex.link
        :ipv4 = 165.227.202.40
inet:dns:a=('slackinvite.vertex.link', '138.197.64.146')
        .created = 2023/01/31 20:19:00.794
        .seen = ('2021/07/23 14:54:29.000', '2021/07/23 14:57:21.001')
        :fqdn = slackinvite.vertex.link
        :ipv4 = 138.197.64.146
inet:dns:a=('0e5e2e8c71c0e8b846f8802baea041a6.demo01.optic.vertex.link', '157.230.200.58')
        .created = 2023/01/31 20:19:00.815
        .seen = ('2021/07/19 16:57:18.000', '2021/07/19 16:57:18.001')
        :fqdn = 0e5e2e8c71c0e8b846f8802baea041a6.demo01.optic.vertex.link
        :ipv4 = 157.230.200.58

To bypass caching for a passive DNS lookup:

> inet:fqdn=vertex.link | alienvault.otx.pdns --yield --asof now --size 5
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2023/01/31 20:19:00.731
        .seen = ('2021/08/18 17:57:58.000', '2021/08/18 17:58:03.001')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9
inet:dns:a=('misp.power-ups.vertex.link', '138.197.2.57')
        .created = 2023/01/31 20:19:00.753
        .seen = ('2021/08/04 22:33:40.000', '2021/08/04 22:33:40.001')
        :fqdn = misp.power-ups.vertex.link
        :ipv4 = 138.197.2.57
inet:dns:a=('misp.power-ups.vertex.link', '165.227.202.40')
        .created = 2023/01/31 20:19:00.775
        .seen = ('2021/08/04 20:42:34.000', '2021/08/04 20:42:34.001')
        :fqdn = misp.power-ups.vertex.link
        :ipv4 = 165.227.202.40
inet:dns:a=('slackinvite.vertex.link', '138.197.64.146')
        .created = 2023/01/31 20:19:00.794
        .seen = ('2021/07/23 14:54:29.000', '2021/07/23 14:57:21.001')
        :fqdn = slackinvite.vertex.link
        :ipv4 = 138.197.64.146
inet:dns:a=('0e5e2e8c71c0e8b846f8802baea041a6.demo01.optic.vertex.link', '157.230.200.58')
        .created = 2023/01/31 20:19:00.815
        .seen = ('2021/07/19 16:57:18.000', '2021/07/19 16:57:18.001')
        :fqdn = 0e5e2e8c71c0e8b846f8802baea041a6.demo01.optic.vertex.link
        :ipv4 = 157.230.200.58

Enrich an IP address with alienvault.otx.pdns and yield the results:

> inet:ipv4=161.35.137.163 | alienvault.otx.pdns --yield --size 5
inet:dns:a=('mta-sts.box.westwooddolphins.com', '161.35.137.163')
        .created = 2023/01/31 20:19:01.077
        .seen = ('2021/01/07 19:07:53.000', '2021/01/07 19:07:53.001')
        :fqdn = mta-sts.box.westwooddolphins.com
        :ipv4 = 161.35.137.163
inet:dns:a=('box.westwooddolphins.com', '161.35.137.163')
        .created = 2023/01/31 20:19:01.101
        .seen = ('2021/01/07 19:07:53.000', '2021/01/07 19:07:53.001')
        :fqdn = box.westwooddolphins.com
        :ipv4 = 161.35.137.163
inet:dns:a=('ns1.box.westwooddolphins.com', '161.35.137.163')
        .created = 2023/01/31 20:19:01.119
        .seen = ('2021/01/07 19:07:53.000', '2021/01/07 19:07:53.001')
        :fqdn = ns1.box.westwooddolphins.com
        :ipv4 = 161.35.137.163
inet:dns:a=('ns2.box.westwooddolphins.com', '161.35.137.163')
        .created = 2023/01/31 20:19:01.138
        .seen = ('2021/01/07 19:07:53.000', '2021/01/07 19:07:53.001')
        :fqdn = ns2.box.westwooddolphins.com
        :ipv4 = 161.35.137.163
inet:dns:a=('autoconfig.westwooddolphins.com', '161.35.137.163')
        .created = 2023/01/31 20:19:01.161
        .seen = ('2021/01/07 19:07:01.000', '2021/01/07 19:07:31.001')
        :fqdn = autoconfig.westwooddolphins.com
        :ipv4 = 161.35.137.163

Download the latest Pulses from the AlienVault API

Download the latest OTX Pulses:

> alienvault.otx.pulses --yield --size 10
media:news=2920187baa71b3fab7fec9e245f5b875
        .created = 2023/01/31 20:19:01.243
        :published = 2022/01/20 10:02:39.594
        :summary = Brazil-based malspam pushing Astaroth/Guildma malware.
        :title = brazil emails pushing astaroth/guildma malware
media:news=37244b847c38603acc645776b7215a0d
        .created = 2023/01/31 20:19:01.995
        :published = 2022/01/20 09:19:07.803
        :summary = Recently, security researchers released an analysis report about MHT format files (Web archive files) implanting malware by carrying Office macros Because the attack methods used by the samples mentioned are similar to those of OceanLotus, the report announces that the attack was possibly carried out by the this organization.
        :title = oceanlotus uses glitch to spread malware
media:news=b21516142c8d3ce6d29a95aa3c182fd9
        .created = 2023/01/31 20:19:03.319
        :published = 2022/01/19 17:17:49.828
        :summary = The latest iteration of the PerSwaysion phishing campaign has been observed in a series of emails sent from Amazon’s Simple Email Service, according to SeclarityIO, a security firm.
        :title = perswaysion threat actor updates their techniques and infrastructure
media:news=7597040b04b7edb6dc3e1f59ee90d33e
        .created = 2023/01/31 20:19:03.606
        :published = 2022/01/18 15:45:01.805
        :summary = Cyble Research Labs has identified a new Linux variant of the AvosLocker ransomware group, which demands a ransom of up to $20m (£13m) for the release of a malicious file.
        :title = avoslocker ransomware linux version targets vmware esxi servers
media:news=9328b9c21018d69453f498e778622024
        .created = 2023/01/31 20:19:04.031
        :published = 2022/01/18 15:35:42.020
        :summary = A suspected intelligence gathering campaign targeting renewable energy and industrial technology organisations in 2022 has been linked to a custom 'Mail Box' phishing kit, which collects passwords from users' email accounts, and compromised websites.
        :title = tracking a renewable energy intelligence gathering campaign
media:news=87ce547ea2f380094c47d5f9d10fd22e
        .created = 2023/01/31 20:19:04.788
        :published = 2022/01/18 09:09:11.107
        :summary = Recorded Future has released an in-depth analysis of keystroke injection malware, using the Arduino microcontroller programming platform to inject keystrokes into victims’ computer systems, as part of a series of attacks.
        :title = fin7 uses flash drives to spread remote access trojan
media:news=bc3a62217ade461cd8f49fce510d8a6a
        .created = 2023/01/31 20:19:05.268
        :published = 2022/01/17 16:54:33.395
        :summary = An analysis of Earth Lusca’s cyberespionage operations has revealed details of the Chinese threat actor's operations, and how it targets targets in a variety of countries and regions.
        :title = delving deep: an analysis of earth lusca’s operations
media:news=8fb63d59352f4c28ad83699df47a17bc
        .created = 2023/01/31 20:19:06.746
        :published = 2022/01/17 16:16:26.679
        :summary = Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022.
        :title = destructive malware targeting ukrainian organizations
media:news=14e1ac07a5a21453e93aa8c3587a9c21
        .created = 2023/01/31 20:19:06.966
        :published = 2021/12/17 13:59:15.228
        :summary = Threat actors' consistency over time represents an indication of effectiveness and experience, resulting in an increasing risk for targeted companies. The Yoroi Malware ZLAB is tracking the threat actor Aggah (TH-157) since 2019, along with PaloAlto UNIT42, HP and Juniper Networks, and the persistency of its malicious operation over time reveals a structured information stealing infrastructure, a worldwide campaign capable of quickly varying its distribution technique.
                   They discovered new data theft and reconnaissance operations targeting multiple victims worldwide, including Ukraine, Lithuania, and Italy. The whole campaign impacted hundreds of victims and lasted for two months. CERT Yoroi was able to track the malware distribution infrastructure which was abusing the Bitbucket code repository infrastructures to evade detection mechanism, URL and domain reputation security check.
        :title = serverless infostealer delivered in east european countries
media:news=5bf9f2f8c20d77a009788f924b2cbeca
        .created = 2023/01/31 20:19:07.977
        :published = 2021/12/16 12:31:55.910
        :summary = Contact Forms is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint.  We've seen this campaign push BazarLoader malware and distribute Sliver, but recently it's been pushing IcedID (Bokbot).  Most of the time, the Contact Forms campaign uses a "Stolen Images Evidence" theme, with emails stating a supposed violation of the Digital Millennium Copyright Act (DMCA).
        :title = how the contact forms campaign tricks people

To force a redownload of your subscribed pulses:

> alienvault.otx.pulses --yield --resync --size 5
media:news=2920187baa71b3fab7fec9e245f5b875
        .created = 2023/01/31 20:19:01.243
        :published = 2022/01/20 10:02:39.594
        :summary = Brazil-based malspam pushing Astaroth/Guildma malware.
        :title = brazil emails pushing astaroth/guildma malware
media:news=37244b847c38603acc645776b7215a0d
        .created = 2023/01/31 20:19:01.995
        :published = 2022/01/20 09:19:07.803
        :summary = Recently, security researchers released an analysis report about MHT format files (Web archive files) implanting malware by carrying Office macros Because the attack methods used by the samples mentioned are similar to those of OceanLotus, the report announces that the attack was possibly carried out by the this organization.
        :title = oceanlotus uses glitch to spread malware
media:news=b21516142c8d3ce6d29a95aa3c182fd9
        .created = 2023/01/31 20:19:03.319
        :published = 2022/01/19 17:17:49.828
        :summary = The latest iteration of the PerSwaysion phishing campaign has been observed in a series of emails sent from Amazon’s Simple Email Service, according to SeclarityIO, a security firm.
        :title = perswaysion threat actor updates their techniques and infrastructure
media:news=7597040b04b7edb6dc3e1f59ee90d33e
        .created = 2023/01/31 20:19:03.606
        :published = 2022/01/18 15:45:01.805
        :summary = Cyble Research Labs has identified a new Linux variant of the AvosLocker ransomware group, which demands a ransom of up to $20m (£13m) for the release of a malicious file.
        :title = avoslocker ransomware linux version targets vmware esxi servers
media:news=9328b9c21018d69453f498e778622024
        .created = 2023/01/31 20:19:04.031
        :published = 2022/01/18 15:35:42.020
        :summary = A suspected intelligence gathering campaign targeting renewable energy and industrial technology organisations in 2022 has been linked to a custom 'Mail Box' phishing kit, which collects passwords from users' email accounts, and compromised websites.
        :title = tracking a renewable energy intelligence gathering campaign

Enrich IP Addresses using the AlienVault API

Enrich an IP address using the AlienVault IP endpoints:

> [inet:ipv4=8.8.8.8] | alienvault.otx.ip --asof now --yield --size 5
inet:ipv4=8.8.8.8
        .created = 2023/01/31 20:19:11.599
        :asn = 15169
        :latlong = 37.751,-97.822
        :type = unicast
inet:dns:a=('tangyintz.com', '8.8.8.8')
        .created = 2023/01/31 20:19:11.721
        .seen = ('2021/08/24 02:45:23.000', '2021/08/24 02:45:53.001')
        :fqdn = tangyintz.com
        :ipv4 = 8.8.8.8
inet:dns:a=('leasingvine.com', '8.8.8.8')
        .created = 2023/01/31 20:19:11.744
        .seen = ('2021/08/24 02:41:57.000', '2021/08/24 02:41:57.001')
        :fqdn = leasingvine.com
        :ipv4 = 8.8.8.8
inet:dns:a=('ds.anyi01.cn', '8.8.8.8')
        .created = 2023/01/31 20:19:11.775
        .seen = ('2021/08/23 21:52:08.000', '2021/08/23 21:54:58.001')
        :fqdn = ds.anyi01.cn
        :ipv4 = 8.8.8.8
inet:dns:a=('sq.anyi01.cn', '8.8.8.8')
        .created = 2023/01/31 20:19:11.799
        .seen = ('2021/08/23 21:52:03.000', '2021/08/23 21:54:54.001')
        :fqdn = sq.anyi01.cn
        :ipv4 = 8.8.8.8

Enrich FQDNs and URLs using the AlienVault API

Enrich an FQDN using the AlienVault Domain endpoints (and bypass caching):

> inet:fqdn=vertex.link | alienvault.otx.domain --yield --size 5 --asof now
inet:whois:rec=('vertex.link', '2021/03/24 07:27:53.950')
        .created = 2023/01/31 20:19:11.909
        :asof = 2021/03/24 07:27:53.950
        :created = 2014/08/15 23:07:48.961
        :expires = 2021/08/15 23:07:48.961
        :fqdn = vertex.link
        :registrant = redacted for privacy
        :registrar = enom, inc.
        :updated = 2021/03/24 07:27:53.950
file:bytes=sha256:4d5424172893d6a1f612ec4d2eafe8a351086d8b24628d938df2e35ce5635454
        .created = 2023/01/31 20:19:11.943
        :sha256 = 4d5424172893d6a1f612ec4d2eafe8a351086d8b24628d938df2e35ce5635454
file:bytes=sha256:ff20738f2f0f58e2a7910c06fdb62441c0515c7188ee2abe0e0cc91db259c785
        .created = 2023/01/31 20:19:11.951
        :sha256 = ff20738f2f0f58e2a7910c06fdb62441c0515c7188ee2abe0e0cc91db259c785
inet:http:request=a819a1216e80431a435f96e6607e9b70
        .created = 2023/01/31 20:19:11.975
        :response:code = 0
        :time = 2021/07/27 01:10:12.000
        :url = https://vertex.link/open
inet:http:request=649ced85b36c22aeb4bcf0ab9526fbd4
        .created = 2023/01/31 20:19:11.982
        :response:code = 0
        :time = 2021/07/23 14:53:47.000
        :url = https://slackinvite.vertex.link

Enrich a URL using the AlienVault URL endpoints:

> inet:url=https://news.google.com/topstories | alienvault.otx.url --yield --size 5 --asof now
inet:http:request=c5066a2f4a96c8c3275267a8301ede63
        .created = 2023/01/31 20:19:12.064
        :method = GET
        :response:body = sha256:13f3c46b683f1ccace15188334849f1ad6d9e298ee1a625755e6693eda1acaf6
        :response:code = 200
        :response:headers = [('strict-transport-security', 'max-age=31536000'), ('x-content-type-options', 'nosniff'), ('content-security-policy', "script-src 'nonce-blh4MRsASGv9vD8v/+toMw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DotsSplashUi/cspreport;worker-src 'self'"), ('content-encoding', 'gzip'), ('transfer-encoding', 'chunked'), ('set-cookie', 'GN_PREF=W251bGwsIkNBRVNEQWpYbXJfNkJSQzR5TDM1QWciXQo_; Expires=Thu, 04-Mar-2021 04:50:31 GMT; Path=/; Secure'), ('expires', 'Mon, 01 Jan 1990 00:00:00 GMT'), ('server', 'ESF'), ('x-xss-protection', '0'), ('x-ua-compatible', 'IE=edge'), ('pragma', 'no-cache'), ('cache-control', 'no-cache, no-store, max-age=0, must-revalidate'), ('date', 'Wed, 02 Sep 2020 16:50:31 GMT'), ('x-frame-options', 'SAMEORIGIN'), ('alt-svc', 'h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"'), ('content-type', 'text/html; charset=utf-8')]
        :server:ipv4 = 172.217.14.206
        :time = 2020/09/02 16:50:29.000
        :url = https://news.google.com/topstories

Enrich Files using the AlienVault API

Enrich a file using the AlienVault file endpoints (and bypass caching):

> file:bytes=0014b9a0d8f99a1be4ab5090eeef5510235506885254a40f92decc169da8064d  | alienvault.otx.files --yield --size 5 --asof now
file:bytes=sha256:0014b9a0d8f99a1be4ab5090eeef5510235506885254a40f92decc169da8064d
        .created = 2023/01/31 20:19:12.080
        :md5 = fce8a6a68bd17fe2336f15b34b1fc411
        :mime:pe:imphash = 8390a196de8a4623c526bb32b981e903
        :sha1 = 2f92cc78ca4e326928347e8ebb0b345daecddbac
        :sha256 = 0014b9a0d8f99a1be4ab5090eeef5510235506885254a40f92decc169da8064d
        :size = 577536

Use of meta:source nodes

Synapse-AlienVault uses a meta:source node and -(seen)> lightweight edges to track which nodes were observed via the AlienVault API.

> meta:source=448b84f640c8c7f11e210e57d2523e78
meta:source=448b84f640c8c7f11e210e57d2523e78
        .created = 2023/01/31 20:19:00.721
        :name = alienvault api

Storm filters can include or exclude nodes based on whether Synapse-AlienVault has observed them. The following example filters the results of a query down to only the nodes observed by Synapse-AlienVault:

> #cool.tag.lift +{ <(seen)- meta:source=448b84f640c8c7f11e210e57d2523e78 }
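
As an added example that is not part of the original guide, the following single Storm query combines the provenance filter above with the enrichment commands from the earlier sections. The tag #cool.tag.lift and the meta:source guid are the ones used in the guide's own example; the query assumes your Cortex holds inet:dns:a nodes carrying that tag.

```storm
// Added example (not from the original guide): provenance-aware re-enrichment.
// Start from the tagged nodes (assumed to include inet:dns:a records), keep only
// the passive DNS records that were themselves observed via the AlienVault API,
// pivot to the IPv4 addresses they resolve to, and enrich those addresses with
// the AlienVault IP endpoints, bypassing the cache.
#cool.tag.lift
+inet:dns:a
+{ <(seen)- meta:source=448b84f640c8c7f11e210e57d2523e78 }
-> inet:ipv4 | uniq
| alienvault.otx.ip --asof now --yield --size 5
```

Swapping the `+{ ... }` filter for `-{ ... }` inverts the selection, so the same pipeline can instead target only records that did not come from the AlienVault API.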