Package Documentation
Storm Package: synapse-assemblyline
The following Commands are available from this package. This documentation is generated for version 0.4.0 of the package.
Storm Commands
This package implements the following Storm Commands.
assemblyline.byid
Ingest a submission report by ID.
Examples:
// Ingest a report and its AssemblyLine ontology by ID and yield the resulting nodes, and display debug output
assemblyline.byid "3RVzQWO3JJAeslxIhNjxIr" --yield --debug
Usage: assemblyline.byid [options] <id>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
--no-ssl-verify : Ignore SSL certificate validation errors.
Arguments:
<id> : The submission ID to ingest.
assemblyline.download
Download a file from the configured AssemblyLine instance into the configured Axon.
Examples:
// Download a set of files into the configured Axon and yield the created file:bytes nodes
hash:sha256#my.files | assemblyline.download --yield
Usage: assemblyline.download [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--no-ssl-verify : Ignore SSL certificate validation errors.
--yield : Yield the newly created nodes.
assemblyline.enrich
Ingest the most recently completed submission report for inet:url, file:bytes, or hash:sha256 nodes.
Examples:
// Enrich an inet:url and print debug output
inet:url="https://vertex.link/" | assemblyline.enrich --debug
// Enrich a set of file:bytes nodes and yield the created nodes
file:bytes#my.files | assemblyline.enrich --yield
Usage: assemblyline.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--no-ssl-verify : Ignore SSL certificate validation errors.
assemblyline.feed
Ingest the completed submission reports for a specific time range.
The --since-last option can be used to retrieve new results since the last run of
the command. When using --since-last, the time of the query execution is
stored in the :offset property of an associated it:exec:query node. Because that
node lives in the view where the command ran, the offset is tracked per-view and
may be overwritten if the same query is run in multiple forks that are subsequently
merged.
If --since-last is not used and --min-time and/or --max-time is given instead, the
reports from the specified time range are ingested and the :offset property of the
associated it:exec:query node is not updated.
When --since-last is used, the --min-time and --max-time options are ignored.
Examples:
// Ingest the reports for Feb 12, 2024 to Feb 14, 2024
assemblyline.feed --min-time 2024-02-12 --max-time 2024-02-14
// Ingest all reports that completed in the last four days and yield the results
assemblyline.feed --min-time "-4days" --yield
// Use the stored value on the it:exec:query node to retrieve new results, and print any debug output
assemblyline.feed --since-last --debug
// Create a cron job to ingest new results every day
cron.add --name assemblyline.feed --hour 3 { assemblyline.feed --since-last }
Usage: assemblyline.feed [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
--no-ssl-verify : Ignore SSL certificate validation errors.
--min-time <min_time> : Specify the minimum time to limit feed results. (default: -24hours)
--max-time <max_time> : Specify the maximum time to limit feed results. (default: now)
--since-last : Retrieve results since the last run of the command with --since-last specified.
assemblyline.search
Search an AssemblyLine instance's "submission" index for reports matching a given search query.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Search for and ingest reports for files with the given hash, and yield the resulting nodes
assemblyline.search "files.sha256=8bd0c0428cfd81a374705bf1e852be9fee2defe77ad29c37580ddb5c509e38de" --yield
// Search for all reports for files ending in ".ps1" that contain more than 1 file and yield the created nodes
assemblyline.search "files.name:*.ps1" --filter "file_count:>1" --yield
Usage: assemblyline.search [options] <query>
Options:
--help : Display the command usage.
--filter <filter> : An optional filter string to limit results by.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
--no-ssl-verify : Ignore SSL certificate validation errors.
Arguments:
<query> : The query string.
assemblyline.setup.apikey
Manage the AssemblyLine API username and key.
Examples:
// Set a global AssemblyLine API username and key
assemblyline.setup.apikey visi abcd1234
// Set an AssemblyLine API username and key for the current user
assemblyline.setup.apikey --self visi abcd1234
// Display the API key scope of the current key
assemblyline.setup.apikey --show-scope
// Display the current API key.
assemblyline.setup.apikey --show-apikey
// Remove the current global API key.
assemblyline.setup.apikey --remove
// Remove the per-user API key for the current user.
assemblyline.setup.apikey --self --remove
Usage: assemblyline.setup.apikey [options] <apiuser> <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apiuser] : The API username string.
[apikey] : The API key string.
assemblyline.setup.endpoint
Set the AssemblyLine endpoint to send REST requests to.
Examples:
// Set a global API endpoint
assemblyline.setup.endpoint "https://assemblyline.vertex.link/"
// Display the currently configured endpoint
assemblyline.setup.endpoint --show-endpoint
// Remove the API endpoint
assemblyline.setup.endpoint --remove
Usage: assemblyline.setup.endpoint [options] <endpoint>
Options:
--help : Display the command usage.
--show-endpoint : Display the endpoint value.
--remove : Remove the configured endpoint.
Arguments:
[endpoint] : The AssemblyLine API endpoint to use.
assemblyline.setup.proxy
Manage the proxy the AssemblyLine Power-Up sends its API requests through.
Usage: assemblyline.setup.proxy [options] <proxy>
Options:
--help : Display the command usage.
--show-proxy : Display the proxy value.
--disable : Disable proxying entirely, bypassing any configured system proxy.
--remove : Remove the configured proxy url and use the default Cortex proxy setting.
Arguments:
[proxy] : A URL to proxy requests to.
assemblyline.setup.tagprefix
Set the tag prefix when recording AssemblyLine tags.
The default tag prefix is "rep.assemblyline" if not specified.
Any tags provided by the AssemblyLine API will be added within the given namespace.
For example, the AssemblyLine attribution "COBALT STRIKEBEACON" would result in
"rep.assemblyline.cobalt_strikebeacon".
Any characters incompatible with tag names are replaced with "_".
Examples:
// Set the Synapse-AssemblyLine tag prefix to "rep.assemblyline"
assemblyline.setup.tagprefix "rep.assemblyline"
Usage: assemblyline.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
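The normalisation described above (lower-case the AssemblyLine value, replace characters that are not valid in a tag with "_", and place the result under the configured prefix) as an added Python example. This is illustrative code written for this page, not the synapse-assemblyline package's own implementation; the exact set of characters it accepts in a tag component (lower-case letters, digits and underscore) and its treatment of "." as an incompatible character are assumptions inferred from the "COBALT STRIKEBEACON" example, not stated by the package.

```python
import re

# Added example, not the synapse-assemblyline package's own code.
DEFAULT_PREFIX = "rep.assemblyline"

# One Synapse tag component: lower-case letters, digits and underscores.
# Assumption: this is the character set the package treats as compatible.
_COMPONENT_RE = re.compile(r"^[a-z0-9_]+$")


def normalize_component(value: str) -> str:
    """Lower-case an AssemblyLine tag value and replace every
    incompatible character with '_'.

    '.' is replaced too (assumption), so a value such as an IP address
    stays a single tag level instead of expanding into a tag hierarchy.
    """
    return re.sub(r"[^a-z0-9_]", "_", value.lower())


def validate_prefix(prefix: str) -> str:
    """Reject a prefix that would not itself be a valid Synapse tag,
    e.g. one with upper-case letters or an empty component ("rep..al")."""
    parts = prefix.split(".")
    if not parts or any(not _COMPONENT_RE.match(part) for part in parts):
        raise ValueError(f"invalid tag prefix: {prefix!r}")
    return prefix


def assemblyline_tag(value: str, prefix: str = DEFAULT_PREFIX) -> str:
    """Return the Synapse tag recorded for an AssemblyLine-provided value
    under the given prefix (default 'rep.assemblyline')."""
    prefix = validate_prefix(prefix)
    component = normalize_component(value)
    if not component:
        raise ValueError("empty AssemblyLine tag value")
    return f"{prefix}.{component}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real AssemblyLine report.
    for sample in ("COBALT STRIKEBEACON", "Trojan/Win32.Agent", "1.2.3.4"):
        print(sample, "->", assemblyline_tag(sample))
```

Checking the prefix before use matters because assemblyline.setup.tagprefix accepts any string: a prefix that is not itself a valid tag would make every tag the package records invalid.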
assemblyline.submit
Post a file from the configured Axon to the configured AssemblyLine instance.
Examples:
// Post a set of files to AssemblyLine for processing, but do not wait for results
file:bytes#my.files | assemblyline.submit --debug
// Post a set of URLs to analyze, wait for analysis of all of them to complete, and yield the results
inet:url#my.urls | assemblyline.submit --wait
Usage: assemblyline.submit [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--no-ssl-verify : Ignore SSL certificate validation errors.
--wait : Block on analysis completion of a sample or samples and yield results.
Storm Modules
This package does not export any Storm APIs.