User Guide

Synapse-AssemblyLine User Guide

Synapse-AssemblyLine adds Storm commands that query the AssemblyLine API using your existing AssemblyLine API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal Username and API key

To set up a personal API key (stored for the current Synapse user only):

> assemblyline.setup.apikey --self myapiuser myapikey
Setting AssemblyLine API username and key for the current user.

Setting the tag prefix

To configure the base tag to use when tagging samples:

> assemblyline.setup.tagprefix "rep.assemblyline"
Setting AssemblyLine tag prefix to rep.assemblyline.

To set the base tag, the permission globals.set.assemblyline:tag:prefix must be granted to your user or role. Contact your Admin to enable this permission.

Enriching Nodes

To enrich a file:bytes node with the latest report in the configured AssemblyLine instance. In this and the following examples, --yield emits the nodes created from the report rather than the inbound nodes, and --size caps the number of results ingested. The --no-ssl-verify option disables TLS certificate verification for the connection to AssemblyLine; use it only against a lab instance whose certificate cannot be validated, and omit it against a production instance with a trusted certificate:

> file:bytes#to.enrich | assemblyline.enrich --yield --size 3 --no-ssl-verify
file:bytes=sha256:db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
        .created = 2024/05/08 16:13:18.093
        :md5 = 5746bd7e255dd6a8afa06f7c42c1ba41
        :sha1 = 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
        :sha256 = db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
        :size = 345088
        #to.enrich
inet:fqdn=schemas.microsoft.com
        .created = 2024/05/08 16:13:18.600
        :domain = microsoft.com
        :host = schemas
        :issuffix = false
        :iszone = false
        :zone = microsoft.com
inet:url=http://schemas.microsoft.com/SMI/2005/WindowsSettings
        .created = 2024/05/08 16:13:18.639
        :base = http://schemas.microsoft.com/SMI/2005/WindowsSettings
        :fqdn = schemas.microsoft.com
        :params =
        :path = /SMI/2005/WindowsSettings
        :port = 80
        :proto = http

To enrich an inet:url node with the latest report in the configured AssemblyLine instance:

> inet:url#to.enrich | assemblyline.enrich --yield --size 3 --no-ssl-verify
file:bytes=sha256:1110a3b0441be8dcb0286d7a2ea24fed4ce3744a183e290ba79a75717baac812
        .created = 2024/05/08 16:13:19.013
        :md5 = 1d4eb75aefecc669859d4bb01dcbac21
        :sha1 = 8b675916c58edcfb7c8f38db236c9e1bfe27d125
        :sha256 = 1110a3b0441be8dcb0286d7a2ea24fed4ce3744a183e290ba79a75717baac812
        :size = 148
inet:fqdn=match.adsrvr.org
        .created = 2024/05/08 16:13:19.091
        :domain = adsrvr.org
        :host = match
        :issuffix = false
        :iszone = false
        :zone = adsrvr.org
inet:fqdn=2funit42.paloaltonetworks.com
        .created = 2024/05/08 16:13:19.129
        :domain = paloaltonetworks.com
        :host = 2funit42
        :issuffix = false
        :iszone = false
        :zone = paloaltonetworks.com

Get Submissions by ID

To retrieve a specific submission report and ontology via an ID:

> assemblyline.byid "78USm5gT2v4r3IBIG5yWF1" --yield --size 3 --no-ssl-verify
file:bytes=sha256:1110a3b0441be8dcb0286d7a2ea24fed4ce3744a183e290ba79a75717baac812
        .created = 2024/05/08 16:13:19.013
        :md5 = 1d4eb75aefecc669859d4bb01dcbac21
        :sha1 = 8b675916c58edcfb7c8f38db236c9e1bfe27d125
        :sha256 = 1110a3b0441be8dcb0286d7a2ea24fed4ce3744a183e290ba79a75717baac812
        :size = 148
inet:fqdn=match.adsrvr.org
        .created = 2024/05/08 16:13:19.091
        :domain = adsrvr.org
        :host = match
        :issuffix = false
        :iszone = false
        :zone = adsrvr.org
inet:fqdn=2funit42.paloaltonetworks.com
        .created = 2024/05/08 16:13:19.129
        :domain = paloaltonetworks.com
        :host = 2funit42
        :issuffix = false
        :iszone = false
        :zone = paloaltonetworks.com

Searching Submissions

To search the configured AssemblyLine instance’s Submission index using AssemblyLine’s own search syntax:

> assemblyline.search "files.name:*.ps1" --filter "file_count:1" --yield --no-ssl-verify --size 3
file:bytes=sha256:dad42acaceb845bc18d8530ad5663a770ad222646c52ae495042580b3857a140
        .created = 2024/05/08 16:13:19.866
        :md5 = ab20b0eb0c420beb74ddbc5a69e31b85
        :sha1 = 5d9f173e665a92098f85041f5b7a48d97b20f1fa
        :sha256 = dad42acaceb845bc18d8530ad5663a770ad222646c52ae495042580b3857a140
        :size = 1114
file:bytes=sha256:d744879999e407c9b1ce1438d9d1747086c02f8998885e8bddb47fdb5343303a
        .created = 2024/05/08 16:13:20.403
        :md5 = 0a4fac5368cbb1878fa439542be44253
        :sha1 = 133e97f9b8a0fbace979287c0f69a0bf7bcfca59
        :sha256 = d744879999e407c9b1ce1438d9d1747086c02f8998885e8bddb47fdb5343303a
        :size = 13975
inet:fqdn=security.cryptography.md
        .created = 2024/05/08 16:13:20.506
        :domain = cryptography.md
        :host = security
        :issuffix = false
        :iszone = false
        :zone = cryptography.md

Ingesting Submission Feeds

To ingest the completed submission reports and their matching ontologies for a specific time period:

> assemblyline.feed --min-time 2024-02-12 --max-time 2024-02-15 --yield --size 3 --no-ssl-verify
file:bytes=sha256:fd3e8f25167d78dbb961eebf7428a295f6c6d389080de0cdf5c063bf4d1ff494
        .created = 2024/05/08 16:13:20.947
        :md5 = 8d55caaf1d1bea44301b4f6cb2b3ce3f
        :sha1 = cc7370c219da960c53da806c9c15c7be0ff428f9
        :sha256 = fd3e8f25167d78dbb961eebf7428a295f6c6d389080de0cdf5c063bf4d1ff494
inet:url=https://vertex.link/blogs/intel-sharing-sinkhole-research/
        .created = 2024/05/08 16:13:20.996
        :base = https://vertex.link/blogs/intel-sharing-sinkhole-research/
        :fqdn = vertex.link
        :params =
        :path = /blogs/intel-sharing-sinkhole-research/
        :port = 443
        :proto = https
file:bytes=sha256:2258a525aa1fdbc6f4820616dd3db7ba164bd795caab6f77c8b7d3d9618dc968
        .created = 2024/05/08 16:13:17.755
        :md5 = 96eab6b08e69e72849196f413f8fe2f7
        :sha1 = dca29b98bdc5f021fad4967504318dd7d37b5c86
        :sha256 = 2258a525aa1fdbc6f4820616dd3db7ba164bd795caab6f77c8b7d3d9618dc968
        :size = 1024

Downloading Files

To download a file into the configured Axon:

> file:bytes#to.download | assemblyline.download --yield --no-ssl-verify
file:bytes=sha256:bb38e04ca01881df5e6b92e2231f3173ee6d610b32af3068e8fe6b001c51a10f
        .created = 2024/05/08 16:13:21.330
        :md5 = d174dcfb35c14d5fcaa086d2c864ae61
        :sha1 = 7efbb1a5408a6dc09a965a79f7daa516833e4858
        :sha256 = bb38e04ca01881df5e6b92e2231f3173ee6d610b32af3068e8fe6b001c51a10f
        :sha512 = 78eec7b45a7a4bc704786d46a5745144396ce5ec6ce0854d9061f795a8f29ce140f4db18c865a0ae4d72ffe7d8520f58476013e1068d8849bcb3237fc3ce5bee
        :size = 39584
        #to.download

Submitting Files for Analysis

To submit a URL for analysis and wait for the results:

> inet:url#to.submit.wait | assemblyline.submit --no-ssl-verify --wait
inet:url=https://vertex.link/blogs/intel-sharing-sinkhole-research/
        .created = 2024/05/08 16:13:20.996
        :base = https://vertex.link/blogs/intel-sharing-sinkhole-research/
        :fqdn = vertex.link
        :params =
        :path = /blogs/intel-sharing-sinkhole-research/
        :port = 443
        :proto = https
        #to.submit.wait
file:bytes=sha256:fd3e8f25167d78dbb961eebf7428a295f6c6d389080de0cdf5c063bf4d1ff494
        .created = 2024/05/08 16:13:20.947
        :md5 = 8d55caaf1d1bea44301b4f6cb2b3ce3f
        :mime = text/plain
        :sha1 = cc7370c219da960c53da806c9c15c7be0ff428f9
        :sha256 = fd3e8f25167d78dbb961eebf7428a295f6c6d389080de0cdf5c063bf4d1ff494
inet:url=https://vertex.link/blogs/intel-sharing-sinkhole-research/
        .created = 2024/05/08 16:13:20.996
        :base = https://vertex.link/blogs/intel-sharing-sinkhole-research/
        :fqdn = vertex.link
        :params =
        :path = /blogs/intel-sharing-sinkhole-research/
        :port = 443
        :proto = https
        #to.submit.wait

To submit a file that exists in the configured Axon for analysis:

> file:bytes#to.submit.nowait | assemblyline.submit --no-ssl-verify
Successfully submitted 2258a525aa1fdbc6f4820616dd3db7ba164bd795caab6f77c8b7d3d9618dc968 for analysis
file:bytes=sha256:2258a525aa1fdbc6f4820616dd3db7ba164bd795caab6f77c8b7d3d9618dc968
        .created = 2024/05/08 16:13:17.755
        :md5 = 96eab6b08e69e72849196f413f8fe2f7
        :sha1 = dca29b98bdc5f021fad4967504318dd7d37b5c86
        :sha256 = 2258a525aa1fdbc6f4820616dd3db7ba164bd795caab6f77c8b7d3d9618dc968
        :size = 1024
        #to.submit.nowait

Use of meta:source nodes

Synapse-AssemblyLine uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the AssemblyLine API.

> meta:source=6771e8d8fc54583c2cebc1ab9e7bd9bd
meta:source=6771e8d8fc54583c2cebc1ab9e7bd9bd
        .created = 2024/05/08 16:13:18.354
        :name = assemblyline api
        :type = synapse.assemblyline

Storm can filter a query to include or exclude nodes that have been observed by Synapse-AssemblyLine. The following example keeps only the results of a lift that have a -(seen)> edge from the Synapse-AssemblyLine meta:source node:

> #cool.tag.lift +{ <(seen)- meta:source=6771e8d8fc54583c2cebc1ab9e7bd9bd }
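The -(seen)> edges also make it possible to combine the enrichment and meta:source sections above into a single triage workflow. The following Storm is an added example and is not part of the power-up's own documentation; it assumes the meta:source guid 6771e8d8fc54583c2cebc1ab9e7bd9bd shown above and a hypothetical triage tag #my.review, both of which you should adjust for your Cortex. Each numbered query runs on its own.

```storm
// Added example, not from the Synapse-AssemblyLine docs.
// Assumes the meta:source guid from the section above and a
// hypothetical tag #my.review; change both for your Cortex.

// 1. Enrich only the tagged files that AssemblyLine has NOT already
//    reported on (no -(seen)> edge from the power-up's meta:source),
//    keep just the network indicators from the report, and tag them
//    for analyst review.
file:bytes#to.enrich
-{ <(seen)- meta:source=6771e8d8fc54583c2cebc1ab9e7bd9bd }
| assemblyline.enrich --yield --size 3
| +(inet:fqdn or inet:url)
| [ +#my.review.assemblyline ]

// 2. Exclude anything AssemblyLine observed from a separate lift, the
//    complement of the include filter shown in the section above.
#cool.tag.lift -{ <(seen)- meta:source=6771e8d8fc54583c2cebc1ab9e7bd9bd }

// 3. Walk from the meta:source to every node the power-up has ingested,
//    then narrow to the files, e.g. to audit what the feed command pulled in.
meta:source=6771e8d8fc54583c2cebc1ab9e7bd9bd -(seen)> * | +file:bytes
```

Query 1 avoids re-spending API calls on samples the power-up has already seen, which matters when assemblyline.enrich is scheduled against a large tag. Query 3 is a useful check after assemblyline.feed: the set of nodes with a -(seen)> edge from the meta:source is exactly the set Synapse-AssemblyLine created or touched, independent of whatever tag prefix was configured at the time.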