Package Documentation
Storm Package: synapse-cisco
The following commands are available from this package. This documentation is generated for version 0.2.0 of the package.
Storm Commands
This package implements the following Storm Commands.
cisco.sma.sample.search
Search for samples in Cisco Secure Malware Analytics.
By default this will display summary information about samples
matching the query. The ``--ingest`` option can be specified to ingest
the reports associated with the samples, and the ``--download``
option can be used to download the actual samples.
By default, only sample runs from the last 30 days will be returned;
use the ``--after`` and/or ``--before`` options to specify an alternate date range.
Examples:
// Search for samples with a specific sha256 hash
cisco.sma.sample.search --sha256 <sha256>
// Search for samples using file:bytes nodes
file:bytes#mysample | cisco.sma.sample.search --sha256 :sha256
Usage: cisco.sma.sample.search [options]
Options:
--help : Display the command usage.
--sha256 <sha256> : A sha256 hash to search for.
--sha1 <sha1> : A sha1 hash to search for.
--md5 <md5> : An md5 hash to search for.
--ids [<ids> ...] : Sample IDs to search for.
--after <after> : Filter by records created after a specific time.
--before <before> : Filter by records created before a specific time.
--org-only : Restrict results to those submitted by the API key user's organization.
--user-only : Restrict results to those submitted by the API key user.
--size <size> : Limit the number of results to the given size.
--ingest : Ingest the sandbox reports for the samples.
--download : Download the sample files.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
cisco.sma.sample.submit
Submit a sample to Cisco Secure Malware Analytics for analysis.
This command takes a file:bytes or hash:sha256 node as input and submits the
file from the Axon to Cisco Secure Malware Analytics for analysis. After
submitting the file, the command will wait for the analysis to be complete
and ingest the results. The ``--background`` option may be used to skip waiting
for the analysis to complete.
When submitting using a file:bytes node, the ``:name`` property from the node will
be used as the file name if available, otherwise the sha256 hash will be used.
Examples:
// Submit a file:bytes node for analysis
file:bytes:name="cobalt.zip" | cisco.sma.sample.submit
// Submit a file using a hash:sha256 node and do not wait for results
hash:sha256#my.malware | cisco.sma.sample.submit --background
Usage: cisco.sma.sample.submit [options]
Options:
--help : Display the command usage.
--tags <tags> : Tags to apply to this sample in Cisco SMA.
--playbook <playbook> : Name of a playbook to apply to this sample run.
--private : Mark this sample as private.
--classify : Submit to the Malware Analytics classification service, and only analyze if it is considered interesting.
--sample-password <sample_password> : Password used to open the submitted archive or document.
--vm <vm> : A string identifying a specific VM to use.
--network-exit <network_exit> : Specify the network exit location for any outgoing network traffic that is generated during the analysis.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--background : Do not wait for the sample run to complete.
cisco.sma.setup.apikey
Manage the Cisco SMA API key.
Examples:
// Set a global Cisco SMA API key
cisco.sma.setup.apikey abcd1234
// Set a Cisco SMA API key for the current user
cisco.sma.setup.apikey --self abcd1234
// Display the API key scope of the current key
cisco.sma.setup.apikey --show-scope
// Display the current API key.
cisco.sma.setup.apikey --show-apikey
// Remove the current global API key.
cisco.sma.setup.apikey --remove
// Remove the per-user API key for the current user.
cisco.sma.setup.apikey --self --remove
Usage: cisco.sma.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The API key string.
cisco.sma.setup.tagprefix
Set the tag prefix used when recording Cisco SMA tags.
The default tag prefix is "rep.cisco.sma" if not specified.
Any tags provided by the Cisco SMA API will be added within the given namespace.
For example, the tag "obfuscation" would result in "#rep.cisco.sma.obfuscation".
Any characters incompatible with tag names are replaced with "_".
Usage: cisco.sma.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
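The tag namespacing described above, as an added example that is not part of the synapse-cisco package code: it maps tag strings returned by the Cisco SMA API into the configured prefix and replaces incompatible characters with "_". It assumes Synapse tag parts are lowercase and limited to [a-z0-9_] (the page states only the "_" replacement), and the sample API tags are constructed.

```python
import re

# Assumed Synapse tag rules (not stated on this page): tags are lowercase and
# each dot-separated part may contain only letters, digits and underscores.
_TAG_PART_OK = re.compile(r'^[a-z0-9_]+$')
_BAD_CHAR = re.compile(r'[^a-z0-9_]')

# Default prefix from the cisco.sma.setup.tagprefix documentation.
DEFAULT_PREFIX = 'rep.cisco.sma'

# Constructed sample of tag strings as an analysis API might return them.
SAMPLE_API_TAGS = ['obfuscation', 'Process Injection', 'anti-vm', 'C2/beacon']


def normalize_prefix(prefix: str) -> str:
    """Validate a tag prefix such as the argument to cisco.sma.setup.tagprefix."""
    prefix = prefix.lstrip('#').lower()
    parts = prefix.split('.')
    if not parts or not all(_TAG_PART_OK.match(p) for p in parts):
        raise ValueError(f'invalid tag prefix: {prefix!r}')
    return prefix


def sma_tag(api_tag: str, prefix: str = DEFAULT_PREFIX) -> str:
    """Return the Storm tag for one API tag placed under the prefix namespace.

    Every character outside [a-z0-9_] (including dots, so each API tag becomes a
    single leaf under the prefix; an assumption) is replaced with "_" after
    lowercasing.
    """
    prefix = normalize_prefix(prefix)
    cleaned = _BAD_CHAR.sub('_', api_tag.strip().lower())
    if not cleaned:
        raise ValueError('empty API tag')
    return f'#{prefix}.{cleaned}'


def namespace_tags(api_tags, prefix: str = DEFAULT_PREFIX) -> list:
    """Map a list of API tags to Storm tags, dropping duplicates after cleaning."""
    seen = set()
    out = []
    for tag in api_tags:
        storm_tag = sma_tag(tag, prefix)
        if storm_tag not in seen:
            seen.add(storm_tag)
            out.append(storm_tag)
    return out


if __name__ == '__main__':
    for t in namespace_tags(SAMPLE_API_TAGS):
        print(t)
```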
cisco.sma.setup.url
Manage the Cisco SMA API URL.
By default, the base API URL used will be https://panacea.threatgrid.com.
Examples:
// Set the Cisco SMA API URL
cisco.sma.setup.url https://panacea.threatgrid.eu
// Display the current API URL.
cisco.sma.setup.url --show-url
// Remove the current API URL.
cisco.sma.setup.url --remove
Usage: cisco.sma.setup.url [options] <url>
Options:
--help : Display the command usage.
--show-url : Display the API URL value.
--remove : Remove the configured API URL.
Arguments:
[url] : The base API URL.
Storm Modules
This package does not export any Storm APIs.