Package Documentation
Storm Package: synapse-cybersixgill
The following Commands are available from this package. This documentation is generated for version 0.3.0 of the package.
Storm Commands
This package implements the following Storm Commands.
cybersixgill.cve.enrich
Query the DVE Enrichment API for information on CVEs.
This command takes it:sec:cve or risk:vuln nodes as input and queries the
DVE Enrichment API to retrieve additional CVE information.
You may also query by providing a CVE identifier to the --cve argument.
Examples:
// Enrich an it:sec:cve node
it:sec:cve=CVE-2020-0796 | cybersixgill.cve.enrich --yield
// Specify a CVE with --cve
cybersixgill.cve.enrich --cve CVE-2020-0796 --yield
Usage: cybersixgill.cve.enrich [options]
Options:
--help : Display the command usage.
--cve <cve> : Specify a CVE to get data for.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
cybersixgill.iocs
Query the Dark Feed Enrichment API for information on IOCs.
This command takes inet:fqdn, inet:ipv4, inet:url, hash:md5, hash:sha1, hash:sha256,
or file:bytes nodes as input and queries the the Dark Feed Enrichment API to retrieve
additional IOC information.
You may also search for IOCs based on actor names and sixgill post IDs by specifying
--field <name>=<value> where "name" is either "actor" or "post_id", and value is
the value to search for.
This command will also create an it:exec:query node to represent the query syntax and
link resulting IOC nodes to it via -(found)> edges. If an inbound node is used to
search, a -(refs)> edge will also be added from the query node to the inbound node.
Note: Channel ID d5cd46c205c20c87006b55a18b106428 is used when querying the API.
Examples:
// Enrich an md5 hash
hash:md5=ad49374e3c72613023fe420f0d6010d9 | cybersixgill.iocs --yield
// Search for IOCs by actor name
cybersixgill.iocs --yield --field actor=james
Usage: cybersixgill.iocs [options]
Options:
--help : Display the command usage.
--field <field> : Search for a sixgill field in <name>=<value> format, where "name" is "actor" or "post_id".
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
cybersixgill.setup.apikey
Manage the Cybersixgill client id and secret.
Examples
// Set a global Cybersixgill client id and secret
cybersixgill.setup.apikey client_id client_secret
// Set a Cybersixgill client id and secret for the current user
cybersixgill.setup.apikey --self client_id client_secret
// Display the client id and secret scope of the current key
cybersixgill.setup.apikey --show-scope
// Display the current client id and secret.
cybersixgill.setup.apikey --show-apikey
// Remove the current global client id and secret.
cybersixgill.setup.apikey --remove
// Remove the per-user client id and secret for the current user.
cybersixgill.setup.apikey --self --remove
Usage: cybersixgill.setup.apikey [options] <clientid> <clientsecret>
Options:
--help : Display the command usage.
--self : Set or remove as user variables. If not used, set globally.
--show-scope : Display the client id and secret scope in use (global vs self).
--show-apikey : Display the client id and secret values (requires admin perms or a "self" scope key).
--remove : Remove the configured client id and secret. May be used with --self.
Arguments:
[clientid] : The client id string.
[clientsecret] : The client secret string.
cybersixgill.setup.tagprefix
Set the tag prefix used when recording Cybersixgill tags.
The default tag prefix is "rep.cybersixgill" if not specified.
Any labels provided by the Cybersixgill API will be added within the given namespace.
For example, the label "malware" would result in a "#rep.cybersixgill.malware" tag. Any
characters incompatible with tag names are replaced with "_".
Usage: cybersixgill.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.