Package Documentation

Storm Package: synapse-cybersixgill

The following Commands are available from this package. This documentation is generated for version 0.3.0 of the package.

Storm Commands

This package implements the following Storm Commands.

cybersixgill.cve.enrich

Query the DVE Enrichment API for information on CVEs.

This command takes it:sec:cve or risk:vuln nodes as input and queries the
DVE Enrichment API to retrieve additional CVE information.

You may also query by providing a CVE identifier to the --cve argument.

Examples:

  // Enrich an it:sec:cve node
  it:sec:cve=CVE-2020-0796 | cybersixgill.cve.enrich --yield

  // Specify a CVE with --cve
  cybersixgill.cve.enrich --cve CVE-2020-0796 --yield


Usage: cybersixgill.cve.enrich [options]

Options:

  --help                      : Display the command usage.
  --cve <cve>                 : Specify a CVE to get data for.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.

cybersixgill.iocs

Query the Dark Feed Enrichment API for information on IOCs.

This command takes inet:fqdn, inet:ipv4, inet:url, hash:md5, hash:sha1, hash:sha256,
or file:bytes nodes as input and queries the Dark Feed Enrichment API to retrieve
additional IOC information.

You may also search for IOCs based on actor names and sixgill post IDs by specifying
--field <name>=<value> where "name" is either "actor" or "post_id", and value is
the value to search for.

This command will also create an it:exec:query node to represent the query syntax and
link resulting IOC nodes to it via -(found)> edges. If an inbound node is used to
search, a -(refs)> edge will also be added from the query node to the inbound node.

Note: Channel ID d5cd46c205c20c87006b55a18b106428 is used when querying the API.

Examples:

  // Enrich an md5 hash
  hash:md5=ad49374e3c72613023fe420f0d6010d9 | cybersixgill.iocs --yield

  // Search for IOCs by actor name
  cybersixgill.iocs --yield --field actor=james
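
  // Added example, not part of the package documentation: pivot through the
  // it:exec:query node that cybersixgill.iocs creates. The hash value, the
  // --size limit, and the "rep.cybersixgill" tag prefix (the documented
  // default) are illustrative assumptions.

```storm
// 1. Enrich an inbound hash, capping ingest at 50 results for this node.
hash:md5=ad49374e3c72613023fe420f0d6010d9 | cybersixgill.iocs --yield --size 50

// 2. Lift the query nodes this package recorded and walk the -(found)> edges
//    to the IOC nodes each query produced, keeping only Cybersixgill-tagged ones.
it:exec:query -(found)> * | +#rep.cybersixgill

// 3. From a tagged FQDN, walk the -(found)> edge backwards to the query that
//    returned it, then follow the query's -(refs)> edge to the inbound node
//    that was used to search (only present when a node was piped in).
inet:fqdn#rep.cybersixgill <(found)- it:exec:query -(refs)> *

// 4. Actor searches have no inbound node, so only -(found)> edges are created.
cybersixgill.iocs --field actor=james | it:exec:query -(found)> *
```

  Step 2 lifts every it:exec:query node in the view, not only those made by
  this package; narrow the lift if other packages also record queries.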


Usage: cybersixgill.iocs [options]

Options:

  --help                      : Display the command usage.
  --field <field>             : Search for a sixgill field in <name>=<value> format, where "name" is "actor" or "post_id".
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.

cybersixgill.setup.apikey

Manage the Cybersixgill client id and secret.

Examples:

    // Set a global Cybersixgill client id and secret
    cybersixgill.setup.apikey client_id client_secret

    // Set a Cybersixgill client id and secret for the current user
    cybersixgill.setup.apikey --self client_id client_secret

    // Display the client id and secret scope of the current key
    cybersixgill.setup.apikey --show-scope

    // Display the current client id and secret.
    cybersixgill.setup.apikey --show-apikey

    // Remove the current global client id and secret.
    cybersixgill.setup.apikey --remove

    // Remove the per-user client id and secret for the current user.
    cybersixgill.setup.apikey --self --remove


Usage: cybersixgill.setup.apikey [options] <clientid> <clientsecret>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove as user variables. If not used, set globally.
  --show-scope                : Display the client id and secret scope in use (global vs self).
  --show-apikey               : Display the client id and secret values (requires admin permissions or a "self" scope key).
  --remove                    : Remove the configured client id and secret. May be used with --self.

Arguments:

  [clientid]                  : The client id string.
  [clientsecret]              : The client secret string.

cybersixgill.setup.tagprefix

Set the tag prefix used when recording Cybersixgill tags.
The default tag prefix is "rep.cybersixgill" if not specified.

Any labels provided by the Cybersixgill API will be added within the given namespace.
For example, the label "malware" would result in a "#rep.cybersixgill.malware" tag. Any
characters incompatible with tag names are replaced with "_".


Usage: cybersixgill.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.