Package Documentation

Storm Package: synapse-cybersixgill

The following Commands are available from this package. This documentation is generated for version 0.5.1 of the package.

Storm Commands

This package implements the following Storm Commands.

cybersixgill.credentials.leaks

Query the Cybersixgill Credentials Leaks API.

This command takes inet:fqdn or inet:email nodes as input and queries the Credentials Leaks
API to retrieve leaked credential information by domain or email address.

Examples:

  // Query credential leaks by domain
  inet:fqdn=vertex.link | cybersixgill.credentials.leaks

  // Query credential leaks by email address
  inet:[email protected] | cybersixgill.credentials.leaks


Usage: cybersixgill.credentials.leaks [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --start <start>             : Specify the start date/time to search from. (default: -30days)
  --end <end>                 : Specify the end date/time to search to. (default: now)

cybersixgill.cve.enrich

Query the DVE Enrichment API for information on CVEs.

This command takes it:sec:cve or risk:vuln nodes as input and queries the
DVE Enrichment API to retrieve additional CVE information. If a risk:vuln is provided
and :reporter:name!=cybersixgill a new risk:vuln node will be created.

You may also query by providing a CVE identifier to the --cve argument.

Examples:

  // Enrich an it:sec:cve node
  it:sec:cve=CVE-2020-0796 | cybersixgill.cve.enrich --yield

  // Specify a CVE with --cve
  cybersixgill.cve.enrich --cve CVE-2020-0796 --yield


Usage: cybersixgill.cve.enrich [options]

Options:

  --help                      : Display the command usage.
  --cve <cve>                 : Specify a CVE to get data for.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.

cybersixgill.intel.items

Query the Cybersixgill Intel Items API.

Note: The default time range is the last seven days (start: -7days to end:
now). These values were selected to maximize the chance of a successful
response from the API. If selecting a larger time range, especially with a
broad query, be aware of possible failures due to API timeouts.

This command will also create an it:exec:query node to represent the query options,
and will link resulting nodes to it via -(found)> edges.

Examples:

  // Query for qakbot, limit to 100 nodes, and yield the results
  cybersixgill.intel.items qakbot --size 100 --yield

  // Query for qakbot but only repository typed items, in the last 10 days
  cybersixgill.intel.items "qakbot AND type:repository" --start "-10days"


Usage: cybersixgill.intel.items [options] <query>

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --start <start>             : Specify the start date/time to search from. (default: -7days)
  --end <end>                 : Specify the end date/time to search to. (default: now)

Arguments:

  <query>                     : The search query.

cybersixgill.iocs

Query the Dark Feed Enrichment API for information on IOCs.

This command takes inet:fqdn, inet:ipv4, inet:url, hash:md5, hash:sha1, hash:sha256,
or file:bytes nodes as input and queries the the Dark Feed Enrichment API to retrieve
additional IOC information.

You may also search for IOCs based on actor names and sixgill post IDs by specifying
--field <name>=<value> where "name" is either "actor" or "post_id", and value is
the value to search for.

This command will also create an it:exec:query node to represent the query syntax and
link resulting IOC nodes to it via -(found)> edges. If an inbound node is used to
search, a -(refs)> edge will also be added from the query node to the inbound node.

Note: Channel ID d5cd46c205c20c87006b55a18b106428 is used when querying the API.

Examples:

  // Enrich an md5 hash
  hash:md5=ad49374e3c72613023fe420f0d6010d9 | cybersixgill.iocs --yield

  // Search for IOCs by actor name
  cybersixgill.iocs --yield --field actor=james


Usage: cybersixgill.iocs [options]

Options:

  --help                      : Display the command usage.
  --field <field>             : Search for a sixgill field in <name>=<value> format, where "name" is "actor" or "post_id".
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.

cybersixgill.setup.apikey

Manage the Cybersixgill client id and secret.

Examples

    // Set a global Cybersixgill client id and secret
    cybersixgill.setup.apikey client_id client_secret

    // Set a Cybersixgill client id and secret for the current user
    cybersixgill.setup.apikey --self client_id client_secret

    // Display the client id and secret scope of the current key
    cybersixgill.setup.apikey --show-scope

    // Display the current client id and secret.
    cybersixgill.setup.apikey --show-apikey

    // Remove the current global client id and secret.
    cybersixgill.setup.apikey --remove

    // Remove the per-user client id and secret for the current user.
    cybersixgill.setup.apikey --self --remove


Usage: cybersixgill.setup.apikey [options] <clientid> <clientsecret>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove as user variables. If not used, set globally.
  --show-scope                : Display the client id and secret scope in use (global vs self).
  --show-apikey               : Display the client id and secret values (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured client id and secret. May be used with --self.

Arguments:

  [clientid]                  : The client id string.
  [clientsecret]              : The client secret string.

cybersixgill.setup.tagprefix

Set the tag prefix used when recording Cybersixgill tags.
The default tag prefix is "rep.cybersixgill" if not specified.

Any labels provided by the Cybersixgill API will be added within the given namespace.
For example, the label "malware" would result in a "#rep.cybersixgill.malware" tag. Any
characters incompatible with tag names are replaced with "_".


Usage: cybersixgill.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

Storm Modules

This package does not export any Storm APIs.