Package Documentation
Storm Package: synapse-cybersixgill
The following Commands are available from this package. This documentation is generated for version 1.0.0 of the package.
Storm Commands
This package implements the following Storm Commands.
cybersixgill.credentials.leaks
Query the Cybersixgill Credentials Leaks API.
This command takes inet:fqdn or inet:email nodes as input and queries the Credentials Leaks
API to retrieve leaked credential information by domain or email address.
Examples:
// Query credential leaks by domain
inet:fqdn=vertex.link | cybersixgill.credentials.leaks
// Query credential leaks by email address
inet:email=blackout@vertex.link | cybersixgill.credentials.leaks
Usage: cybersixgill.credentials.leaks [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--start <start> : Specify the start date/time to search from. (default: -30days)
--end <end> : Specify the end date/time to search to. (default: now)
Inputs:
inet:email : inet:email nodes
inet:fqdn : inet:fqdn nodes
The command is accessible to users with one or more of the following permissions:
power-ups.cybersixgill.user
cybersixgill.cve.enrich
Query the DVE Enrichment API for information on CVEs.
This command takes it:sec:cve or risk:vuln nodes as input and queries the
DVE Enrichment API to retrieve additional CVE information. If a risk:vuln is provided
whose :reporter:name is not cybersixgill, a new risk:vuln node will be created.
You may also query by providing a CVE identifier to the --cve argument.
Examples:
// Enrich an it:sec:cve node
it:sec:cve=CVE-2020-0796 | cybersixgill.cve.enrich --yield
// Specify a CVE with --cve
cybersixgill.cve.enrich --cve CVE-2020-0796 --yield
Usage: cybersixgill.cve.enrich [options]
Options:
--help : Display the command usage.
--cve <cve> : Specify a CVE to get data for.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
Inputs:
it:sec:cve : it:sec:cve nodes
risk:vuln : risk:vuln nodes
The command is accessible to users with one or more of the following permissions:
power-ups.cybersixgill.user
cybersixgill.intel.items
Query the Cybersixgill Intel Items API.
Note: The default time range is the last seven days (start: -7days to end:
now). These values were selected to maximize the chance of a successful
response from the API. If selecting a larger time range, especially with a
broad query, be aware of possible failures due to API timeouts.
This command will also create an it:exec:query node to represent the query options,
and will link resulting nodes to it via -(found)> edges.
Examples:
// Query for qakbot, limit to 100 nodes, and yield the results
cybersixgill.intel.items qakbot --size 100 --yield
// Query for qakbot but only repository typed items, in the last 10 days
cybersixgill.intel.items "qakbot AND type:repository" --start "-10days"
Usage: cybersixgill.intel.items [options] <query>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--start <start> : Specify the start date/time to search from. (default: -7days)
--end <end> : Specify the end date/time to search to. (default: now)
Arguments:
<query> : The search query.
The command is accessible to users with one or more of the following permissions:
power-ups.cybersixgill.user
cybersixgill.intel.items.byid
Query the Cybersixgill Intel Items API by item ID.
Examples:
// Query for an intel item by ID
cybersixgill.intel.items.byid aWxtLWltLTAwMDQzN185YWZmM2QyMzJlMzE3ZmY4ZmEzMTA1ZWNlZTVmMzg1ZGNiNmQzYTIz
Usage: cybersixgill.intel.items.byid [options] <id>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
Arguments:
<id> : The item ID to query.
The command is accessible to users with one or more of the following permissions:
power-ups.cybersixgill.user
cybersixgill.iocs
Query the Dark Feed Enrichment API for information on IOCs.
This command takes inet:fqdn, inet:ipv4, inet:url, hash:md5, hash:sha1, hash:sha256,
or file:bytes nodes as input and queries the Dark Feed Enrichment API to retrieve
additional IOC information.
You may also search for IOCs based on actor names and sixgill post IDs by specifying
--field <name>=<value> where "name" is either "actor" or "post_id", and value is
the value to search for.
This command will also create an it:exec:query node to represent the query syntax and
link resulting IOC nodes to it via -(found)> edges. If an inbound node is used to
search, a -(refs)> edge will also be added from the query node to the inbound node.
Note: Channel ID d5cd46c205c20c87006b55a18b106428 is used when querying the API.
Examples:
// Enrich an md5 hash
hash:md5=ad49374e3c72613023fe420f0d6010d9 | cybersixgill.iocs --yield
// Search for IOCs by actor name
cybersixgill.iocs --yield --field actor=james
Usage: cybersixgill.iocs [options]
Options:
--help : Display the command usage.
--field <field> : Search for a sixgill field in <name>=<value> format, where "name" is "actor" or "post_id".
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
Inputs:
file:bytes : file:bytes nodes
hash:md5 : hash:md5 nodes
hash:sha1 : hash:sha1 nodes
hash:sha256 : hash:sha256 nodes
inet:fqdn : inet:fqdn nodes
inet:ipv4 : inet:ipv4 nodes
inet:url : inet:url nodes
The command is accessible to users with one or more of the following permissions:
power-ups.cybersixgill.user
cybersixgill.setup.apikey
Manage the Cybersixgill client id and secret.
Examples:
// Set a global Cybersixgill client id and secret
cybersixgill.setup.apikey client_id client_secret
// Set a Cybersixgill client id and secret for the current user
cybersixgill.setup.apikey --self client_id client_secret
// Display the client id and secret scope of the current key
cybersixgill.setup.apikey --show-scope
// Display the current client id and secret.
cybersixgill.setup.apikey --show-apikey
// Remove the current global client id and secret.
cybersixgill.setup.apikey --remove
// Remove the per-user client id and secret for the current user.
cybersixgill.setup.apikey --self --remove
Usage: cybersixgill.setup.apikey [options] <clientid> <clientsecret>
Options:
--help : Display the command usage.
--self : Set or remove as user variables. If not used, set globally.
--show-scope : Display the client id and secret scope in use (global vs self).
--show-apikey : Display the client id and secret values (requires admin perms or a "self" scope key).
--remove : Remove the configured client id and secret. May be used with --self.
Arguments:
[clientid] : The client id string.
[clientsecret] : The client secret string.
The command is accessible to users with one or more of the following permissions:
power-ups.cybersixgill.user
cybersixgill.setup.tagprefix
Set the tag prefix used when recording Cybersixgill tags.
The default tag prefix is "rep.cybersixgill" if not specified.
Any labels provided by the Cybersixgill API will be added within the given namespace.
For example, the label "malware" would result in a "#rep.cybersixgill.malware" tag. Any
characters incompatible with tag names are replaced with "_".
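The tag construction described above, written out as an added Python example (this is not code from the synapse-cybersixgill package itself). It assumes, since the page does not say, that a tag part may contain only lowercase letters, digits and underscores, so spaces, slashes, hyphens and dots in a label are the "incompatible" characters replaced with "_". The de-duplication helper shows the caveat this replacement introduces: distinct labels such as "c2-server" and "c2 server" collapse to the same tag, so anything keyed on tags should not assume a one-to-one mapping back to API labels.

```python
import re

# Default prefix as stated in the cybersixgill.setup.tagprefix documentation.
DEFAULT_TAG_PREFIX = "rep.cybersixgill"

# Assumption (not stated on the page): a tag part may only contain lowercase
# letters, digits and underscores. Anything else is treated as incompatible.
_BAD_CHARS = re.compile(r"[^a-z0-9_]")


def label_to_tag(label: str, prefix: str = DEFAULT_TAG_PREFIX) -> str:
    """Build a tag from an API label under the configured prefix namespace.

    The label is lowercased and every incompatible character is replaced
    with "_", mirroring the behaviour the documentation describes.
    """
    part = _BAD_CHARS.sub("_", label.strip().lower())
    if not part.strip("_"):
        raise ValueError(f"label {label!r} contains no usable characters")
    namespace = prefix.strip("#").strip(".")
    return f"#{namespace}.{part}"


def labels_to_tags(labels, prefix: str = DEFAULT_TAG_PREFIX) -> list:
    """Convert a list of API labels to tags, dropping duplicates.

    Because incompatible characters all map to "_", different labels can
    produce the same tag; the order of first appearance is preserved.
    """
    tags = []
    for label in labels:
        tag = label_to_tag(label, prefix)
        if tag not in tags:
            tags.append(tag)
    return tags


if __name__ == "__main__":
    # Constructed sample labels, chosen to show the collision behaviour.
    sample = ["malware", "C2 Server", "c2-server", "Ransomware/LockBit"]
    for tag in labels_to_tags(sample):
        print(tag)
```

Run with a custom prefix (the second argument) to see the same labels land under a different namespace, which is what cybersixgill.setup.tagprefix changes.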
Usage: cybersixgill.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
The command is accessible to users with one or more of the following permissions:
power-ups.cybersixgill.user
Storm Modules
This package does not export any Storm APIs.