Package Documentation
Storm Package: synapse-cybersixgill
The following Commands are available from this package. This documentation is generated for version 0.7.0 of the package.
Storm Commands
This package implements the following Storm Commands.
cybersixgill.credentials.leaks
Query the Cybersixgill Credentials Leaks API.
This command takes inet:fqdn or inet:email nodes as input and queries the Credentials Leaks
API to retrieve leaked credential information by domain or email address.
Examples:
// Query credential leaks by domain
inet:fqdn=vertex.link | cybersixgill.credentials.leaks
// Query credential leaks by email address
inet:[email protected] | cybersixgill.credentials.leaks
Usage: cybersixgill.credentials.leaks [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--start <start> : Specify the start date/time to search from. (default: -30days)
--end <end> : Specify the end date/time to search to. (default: now)
cybersixgill.cve.enrich
Query the DVE Enrichment API for information on CVEs.
This command takes it:sec:cve or risk:vuln nodes as input and queries the
DVE Enrichment API to retrieve additional CVE information. If a risk:vuln is provided
and :reporter:name!=cybersixgill a new risk:vuln node will be created.
You may also query by providing a CVE identifier to the --cve argument.
Examples:
// Enrich an it:sec:cve node
it:sec:cve=CVE-2020-0796 | cybersixgill.cve.enrich --yield
// Specify a CVE with --cve
cybersixgill.cve.enrich --cve CVE-2020-0796 --yield
Usage: cybersixgill.cve.enrich [options]
Options:
--help : Display the command usage.
--cve <cve> : Specify a CVE to get data for.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
cybersixgill.intel.items
Query the Cybersixgill Intel Items API.
Note: The default time range is the last seven days (start: -7days to end:
now). These values were selected to maximize the chance of a successful
response from the API. If selecting a larger time range, especially with a
broad query, be aware of possible failures due to API timeouts.
This command will also create an it:exec:query node to represent the query options,
and will link resulting nodes to it via -(found)> edges.
Examples:
// Query for qakbot, limit to 100 nodes, and yield the results
cybersixgill.intel.items qakbot --size 100 --yield
// Query for qakbot but only repository typed items, in the last 10 days
cybersixgill.intel.items "qakbot AND type:repository" --start "-10days"
Usage: cybersixgill.intel.items [options] <query>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--start <start> : Specify the start date/time to search from. (default: -7days)
--end <end> : Specify the end date/time to search to. (default: now)
Arguments:
<query> : The search query.
cybersixgill.intel.items.byid
Query the Cybersixgill Intel Items API by item ID.
Examples:
// Query for an intel item by ID
cybersixgill.intel.items.byid aWxtLWltLTAwMDQzN185YWZmM2QyMzJlMzE3ZmY4ZmEzMTA1ZWNlZTVmMzg1ZGNiNmQzYTIz
Usage: cybersixgill.intel.items.byid [options] <id>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
Arguments:
<id> : The item ID to query.
cybersixgill.iocs
Query the Dark Feed Enrichment API for information on IOCs.
This command takes inet:fqdn, inet:ipv4, inet:url, hash:md5, hash:sha1, hash:sha256,
or file:bytes nodes as input and queries the the Dark Feed Enrichment API to retrieve
additional IOC information.
You may also search for IOCs based on actor names and sixgill post IDs by specifying
--field <name>=<value> where "name" is either "actor" or "post_id", and value is
the value to search for.
This command will also create an it:exec:query node to represent the query syntax and
link resulting IOC nodes to it via -(found)> edges. If an inbound node is used to
search, a -(refs)> edge will also be added from the query node to the inbound node.
Note: Channel ID d5cd46c205c20c87006b55a18b106428 is used when querying the API.
Examples:
// Enrich an md5 hash
hash:md5=ad49374e3c72613023fe420f0d6010d9 | cybersixgill.iocs --yield
// Search for IOCs by actor name
cybersixgill.iocs --yield --field actor=james
Usage: cybersixgill.iocs [options]
Options:
--help : Display the command usage.
--field <field> : Search for a sixgill field in <name>=<value> format, where "name" is "actor" or
"post_id".
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
cybersixgill.setup.apikey
Manage the Cybersixgill client id and secret.
Examples
// Set a global Cybersixgill client id and secret
cybersixgill.setup.apikey client_id client_secret
// Set a Cybersixgill client id and secret for the current user
cybersixgill.setup.apikey --self client_id client_secret
// Display the client id and secret scope of the current key
cybersixgill.setup.apikey --show-scope
// Display the current client id and secret.
cybersixgill.setup.apikey --show-apikey
// Remove the current global client id and secret.
cybersixgill.setup.apikey --remove
// Remove the per-user client id and secret for the current user.
cybersixgill.setup.apikey --self --remove
Usage: cybersixgill.setup.apikey [options] <clientid> <clientsecret>
Options:
--help : Display the command usage.
--self : Set or remove as user variables. If not used, set globally.
--show-scope : Display the client id and secret scope in use (global vs self).
--show-apikey : Display the client id and secret values (requires admin perms or a "self" scope key).
--remove : Remove the configured client id and secret. May be used with --self.
Arguments:
[clientid] : The client id string.
[clientsecret] : The client secret string.
cybersixgill.setup.tagprefix
Set the tag prefix used when recording Cybersixgill tags.
The default tag prefix is "rep.cybersixgill" if not specified.
Any labels provided by the Cybersixgill API will be added within the given namespace.
For example, the label "malware" would result in a "#rep.cybersixgill.malware" tag. Any
characters incompatible with tag names are replaced with "_".
Usage: cybersixgill.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
Storm Modules
This package does not export any Storm APIs.