Package Documentation

Storm Package: synapse-flashpoint

The following Commands are available from this package. This documentation is generated for version 1.15.0 of the package.

Storm Commands

This package implements the following Storm Commands.

flashpoint.ignite.communities.search

Query the Flashpoint Communities Search API by specifying query parameters.

The command builds a query to search for web posts that match a
specified set of filters. To submit custom queries with more advanced
logic, the ``--raw`` argument may be used to specify a full Ignite query object.

The results of queries will be used to create inet:service:message nodes, with
``refs`` light edges to any additional nodes that were created from data provided
by Flashpoint enrichments. If there is a language translation of the message
available, a lang:translation node will be created with a ``refs`` edge to the
original inet:service:message node.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

Examples:

  // Retrieve 1000 posts from 2023
  flashpoint.ignite.communities.search --size 1000 --date (2023-01-01, 2023-12-31)

  // Retrieve 500 posts with the keyword 'exploit' that contain a 'url_domains' enrichment
  flashpoint.ignite.communities.search --size 500 --query exploit --enrichments url_domains

  // Retrieve 50 Discord messages with images and download the media files
  flashpoint.ignite.communities.search --size 50 --site Discord --media_type image --download-media

  // Use an Ignite query object to perform a search
  flashpoint.ignite.communities.search --raw ({'size': 50, 'include': {'site': ['Discord'], 'media': {'type': ['image']}}})


Usage: flashpoint.ignite.communities.search [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A search query string.
  --author [<author> ...]     : Filter by results from specific site actors (case-sensitive).
  --site [<site> ...]         : Filter by results from specific sites (case-sensitive).
  --type [<type> ...]         : Filter by results from specific source types. (choices: blog, board, chat, forum, gab,
                                mastodon, paste, ransomware, reddit)
  --media_type [<media_type> ...]: Filter by results with specific media type attachments.
  --enrichments [<enrichments> ...]: Filter by results with specific Flashpoint enrichments. (choices: bins,
                                bitcoin_addresses, cve_ids, email_addresses, ethereum_addresses, ip_addresses,
                                monero_addresses, social_media_handles, url_domains)
  --date <date>               : Filter by results within a specific time interval.
  --size <size>               : Number of results to request.
  --yield                     : Yield the newly created nodes.
  --debug                     : Show verbose debug output.
  --download-media            : Download media files associated with results.
  --no-parse                  : If --download-media is specified, skip parsing downloaded files with Fileparser.
  --raw <raw>                 : An Ignite search query object to use for the search.

The command is accessible to users with one or more of the following permissions:

• power-ups.flashpoint.user

flashpoint.ignite.fraud.search

Query the Flashpoint Fraud Search API by specifying query parameters.

The command builds a query to search for card fraud data that matches a
specified set of filters. To submit custom queries with more advanced
logic, the ``--raw`` argument may be used to specify a full Ignite query object.

The results of queries will be used to create econ:pay:card nodes, with a
``refs`` light edge from the inet:service:message node for the post
where the card data was found.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

Examples:

  // Retrieve 10000 full_card results and yield the created nodes
  flashpoint.ignite.fraud.search --size 10000 --type full_card --yield

  // Retrieve 500 results from 2023
  flashpoint.ignite.fraud.search --size 500 --date (2023-01-01, 2023-12-31)

  // Retrieve 500 results from the site "Eurodollars" with specific BINs
  flashpoint.ignite.fraud.search --size 500 --site Eurodollars --bin 511563 540385

  // Use an Ignite query object to perform a search
  flashpoint.ignite.fraud.search --raw ({'size': 500, 'include': {'site': ['Eurodollars'], 'bin': [511563, 540385]}})


Usage: flashpoint.ignite.fraud.search [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A search query string.
  --author [<author> ...]     : Filter by results from specific site actors (case-sensitive).
  --bin [<bin> ...]           : Filter by results with specific BINs.
  --site [<site> ...]         : Filter by results from specific sites (case-sensitive).
  --date <date>               : Filter by results within a specific time interval.
  --type [<type> ...]         : Filter by results of specific types. (choices: full_card, partial_card_cvv,
                                partial_card_dump)
  --size <size>               : Number of results to request.
  --yield                     : Yield the newly created nodes.
  --debug                     : Show verbose debug output.
  --raw <raw>                 : An Ignite search query object to use for the search.

The command is accessible to users with one or more of the following permissions:

• power-ups.flashpoint.user

flashpoint.ignite.indicators

Retrieve bulk indicators from the Flashpoint Technical Indicators Ignite API.

This command queries the Flashpoint Technical Indicators API to retrieve indicators
of compromise that Flashpoint has identified as likely malicious.

Examples:

  // Retrieve 1000 indicators and yield the created nodes
  flashpoint.ignite.indicators --size 1000 --yield

  // Retrieve 100000 indicators from 2020
  flashpoint.ignite.indicators --size 100000 --start-date 2020-01-01 --end-date 2020-12-31


Usage: flashpoint.ignite.indicators [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A free text search query string, also accepts Lucene query syntax.
  --search-fields <search_fields>: Search specific value types, for example "filename==this.exe".
  --search-tags <search_tags> : Search for keywords inside tags, for example "malware:agenttesla".
  --types <types>             : Search for specific indicator types, for example "url,domain,ip-src".
  --size <size>               : Number of indicators to return. (default: 1000)
  --start-date <start_date>   : Search for indicators first added after this date.
  --end-date <end_date>       : Search for indicators first added before this date.
  --updated-since <updated_since>: Search for indicators updated after this date.
  --updated-until <updated_until>: Search for indicators updated before this date.
  --yield                     : Yield the newly created nodes.
  --debug                     : Show verbose debug output.
  --add-tags                  : Add Flashpoint provided tags on nodes.
  --tag <tag>                 : Specify a custorm tag to add to the created nodes.

The command is accessible to users with one or more of the following permissions:

• power-ups.flashpoint.user

flashpoint.ignite.reports.search

Query the Flashpoint Reports Search API by specifying query parameters.

The command builds a query to search for reports that match a
specified set of filters.

The results of queries will be used to create media:news nodes, with ``refs``
light edges to nodes which were referenced in the report.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

Examples:

  // Search for 10 reports related to ransomware and yield the results
  flashpoint.ignite.reports.search --query ransomware --size 10 --yield

  // Search for reports published in the last 7 days which were tagged with
  // the 'Hospitality' topic
  flashpoint.ignite.reports.search --tags Hospitality --since -7days

  //  Ingest specific reports by ID
  flashpoint.ignite.reports.search --ids "7XH-_pABNa4lgsjsv0Bq" "LajyEI4BXWZCylr5HuM_"


Usage: flashpoint.ignite.reports.search [options]

Options:

  --help                      : Display the command usage.
  --ids [<ids> ...]           : Ingest specific reports by ID.
  --query <query>             : Search report bodies, titles, summaries, and sources.
  --body <body>               : Search report bodies.
  --title <title>             : Search report titles.
  --summary <summary>         : Search report summaries.
  --source <source>           : Search report sources.
  --actors [<actors> ...]     : Filter by results with specific actors.
  --tags [<tags> ...]         : Tag filter strings. Tags prepended with '+' are required, tags with '-' are excluded,
                                and tags with no prefix are searched for in an 'or' fashion.
  --since <since>             : Search for reports published after this date.
  --until <until>             : Search for reports published before this date.
  --updated-since <updated_since>: Search for reports updated after this date.
  --updated-until <updated_until>: Search for reports updated before this date.
  --size <size>               : Number of results to request.
  --yield                     : Yield the newly created nodes.
  --debug                     : Show verbose debug output.
  --download-assets           : Download assets associated with results.
  --no-parse                  : If --download-assets is specified, skip parsing downloaded files with Fileparser.

The command is accessible to users with one or more of the following permissions:

• power-ups.flashpoint.user

flashpoint.setup.apikey

Set the Flashpoint API key.


Usage: flashpoint.setup.apikey [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set the key as a user variable. If not used, the key is set globally.

Arguments:

  <apikey>                    : The Flashpoint API key string.

The command is accessible to users with one or more of the following permissions:

• power-ups.flashpoint.user

flashpoint.setup.tagprefix

Set the tag prefix used when recording Flashpoint data as tags.
The default tag prefix is "rep.flashpoint" if not specified.
For example, the Flashpoint tag "enrichments.lang.ru" would result in
"#rep.flashpoint.enrichments.lang.ru".  Any characters incompatible with
tag names are replaced with "_".


Usage: flashpoint.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

The command is accessible to users with one or more of the following permissions:

• power-ups.flashpoint.user

Storm Modules

This package implements the following Storm Modules.

flashpoint

convertQuery(query)

Use the Flashpoint conversion API to convert an FPTools search query into an Ignite query object.

Example:

Convert a query to Ignite syntax:

init { $flashpoint=$lib.import(flashpoint) }

$fptools_query = "+(fp.tools search terms) +sort_date:[now-24h TO now]"
$ignite_query = $flashpoint.convertQuery($fptools_query)

Args:

query (str): An FPTools query string.

Returns:

An Ignite query object if the conversion was successful. The return type is dict.