Package Documentation

Storm Package: synapse-flashpoint

The following Commands are available from this package. This documentation is generated for version 1.8.1 of the package.

Storm Commands

This package implements the following Storm Commands.

flashpoint.indicators

Retrieve bulk indicators from the Flashpoint Technical Indicators API.

This command queries the Flashpoint Technical Indicators API to retrieve indicators
of compromise that Flashpoint has identified as likely malicious.

Examples:

  // Retrieve 1000 indicators and yield the created nodes
  flashpoint.indicators --size 1000 --yield

  // Retrieve 100000 indicators from 2020
  flashpoint.indicators --size 100000 --start-date 2020-01-01 --end-date 2020-12-31


Usage: flashpoint.indicators [options]

Options:

  --help                      : Display the command usage.
  --size <size>               : Number of indicators to return. (default: 1000)
  --start-date <start_date>   : Start date of indicators to query.
  --end-date <end_date>       : End date of indicators to query.
  --yield                     : Yield the newly created nodes.
  --debug                     : Show verbose debug output.
  --add-tags                  : Add Flashpoint provided tags on nodes.
  --tag <tag>                 : Specify a custorm tag to add to the created nodes.

flashpoint.search.query

Query the Flashpoint Search API by specifying query parameters.

The command builds a query to search for web posts that match a specified set
of filters. Each filter specified will be added with an AND operator to the
resulting query. To submit custom queries with more advanced logic, the
flashpoint.search.query.custom can be used.

The ``--enrichments`` argument accepts the following options:

  bitcoin_addresses
  card_numbers
  domains
  email_addresses
  ethereum_addresses
  ip_addresses
  social_media

As well as the option ``any``, which will apply a filter that matches results
with any of the listed options.

This command can also take nodes as input which will be used to add additional
filters to the query that is constructed.

The results of queries will be used to create inet:web:post nodes, with ``refs``
light edges to any additional nodes that were created from data provided by
Flashpoint enrichments. Depending on the types of results returned, inet:web:group
nodes may also be created representing the parent container (thread/channel/etc.)
with ``refs`` to any enrichment data available for that container.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

Examples:

  // Retrieve 1000 posts and yield the created nodes
  flashpoint.search.query --size 1000 --yield

  // Retrieve 100000 posts from 2020
  flashpoint.search.query --size 100000 --time (2020-01-01, 2020-12-31)

  // Retrieve posts with the keyword 'exploit' that contain a 'domain' enrichment
  flashpoint.search.query --keyword exploit --enrichment domain

  // Retrieve posts from 2020 with any enrichments
  flashpoint.search.query --time (2020-01-01, 2020-12-31) --enrichment any


Usage: flashpoint.search.query [options]

Options:

  --help                      : Display the command usage.
  --keyword [<keyword> ...]   : Filter by results with the specified keywords.
  --enrichment [<enrichment> ...]: Filter by results with specific Flashpoint enrichments.
  --time <time>               : Filter by results within a specific time interval.
  --size <size>               : Number of results to request. (default: 1000)
  --yield                     : Yield the newly created nodes.
  --no-tags                   : Skip creating tags on nodes.
  --debug                     : Show verbose debug output.
  --download-media            : Download media files associated with results.
  --no-parse                  : If --download-media is specified, skip parsing downloaded files with Fileparser.

flashpoint.search.query.custom

Query the Flashpoint Search API with a custom query string.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.


Usage: flashpoint.search.query.custom [options] <query>

Options:

  --help                      : Display the command usage.
  --size <size>               : Number of results to return. (default: 1000)
  --yield                     : Yield the newly created nodes.
  --traditional               : Specifies that the query uses "traditional" syntax. See Flashpoint docs for details.
  --no-tags                   : Skip creating tags on nodes.
  --debug                     : Show verbose debug output.
  --download-media            : Download media files associated with results.
  --no-parse                  : If --download-media is specified, skip parsing downloaded files with Fileparser.

Arguments:

  <query>                     : Search query string.

flashpoint.setup.apikey

Set the Flashpoint API key.


Usage: flashpoint.setup.apikey [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set the key as a user variable. If not used, the key is set globally.

Arguments:

  <apikey>                    : The Flashpoint API key string.

flashpoint.setup.tagprefix

Set the tag prefix used when recording Flashpoint data as tags.
The default tag prefix is "rep.flashpoint" if not specified.
For example, the Flashpoint tag "enrichments.lang.ru" would result in
"#rep.flashpoint.enrichments.lang.ru".  Any characters incompatible with
tag names are replaced with "_".


Usage: flashpoint.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

Storm Modules

This package does not export any Storm APIs.