Package Documentation
Storm Package: synapse-flashpoint
The following Commands are available from this package. This documentation is generated for version 1.11.1 of the package.
Storm Commands
This package implements the following Storm Commands.
flashpoint.ignite.communities.search
Query the Flashpoint Communities Search API by specifying query parameters.
The command builds a query to search for web posts that match a
specified set of filters. To submit custom queries with more advanced
logic, the ``--raw`` argument may be used to specify a full Ignite query object.
The results of queries will be used to create inet:service:message nodes, with
``refs`` light edges to any additional nodes that were created from data provided
by Flashpoint enrichments. If there is a language translation of the message
available, a lang:translation node will be created with a ``refs`` edge to the
original inet:service:message node.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Retrieve 1000 posts from 2023
flashpoint.ignite.communities.search --size 1000 --date (2023-01-01, 2023-12-31)
// Retrieve 500 posts with the keyword 'exploit' that contain a 'url_domains' enrichment
flashpoint.ignite.communities.search --size 500 --query exploit --enrichments url_domains
// Retrieve 50 Discord messages with images and download the media files
flashpoint.ignite.communities.search --size 50 --site Discord --media_type image --download-media
// Use an Ignite query object to perform a search
flashpoint.ignite.communities.search --raw ({'size': 50, 'include': {'site': ['Discord'], 'media': {'type': ['image']}}})
Usage: flashpoint.ignite.communities.search [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--author [<author> ...] : Filter by results from specific site actors (case-sensitive).
--site [<site> ...] : Filter by results from specific sites (case-sensitive).
--type [<type> ...] : Filter by results from specific source types. (choices: blog, board, chat, forum, gab,
mastodon, paste, ransomware, reddit)
--media_type [<media_type> ...]: Filter by results with specific media type attachments.
--enrichments [<enrichments> ...]: Filter by results with specific Flashpoint enrichments. (choices: bins,
bitcoin_addresses, cve_ids, email_addresses, ethereum_addresses, ip_addresses,
monero_addresses, social_media_handles, url_domains)
--date <date> : Filter by results within a specific time interval.
--size <size> : Number of results to request.
--yield : Yield the newly created nodes.
--debug : Show verbose debug output.
--download-media : Download media files associated with results.
--no-parse : If --download-media is specified, skip parsing downloaded files with Fileparser.
--raw <raw> : An Ignite search query object to use for the search.
flashpoint.ignite.fraud.search
Query the Flashpoint Fraud Search API by specifying query parameters.
The command builds a query to search for card fraud data that matches a
specified set of filters. To submit custom queries with more advanced
logic, the ``--raw`` argument may be used to specify a full Ignite query object.
The results of queries will be used to create econ:pay:card nodes, with a
``refs`` light edge from the inet:service:message node for the post
where the card data was found.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Retrieve 10000 full_card results and yield the created nodes
flashpoint.ignite.fraud.search --size 10000 --type full_card --yield
// Retrieve 500 results from 2023
flashpoint.ignite.fraud.search --size 500 --date (2023-01-01, 2023-12-31)
// Retrieve 500 results from the site "Eurodollars" with specific BINs
flashpoint.ignite.fraud.search --size 500 --site Eurodollars --bin 511563 540385
// Use an Ignite query object to perform a search
flashpoint.ignite.fraud.search --raw ({'size': 500, 'include': {'site': ['Eurodollars'], 'bin': [511563, 540385]}})
Usage: flashpoint.ignite.fraud.search [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--author [<author> ...] : Filter by results from specific site actors (case-sensitive).
--bin [<bin> ...] : Filter by results with specific BINs.
--site [<site> ...] : Filter by results from specific sites (case-sensitive).
--date <date> : Filter by results within a specific time interval.
--type [<type> ...] : Filter by results of specific types. (choices: full_card, partial_card_cvv,
partial_card_dump)
--size <size> : Number of results to request.
--yield : Yield the newly created nodes.
--debug : Show verbose debug output.
--raw <raw> : An Ignite search query object to use for the search.
flashpoint.ignite.indicators
Retrieve bulk indicators from the Flashpoint Technical Indicators Ignite API.
This command queries the Flashpoint Technical Indicators API to retrieve indicators
of compromise that Flashpoint has identified as likely malicious.
Examples:
// Retrieve 1000 indicators and yield the created nodes
flashpoint.ignite.indicators --size 1000 --yield
// Retrieve 100000 indicators from 2020
flashpoint.ignite.indicators --size 100000 --start-date 2020-01-01 --end-date 2020-12-31
Usage: flashpoint.ignite.indicators [options]
Options:
--help : Display the command usage.
--query <query> : A free text search query string, also accepts Lucene query syntax.
--search-fields <search_fields>: Search specific value types, for example "filename==this.exe".
--search-tags <search_tags> : Search for keywords inside tags, for example "malware:agenttesla".
--types <types> : Search for specific indicator types, for example "url,domain,ip-src".
--size <size> : Number of indicators to return. (default: 1000)
--start-date <start_date> : Search for indicators first added after this date.
--end-date <end_date> : Search for indicators first added before this date.
--updated-since <updated_since>: Search for indicators updated after this date.
--updated-until <updated_until>: Search for indicators updated before this date.
--yield : Yield the newly created nodes.
--debug : Show verbose debug output.
--add-tags : Add Flashpoint provided tags on nodes.
--tag <tag> : Specify a custorm tag to add to the created nodes.
flashpoint.ignite.reports.search
Query the Flashpoint Reports Search API by specifying query parameters.
The command builds a query to search for reports that match a
specified set of filters.
The results of queries will be used to create media:news nodes, with ``refs``
light edges to nodes which were referenced in the report.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Search for 10 reports related to ransomware and yield the results
flashpoint.ignite.reports.search --query ransomware --size 10 --yield
// Search for reports published in the last 7 days which were tagged with
// the 'Hospitality' topic
flashpoint.ignite.reports.search --tags Hospitality --since -7days
// Ingest specific reports by ID
flashpoint.ignite.reports.search --ids "7XH-_pABNa4lgsjsv0Bq" "LajyEI4BXWZCylr5HuM_"
Usage: flashpoint.ignite.reports.search [options]
Options:
--help : Display the command usage.
--ids [<ids> ...] : Ingest specific reports by ID.
--query <query> : Search report bodies, titles, summaries, and sources.
--body <body> : Search report bodies.
--title <title> : Search report titles.
--summary <summary> : Search report summaries.
--source <source> : Search report sources.
--actors [<actors> ...] : Filter by results with specific actors.
--tags [<tags> ...] : Tag filter strings. Tags prepended with '+' are required, tags with '-' are excluded,
and tags with no prefix are searched for in an 'or' fashion.
--since <since> : Search for reports published after this date.
--until <until> : Search for reports published before this date.
--updated-since <updated_since>: Search for reports updated after this date.
--updated-until <updated_until>: Search for reports updated before this date.
--size <size> : Number of results to request.
--yield : Yield the newly created nodes.
--debug : Show verbose debug output.
--download-assets : Download assets associated with results.
--no-parse : If --download-assets is specified, skip parsing downloaded files with Fileparser.
flashpoint.indicators
Retrieve bulk indicators from the Flashpoint Technical Indicators API.
This command queries the Flashpoint Technical Indicators API to retrieve indicators
of compromise that Flashpoint has identified as likely malicious.
Examples:
// Retrieve 1000 indicators and yield the created nodes
flashpoint.indicators --size 1000 --yield
// Retrieve 100000 indicators from 2020
flashpoint.indicators --size 100000 --start-date 2020-01-01 --end-date 2020-12-31
Usage: flashpoint.indicators [options]
Options:
--help : Display the command usage.
--size <size> : Number of indicators to return. (default: 1000)
--start-date <start_date> : Start date of indicators to query.
--end-date <end_date> : End date of indicators to query.
--yield : Yield the newly created nodes.
--debug : Show verbose debug output.
--add-tags : Add Flashpoint provided tags on nodes.
--tag <tag> : Specify a custorm tag to add to the created nodes.
flashpoint.search.query
Query the Flashpoint Search API by specifying query parameters.
The command builds a query to search for web posts that match a specified set
of filters. Each filter specified will be added with an AND operator to the
resulting query. To submit custom queries with more advanced logic, the
flashpoint.search.query.custom can be used.
The ``--enrichments`` argument accepts the following options:
bitcoin_addresses
card_numbers
domains
email_addresses
ethereum_addresses
ip_addresses
social_media
As well as the option ``any``, which will apply a filter that matches results
with any of the listed options.
This command can also take nodes as input which will be used to add additional
filters to the query that is constructed.
The results of queries will be used to create inet:web:post nodes, with ``refs``
light edges to any additional nodes that were created from data provided by
Flashpoint enrichments. Depending on the types of results returned, inet:web:group
nodes may also be created representing the parent container (thread/channel/etc.)
with ``refs`` to any enrichment data available for that container.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Retrieve 1000 posts and yield the created nodes
flashpoint.search.query --size 1000 --yield
// Retrieve 100000 posts from 2020
flashpoint.search.query --size 100000 --time (2020-01-01, 2020-12-31)
// Retrieve posts with the keyword 'exploit' that contain a 'domain' enrichment
flashpoint.search.query --keyword exploit --enrichment domain
// Retrieve posts from 2020 with any enrichments
flashpoint.search.query --time (2020-01-01, 2020-12-31) --enrichment any
Usage: flashpoint.search.query [options]
Options:
--help : Display the command usage.
--keyword [<keyword> ...] : Filter by results with the specified keywords.
--enrichment [<enrichment> ...]: Filter by results with specific Flashpoint enrichments.
--time <time> : Filter by results within a specific time interval.
--size <size> : Number of results to request. (default: 1000)
--yield : Yield the newly created nodes.
--no-tags : Skip creating tags on nodes.
--debug : Show verbose debug output.
--download-media : Download media files associated with results.
--no-parse : If --download-media is specified, skip parsing downloaded files with Fileparser.
--fields <fields> : Specify a list of fields to search. (default: enrichments, body.text/html+sanitized,
body.text/plain, user.names.handle, site_actor.names.handle, site_actor.names.aliases,
site_actor.fpid, title, container.fpid, container.title, container.container.title,
site.source_uri, site.title, native_id)
flashpoint.search.query.custom
Query the Flashpoint Search API with a custom query string.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Usage: flashpoint.search.query.custom [options] <query>
Options:
--help : Display the command usage.
--size <size> : Number of results to return. (default: 1000)
--yield : Yield the newly created nodes.
--traditional : Specifies that the query uses "traditional" syntax. See Flashpoint docs for details.
--no-tags : Skip creating tags on nodes.
--debug : Show verbose debug output.
--download-media : Download media files associated with results.
--no-parse : If --download-media is specified, skip parsing downloaded files with Fileparser.
--fields <fields> : Specify a list of fields to search. (default: enrichments, body.text/html+sanitized,
body.text/plain, user.names.handle, site_actor.names.handle, site_actor.names.aliases,
site_actor.fpid, title, container.fpid, container.title, container.container.title,
site.source_uri, site.title, native_id)
Arguments:
<query> : Search query string.
flashpoint.setup.apikey
Set the Flashpoint API key.
Usage: flashpoint.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set the key as a user variable. If not used, the key is set globally.
Arguments:
<apikey> : The Flashpoint API key string.
flashpoint.setup.tagprefix
Set the tag prefix used when recording Flashpoint data as tags.
The default tag prefix is "rep.flashpoint" if not specified.
For example, the Flashpoint tag "enrichments.lang.ru" would result in
"#rep.flashpoint.enrichments.lang.ru". Any characters incompatible with
tag names are replaced with "_".
Usage: flashpoint.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
Storm Modules
This package implements the following Storm Modules.
flashpoint
convertQuery(query)
Use the Flashpoint conversion API to convert an FPTools search query into an Ignite query object.
- Example:
Convert a query to Ignite syntax:
init { $flashpoint=$lib.import(flashpoint) } $fptools_query = "+(fp.tools search terms) +sort_date:[now-24h TO now]" $ignite_query = $flashpoint.convertQuery($fptools_query)- Args:
query (str): An FPTools query string.
- Returns:
An Ignite query object if the conversion was successful. The return type is
dict.