Package Documentation

Storm Package: synapse-group-ib

The following Commands are available from this package. This documentation is generated for version 0.6.0 of the package.

Storm Commands

This package implements the following Storm Commands.

groupib.ti.compromised.accounts.updated

Search for updated compromised accounts.

This command queries the Group IB TI Compromised Data/Accounts
updated endpoint (/api/v2/compromised/account_group/updated) and creates
nodes from the matching results.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.

The first time --since-last is used the --seqUpdate argument will define
the starting point.

Examples:
  // Search for accounts using a query string
  groupib.compromised.accounts.updated --query 'sourceType: botnet' --seqUpdate 17000645027033

  // Create a cron job to ingest any new results every day
  cron.add --name "GIB Accounts Feed" --hour 3 { groupib.compromised.accounts.updated --since-last }


Usage: groupib.ti.compromised.accounts.updated [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A search query string.
  --seqUpdate <seqUpdate>     : Search for results after a seqUpdate value.
  --since-last                : Retrieve results since the last run of the command with --since-last specified.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.

groupib.ti.compromised.cards.updated

Search for updated compromised bank cards.

This command queries the Group IB TI Compromised Data/Bank Cards
updated endpoint (/api/v2/compromised/bank_card_group/updated) and creates
nodes from the matching results.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.

The first time --since-last is used the --seqUpdate argument will define
the starting point.

Examples:
  // Search for cards using a query string
  groupib.compromised.cards.updated --query 'sourceType: botnet' --seqUpdate 17000645027033

  // Create a cron job to ingest any new results every day
  cron.add --name "GIB Cards Feed" --hour 3 { groupib.compromised.cards.updated --since-last }


Usage: groupib.ti.compromised.cards.updated [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A search query string.
  --seqUpdate <seqUpdate>     : Search for results after a seqUpdate value.
  --since-last                : Retrieve results since the last run of the command with --since-last specified.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.

groupib.ti.iocs.updated

Search for updated IOCs.

This command queries the Group IB TI IOC/Common updated endpoint
(/api/v2/ioc/common/updated) and creates nodes from the matching results.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.

The first time --since-last is used the --seqUpdate argument will define
the starting point.

Examples:
  // Search for IOCs using a query string
  groupib.ti.iocs.updated --query 'ip: 150.158.179.35' --seqUpdate 17000645027033

  // Search for IOCs using an inet:fqdn node
  inet:fqdn=t.ly | groupib.ti.iocs.updated --yield

  // Create a cron job to ingest any new results every day
  cron.add --name "GIB IOC Feed" --hour 3 { groupib.ti.iocs.updated --since-last }


Usage: groupib.ti.iocs.updated [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A search query string.
  --seqUpdate <seqUpdate>     : Search for results after a seqUpdate value.
  --since-last                : Retrieve results since the last run of the command with --since-last specified.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.

groupib.ti.malware.configs.updated

Search for updated malware configs.

This command queries the Group IB TI malware config updated endpoint
(/api/v2/malware/config/updated) and creates it:sec:c2:config nodes from
the matching results.

This command will also create an it:exec:query node to represent the
query syntax and link resulting it:sec:c2:config nodes to it via -(found)>
edges.

The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.

The first time --since-last is used the --seqUpdate argument will define
the starting point.

Examples:

  // Search for malware configs using a hash:sha256 node
  hash:sha256#myhash | groupib.ti.malware.configs.updated --seqUpdate 17000645027033

  // Search for Cobalt Strike configs
  groupib.ti.malware.configs.updated --query 'malware: "Cobalt Strike"' --size 10

  // Create a cron job to ingest new results for a query every day
  cron.add --name "GIB Cobalt Strike config Feed" --hour 3
  { groupib.ti.malware.configs.updated --query 'malware: "Cobalt Strike"' --since-last }


Usage: groupib.ti.malware.configs.updated [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A search query string.
  --seqUpdate <seqUpdate>     : Search for results after a seqUpdate value.
  --since-last                : Retrieve results since the last run of the command with --since-last specified.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.
  --download-large-configs    : Download large malware configs that Group IB TI does not automatically return.

groupib.ti.setup.apikey

Manage the Group-IB Threat Intelligence login and API key.

Examples

    // Set global Group-IB TI credentials
    groupib.ti.setup.apikey mylogin abcd1234

    // Set Group-IB TI credentials for the current user
    groupib.ti.setup.apikey --self mylogin abcd1234

    // Display the scope of the current credentials
    groupib.ti.setup.apikey --show-scope

    // Display the current credentials
    groupib.ti.setup.apikey --show-apikey

    // Remove the current global credentials
    groupib.ti.setup.apikey --remove

    // Remove the per-user credentials for the current user
    groupib.ti.setup.apikey --self --remove


Usage: groupib.ti.setup.apikey [options] <login> <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove the credentials as a user variable. If not used, the credentials are set globally.
  --show-scope                : Display the credentials scope in use (global vs self).
  --show-apikey               : Display the credentials (requires admin perms or "self" scope credentials).
  --remove                    : Remove the configured credentials. May be used with --self.

Arguments:

  [login]                     : Login for authentication.
  [apikey]                    : The API key string.

groupib.ti.threat.actors.updated

Search for updated threat actors.

This command queries the Group IB TI threat actor updated endpoint
(/api/v2/common/threat_actor/updated) and creates risk:threat nodes
from the matching results.

This command will also create an it:exec:query node to represent the
query syntax and link resulting risk:threat nodes to it via -(found)>
edges.

The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.

The first time --since-last is used the --seqUpdate argument will define
the starting point.

Examples:
  // Search for threat actors named Conti
  groupib.ti.threat.actors.updated --query 'name: "Conti"' --seqUpdate 17000645027033

  // Search for threat actors using an inet:fqdn
  inet:fqdn=anydeskupdate.com | groupib.ti.threat.actors.updated

  // Create a cron job to ingest any new results every day
  cron.add --name "GIB Threat Actor Feed" --hour 3
  { groupib.ti.threat.actors.updated --since-last }


Usage: groupib.ti.threat.actors.updated [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A search query string.
  --seqUpdate <seqUpdate>     : Search for results after a seqUpdate value.
  --since-last                : Retrieve results since the last run of the command with --since-last specified.
  --include-targeted-orgs     : Add "targets" light edges to "ou:name" nodes for targeted companies when ingesting results (target names are highly denormalized and may be unreliable).
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.

groupib.ti.threat.reports.byid

Ingest a threat report by ID.

This command queries the Group IB TI threat report endpoint
(/api/v2/common/threat/{id}) to retrieve a threat report by ID an
creates media:news nodes from the results. The ID of the report to
retrieve can be specified as a command argument, or with inbound
media:news nodes with :type=groupib.threat.report that have an :ext:id
property value.

Examples:
  // Ingest a report by ID
  groupib.ti.threat.reports.byid 7f730132f83fb0feadcaa351cbf1656dc6adeb52

  // Use a media:news node with an :ext:id prop to retrieve a report.
  media:news#groupib.report | groupib.ti.threat.reports.byid


Usage: groupib.ti.threat.reports.byid [options] <id>

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.

Arguments:

  [id]                        : ID of the report to ingest.

groupib.ti.threat.reports.updated

Search for updated threat reports.

This command queries the Group IB TI threat report updated endpoint
(/api/v2/common/threat/updated) and creates media:news nodes from the
matching results.

This command will also create an it:exec:query node to represent the
query syntax and link resulting risk:threat nodes to it via -(found)>
edges.

The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.

The first time --since-last is used the --seqUpdate argument will define
the starting point.

Examples:
  // Search for threat reports about the actor Conti
  groupib.ti.threat.reports.updated --query 'threat_actor: "Conti"' --seqUpdate 17000645027033

  // Search for threat actors using a pol:country node
  pol:country:iso2=AU | groupib.ti.threat.reports.updated --yield

  // Create a cron job to ingest new results for a query every day
  cron.add --name "GIB Threat Report (AU) Feed" --hour 3
  { pol:country:iso2=AU | groupib.ti.threat.reports.updated --since-last }


Usage: groupib.ti.threat.reports.updated [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A search query string.
  --seqUpdate <seqUpdate>     : Search for results after a seqUpdate value.
  --since-last                : Retrieve results since the last run of the command with --since-last specified.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.

groupib.ti.vulns.updated

Search for updated vulnerabilities.

This command queries the Group IB TI Vulnerabilities updated endpoint
(/api/v2/osi/vulnerability/updated) and creates nodes from the matching
results.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.

The first time --since-last is used the --seqUpdate argument will define
the starting point.

Examples:
  // Search for vulnerabilities using a query string
  groupib.ti.vulns.updated --query 'id: CVE-2023-34362' --seqUpdate 17000645027033

  // Search for vulnerabilities using an it:sec:cve node
  it:sec:cve=CVE-2023-34362 | groupib.ti.vulns.updated --yield

  // Create a cron job to ingest any new results every day
  cron.add --name "GIB Vuln Feed" --hour 3 { groupib.ti.vulns.updated --since-last }


Usage: groupib.ti.vulns.updated [options]

Options:

  --help                      : Display the command usage.
  --query <query>             : A search query string.
  --seqUpdate <seqUpdate>     : Search for results after a seqUpdate value.
  --since-last                : Retrieve results since the last run of the command with --since-last specified.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.

Storm Modules

This package does not export any Storm APIs.