Package Documentation
Storm Package: synapse-group-ib
The following Commands are available from this package. This documentation is generated for version 0.4.0 of the package.
Storm Commands
This package implements the following Storm Commands.
groupib.ti.compromised.accounts.search
Search for compromised accounts.
This command queries the Group IB TI Compromised Data/Accounts
endpoint (/api/v2/compromised/account_group) and creates nodes from
the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note: Time range query defaults and limits may vary depending on account type.
Examples:
// Search for accounts using a query string
groupib.compromised.accounts.search --query 'sourceType: botnet' --yield
Usage: groupib.ti.compromised.accounts.search [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--from <from> : Search for results after this datetime.
--until <until> : Search for results before this datetime.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.compromised.accounts.updated
Search for updated compromised accounts.
This command queries the Group IB TI Compromised Data/Accounts
updated endpoint (/api/v2/compromised/account_group/updated) and creates
nodes from the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.
The first time --since-last is used the --seqUpdate argument will define
the starting point.
Examples:
// Search for accounts using a query string
groupib.compromised.accounts.updated --query 'sourceType: botnet' --seqUpdate 17000645027033
// Create a cron job to ingest any new results every day
cron.add --name "GIB Accounts Feed" --hour 3 { groupib.compromised.accounts.updated --since-last }
Usage: groupib.ti.compromised.accounts.updated [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--seqUpdate <seqUpdate> : Search for results after a seqUpdate value.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.compromised.cards.search
Search for compromised bank cards.
This command queries the Group IB TI Compromised Data/Bank Cards
endpoint (/api/v2/compromised/bank_card_group) and creates nodes from
the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note: Time range query defaults and limits may vary depending on account type.
Examples:
// Search for cards using a query string
groupib.compromised.cards.search --query 'sourceType: botnet' --yield
Usage: groupib.ti.compromised.cards.search [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--from <from> : Search for results after this datetime.
--until <until> : Search for results before this datetime.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.compromised.cards.updated
Search for updated compromised bank cards.
This command queries the Group IB TI Compromised Data/Bank Cards
updated endpoint (/api/v2/compromised/bank_card_group/updated) and creates
nodes from the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.
The first time --since-last is used the --seqUpdate argument will define
the starting point.
Examples:
// Search for cards using a query string
groupib.compromised.cards.updated --query 'sourceType: botnet' --seqUpdate 17000645027033
// Create a cron job to ingest any new results every day
cron.add --name "GIB Cards Feed" --hour 3 { groupib.compromised.cards.updated --since-last }
Usage: groupib.ti.compromised.cards.updated [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--seqUpdate <seqUpdate> : Search for results after a seqUpdate value.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.iocs.search
Search for IOCs.
This command queries the Group IB TI IOC/Common endpoint
(/api/v2/ioc/common) and creates nodes from the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note: Time range query defaults and limits may vary depending on account type.
Examples:
// Search for IOCs using a query string
groupib.ti.iocs.search --query 'ip: 150.158.179.35' --yield
// Search for IOCs using an inet:fqdn node
inet:fqdn=t.ly | groupib.ti.iocs.search --yield
Usage: groupib.ti.iocs.search [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--from <from> : Search for results after this datetime.
--until <until> : Search for results before this datetime.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.iocs.updated
Search for updated IOCs.
This command queries the Group IB TI IOC/Common updated endpoint
(/api/v2/ioc/common/updated) and creates nodes from the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.
The first time --since-last is used the --seqUpdate argument will define
the starting point.
Examples:
// Search for IOCs using a query string
groupib.ti.iocs.updated --query 'ip: 150.158.179.35' --seqUpdate 17000645027033
// Search for IOCs using an inet:fqdn node
inet:fqdn=t.ly | groupib.ti.iocs.updated --yield
// Create a cron job to ingest any new results every day
cron.add --name "GIB IOC Feed" --hour 3 { groupib.ti.iocs.updated --since-last }
Usage: groupib.ti.iocs.updated [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--seqUpdate <seqUpdate> : Search for results after a seqUpdate value.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.malware.configs.search
Search for malware configs.
This command queries the Group IB TI malware config search endpoint
(/api/v2/malware/config) and creates it:sec:c2:config nodes from the
matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting it:sec:c2:config nodes to it via -(found)>
edges.
Note: Time range defaults and limits may vary depending on account type.
Examples:
// Search for malware configs using a hash:sha256 node
hash:sha256#myhash | groupib.ti.malware.configs.search --yield
// Search for Cobalt Strike configs
groupib.ti.malware.configs.search --query 'malware: "Cobalt Strike"' --size 10 --yield
Usage: groupib.ti.malware.configs.search [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--from <from> : Search for results after this datetime.
--until <until> : Search for results before this datetime.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.malware.configs.updated
Search for updated malware configs.
This command queries the Group IB TI malware config updated endpoint
(/api/v2/malware/config/updated) and creates it:sec:c2:config nodes from
the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting it:sec:c2:config nodes to it via -(found)>
edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.
The first time --since-last is used the --seqUpdate argument will define
the starting point.
Examples:
// Search for malware configs using a hash:sha256 node
hash:sha256#myhash | groupib.ti.malware.configs.updated --seqUpdate 17000645027033
// Search for Cobalt Strike configs
groupib.ti.malware.configs.updated --query 'malware: "Cobalt Strike"' --size 10
// Create a cron job to ingest new results for a query every day
cron.add --name "GIB Cobalt Strike config Feed" --hour 3
{ groupib.ti.malware.configs.updated --query 'malware: "Cobalt Strike"' --since-last }
Usage: groupib.ti.malware.configs.updated [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--seqUpdate <seqUpdate> : Search for results after a seqUpdate value.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.setup.apikey
Manage the Group-IB Threat Intelligence login and API key.
Examples
// Set global Group-IB TI credentials
groupib.ti.setup.apikey mylogin abcd1234
// Set Group-IB TI credentials for the current user
groupib.ti.setup.apikey --self mylogin abcd1234
// Display the scope of the current credentials
groupib.ti.setup.apikey --show-scope
// Display the current credentials
groupib.ti.setup.apikey --show-apikey
// Remove the current global credentials
groupib.ti.setup.apikey --remove
// Remove the per-user credentials for the current user
groupib.ti.setup.apikey --self --remove
Usage: groupib.ti.setup.apikey [options] <login> <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the credentials as a user variable. If not used, the credentials are set globally.
--show-scope : Display the credentials scope in use (global vs self).
--show-apikey : Display the credentials (requires admin perms or "self" scope credentials).
--remove : Remove the configured credentials. May be used with --self.
Arguments:
[login] : Login for authentication.
[apikey] : The API key string.
groupib.ti.threat.actors.search
Search for threat actors.
This command queries the Group IB TI threat actor search endpoint
(/api/v2/common/threat_actor) and creates risk:threat nodes from
the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting risk:threat nodes to it via -(found)>
edges.
Note: Time range query defaults and limits may vary depending on account type.
Examples:
// Search for threat actors named Conti
groupib.ti.threat.actors.search --query 'name: "Conti"' --yield
// Search for threat actors using an inet:fqdn
inet:fqdn=anydeskupdate.com | groupib.ti.threat.actors.search --yield
Usage: groupib.ti.threat.actors.search [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--from <from> : Search for results after this datetime.
--until <until> : Search for results before this datetime.
--include-targeted-orgs : Add "targets" light edges to "ou:name" nodes for targeted companies when ingesting results (target names are highly denormalized and may be unreliable).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.threat.actors.updated
Search for updated threat actors.
This command queries the Group IB TI threat actor updated endpoint
(/api/v2/common/threat_actor/updated) and creates risk:threat nodes
from the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting risk:threat nodes to it via -(found)>
edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.
The first time --since-last is used the --seqUpdate argument will define
the starting point.
Examples:
// Search for threat actors named Conti
groupib.ti.threat.actors.updated --query 'name: "Conti"' --seqUpdate 17000645027033
// Search for threat actors using an inet:fqdn
inet:fqdn=anydeskupdate.com | groupib.ti.threat.actors.updated
// Create a cron job to ingest any new results every day
cron.add --name "GIB Threat Actor Feed" --hour 3
{ groupib.ti.threat.actors.updated --since-last }
Usage: groupib.ti.threat.actors.updated [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--seqUpdate <seqUpdate> : Search for results after a seqUpdate value.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--include-targeted-orgs : Add "targets" light edges to "ou:name" nodes for targeted companies when ingesting results (target names are highly denormalized and may be unreliable).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.threat.reports.byid
Ingest a threat report by ID.
This command queries the Group IB TI threat report endpoint
(/api/v2/common/threat/{id}) to retrieve a threat report by ID an
creates media:news nodes from the results. The ID of the report to
retrieve can be specified as a command argument, or with inbound
media:news nodes with :type=groupib.threat.report that have an :ext:id
property value.
Examples:
// Ingest a report by ID
groupib.ti.threat.reports.byid 7f730132f83fb0feadcaa351cbf1656dc6adeb52
// Use a media:news node with an :ext:id prop to retrieve a report.
media:news#groupib.report | groupib.ti.threat.reports.byid
Usage: groupib.ti.threat.reports.byid [options] <id>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
Arguments:
[id] : ID of the report to ingest.
groupib.ti.threat.reports.search
Search for threat reports.
This command queries the Group IB TI threat report endpoint
(/api/v2/common/threat) and creates media:news nodes from the
matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting risk:threat nodes to it via -(found)>
edges.
Note: Time range query defaults and limits may vary depending on account type.
Examples:
// Search for threat reports about the actor Conti
groupib.ti.threat.reports.search --query 'threat_actor: "Conti"' --yield
// Search for threat actors using a pol:country node
pol:country:iso2=AU | groupib.ti.threat.reports.search --yield
Usage: groupib.ti.threat.reports.search [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--from <from> : Search for results after this datetime.
--until <until> : Search for results before this datetime.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.threat.reports.updated
Search for updated threat reports.
This command queries the Group IB TI threat report updated endpoint
(/api/v2/common/threat/updated) and creates media:news nodes from the
matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting risk:threat nodes to it via -(found)>
edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.
The first time --since-last is used the --seqUpdate argument will define
the starting point.
Examples:
// Search for threat reports about the actor Conti
groupib.ti.threat.reports.updated --query 'threat_actor: "Conti"' --seqUpdate 17000645027033
// Search for threat actors using a pol:country node
pol:country:iso2=AU | groupib.ti.threat.reports.updated --yield
// Create a cron job to ingest new results for a query every day
cron.add --name "GIB Threat Report (AU) Feed" --hour 3
{ pol:country:iso2=AU | groupib.ti.threat.reports.updated --since-last }
Usage: groupib.ti.threat.reports.updated [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--seqUpdate <seqUpdate> : Search for results after a seqUpdate value.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.vulns.search
Search for vulnerabilities.
This command queries the Group IB TI Vulnerabilities endpoint
(/api/v2/osi/vulnerability) and creates nodes from the matching results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note: Time range query defaults and limits may vary depending on account type.
Examples:
// Search for vulnerabilities using a query string
groupib.ti.vulns.search --query 'id: CVE-2023-34362' --yield
// Search for vulnerabilities using an it:sec:cve node
it:sec:cve=CVE-2023-34362 | groupib.ti.vulns.search --yield
Usage: groupib.ti.vulns.search [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--from <from> : Search for results after this datetime.
--until <until> : Search for results before this datetime.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
groupib.ti.vulns.updated
Search for updated vulnerabilities.
This command queries the Group IB TI Vulnerabilities updated endpoint
(/api/v2/osi/vulnerability/updated) and creates nodes from the matching
results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
The --since-last option can be used to retrieve new results since the last
run of the command with a specified query string.
The first time --since-last is used the --seqUpdate argument will define
the starting point.
Examples:
// Search for vulnerabilities using a query string
groupib.ti.vulns.updated --query 'id: CVE-2023-34362' --seqUpdate 17000645027033
// Search for vulnerabilities using an it:sec:cve node
it:sec:cve=CVE-2023-34362 | groupib.ti.vulns.updated --yield
// Create a cron job to ingest any new results every day
cron.add --name "GIB Vuln Feed" --hour 3 { groupib.ti.vulns.updated --since-last }
Usage: groupib.ti.vulns.updated [options]
Options:
--help : Display the command usage.
--query <query> : A search query string.
--seqUpdate <seqUpdate> : Search for results after a seqUpdate value.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
Storm Modules
This package does not export any Storm APIs.