Package Documentation

Storm Package: synapse-hybridanalysis

The following Commands are available from this package. This documentation is generated for version 2.1.0 of the package.

Storm Commands

This package implements the following Storm Commands.

hybridanalysis.byhash

Query the Hybrid Analysis API for jobs by a file:bytes or hash form.

Examples:

  // Query by hash and yield it:exec:proc nodes
  hash:md5#foo | hybridanalysis.byhash --yield

  // Query by SHA-256, MD5, or SHA-1 from a file:bytes node
  file:bytes#foo | hybridanalysis.byhash --yield

  // Bypass cache
  hash:md5#foo | hybridanalysis.byhash --asof now


Usage: hybridanalysis.byhash [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now.
                                (default: -30days)

hybridanalysis.overview

Query the Hybrid Analysis API overview endpoint by SHA-256.

Examples:

  // Query by hash and yield file:bytes node
  hash:sha256#foo | hybridanalysis.overview --yield

  // Query by file:bytes SHA-256
  file:bytes#foo | hybridanalysis.overview

  // Query by file:bytes and pivot to it:av:scan:result
  file:bytes#foo | hybridanalysis.overview | -> it:av:scan:result

  // Do not add Hybrid Analysis tags to file:bytes node
  file:bytes#foo | hybridanalysis.overview --no-tags

  // Bypass cache
  hash:sha256#foo | hybridanalysis.overview --asof now


Usage: hybridanalysis.overview [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now.
                                (default: -30days)
  --no-tags                   : Construct nodes but do not record tags returned by the Hybrid Analysis API.

hybridanalysis.reportsummary

Query the Hybrid Analysis API for report summaries by a file:bytes or hash form.

Note: it:mitre:attack:technique nodes for the techniques used by a file will
be linked with -(uses)> edges from the file:bytes node.

Examples:

  // Query by hash and yield it:exec:proc nodes
  hash:md5#foo | hybridanalysis.reportsummary --yield

  // Query by SHA-256, MD5, or SHA-1 from a file:bytes node
  file:bytes#foo | hybridanalysis.reportsummary --yield

  // Bypass cache
  hash:md5#foo | hybridanalysis.reportsummary --asof now


Usage: hybridanalysis.reportsummary [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now.
                                (default: -30days)

hybridanalysis.samples

Download sample files from the Hybrid Analysis API overview endpoint by SHA-256.

The response is saved directly to the Axon, and is typically a gzip of the actual file
represented by the input SHA-256.

Examples:

  // Query by hash and yield file:bytes node
  hash:sha256#foo | hybridanalysis.samples --yield

  // Query by file:bytes SHA-256
  file:bytes#foo | hybridanalysis.samples

  // Extract gzip sample using Synapse-FileParser and pivot
  hash:sha256#foo | hybridanalysis.samples --yield | fileparser.parse
  | -> file:subfile :child -> file:bytes


Usage: hybridanalysis.samples [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now.
                                (default: -30days)

hybridanalysis.setup.apikey

Set the Hybrid Analysis API key.


Usage: hybridanalysis.setup.apikey [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set the key as a user variable. If not used, the key is set globally.

Arguments:

  <apikey>                    : The Hybrid Analysis API key string.

hybridanalysis.setup.tagprefix

Set the tag prefix used when recording Hybrid Analysis tags.
The default tag prefix is "rep.hybridanalysis" if not specified.

Any tags provided by a Hybrid Analysis API will be added within the given namespace.
For example, the Hybrid Analysis tag "foo" would result in "#rep.hybridanalysis.foo".
Any characters incompatible with tag names are replaced with "_".


Usage: hybridanalysis.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

Storm Modules

This package does not export any Storm APIs.