Package Documentation
Storm Package: synapse-intel471
The following Commands are available from this package. This documentation is generated for version 0.9.0 of the package.
Storm Commands
This package implements the following Storm Commands.
intel471.breach.search
Search for breach alerts matching filter criteria.
At least one of --breachalert, --actor, or --victim must be specified
to perform the search.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Free text search for alerts
intel471.breach.search --breachalert Communications
// Search by victim and filter using a time range
intel471.breach.search --victim "BCN Telecom" --from "-30days"
Usage: intel471.breach.search [options]
Options:
--help : Display the command usage.
--breachalert <breachalert> : Free text search for breach alerts.
--actor <actor> : Search by actor or actor group names.
--victim <victim> : Search by victim name.
--confidence <confidence> : Specify a confidence level (high, medium, low).
--gir <gir> : Specify a General Intel Requirement.
--from <from> : Search for breach alerts created after a specified time.
--until <until> : Search for breach alerts created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for breach alerts updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for breach alerts updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--filterbygirset <filterbygirset>: Specify a GIR set ("my_girs" or "company_pirs").
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
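The it:exec:query record and the -(found)> edges described above give each ingest a provenance trail. The following query is an added example, not part of the package documentation: it runs the page's own victim search, then uses the recorded query node to audit what that search pulled into the Cortex. It assumes the package stores the search parameters in the query node's :text property and that API-supplied tags land under the default #rep.intel471 namespace.

```storm
// Run the search once; the package records an it:exec:query node and links
// every node it ingested to that record with a -(found)> light edge.
intel471.breach.search --victim "BCN Telecom" --from "-30days"

// Later, lift the recorded query (assumption: the parameters are in :text)
// and walk the found edges to every node that search produced. uniq drops
// nodes reached through more than one query record.
it:exec:query:text~="BCN Telecom" -(found)> * | uniq

// Reverse direction: from tagged Intel471 nodes, walk back to the recorded
// searches that produced them, e.g. to spot data that only a stale query found.
#rep.intel471 <(found)- it:exec:query | uniq
```

Because the query record persists, the same walk works for any of the search commands on this page; only the filter on the it:exec:query node changes.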
intel471.dataleak.post.search
Search for data leak blog posts matching filter criteria.
At least one of --post, --postsbythreaduid, or --blog must be specified
to perform the search.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search by blog and filter using a time range
intel471.dataleak.post.search --blog "Blackout RaaS operator(s)" --from "-30days"
// Free text search for data leak posts and do not download file listing archives
intel471.dataleak.post.search --post financial --skip-attachments
Usage: intel471.dataleak.post.search [options]
Options:
--help : Display the command usage.
--post <post> : Search text in data leak posts and topics.
--postsbythreaduid <postsbythreaduid>: Search data leak posts by thread uid.
--blog <blog> : Search data leak posts in a given data leak blog.
--from <from> : Search for data leak posts created after a specified time.
--until <until> : Search for data leak posts created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for data leak posts updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for data leak posts updated before a specified time.
--sort <sort> : Specify sort order. (default: relevance, choices: relevance, earliest, latest)
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--skip-attachments : Skip downloading file listing archives included in results (if present).
intel471.forum.message.search
Search for forum private messages matching filter criteria.
At least one of --privatemessage, --privatemessagesubject, --actor, or
--forum must be specified to perform the search.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search text in private messages
intel471.forum.message.search --privatemessage hacked
// Search by forum and filter using a time range
intel471.forum.message.search --forum opensc.ws --from "-30days"
Usage: intel471.forum.message.search [options]
Options:
--help : Display the command usage.
--privatemessage <privatemessage>: Search text in private messages.
--privatemessagesubject <privatemessagesubject>: Search text in subjects of private messages.
--actor <actor> : Search messages authored or received by a given actor handle.
--forum <forum> : Search messages in a given forum.
--from <from> : Search for messages created after a specified time.
--until <until> : Search for messages created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for messages updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for messages updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
intel471.forum.post.search
Search for forum posts matching filter criteria.
At least one of --post, --postsbythreaduid, or --forum must be specified
to perform the search.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search text in posts and topics
intel471.forum.post.search --post hacked
// Search by forum and filter using a time range
intel471.forum.post.search --forum opensc.ws --from "-30days"
Usage: intel471.forum.post.search [options]
Options:
--help : Display the command usage.
--post <post> : Search text in posts and topics.
--postsbythreaduid <postsbythreaduid>: Search posts by thread uid.
--actor <actor> : Search posts authored by given actor handle.
--forum <forum> : Search posts in a given forum.
--from <from> : Search for posts created after a specified time.
--until <until> : Search for posts created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for posts updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for posts updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
intel471.girs.sync
Download and populate Intel471 GIR definitions.
Examples:
// Download and populate the GIR definitions.
intel471.girs.sync
Usage: intel471.girs.sync [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
intel471.global.search
Perform a global search for results matching filter criteria.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Currently this command will ingest results of the following types:
iocs - Indicator of Compromise
indicators - Malware Intelligence Indicators
cveReports - Vulnerability Reports
breachAlerts - Breach Alerts
posts - Forum Posts
privateMessages - Forum Private Messages
dataLeakPosts - Data Leak Blog Posts
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search for malicious domains with specific text
intel471.global.search --yield (iocType, MaliciousDomain) (text, vertex)
Usage: intel471.global.search [options] <params>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
Arguments:
[<params> ...] : Query parameters as tuples of (param_name, value).
intel471.indicators.search
Search for malware indicators matching filter criteria.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search for an IP
intel471.indicators.search --indicator 188.130.163.218
// Filter using a time range
intel471.indicators.search --from "-30days" --until "-7days"
Usage: intel471.indicators.search [options]
Options:
--help : Display the command usage.
--indicator <indicator> : Free text search for indicators.
--indicatortype <indicatortype>: Specify an indicator type.
--threattype <threattype> : Specify a threat type.
--threatuid <threatuid> : Specify a threat uid.
--malwarefamily <malwarefamily>: Specify a malware family.
--malwarefamilyprofileuid <malwarefamilyprofileuid>: Specify a malware family profile uid.
--confidence <confidence> : Specify a confidence level (high, medium, low).
--gir <gir> : Specify a General Intel Requirement.
--filterbygirset <filterbygirset>: Specify a GIR set ("my_girs" or "company_pirs").
--from <from> : Search for IOCs created after a specified time.
--until <until> : Search for IOCs created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for IOCs updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for IOCs updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
intel471.inforeport.get
Retrieve an information or fintel report by UID.
This command takes an information or fintel report UID as input and queries the Intel471
API to retrieve the report. An incomplete media:news node created by other Intel471
commands may also be used as input to populate the full report details.
Examples:
// Retrieve a report by UID
intel471.inforeport.get ce1c92f84040f1ad008b55665bfde326
// Use media:news nodes to retrieve reports
media:news:publisher:name=intel471 | intel471.inforeport.get
// Retrieve a report by UID and do not download attachments
intel471.inforeport.get ce1c92f84040f1ad008b55665bfde326 --skip-attachments
Usage: intel471.inforeport.get [options] <uid>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--skip-attachments : Skip downloading files attached to reports.
Arguments:
[uid] : The report identifier to retrieve.
intel471.inforeport.search
Search for information or fintel reports matching filter criteria.
By default this command will query the Intel471 API to retrieve the full
report for each summary in the search results. The --skip-detail argument can be
used to skip retrieving the full report for each result and only ingest the
summary results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search for 10 results related to "malware" and yield the results
intel471.inforeport.search --yield --report malware --size 10
// Search for 100 results related to "malware" and do not retrieve each full report
intel471.inforeport.search --yield --report malware --size 100 --skip-detail
// Search for 2 results related to "ccweb" and skip downloading attachments
intel471.inforeport.search --yield --report ccweb --size 2 --skip-attachments
Usage: intel471.inforeport.search [options]
Options:
--help : Display the command usage.
--report <report> : Search text in reports, subjects, and entities.
--reportlocation <reportlocation>: Search reports by country or region.
--reporttag <reporttag> : Search reports by tag.
--reportadmiraltycode <reportadmiraltycode>: Search reports by admiralty code.
--reporttitle <reporttitle> : Search reports by title.
--victim <victim> : Search reports by purported victim.
--documenttype <documenttype>: Search reports by document type.
--documentfamily <documentfamily>: Search reports by document family.
--gir <gir> : Specify a General Intel Requirement.
--filterbygirset <filterbygirset>: Specify a GIR set. (choices: my_girs, company_pirs)
--from <from> : Search for reports created after a specified time.
--until <until> : Search for reports created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for reports updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for reports updated before a specified time.
--sort <sort> : Specify sort order. (default: relevance, choices: relevance, earliest, latest)
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--skip-detail : Only ingest data returned by the initial search, do not retrieve detailed reports or attachments for each result.
--skip-attachments : Skip downloading files attached to detailed reports.
intel471.iocs.search
Search for indicators of compromise matching filter criteria.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Valid IOC types:
MaliciousURL
MaliciousDomain
IpAddress
AutonomousSystem
MD5
SHA256
SHA1
FileType
FileSize
FileName
SSLCertificate
SSLCertificateID
SSLCertificateFingerprint
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search for an IP
intel471.iocs.search --yield 188.130.163.218
// Filter using a time range
intel471.iocs.search --from "-30days" --until "-7days" .com
Usage: intel471.iocs.search [options] <query>
Options:
--help : Display the command usage.
--ioctype <ioctype> : Specify an IOC type.
--from <from> : Search for IOCs created after a specified time.
--until <until> : Search for IOCs created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for IOCs updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for IOCs updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
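The 1100-item ceiling noted above applies to each query the package sends, so a broad IOC search over a long period is truncated without any error. The query below is an added example, not part of the package documentation: it splits the period into fixed windows and runs one search per window, so each window gets its own 1100-item budget. The month boundaries are constructed values, the for-loop unpacking is standard Storm, and it assumes the command accepts the same absolute time strings Storm itself parses.

```storm
// Constructed month boundaries; each window becomes a separate API query,
// so each is capped at 1100 items independently instead of the whole range once.
$windows = (
    ("2024-01-01", "2024-02-01"),
    ("2024-02-01", "2024-03-01"),
    ("2024-03-01", "2024-04-01")
)

// With no inbound nodes the loop body runs once per window; --yield sends the
// ingested nodes down the pipeline.
for ($from, $until) in $windows {
    intel471.iocs.search --yield --ioctype MaliciousDomain --from $from --until $until .com
}
// A domain observed in two windows is yielded twice; collapse the duplicates.
| uniq
```

If a single window still yields exactly 1100 nodes, treat that as a sign of truncation and split that window further rather than trusting the count.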
Arguments:
<query> : The query string.
intel471.setup.apikey
Manage the Intel471 user email and API key.
Examples:
// Configure global Intel471 credentials
intel471.setup.apikey [email protected] abcd1234
// Configure Intel471 credentials for the current user
intel471.setup.apikey --self [email protected] abcd1234
// Display the scope of the current credentials
intel471.setup.apikey --show-scope
// Display the current credentials.
intel471.setup.apikey --show-apikey
// Remove the current global credentials.
intel471.setup.apikey --remove
// Remove the per-user credentials for the current user.
intel471.setup.apikey --self --remove
Usage: intel471.setup.apikey [options] <email> <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the credentials as a user variable. If not used, set them globally.
--show-scope : Display the credentials scope in use (global vs self).
--show-apikey : Display the credentials (requires admin perms or a "self" scope key).
--remove : Remove the configured credentials. May be used with --self.
Arguments:
[email] : Email address for authentication.
[apikey] : The API key string.
intel471.setup.tagprefix
Set the tag prefix used when recording Intel471 data as tags.
The default tag prefix is "rep.intel471" if not specified.
Any tags provided by the Intel471 API will be added within the given namespace.
For example, the item "foo" would result in "#rep.intel471.foo". Any
characters incompatible with tag names are replaced with "_".
Usage: intel471.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
intel471.vulns.get
Retrieve a vulnerability report by UID.
This command takes a vulnerability report UID as input and queries the Intel471
API to retrieve the report.
Examples:
// Retrieve a report by UID
intel471.vulns.get ce1c92f84040f1ad008b55665bfde326
// Use risk:vuln nodes to retrieve reports
risk:vuln:_intel471:uid | intel471.vulns.get :_intel471:uid
Usage: intel471.vulns.get [options] <uid>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
Arguments:
[uid] : The vulnerability report identifier to retrieve.
intel471.vulns.search
Search for vulnerability reports matching filter criteria.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search for a CVE
intel471.vulns.search --cvename "CVE-2015-6435"
// Filter using a time range
intel471.vulns.search --from "-30days" --until "-7days"
Usage: intel471.vulns.search [options]
Options:
--help : Display the command usage.
--cvereport <cvereport> : Free text search for CVE reports.
--cvetype <cvetype> : Specify a CVE type.
--cvestatus <cvestatus> : Specify a CVE status.
--cvename <cvename> : Specify a CVE name.
--risklevel <risklevel> : Specify a CVE risk level (high, medium, or low).
--patchstatus <patchstatus> : Specify a CVE patch status (available, some_available, or unavailable).
--vendorname <vendorname> : Specify a CVE vendor name.
--productname <productname> : Specify a CVE product name.
--gir <gir> : Specify a General Intel Requirement.
--filterbygirset <filterbygirset>: Specify a GIR set ("my_girs" or "company_pirs").
--from <from> : Search for CVEs created after a specified time.
--until <until> : Search for CVEs created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for CVEs updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for CVEs updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
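The search commands only ingest what the search endpoint returns, while the get commands fill in the full report. Chaining the two is an added example, not part of the package documentation: it pulls recent high-risk reports that have no patch available, keeps only the vulnerability nodes, and refreshes each with its full report. The form name risk:vuln and the extended property :_intel471:uid are taken from the page's own intel471.vulns.get example; the risk level and patch status values are those listed in the options above.

```storm
// Last 30 days of high-risk vulnerability reports still lacking a patch.
intel471.vulns.search --yield --risklevel high --patchstatus unavailable --from "-30days"
// The search may yield other forms as well; keep only the vulnerability nodes.
| +risk:vuln
// Fetch the detailed report for each summary, using the uid the package recorded.
| intel471.vulns.get :_intel471:uid
```

Re-running the chain on a schedule keeps the detailed reports current for the subset a defender actually has to act on, without fetching detail for every summary the search returns.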
Storm Modules
This package does not export any Storm APIs.