Package Documentation
Storm Package: synapse-intel471
The following Commands are available from this package. This documentation is generated for version 0.7.0 of the package.
Storm Commands
This package implements the following Storm Commands.
intel471.breach.search
Search for breach alerts matching filter criteria.
At least one of --breachalert, --actor, or --victim must be specified
to perform the search.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Free text search for alerts
intel471.breach.search --breachalert Communications
// Search by victim and filter using a time range
intel471.breach.search --victim "BCN Telecom" --from "-30days"
Usage: intel471.breach.search [options]
Options:
--help : Display the command usage.
--breachalert <breachalert> : Free text search for breach alerts.
--actor <actor> : Search by actor or actor group names.
--victim <victim> : Search by victim name.
--confidence <confidence> : Specify a confidence level (high, medium, low).
--gir <gir> : Specify a General Intel Requirement.
--from <from> : Search for breach alerts created after a specified time.
--until <until> : Search for breach alerts created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for breach alerts updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for breach alerts updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--filterbygirset <filterbygirset>: Specify a GIR set ("my_girs" or "company_pirs").
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
intel471.forum.message.search
Search for forum private messages matching filter criteria.
At least one of --privatemessage, --privatemessagesubject, --actor, or
--forum must be specified to perform the search.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search text in private messages
intel471.forum.message.search --privatemessage hacked
// Search by forum and filter using a time range
intel471.forum.message.search --forum opensc.ws --from "-30days"
Usage: intel471.forum.message.search [options]
Options:
--help : Display the command usage.
--privatemessage <privatemessage>: Search text in private messages.
--privatemessagesubject <privatemessagesubject>: Search text in subjects of private messages.
--actor <actor> : Search messages authored or received by a given actor handle.
--forum <forum> : Search messages in a given forum.
--from <from> : Search for messages created after a specified time.
--until <until> : Search for messages created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for messages updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for messages updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
intel471.forum.post.search
Search for forum posts matching filter criteria.
At least one of --post, --postsbythreaduid, or --forum must be specified
to perform the search.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search text in posts and topics
intel471.forum.post.search --post hacked
// Search by forum and filter using a time range
intel471.forum.post.search --forum opensc.ws --from "-30days"
Usage: intel471.forum.post.search [options]
Options:
--help : Display the command usage.
--post <post> : Search text in posts and topics.
--postsbythreaduid <postsbythreaduid>: Search posts by thread uid.
--actor <actor> : Search posts authored by given actor handle.
--forum <forum> : Search posts in a given forum.
--from <from> : Search for posts created after a specified time.
--until <until> : Search for posts created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for posts updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for posts updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
intel471.girs.sync
Download and populate Intel471 GIR definitions.
Examples:
// Download and populate the GIR definitions.
intel471.girs.sync
Usage: intel471.girs.sync [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
intel471.global.search
Perform a global search for results matching filter criteria.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Currently this command will ingest results of the following types:
iocs - Indicator of Compromise
indicators - Malware Intelligence Indicators
cveReports - Vulnerability Reports
breachAlerts - Breach Alerts
posts - Forum Posts
privateMessages - Forum Private Messages
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search for malicious domains with specific text
intel471.global.search --yield (iocType, MaliciousDomain) (text, vertex)
Usage: intel471.global.search [options] <params>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
Arguments:
[<params> ...] : Query parameters as tuples of (param_name, value).
intel471.indicators.search
Search for malware indicators matching filter criteria.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search for an IP
intel471.indicators.search --indicator 188.130.163.218
// Filter using a time range
intel471.indicators.search --from "-30days" --until "-7days"
Usage: intel471.indicators.search [options]
Options:
--help : Display the command usage.
--indicator <indicator> : Free text search for indicators.
--indicatortype <indicatortype>: Specify an indicator type.
--threattype <threattype> : Specify a threat type.
--threatuid <threatuid> : Specify a threat uid.
--malwarefamily <malwarefamily>: Specify a malware family.
--malwarefamilyprofileuid <malwarefamilyprofileuid>: Specify a malware family profile uid.
--confidence <confidence> : Specify a confidence level (high, medium, low).
--gir <gir> : Specify a General Intel Requirement.
--filterbygirset <filterbygirset>: Specify a GIR set ("my_girs" or "company_pirs").
--from <from> : Search for IOCs created after a specified time.
--until <until> : Search for IOCs created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for IOCs updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for IOCs updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
intel471.iocs.search
Search for indicators of compromise matching filter criteria.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Valid IOC types:
MaliciousURL
MaliciousDomain
IpAddress
AutonomousSystem
MD5
SHA256
SHA1
FileType
FileSize
FileName
SSLCertificate
SSLCertificateID
SSLCertificateFingerprint
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search for an IP
intel471.iocs.search --yield 188.130.163.218
// Filter using a time range
intel471.iocs.search --from "-30days" --until "-7days" .com
Usage: intel471.iocs.search [options] <query>
Options:
--help : Display the command usage.
--ioctype <ioctype> : Specify an IOC type.
--from <from> : Search for IOCs created after a specified time.
--until <until> : Search for IOCs created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for IOCs updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for IOCs updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
Arguments:
<query> : The query string.
intel471.setup.apikey
Manage the Intel471 user email and API key.
Examples:
// Configure global Intel471 credentials
intel471.setup.apikey [email protected] abcd1234
// Configure Intel471 credentials for the current user
intel471.setup.apikey --self [email protected] abcd1234
// Display the scope of the current credentials
intel471.setup.apikey --show-scope
// Display the current credentials.
intel471.setup.apikey --show-apikey
// Remove the current global credentials.
intel471.setup.apikey --remove
// Remove the per-user credentials for the current user.
intel471.setup.apikey --self --remove
Usage: intel471.setup.apikey [options] <email> <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the credentials as a user variable. If not used, set them globally.
--show-scope : Display the credentials scope in use (global vs self).
--show-apikey : Display the credentials (requires admin perms or a "self" scope key).
--remove : Remove the configured credentials. May be used with --self.
Arguments:
[email] : Email address for authentication.
[apikey] : The API key string.
intel471.setup.tagprefix
Set the tag prefix used when recording Intel471 data as tags.
The default tag prefix is "rep.intel471" if not specified.
Any tags provided by the Intel471 API will be added within the given namespace.
For example, the item "foo" would result in "#rep.intel471.foo". Any
characters incompatible with tag names are replaced with "_".
Usage: intel471.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
intel471.vulns.get
Retrieve a vulnerability report by UID.
This command takes a vulnerability report UID as input and queries the Intel471
API to retrieve the report.
Examples:
// Retrieve a report by UID
intel471.vulns.get ce1c92f84040f1ad008b55665bfde326
// Use risk:vuln nodes to retrieve reports
risk:vuln:_intel471:uid | intel471.vulns.get :_intel471:uid
Usage: intel471.vulns.get [options] <uid>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
Arguments:
[uid] : The vulnerability report identifier to retrieve.
intel471.vulns.search
Search for vulnerability reports matching filter criteria.
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Note:
Intel471 queries return a maximum of 1100 items.
Examples:
// Search for a CVE
intel471.vulns.search --cvename "CVE-2015-6435"
// Filter using a time range
intel471.vulns.search --from "-30days" --until "-7days"
Usage: intel471.vulns.search [options]
Options:
--help : Display the command usage.
--cvereport <cvereport> : Free text search for CVE reports.
--cvetype <cvetype> : Specify a CVE type.
--cvestatus <cvestatus> : Specify a CVE status.
--cvename <cvename> : Specify a CVE name.
--risklevel <risklevel> : Specify a CVE risk level (high, medium, or low).
--patchstatus <patchstatus> : Specify a CVE patch status (available, some_available, or unavailable).
--vendorname <vendorname> : Specify a CVE vendor name.
--productname <productname> : Specify a CVE product name.
--gir <gir> : Specify a General Intel Requirement.
--filterbygirset <filterbygirset>: Specify a GIR set ("my_girs" or "company_pirs").
--from <from> : Search for CVEs created after a specified time.
--until <until> : Search for CVEs created before a specified time.
--lastupdatedfrom <lastupdatedfrom>: Search for CVEs updated after a specified time.
--lastupdateduntil <lastupdateduntil>: Search for CVEs updated before a specified time.
--sort <sort> : Specify sort order (relevance, earliest, or latest).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
Storm Modules
This package does not export any Storm APIs.