Package Documentation

Storm Package: synapse-intel471

The following Commands are available from this package. This documentation is generated for version 0.8.0 of the package.

Storm Commands

This package implements the following Storm Commands.

intel471.forum.post.search

Search for forum posts matching filter criteria.

At least one of --post, --postsbythreaduid, or --forum must be specified
to perform the search.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

Note:

  Intel471 queries return a maximum of 1100 items.

Examples:

  // Search text in posts and topics
  intel471.forum.post.search --post hacked

  // Search by forum and filter using a time range
  intel471.forum.post.search --forum opensc.ws --from "-30days"


Usage: intel471.forum.post.search [options]

Options:

  --help                      : Display the command usage.
  --post <post>               : Search text in posts and topics.
  --postsbythreaduid <postsbythreaduid>: Search posts by thread uid.
  --actor <actor>             : Search posts authored by given actor handle.
  --forum <forum>             : Search posts in a given forum.
  --from <from>               : Search for posts created after a specified time.
  --until <until>             : Search for posts created before a specified time.
  --lastupdatedfrom <lastupdatedfrom>: Search for posts updated after a specified time.
  --lastupdateduntil <lastupdateduntil>: Search for posts updated before a specified time.
  --sort <sort>               : Specify sort order (relevance, earliest, or latest).
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.
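
The provenance link this command records can be used to audit what a given search pulled in. The following Storm is an added illustration, not taken from the package's own documentation; it assumes only what is stated above (an it:exec:query node per search, joined to its results by -(found)> edges), and the search terms and size are constructed values.

```storm
// Run a bounded search; --size keeps ingestion well below the 1100-item API ceiling
// and --yield hands the newly created post nodes down the pipeline instead of the inbound nodes
intel471.forum.post.search --post hacked --from "-30days" --size 200 --yield

// From those posts, walk the (found) edge backwards to the it:exec:query record that produced them
<(found)- it:exec:query

// The reverse direction: start from the stored query records and list everything each one found
it:exec:query -(found)> *
```

Keeping the it:exec:query node lets an analyst later show exactly which search terms and time window produced a set of posts, which matters when the results feed tagging or reporting.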

intel471.girs.sync

Download and populate Intel471 GIR definitions.

Examples:

  // Download and populate the GIR definitions.
  intel471.girs.sync


Usage: intel471.girs.sync [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.

intel471.setup.apikey

Manage the Intel471 user email and API key.

Examples:

  // Configure global Intel471 credentials
  intel471.setup.apikey [email protected] abcd1234

  // Configure Intel471 credentials for the current user
  intel471.setup.apikey --self [email protected] abcd1234

  // Display the scope of the current credentials
  intel471.setup.apikey --show-scope

  // Display the current credentials.
  intel471.setup.apikey --show-apikey

  // Remove the current global credentials.
  intel471.setup.apikey --remove

  // Remove the per-user credentials for the current user.
  intel471.setup.apikey --self --remove


Usage: intel471.setup.apikey [options] <email> <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove the credentials as a user variable. If not used, set them globally.
  --show-scope                : Display the credentials scope in use (global vs self).
  --show-apikey               : Display the credentials (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured credentials. May be used with --self.

Arguments:

  [email]                     : Email address for authentication.
  [apikey]                    : The API key string.

intel471.setup.tagprefix

Set the tag prefix used when recording Intel471 data as tags.
The default tag prefix is "rep.intel471" if not specified.
Any tags provided by the Intel471 API will be added within the given namespace.
For example, the item "foo" would result in "#rep.intel471.foo". Any
characters incompatible with tag names are replaced with "_".


Usage: intel471.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

intel471.vulns.get

Retrieve a vulnerability report by UID.

This command takes a vulnerability report UID as input and queries the Intel471
API to retrieve the report.

Examples:

  // Retrieve a report by UID
  intel471.vulns.get ce1c92f84040f1ad008b55665bfde326

  // Use risk:vuln nodes to retrieve reports
  risk:vuln:_intel471:uid | intel471.vulns.get :_intel471:uid


Usage: intel471.vulns.get [options] <uid>

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.

Arguments:

  [uid]                       : The vulnerability report identifier to retrieve.

Storm Modules

This package does not export any Storm APIs.