User Guide

Synapse-Intel471 User Guide

Synapse-Intel471 adds new Storm commands to allow you to query the Intel471 API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> intel471.setup.apikey --self myemail myapikey
Setting Intel471 credentials for the current user.

Populate GIR definitions

Download GIR definitions to populate meta:rule nodes:

> intel471.girs.sync
WARNING: Intel471 API returned HTTP code: -1

> meta:rule | limit 3

Search for IOCs

Search for IOCs matching a filter criteria:

> intel471.iocs.search ".com" --from "2022-11-01" --until "2022-12-01" --yield --size 2
WARNING: Intel471 API returned HTTP code: -1

Search for Malware Indicators

Search for Indicators matching a filter criteria:

> intel471.indicators.search --from "2022-11-01" --until "2022-12-01" --yield --size 2
WARNING: Intel471 API returned HTTP code: -1

Search for Vulnerabilities

Search for Vulnerability Reports matching a filter criteria:

> intel471.vulns.search --vendorname microsoft --yield --size 2
WARNING: Intel471 API returned HTTP code: -1

Perform a Global Search

Specify a list of (param, value) tuples to perform a search for any entity types.

> intel471.global.search --yield --size 2 (iocType, MaliciousDomain) (text, ".net")
WARNING: Intel471 API returned HTTP code: -1

Use of `meta:source` nodes

Synapse-Intel471 uses a meta:source node and -(seen)> light weight edges to track nodes observed from the Intel471 API.

> meta:source=1af648f200c0e9238260040855b534e5
meta:source=1af648f200c0e9238260040855b534e5
        .created = 2025/12/04 01:10:21.623
        :name = intel471 api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Intel471. The following example shows how to filter the results of a query to include only results observed by Synapse-Intel471:

> inet:ipv4#my.tag +{ <(seen)- meta:source=1af648f200c0e9238260040855b534e5 }

Model Extensions

The following extended props are created by the Synapse-Intel471 Power-Up:

risk:vuln:_intel471:uid
    str - The Intel471 vulnerability report identifier.

media:news:_intel471:admiralty
    str - The Intel471 admiralty code.

media:news:_intel471:source:characterization
    str - The Intel471 source characterization.

risk:tool:software:_intel471:version
    str - The version of the tool reported by Intel471.

risk:tool:software:_intel471:variant
    str - The variant of the tool reported by Intel471.

risk:tool:software:_intel471:malware:family:uid
    str - The Intel471 malware family profile UID.

risk:compromise:_intel471:confidence
    int - The confidence level of a breach.