Synapse-Intel471 User Guide
Synapse-Intel471 adds new Storm commands to allow you to query the Intel471 API using your existing API key.
Getting Started
Check with your Synapse admin that the required permissions are enabled and find out whether you need a personal API key.
Examples
Setting your personal API key
To set up a personal API key:
> intel471.setup.apikey --self myemail myapikey
Setting Intel471 credentials for the current user.
Populate GIR definitions
Download GIR definitions to populate meta:rule nodes:
> intel471.girs.sync
WARNING: Intel471 API returned HTTP code: -1
> meta:rule | limit 3
Search for IOCs
Search for IOCs matching the given filter criteria:
> intel471.iocs.search ".com" --from "2022-11-01" --until "2022-12-01" --yield --size 2
WARNING: Intel471 API returned HTTP code: -1
Search for Malware Indicators
Search for malware indicators matching the given filter criteria:
> intel471.indicators.search --from "2022-11-01" --until "2022-12-01" --yield --size 2
WARNING: Intel471 API returned HTTP code: -1
Search for Vulnerabilities
Search for vulnerability reports matching the given filter criteria:
> intel471.vulns.search --vendorname microsoft --yield --size 2
WARNING: Intel471 API returned HTTP code: -1
Perform a Global Search
Specify a list of (param, value) tuples to search across all entity types:
> intel471.global.search --yield --size 2 (iocType, MaliciousDomain) (text, ".net")
WARNING: Intel471 API returned HTTP code: -1
Use of meta:source nodes
Synapse-Intel471 uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Intel471 API.
> meta:source=1af648f200c0e9238260040855b534e5
meta:source=1af648f200c0e9238260040855b534e5
.created = 2024/11/19 21:18:14.247
:name = intel471 api
Storm filters can be used to include or exclude nodes that have been observed by Synapse-Intel471. The following example filters the results of a query to keep only the nodes observed by Synapse-Intel471:
> inet:ipv4#my.tag +{ <(seen)- meta:source=1af648f200c0e9238260040855b534e5 }
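As an added example (not from the power-up's own docs), the three separate Storm queries below combine the search commands with the meta:source filter: the first tags the IOC nodes Intel471 returns for a date window, the second keeps only locally tracked hosts that Intel471 has also reported, and the third lists the tracked hosts it has not. The tags #my.tag, #triage.intel471.ioc and #triage.intel471.overlap are assumed names; the meta:source guid is the one shown above.

```storm
// Query 1: pull IOC nodes for a window and tag them for later triage.
// --yield emits the created/updated nodes so they can be edited inline.
intel471.iocs.search ".com" --from "2022-11-01" --until "2022-12-01" --yield --size 100
| [ +#triage.intel471.ioc ]

// Query 2: #my.tag (assumed) marks hosts seen in your own telemetry.
// Keep only those that also have a -(seen)> edge from the Intel471
// meta:source node, i.e. hosts Intel471 has reported, and tag the overlap.
inet:ipv4#my.tag
+{ <(seen)- meta:source=1af648f200c0e9238260040855b534e5 }
| [ +#triage.intel471.overlap ]

// Query 3: the inverse filter (-{ }) lists tracked hosts that Intel471
// has not reported, which is useful when checking coverage of a feed.
inet:ipv4#my.tag
-{ <(seen)- meta:source=1af648f200c0e9238260040855b534e5 }
```

Run each query on its own; chaining them in one Storm query would lift the second set of nodes into the same pipeline rather than filtering it.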