Synapse-Intel471 User Guide
Synapse-Intel471 adds new Storm commands to allow you to query the Intel471 API using your existing API key.
Getting Started
Check with your Admin to have the required permissions enabled and to find out whether you need a personal API key.
Examples
Setting your personal API key
To set up a personal API key:
> intel471.setup.apikey --self myemail myapikey
Setting Intel471 credentials for the current user.
Populate GIR definitions
Download GIR definitions to populate meta:rule nodes:
> intel471.girs.sync
> meta:rule | limit 3
meta:rule=033b5c51fbf94f1fecf3e1c4aecd1759
.created = 2026/04/10 20:08:37.526
:desc = Information-stealer (or info stealer) malware is designed to gather information from a system such as login credentials, keystrokes and screenshots of sensitive information.
:ext:id = 1.1.5
:name = information-stealer malware
meta:rule=039e2135c5a71925afc74a2f9667dea7
.created = 2026/04/10 20:08:38.023
:ext:id = 6.2.1.15
:name = djibouti
meta:rule=04a9693a20816c4460a135bba5d45c57
.created = 2026/04/10 20:08:37.984
:ext:id = 6.1.8.5
:name = cloud services industry
Search for IOCs
Search for IOCs matching filter criteria:
> intel471.iocs.search ".com" --from "2022-11-01" --until "2022-12-01" --yield --size 2
inet:fqdn=ldver09.com
.created = 2026/04/10 20:08:38.571
.seen = ('2022/11/14 14:23:08.000', '2022/11/14 14:23:08.001')
:domain = com
:host = ldver09
:issuffix = false
:iszone = true
:zone = ldver09.com
#rep.intel471.malicious
inet:fqdn=ldver263.com
.created = 2026/04/10 20:08:38.584
.seen = ('2022/11/14 14:23:08.000', '2022/11/14 14:23:08.001')
:domain = com
:host = ldver263
:issuffix = false
:iszone = true
:zone = ldver263.com
#rep.intel471.malicious
Search for Malware Indicators
Search for Indicators matching filter criteria:
> intel471.indicators.search --from "2022-11-01" --until "2022-12-01" --yield --size 2
inet:url=http://211.138.30.200:443
.created = 2026/04/10 20:08:38.623
.seen = ('2022/09/17 06:49:06.000', '2022/12/08 18:31:47.001')
:base = http://211.138.30.200:443
:ipv4 = 211.138.30.200
:params =
:path =
:port = 443
:proto = http
#rep.intel471.redline:intel471:confidence = medium
#rep.intel471.redline:intel471:expiration = 2023/01/07 18:31:47.000
inet:url=https://78.180.100.59:443
.created = 2026/04/10 20:08:38.634
.seen = ('2022/07/01 16:22:34.000', '2022/12/08 18:11:04.001')
:base = https://78.180.100.59:443
:ipv4 = 78.180.100.59
:params =
:path =
:port = 443
:proto = https
#rep.intel471.qbot:intel471:confidence = medium
#rep.intel471.qbot:intel471:expiration = 2023/01/07 18:11:04.000
Search for Vulnerabilities
Search for Vulnerability Reports matching filter criteria:
> intel471.vulns.search --vendorname microsoft --yield --size 2
risk:vuln=1151f2b87452247da5ba11c684d7c52d
.created = 2026/04/10 20:08:38.680
.seen = ('2023/02/13 09:16:57.000', '2023/02/13 09:16:57.001')
:_intel471:uid = ce1c92f84040f1ad008b55665bfde326
:cve = cve-2021-28312
:cvss:v2_0:score = 4.3
:cvss:v3_0:score = 6.5
:desc = CVE-2021-28312 is an unspecified vulnerability impacting multiple products and versions of Microsoft Windows. A proof of concept (PoC) was not observed publicly or in the underground.
:exploited = false
:mitigated = true
:reporter = 0847739e5e2f2ecd1c57961af850fc6e
:reporter:name = intel471
:severity = low
risk:vuln=55924023b0830b548766f2970bdca691
.created = 2026/04/10 20:08:38.802
.seen = ('2022/05/31 06:42:19.000', '2022/05/31 06:42:19.001')
:_intel471:uid = 569ec70b8c51b7983f98b04f6559ead5
:cve = cve-2022-30190
:cvss:v2_0:score = 9.3
:cvss:v3_0:score = 7.8
:desc = CVE-2022-30190 aka Follina is an arbitrary code execution vulnerability impacting multiple products and versions of Microsoft Windows. A Metasploit module, a proof of concept (PoC) and an exploit generator tool was observed in open source and subsequently shared in the underground. Further, a walk-through demo of a PoC was shared via Twitter and YouTube. Additionally, Microsoft claimed to be aware of the vulnerability being actively exploited in the wild.
:exploited = true
:mitigated = true
:reporter = 0847739e5e2f2ecd1c57961af850fc6e
:reporter:name = intel471
:severity = high
:type = arbitrary_code_execution
Perform a Global Search
Specify a list of (param, value) tuples to run a search across all entity types.
> intel471.global.search --yield --size 2 (iocType, MaliciousDomain) (text, ".net")
inet:fqdn=herseyvatanicin2023.net
.created = 2026/04/10 20:08:38.974
.seen = ('2020/09/04 10:42:18.000', '2020/09/04 10:42:18.001')
:domain = net
:host = herseyvatanicin2023
:issuffix = false
:iszone = true
:zone = herseyvatanicin2023.net
#rep.intel471.malicious
inet:fqdn=bingoroll3.net
.created = 2026/04/10 20:08:38.985
.seen = ('2021/04/20 16:16:29.000', '2021/04/20 16:16:29.001')
:domain = net
:host = bingoroll3
:issuffix = false
:iszone = true
:zone = bingoroll3.net
#rep.intel471.malicious
Search for Credentials
Search for credentials matching filter criteria:
> intel471.credential.search --yield --domain "example.com" --size 2
risk:leak=10973136a1f005e4f83c1bcb0fffdda4
.created = 2026/04/10 20:08:39.024
.seen = ('2023/11/13 18:26:40.000', '2023/11/13 18:26:40.001')
:disclosed = 2023/11/12 14:40:00.000
:name = synthetic log collection
:reporter = 0847739e5e2f2ecd1c57961af850fc6e
:reporter:name = intel471
Search for Instant Messages
Search for instant messages matching filter criteria:
> intel471.message.search --yield --message "credit card" --size 2
inet:service:message=d5df6eae51069575d460ac00d687360a
.created = 2026/04/10 20:08:39.099
.seen = ('2023/11/13 18:26:40.000', '2023/11/13 18:26:40.001')
:account = 0baaff479a1ccdb8f089d3e26b0d0fb7
:channel = 01d31ffff8c371f7683fc87d0d7d794a
:platform = e1f45e580ac26d7da15f9d4291567ff2
:text = Looking to buy credit card data, DM for details.
:time = 2023/11/13 18:26:40.000
inet:service:message=da6547adabbe396cfe8ad150d55c01c2
.created = 2026/04/10 20:08:39.119
.seen = ('2023/11/13 18:26:40.100', '2023/11/13 18:26:40.101')
:account = 1b8746b9f4120416bae75a143bac744c
:channel = ff14acd46d22882a0b9daf145b80a6d1
:platform = e1f45e580ac26d7da15f9d4291567ff2
:text = Selling credit card info in bulk, contact via DM.
:time = 2023/11/13 18:26:40.100
Use of meta:source nodes
Synapse-Intel471 uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Intel471 API.
> meta:source=1af648f200c0e9238260040855b534e5
meta:source=1af648f200c0e9238260040855b534e5
.created = 2026/04/10 20:08:37.491
:name = intel471 api
Storm can be used to filter results to include or exclude nodes that have been observed by Synapse-Intel471. The following example shows how to filter the results of a query to include only nodes observed by Synapse-Intel471:
> inet:ipv4#my.tag +{ <(seen)- meta:source=1af648f200c0e9238260040855b534e5 }
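The filter above has a mirror image that excludes Intel471-observed nodes, and the same edges can be walked forward from the source. The queries below are an added example, not part of the Synapse-Intel471 documentation; each stanza is a separate Storm query, the meta:source guid is the one shown above, and the final pivot assumes the relevant inet:dns:a records already exist in the Cortex.

```storm
// Walk the -(seen)> light edges forward from the Intel471 meta:source
// to every FQDN it has observed, and count them.
meta:source=1af648f200c0e9238260040855b534e5 -(seen)> inet:fqdn | count

// Include-only filter: IPv4 nodes tagged my.tag that Intel471 has seen.
// Matching the source by :name inside the subquery avoids hard-coding
// the guid in every query.
inet:ipv4#my.tag +{ <(seen)- meta:source +:name="intel471 api" }

// Exclude filter: the same tagged IPv4 nodes that Intel471 has NOT seen,
// which tells an analyst which indicators rest on other sources alone.
inet:ipv4#my.tag -{ <(seen)- meta:source +:name="intel471 api" }

// Chain a search command into a pivot: yield the FQDN IOCs, keep those
// Intel471 marks malicious, then pivot through DNS A records to the
// IPv4 addresses they resolved to (assumes those records exist locally).
intel471.iocs.search ".com" --from "2022-11-01" --until "2022-12-01" --yield
| +#rep.intel471.malicious
| -> inet:dns:a -> inet:ipv4
```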
Model Extensions
The following extended props are created by the Synapse-Intel471 Power-Up:
risk:vuln:_intel471:uid
str - The Intel471 vulnerability report identifier.
media:news:_intel471:admiralty
str - The Intel471 admiralty code.
media:news:_intel471:source:characterization
str - The Intel471 source characterization.
risk:tool:software:_intel471:version
str - The version of the tool reported by Intel471.
risk:tool:software:_intel471:variant
str - The variant of the tool reported by Intel471.
risk:tool:software:_intel471:malware:family:uid
str - The Intel471 malware family profile UID.
risk:compromise:_intel471:confidence
int - The confidence level of a breach.
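The extended props can be used in lifts and filters like any other secondary property. The queries below are an added example, not from the Synapse-Intel471 documentation; the :_intel471:uid value is the Follina report identifier shown earlier, the 7.0 score threshold is an arbitrary choice, and the admiralty stanza assumes the standard letter-plus-digit code form (e.g. A1).

```storm
// Intel471 vulnerability reports seen exploited in the wild with a CVSS v3
// base score of at least 7.0, pivoted to the CVE nodes they describe.
risk:vuln:reporter:name=intel471
| +:exploited=true +:cvss:v3_0:score>=7.0
| -> it:sec:cve

// Lift one report directly by its Intel471 identifier (extended prop
// risk:vuln:_intel471:uid; value taken from the Follina example above).
risk:vuln:_intel471:uid=569ec70b8c51b7983f98b04f6559ead5

// Tool nodes that Intel471 tied to a malware family profile and a named
// variant, pivoted to the underlying software nodes.
risk:tool:software +:_intel471:malware:family:uid +:_intel471:variant
| -> it:prod:soft

// News items carrying an Intel471 admiralty code, restricted to sources
// rated "A" (assumption: codes use the standard letter-plus-digit form).
media:news:_intel471:admiralty^=A
```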