Package Documentation
Storm Package: synapse-intezer-analyze
The following Commands are available from this package. This documentation is generated for version 1.5.0 of the package.
Storm Commands
This package implements the following Storm Commands.
intezer.analyze.enrich
Query Intezer Analyze for the latest available analysis results for a file.
Examples:
// Query using a hash:sha256 node and yield the results
hash:sha256#myhash | intezer.analyze.enrich --yield
// Include sub-analysis results
file:bytes#myfile | intezer.analyze.enrich --sub-analyses
// Include dynamic execution results
file:bytes#myfile | intezer.analyze.enrich --dynamic
Usage: intezer.analyze.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--asof <asof> : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
--sub-analyses : Query and ingest results of sub-analyses.
--dynamic : Ingest results of dynamic execution.
intezer.analyze.info
Get information about the Intezer Analyze API key in use.
This command queries the /current-quota-usage endpoint to get information
about the permissions and current quota status for the Intezer Analyze API key in use.
Usage: intezer.analyze.info [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
intezer.analyze.malwarefamily
Query Intezer for additional information about a malware family.
The malware family can be specified using either the ``--name`` argument to
search by family name, or by using an inbound ``risk:tool:software`` node which
was created by this power-up.
Examples:
// Get additional info about a malware family
risk:tool:software:soft:name=Turla | intezer.analyze.malwarefamily
intezer.analyze.malwarefamily --name Turla
Usage: intezer.analyze.malwarefamily [options]
Options:
--help : Display the command usage.
--name <name> : Name of the malware family to get information about.
--debug : Show verbose debug output.
--asof <asof> : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
intezer.analyze.setup.apikey
Manage the Intezer-Analyze API key.
Examples:
// Set a global Intezer-Analyze API key
intezer.analyze.setup.apikey abcd1234
// Set an Intezer-Analyze API key for the current user
intezer.analyze.setup.apikey --self abcd1234
// Display the API key scope of the current key
intezer.analyze.setup.apikey --show-scope
// Display the current API key.
intezer.analyze.setup.apikey --show-apikey
// Remove the current global API key.
intezer.analyze.setup.apikey --remove
// Remove the per-user API key for the current user.
intezer.analyze.setup.apikey --self --remove
Usage: intezer.analyze.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The API key string.
intezer.analyze.setup.tagprefix
Set the tag prefix used when recording Intezer-Analyze tags.
The default tag prefix is "rep.intezer.analyze" if not specified.
Any tags provided by the Intezer-Analyze API will be added within the given namespace.
For example, the tag "malicious" would result in "#rep.intezer.analyze.malicious". Any
characters incompatible with tag names are replaced with "_".
Usage: intezer.analyze.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
intezer.analyze.submit
Submit a file to Intezer Analyze for analysis.
Examples:
// Submit a file by hash:sha256 and yield the results
hash:sha256#myhash | intezer.analyze.submit --yield
// Include sub-analysis results
file:bytes#myfile | intezer.analyze.submit --sub-analyses
// Provide a password to extract a zip file for analysis
file:bytes#myfile | intezer.analyze.submit --zip-password foobar
Usage: intezer.analyze.submit [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
--asof <asof> : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
--zip-password <zip_password> : Provide a password for extraction of a zip file submission.
--sub-analyses : Query and ingest results of sub-analyses.
--dynamic : Ingest results of dynamic execution.
intezer.analyze.submit.byhash
Submit the hash of a file to Intezer Analyze for analysis.
Examples:
// Submit a file by hash:sha256 and yield the results
hash:sha256#myhash | intezer.analyze.submit.byhash --yield
// Include sub-analysis results
file:bytes#myfile | intezer.analyze.submit.byhash --sub-analyses
Usage: intezer.analyze.submit.byhash [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
--asof <asof> : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
--sub-analyses : Query and ingest results of sub-analyses.
--dynamic : Ingest results of dynamic execution.
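The following is an added end-to-end example, not part of the generated package documentation, that chains the commands above into one analyst workflow: per-user key setup, an explicit tag prefix, a submission, a cache-bypassing enrichment, and a lift on the resulting verdict tag. The ``myfile`` tag, the placeholder API key value, and the ``malicious`` verdict tag under the default prefix are illustrative assumptions; each line is run as its own Storm query.

```storm
// Added example; not from the package documentation. Tags and the key are placeholders.

// One-time: store the API key in per-user scope (--self) rather than the
// global scope shared by every user of the Cortex.
intezer.analyze.setup.apikey --self REPLACE_WITH_YOUR_API_KEY

// Pin the namespace for Intezer-derived tags (this is also the default).
intezer.analyze.setup.tagprefix rep.intezer.analyze

// Submit the tagged sample(s) and yield the nodes the power-up creates,
// including sub-analysis results for extracted or embedded files.
file:bytes#myfile | intezer.analyze.submit --yield --sub-analyses

// Re-query later, forcing a fresh lookup instead of the 30-day cached result
// and pulling in dynamic execution results.
file:bytes#myfile | intezer.analyze.enrich --asof now --dynamic

// Lift files carrying the "malicious" verdict tag under the configured prefix
// (the API tag "malicious" lands at #rep.intezer.analyze.malicious).
file:bytes#rep.intezer.analyze.malicious
```

Because cached results are reused for 30 days by default, the ``--asof now`` pass is the step that actually re-queries Intezer; omit it when the cached verdict is recent enough for the investigation.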
Storm Modules
This package does not export any Storm APIs.