Synapse-Intezer-Analyze User Guide

Synapse-Intezer-Analyze adds new Storm commands to allow you to query the Intezer-Analyze API using your existing API key.

Getting Started

Check with your Synapse admin to enable the required permissions and to find out whether you need a personal Intezer-Analyze API key.

Examples

Setting your personal API key

To set up a personal API key for your own user:

> intezer.analyze.setup.apikey --self myapikey
Setting Intezer-Analyze API key for the current user.

Query for an existing analysis

Query using a hash:sha256 node:

> [ hash:sha256=21c97688730d666e13f8b52aeec94371b7996cef7afcd2dd80d0ea1b76b5f3ec ] | intezer.analyze.enrich --yield
WARNING: Error getting Intezer Analyze API token: HTTP code -1

Include sub-analysis results:

> [ hash:sha256=01fe11c86a69bca1d91f1d6f3aa776bd7871c57973e6f98915f60dd514ddd913 ] | intezer.analyze.enrich --yield --sub-analyses
WARNING: Error getting Intezer Analyze API token: HTTP code 400

Get files which share code

> [ file:bytes=37d298ab9d815c7ec02ac0a304e114ddf1b27593f522dd881de094ab753ef33a ] | intezer.analyze.relatedfiles --yield
WARNING: Error getting Intezer Analyze API token: HTTP code -1

Get additional information about a malware family

> intezer.analyze.malwarefamily --name turla
WARNING: Error getting Intezer Analyze API token: HTTP code -1

Display information about the API key in use

> intezer.analyze.info
WARNING: Error getting Intezer Analyze API token: HTTP code -1

Use of meta:source nodes

Synapse-Intezer-Analyze uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Intezer-Analyze API.

> meta:source=a9d556da6effb68642c7e353655d7da4
meta:source=a9d556da6effb68642c7e353655d7da4
        .created = 2024/04/25 15:18:05.774
        :name = intezer-analyze api

Storm can be used to filter query results to include or exclude nodes that have been observed by Synapse-Intezer-Analyze. The following example shows how to filter the results of a query to include only nodes observed by Synapse-Intezer-Analyze:

> it:prod:softver +{ <(seen)- meta:source=a9d556da6effb68642c7e353655d7da4 } | limit 3
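The same edge can be walked in both directions and the subquery filter can be negated. The following Storm is an added example, not part of the original guide or the Power-Up's own documentation; it assumes only the :name value shown on the meta:source node above and uses a secondary-property lift on it so the guid does not have to be hard-coded:

```storm
// Added example (not from the original page). Lift the Intezer-Analyze
// meta:source node by its :name instead of its guid, walk the outbound
// -(seen)> edges to every node it has observed, and tally them.
meta:source:name="intezer-analyze api" -(seen)> * | uniq | count

// Exclude nodes observed by Synapse-Intezer-Analyze: the -{ ... } subquery
// filter drops any it:prod:softver node that has an inbound (seen) edge
// from the Intezer-Analyze meta:source node.
it:prod:softver -{ <(seen)- meta:source:name="intezer-analyze api" } | limit 3
```

The first query is a quick way to audit how much of your graph was populated by this Power-Up; the second is the complement of the include filter shown above and is useful when you want to review only nodes that came from other sources.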