Package Documentation
Storm Package: synapse-netcraft
The following Commands are available from this package. This documentation is generated for version 0.1.0 of the package.
Storm Commands
This package implements the following Storm Commands.
netcraft.config.add
Add a Synapse-Netcraft configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Add a global configuration
netcraft.config.add global_config apikey1234
// Add a configuration for the current user
netcraft.config.add --scope self my_config apikey5678
Usage: netcraft.config.add [options] <name> <apikey>
Options:
--help : Display the command usage.
--ssl-noverify : Do not perform SSL/TLS verification.
--proxy <proxy> : Configure the proxy usage. (default: True)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Netcraft. (default: rep.netcraft)
--scope <scope> : Set the scope on the configuration. (default: global, choices: global, self, unscoped)
Arguments:
<name> : A unique name for the configuration.
<apikey> : The API key string.
netcraft.config.del
Delete a Synapse-Netcraft configuration.
Examples:
// Delete the "fooconfig" configuration
netcraft.config.del fooconfig
Usage: netcraft.config.del [options] <name>
Options:
--help : Display the command usage.
Arguments:
<name> : The name of the configuration.
netcraft.config.list
Display the list of Synapse-Netcraft configurations you have access to.
Usage: netcraft.config.list [options]
Options:
--help : Display the command usage.
netcraft.config.migrate
Migrate options for all Synapse-Netcraft configurations.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Migrate the tag prefix for all configurations
netcraft.config.migrate --tag-prefix my.tagpref
Usage: netcraft.config.migrate [options]
Options:
--help : Display the command usage.
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Netcraft. (default: None)
netcraft.config.show
Show the details of a configuration.
Examples:
// Show the in-use configuration for the current user
netcraft.config.show
// Show a configuration by name
netcraft.config.show myconfig
Usage: netcraft.config.show [options] <name>
Options:
--help : Display the command usage.
Arguments:
[name] : The name of the configuration.
netcraft.config.update
Update the configuration of a defined Synapse-Netcraft configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Set the permission level for user "myuser" to "admin" on the "fooconfig"
// configuration
netcraft.config.update fooconfig --perm user myuser admin
// Set the permission level for the "all" role to "deny" on the
// "fooconfig" configuration
netcraft.config.update fooconfig --perm role all deny
// Do not verify the SSL certificate when connecting to "fooconfig"
netcraft.config.update fooconfig --ssl-verify (false)
// Change the name of the "fooconfig" configuration to "barconfig"
netcraft.config.update fooconfig --name barconfig
Usage: netcraft.config.update [options] <config>
Options:
--help : Display the command usage.
--apikey <apikey> : The API key string. (default: None)
--perm <perm> : Set the permission level for a user or role on this configuration.
Arguments to this option are ``scope``, ``name``, ``level``:
<scope>: The scope for the permission, either "user" or "role".
<name>: The user/role name depending on scope.
<level>: The $lib.auth.easyperm.level, or None to remove the permission.
(default: None)
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Netcraft. (default: None)
--name <name> : Rename the configuration. (default: None)
Arguments:
<config> : The name of the configuration to modify.
netcraft.takedown.attack.get
Ingest a single takedown attack by ID.
Examples:
// Ingest Takedown ID #74506974
netcraft.takedown.attack.get 74506974
// Ingest Takedown ID #74506974 and yield the risk:alert node
netcraft.takedown.attack.get 74506974 --yield
// Ingest the takedown for the inbound risk:alert node (ext:id 74506974) using the "myconfig" configuration
risk:alert:ext:id=74506974 | netcraft.takedown.attack.get --config myconfig
Usage: netcraft.takedown.attack.get [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
--id <id> : The takedown ID to retrieve.
--no-relationships : Do not ingest takedown relationships.
netcraft.takedown.attack.submit
Report a new attack in the Takedown service.
NOTE: If you have access to more than one Netcraft region, the ``--region``
parameter is required when submitting a new takedown.
Examples:
// Submit the URL https://malicious.com to the takedown service
inet:url=https://malicious.com | netcraft.takedown.attack.submit "malicious URL"
// Submit the URL https://malicious.com to the takedown service in the "west" region
inet:url=https://malicious.com | netcraft.takedown.attack.submit "malicious URL" --region west
Usage: netcraft.takedown.attack.submit [options] <comment>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
--type <type> : The type of attack being reported. (default: phishing_url)
--region <region> : The name of the region to create a takedown under.
Arguments:
<comment> : The reason for your report, such as a description of the attack.
netcraft.takedown.attack.update
Update one or more fields related to a takedown.
This command takes one or more inbound risk:alert nodes and updates the
specified fields on the Netcraft Takedown service. Confirmed updates are
applied to the node.
Examples:
// Update the description of a specified takedown
risk:alert=12345 | netcraft.takedown.attack.update --desc "my new description"
// Update the label of a specified takedown and yield the updated node
risk:alert=12345 | netcraft.takedown.attack.update --label "my new label" --yield
// Update the tags of a specified takedown
risk:alert=12345 | netcraft.takedown.attack.update --tags-add (["nc_tag00", "nc_tag01"])
Usage: netcraft.takedown.attack.update [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
--desc <desc> : Update the takedown description.
--label <label> : Update the takedown label.
--tags-add <tags_add> : One or more tags to add to the takedown group.
--tags-rem <tags_rem> : One or more tags to remove from a takedown group.
netcraft.takedown.attacks.feed
Ingest existing takedowns as a feed.
The --since-last option can be used to retrieve new results since the last run of
the command. When using --since-last, the time of the query execution will be
stored in the :offset property of an associated it:exec:query node. This means
the offset will be tracked per-view and may be overwritten if the same query is
run in multiple forks and subsequently merged.
If --since-last is not used and instead --reported-after and/or --reported-before is used,
reports from the specified time range will be ingested, and the :offset property of the
associated it:exec:query node will not be updated.
When using --since-last, the --reported-after and --reported-before options are ignored.
Examples:
// Ingest the takedowns for Feb 12, 2024 to Feb 14, 2024
netcraft.takedown.attacks.feed --reported-after 2024-02-12 --reported-before 2024-02-14
// Ingest all takedowns reported in the last four days and yield the results
netcraft.takedown.attacks.feed --reported-after "-4days" --yield
// Use the stored value on the it:exec:query node to retrieve new takedowns, and print any debug output
netcraft.takedown.attacks.feed --since-last --debug
// Create a cron job to ingest new takedowns every day
cron.add --name netcraft.takedown.attacks.feed --hour 3 { netcraft.takedown.attacks.feed --since-last }
Usage: netcraft.takedown.attacks.feed [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
--group-id <group_id> : Filter to all takedowns that share a group with the given takedown. You can specify the ID for any takedown within the group, as well as the group ID.
--reported-after <reported_after>: Filter to takedowns that were submitted on or after the date/time provided. (default: -1day)
--reported-before <reported_before>: Filter to takedowns that were submitted on or before the date/time provided. (default: now)
--auth-given <auth_given> : Filter based on whether a takedown has been authorised. (choices: True, yes:customer, yes:netcraft, False)
--status <status> : Filter to takedowns that are currently in the given status. Multiple values may be provided as a list.
--type <type> : Filter to takedowns of the given attack type. Multiple values may be provided as a list.
--region <region> : Filter to takedowns residing under the given region. If the provided region is invalid then takedowns from all accessible regions will be shown.
--since-last : Retrieve results since the last run of the command with --since-last specified.
--no-relationships : Do not ingest takedown relationships.
netcraft.takedown.attacks.search
Search existing takedowns.
The arguments for this command are applied as filters to the search. Specifying several
different filters at once may result in fewer matches (or none) than expected.
Examples:
// Search takedowns reported in the last seven days
netcraft.takedown.attacks.search --reported-after -7days
// Search takedowns reported in March 2025
netcraft.takedown.attacks.search --reported-after 20250301 --reported-before 20250401
// Search takedowns with url or email types
netcraft.takedown.attacks.search --type (["url", "email"])
Usage: netcraft.takedown.attacks.search [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
--group-id <group_id> : Filter to all takedowns that share a group with the given takedown. You can specify the ID for any takedown within the group, as well as the group ID.
--reported-after <reported_after>: Filter to takedowns that were submitted on or after the date/time provided. (default: -365days)
--reported-before <reported_before>: Filter to takedowns that were submitted on or before the date/time provided. (default: now)
--auth-given <auth_given> : Filter based on whether a takedown has been authorised. (choices: True, yes:customer, yes:netcraft, False)
--status <status> : Filter to takedowns that are currently in the given status. Multiple values may be provided as a list.
--type <type> : Filter to takedowns of the given attack type. Multiple values may be provided as a list.
--region <region> : Filter to takedowns residing under the given region. If the provided region is invalid then takedowns from all accessible regions will be shown.
--no-relationships : Do not ingest takedown relationships.
netcraft.takedown.evidence.submit
Upload supporting evidence to a takedown.
This command submits the inbound file:bytes node as evidence to the specified takedown.
NOTE: The evidence will be uploaded to Netcraft from the Axon, not the Cortex. This means
the Axon must have access to the Netcraft API URL.
Examples:
// Submit the file as evidence to takedown ID 12345
file:bytes:sha256=$sha256 | netcraft.takedown.evidence.submit 12345
// Submit the file as evidence to takedown ID 12345 and label it as malicious
file:bytes:sha256=$sha256 | netcraft.takedown.evidence.submit 12345 --label malicious
Usage: netcraft.takedown.evidence.submit [options] <id>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
--label <label> : A brief description for the evidence file.
Arguments:
<id> : The takedown ID to submit evidence to.
Storm Modules
This package does not export any Storm APIs.