Package Documentation

Storm Package: synapse-pwc-threatintel

The following Commands are available from this package. This documentation is generated for version 0.3.1 of the package.

Storm Commands

This package implements the following Storm Commands.

pwc.threatintel.enrich

Enrich a node with additional information from PwC.

This command accepts inet:fqdn, inet:ipv4, hash:md5, hash:sha1, and
hash:sha256 nodes as input and queries the PwC API to pull related
information. Partially populated media:news nodes created by other pwc.threatintel
commands may also be enriched to pull the full report data.

Examples:

  // Enrich an inet:ipv4 node
  inet:ipv4=163.197.34.221 | pwc.threatintel.enrich

  // Enrich a hash:md5 node, bypassing caching
  hash:md5=768f322a93dffd0d979b9c3614e6181e | pwc.threatintel.enrich --asof now


Usage: pwc.threatintel.enrich [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
  --download-pdf              : When enriching a media:news node for a PwC report, download the PDF for the report as well.

pwc.threatintel.ioc.feed

Ingest IOCs from the PwC indicator feeds.

The --since-last option can be used to set up a cron job that will automatically advance
the min-time using a globally stored value. Only a single cron job using --since-last
should be implemented, so that results remain contiguous in the view in which it runs.

The first time --since-last is used, the --min-time argument defines the starting point;
on subsequent runs both --min-time and --max-time are ignored.

Examples:

  // Use the globally stored value to retrieve new results
  pwc.threatintel.ioc.feed --since-last

  // Create a cron job to ingest new results every day
  cron.add --name "PwC IOC Feed" --hour 3 { pwc.threatintel.ioc.feed --since-last }


Usage: pwc.threatintel.ioc.feed [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : This argument is deprecated and no longer has any effect.
  --min-time <min_time>       : Specify the minimum time to limit feed results. (default: -24hours)
  --max-time <max_time>       : Specify the maximum time to limit feed results. (default: now)
  --since-last                : Retrieve results since the last run of the command with --since-last specified.

pwc.threatintel.report.feed

Ingest reports from the PwC report feed.

YARA rules for reports will also be downloaded and parsed by Synapse-FileParser (if available).

The --since-last option can be used to set up a cron job that will automatically advance
the min-time using a globally stored value. Only a single cron job using --since-last
should be implemented, so that results remain contiguous in the view in which it runs.

The first time --since-last is used, the --min-time argument defines the starting point;
on subsequent runs both --min-time and --max-time are ignored.

Examples:

  // Use the globally stored value to retrieve new results
  pwc.threatintel.report.feed --since-last

  // Create a cron job to ingest new results every day
  cron.add --name "PwC Report Feed" --hour 3 { pwc.threatintel.report.feed --since-last }


Usage: pwc.threatintel.report.feed [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : This argument is deprecated and no longer has any effect.
  --min-time <min_time>       : Specify the minimum time to limit feed results. (default: -24hours)
  --max-time <max_time>       : Specify the maximum time to limit feed results. (default: now)
  --since-last                : Retrieve results since the last run of the command with --since-last specified.
  --download-pdf              : Additionally download PDF versions of ingested reports.

pwc.threatintel.setup.apikey

Manage the PwC Threat Intel client id and secret.

Examples:

  // Set a global PwC Threat Intel client id and secret
  pwc.threatintel.setup.apikey client_id client_secret

  // Set a PwC Threat Intel client id and secret for the current user
  pwc.threatintel.setup.apikey --self client_id client_secret

  // Display the scope of the current client id and secret
  pwc.threatintel.setup.apikey --show-scope

  // Display the current client id and secret.
  pwc.threatintel.setup.apikey --show-apikey

  // Remove the current global client id and secret.
  pwc.threatintel.setup.apikey --remove

  // Remove the per-user client id and secret for the current user.
  pwc.threatintel.setup.apikey --self --remove


Usage: pwc.threatintel.setup.apikey [options] <clientid> <clientsecret>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove as user variables. If not used, set globally.
  --show-scope                : Display the scope of the client id and secret in use (global vs self).
  --show-apikey               : Display the client id and secret value (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured client id and secret. May be used with --self.

Arguments:

  [clientid]                  : The client id string.
  [clientsecret]              : The client secret string.

pwc.threatintel.setup.tagprefix

Set the tag prefix used when recording PwC Threat Intel tags.
The default tag prefix is "rep.pwc" if not specified.

Any tags provided by the PwC Threat Intel API will be added within the given namespace.
For example, the tag "Espionage" would result in "#rep.pwc.espionage". Any
characters incompatible with tag names are replaced with "_".
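To make the mapping concrete, here is an added Python model of the normalization described above; it is not code from the package. The character set treated as tag-compatible ([a-z0-9_]), the treatment of "." inside an API tag, and the helper names are assumptions.

```python
import re

# Assumed (not stated in the package docs): a valid Synapse tag is dot-separated
# segments of lowercase letters, digits and underscores, written without "#".
TAG_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")
LEAF_CHAR_RE = re.compile(r"[a-z0-9_]")

DEFAULT_PREFIX = "rep.pwc"  # documented default for pwc.threatintel.setup.tagprefix


def is_valid_tag(tag: str) -> bool:
    """True if ``tag`` matches the assumed Synapse tag grammar in TAG_RE."""
    return TAG_RE.fullmatch(tag) is not None


def normalize_pwc_tag(api_tag: str, prefix: str = DEFAULT_PREFIX) -> str:
    """Model the documented behaviour: lowercase the API tag, replace every
    character incompatible with a tag name by "_", and nest it under ``prefix``.

    Follows the doc's "Espionage" -> "#rep.pwc.espionage" example. A "." in the
    API tag is treated as incompatible so one API tag maps to one leaf (assumption).
    """
    prefix = prefix.lstrip("#")
    if not is_valid_tag(prefix):
        raise ValueError(f"invalid tag prefix: {prefix!r}")
    leaf = "".join(c if LEAF_CHAR_RE.fullmatch(c) else "_" for c in api_tag.lower())
    if not leaf:
        raise ValueError("empty tag name received from API")
    return f"{prefix}.{leaf}"


def storm_lift_query(prefix: str = DEFAULT_PREFIX) -> str:
    """Storm lift that matches every node tagged under the PwC namespace."""
    return f"#{prefix.lstrip('#')}.*"


if __name__ == "__main__":
    # Constructed sample API tags, not real PwC feed data.
    for name in ("Espionage", "Initial Access", "APT-28", "Fin.Crime"):
        print(f"{name!r} -> #{normalize_pwc_tag(name)}")
    print("lift:", storm_lift_query())
```

Predicting the tag names this way is useful when writing Storm filters or triggers against the PwC namespace before the feed has populated it.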


Usage: pwc.threatintel.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

Storm Modules

This package does not export any Storm APIs.