Package Documentation
Storm Package: synapse-pwc-threatintel
The following Commands are available from this package. This documentation is generated for version 0.3.3 of the package.
Storm Commands
This package implements the following Storm Commands.
pwc.threatintel.enrich
Enrich a node with additional information from PwC.
This command accepts inet:fqdn, inet:ipv4, hash:md5, hash:sha1, and hash:sha256 nodes as input and queries the PwC API to pull related information. Partially populated media:news nodes created by other pwc.threatintel commands may also be enriched to pull the full report data.
Examples:
// Enrich an inet:ipv4 node
inet:ipv4=163.197.34.221 | pwc.threatintel.enrich
// Enrich a hash:md5 node, bypassing caching
hash:md5=768f322a93dffd0d979b9c3614e6181e | pwc.threatintel.enrich --asof now
Usage: pwc.threatintel.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--asof <asof> : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
--download-pdf : When enriching a media:news node for a PwC report, download the PDF for the report as well.
pwc.threatintel.ioc.feed
Ingest IOCs from the PwC indicator feeds.
The --since-last option can be used to set up a cron job that automatically advances the minimum time from a globally stored value. Only a single cron job using --since-last should be created, so that results are contiguous in the view it runs in. The first time --since-last is used, --min-time defines the starting point; on subsequent runs both --min-time and --max-time are ignored.
Examples:
// Use the globally stored value to retrieve new results
pwc.threatintel.ioc.feed --since-last
// Create a cron job to ingest new results every day
cron.add --name "PwC IOC Feed" --hour 3 { pwc.threatintel.ioc.feed --since-last }
Usage: pwc.threatintel.ioc.feed [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--asof <asof> : This argument is deprecated and no longer has any effect.
--min-time <min_time> : Specify the minimum time to limit feed results. (default: -24hours)
--max-time <max_time> : Specify the maximum time to limit feed results. (default: now)
--since-last : Retrieve results since the last run of the command with --since-last specified.
pwc.threatintel.report.feed
Ingest reports from the PwC report feed.
YARA rules for reports will also be downloaded and parsed by Synapse-FileParser (if available).
The --since-last option can be used to set up a cron job that automatically advances the minimum time from a globally stored value. Only a single cron job using --since-last should be created, so that results are contiguous in the view it runs in. The first time --since-last is used, --min-time defines the starting point; on subsequent runs both --min-time and --max-time are ignored.
Examples:
// Use the globally stored value to retrieve new results
pwc.threatintel.report.feed --since-last
// Create a cron job to ingest new results every day
cron.add --name "PwC Report Feed" --hour 3 { pwc.threatintel.report.feed --since-last }
Usage: pwc.threatintel.report.feed [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--asof <asof> : This argument is deprecated and no longer has any effect.
--min-time <min_time> : Specify the minimum time to limit feed results. (default: -24hours)
--max-time <max_time> : Specify the maximum time to limit feed results. (default: now)
--since-last : Retrieve results since the last run of the command with --since-last specified.
--download-pdf : Additionally download PDF versions of ingested reports.
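The --since-last windowing described for both pwc.threatintel.ioc.feed and pwc.threatintel.report.feed can be modelled outside Storm to check the contiguity property the documentation relies on. The following Python is an added illustration, not code from the synapse-pwc-threatintel package: the state dict stands in for the globally stored value, the key name SINCE_LAST_KEY is hypothetical, and the 24-hour fallback mirrors the documented --min-time default.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical key for the persisted end of the previous --since-last run;
# the package's real variable name is not documented on the page.
SINCE_LAST_KEY = "pwc:threatintel:feed:since-last"


def feed_window(state, *, now, min_time=None, max_time=None, since_last=False):
    """Return the (start, end) time window a feed run should request.

    Semantics follow the documented --since-last behaviour:
      * without --since-last: use --min-time / --max-time as given
        (defaults: now - 24h and now);
      * with --since-last, first run: start at --min-time, end at now;
      * with --since-last, later runs: start at the stored end of the
        previous run, ignore --min-time and --max-time, end at now.
    Every --since-last run persists its end time as the next run's start.
    """
    default_min = now - timedelta(hours=24)
    if not since_last:
        start = min_time if min_time is not None else default_min
        end = max_time if max_time is not None else now
        return start, end

    stored = state.get(SINCE_LAST_KEY)
    start = stored if stored is not None else (min_time if min_time is not None else default_min)
    end = now
    state[SINCE_LAST_KEY] = end
    return start, end


def windows_are_contiguous(windows):
    """True when each window starts exactly where the previous one ended:
    no gap and no overlap between successive feed pulls."""
    return all(prev_end == start
               for (_, prev_end), (start, _) in zip(windows, windows[1:]))


def simulate_runs(run_times, *, first_min_time):
    """Simulate a sequence of cron runs with --since-last (e.g. daily at 03:00)
    sharing one stored value, returning the window requested by each run."""
    state = {}
    return [feed_window(state, now=t, min_time=first_min_time, since_last=True)
            for t in run_times]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)
    # A missed day (no run at t0 + 2 days) still leaves no gap: the next run
    # starts from the stored end of the last successful run.
    times = [t0, t0 + timedelta(days=1), t0 + timedelta(days=3)]
    runs = simulate_runs(times, first_min_time=t0 - timedelta(days=30))
    for start, end in runs:
        print(f"{start.isoformat()} -> {end.isoformat()}")
    print("contiguous:", windows_are_contiguous(runs))
```

The simulation also shows why the documentation asks for a single --since-last cron job: two jobs sharing one stored value would each advance it, so one of them would miss the interval the other consumed.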
pwc.threatintel.setup.apikey
Manage the PwC Threat Intel client id and secret.
Examples:
// Set a global PwC Threat Intel client id and secret
pwc.threatintel.setup.apikey client_id client_secret
// Set a PwC Threat Intel client id and secret for the current user
pwc.threatintel.setup.apikey --self client_id client_secret
// Display the scope of the current client id and secret
pwc.threatintel.setup.apikey --show-scope
// Display the current client id and secret.
pwc.threatintel.setup.apikey --show-apikey
// Remove the current global client id and secret.
pwc.threatintel.setup.apikey --remove
// Remove the per-user client id and secret for the current user.
pwc.threatintel.setup.apikey --self --remove
Usage: pwc.threatintel.setup.apikey [options] <clientid> <clientsecret>
Options:
--help : Display the command usage.
--self : Set or remove as user variables. If not used, set globally.
--show-scope : Display the scope of the client id and secret in use (global vs self).
--show-apikey : Display the client id and secret value (requires admin perms or a "self" scope key).
--remove : Remove the configured client id and secret. May be used with --self.
Arguments:
[clientid] : The client id string.
[clientsecret] : The client secret string.
pwc.threatintel.setup.tagprefix
Set the tag prefix used when recording PwC Threat Intel tags.
The default tag prefix is "rep.pwc" if not specified.
Any tags provided by the PwC Threat Intel API will be added within the given namespace. For example, the tag "Espionage" would result in "#rep.pwc.espionage". Any characters incompatible with tag names are replaced with "_".
Usage: pwc.threatintel.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
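The tag normalization rule above (lowercase the API tag, replace incompatible characters with "_", place it under the configured prefix) can be checked with a small Python helper. This is an added example, not the package's own implementation; the character class it treats as compatible, [a-z0-9_] per dotted component, is an assumption, and the input tag names are constructed.

```python
import re

# Default prefix documented for pwc.threatintel.setup.tagprefix.
DEFAULT_PREFIX = "rep.pwc"

# Assumed grammar for one dotted tag component. The page only states that
# incompatible characters become "_"; the exact compatible set is assumed here.
_TAG_PART = re.compile(r"^[a-z0-9_]+$")


def normalize_tag(name, prefix=DEFAULT_PREFIX):
    """Map a PwC API tag such as "Espionage" to a tag under `prefix`.

    Lowercases the name and replaces every character outside [a-z0-9_] with
    "_", matching the documented "Espionage" -> "rep.pwc.espionage" example
    (Storm syntax adds a leading "#" when the tag is applied).
    """
    part = re.sub(r"[^a-z0-9_]", "_", name.lower())
    if not part:
        raise ValueError("tag name is empty")
    return f"{prefix}.{part}"


def is_valid_tag(tag):
    """Check that every dotted component matches the assumed tag grammar."""
    parts = tag.split(".")
    return bool(parts) and all(_TAG_PART.match(p) for p in parts)


def normalize_tags(names, prefix=DEFAULT_PREFIX):
    """Normalize a batch of API tags and group the original names by result,
    which exposes names that collide after normalization."""
    groups = {}
    for name in names:
        groups.setdefault(normalize_tag(name, prefix), []).append(name)
    return groups


if __name__ == "__main__":
    # Constructed sample of API-style tag names.
    sample = ["Espionage", "Financially Motivated", "financially-motivated", "Crimeware/Loader"]
    for tag, originals in normalize_tags(sample).items():
        flag = "" if len(originals) == 1 else "  (collision)"
        print(f"#{tag}  <- {originals}{flag}")
```

Grouping by the normalized result is useful when auditing a prefix change: two distinct API labels that differ only in case or punctuation land on the same Storm tag, which is worth knowing before the feed writes them to the view.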
Storm Modules
This package does not export any Storm APIs.