User Guide

Synapse-PwC-ThreatIntel User Guide

Synapse-PwC-ThreatIntel adds new Storm commands to allow you to query the PwC Threat Intel API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> pwc.threatintel.setup.apikey --self myclientid myclientsecret
Setting PwC Threat Intel client id and secret for the current user.

Enrich an inet:fqdn node

Enrich an inet:fqdn node with pwc.threatintel.enrich:

> [ inet:fqdn=root.anynucleus.com ] | pwc.threatintel.enrich
inet:fqdn=root.anynucleus.com
        .created = 2024/12/20 18:12:26.782
        .seen = ('2022/11/11 17:22:55.396', '2022/11/11 17:22:55.397')
        :domain = anynucleus.com
        :host = root
        :issuffix = false
        :iszone = false
        :zone = anynucleus.com
        #rep.pwc.malicious
        #rep.pwc.red_dev_14
        #rep.pwc.tlp.amber

Ingest reports by time range

If Synapse-FileParser is installed on the Cortex, YARA rules for reports will also be downloaded and parsed to create it:app:yara:rule nodes. In the example below it is not available, and therefore a warning is produced.

Pull reports from the report feed using pwc.threatintel.report.feed:

> pwc.threatintel.report.feed --min-time 2022-11-10 --max-time 2022-11-15 --yield | limit 1
WARNING: Synapse-FileParser >=4.2.1,<5.0.0 is required for parsing YARA rules.
media:news=29d273f2fe0c9b92105714dc13f9486e
        .created = 2024/12/20 18:12:26.951
        :ext:id = CTO-TIB-20221111-01A
        :published = 2022/11/11 17:22:23.141
        :publisher:name = pwc
        :summary = In this report, PwC analysts detail infrastructure and recent victimology of entities based in the government and telecommunications sectors within the APAC region, connected to intrusions by China-based actor Red Dev 14.
        :title = red dev 14 keeping in touch with friends
        :type = tib
        #rep.pwc.apt
        #rep.pwc.asyncrat
        #rep.pwc.china
        #rep.pwc.cobaltstrike
        #rep.pwc.espionage
        #rep.pwc.india
        #rep.pwc.kyrgyzstan
        #rep.pwc.nepal
        #rep.pwc.philippines
        #rep.pwc.red_dev_14
        #rep.pwc.shadowpad
        #rep.pwc.tlp.amber

Ingest indicators by time range

Pull indicators from the ioc feed using pwc.threatintel.ioc.feed:

> pwc.threatintel.ioc.feed --min-time "2022-11-10 14:00"  --max-time "2022-11-10 15:00" --yield | limit 3
inet:fqdn=audi-a7-tuning.ru
        .created = 2024/12/20 18:12:34.220
        .seen = ('2022/11/10 14:27:05.878', '2022/11/10 14:27:05.879')
        :domain = ru
        :host = audi-a7-tuning
        :issuffix = false
        :iszone = true
        :zone = audi-a7-tuning.ru
        #rep.pwc.white_dev_131
inet:ipv4=95.213.145.101
        .created = 2024/12/20 18:12:34.335
        .seen = ('2022/11/10 14:27:05.913', '2022/11/10 14:27:05.914')
        :type = unicast
        #rep.pwc.tlp.amber
        #rep.pwc.white_dev_131
inet:ipv4=95.213.145.101
        .created = 2024/12/20 18:12:34.335
        .seen = ('2022/11/10 14:27:05.913', '2022/11/10 14:27:06.768')
        :type = unicast
        #rep.pwc.tlp.amber
        #rep.pwc.white_dev_131

Use of meta:source nodes

Synapse-PwC-ThreatIntel uses a meta:source node and -(seen)> light weight edges to track nodes observed from the PwC Threat Intel API.

> meta:source=be4af1ebfda6b73a7ce0099e27566daf
meta:source=be4af1ebfda6b73a7ce0099e27566daf
        .created = 2024/12/20 18:12:27.157
        :name = pwc threat intel api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-PwC-ThreatIntel. The following example shows how to filter the results of a query to include only results observed by Synapse-PwC-ThreatIntel:

> risk:threat +{ <(seen)- meta:source=be4af1ebfda6b73a7ce0099e27566daf }
risk:threat=82366163483a78a37d792a7a3a4592ac
        .created = 2024/12/20 18:12:34.262
        :org:name = white_dev_131
        :reporter:name = pwc
        :tag = rep.pwc.white_dev_131