User Guide
Synapse-PwC-ThreatIntel User Guide
Synapse-PwC-ThreatIntel adds new Storm commands to allow you to query the PwC Threat Intel API using your existing API key.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set-up a personal use API key:
> pwc.threatintel.setup.apikey --self myclientid myclientsecret
Setting PwC Threat Intel client id and secret for the current user.
Enrich an inet:fqdn node
Enrich an inet:fqdn node with pwc.threatintel.enrich:
> [ inet:fqdn=root.anynucleus.com ] | pwc.threatintel.enrich
inet:fqdn=root.anynucleus.com
.created = 2024/11/19 21:26:26.942
.seen = ('2022/11/11 17:22:55.396', '2022/11/11 17:22:55.397')
:domain = anynucleus.com
:host = root
:issuffix = false
:iszone = false
:zone = anynucleus.com
#rep.pwc.malicious
#rep.pwc.red_dev_14
#rep.pwc.tlp.amber
Ingest reports by time range
If Synapse-FileParser is installed on the Cortex, YARA rules for reports will also be
downloaded and parsed to create it:app:yara:rule nodes. In the example below it is not
available, and therefore a warning is produced.
Pull reports from the report feed using pwc.threatintel.report.feed:
> pwc.threatintel.report.feed --min-time 2022-11-10 --max-time 2022-11-15 --yield | limit 1
WARNING: Synapse-FileParser >=4.2.1,<5.0.0 is required for parsing YARA rules.
media:news=29d273f2fe0c9b92105714dc13f9486e
.created = 2024/11/19 21:26:27.129
:ext:id = CTO-TIB-20221111-01A
:published = 2022/11/11 17:22:23.141
:publisher:name = pwc
:summary = In this report, PwC analysts detail infrastructure and recent victimology of entities based in the government and telecommunications sectors within the APAC region, connected to intrusions by China-based actor Red Dev 14.
:title = red dev 14 keeping in touch with friends
:type = tib
#rep.pwc.apt
#rep.pwc.asyncrat
#rep.pwc.china
#rep.pwc.cobaltstrike
#rep.pwc.espionage
#rep.pwc.india
#rep.pwc.kyrgyzstan
#rep.pwc.nepal
#rep.pwc.philippines
#rep.pwc.red_dev_14
#rep.pwc.shadowpad
#rep.pwc.tlp.amber
Ingest indicators by time range
Pull indicators from the ioc feed using pwc.threatintel.ioc.feed:
> pwc.threatintel.ioc.feed --min-time "2022-11-10 14:00" --max-time "2022-11-10 15:00" --yield | limit 3
inet:fqdn=audi-a7-tuning.ru
.created = 2024/11/19 21:26:35.056
.seen = ('2022/11/10 14:27:05.878', '2022/11/10 14:27:05.879')
:domain = ru
:host = audi-a7-tuning
:issuffix = false
:iszone = true
:zone = audi-a7-tuning.ru
#rep.pwc.white_dev_131
inet:ipv4=95.213.145.101
.created = 2024/11/19 21:26:35.179
.seen = ('2022/11/10 14:27:05.913', '2022/11/10 14:27:05.914')
:type = unicast
#rep.pwc.tlp.amber
#rep.pwc.white_dev_131
inet:ipv4=95.213.145.101
.created = 2024/11/19 21:26:35.179
.seen = ('2022/11/10 14:27:05.913', '2022/11/10 14:27:06.768')
:type = unicast
#rep.pwc.tlp.amber
#rep.pwc.white_dev_131
Use of meta:source nodes
Synapse-PwC-ThreatIntel uses a meta:source node and -(seen)> light
weight edges to track nodes observed from the PwC Threat Intel API.
> meta:source=be4af1ebfda6b73a7ce0099e27566daf
meta:source=be4af1ebfda6b73a7ce0099e27566daf
.created = 2024/11/19 21:26:27.352
:name = pwc threat intel api
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-PwC-ThreatIntel. The following example shows how to filter the results of a query to include only results observed by Synapse-PwC-ThreatIntel:
> risk:threat +{ <(seen)- meta:source=be4af1ebfda6b73a7ce0099e27566daf }
risk:threat=c5793d05efe26d52ff5f3f819506a5db
.created = 2024/11/19 21:26:35.100
:org:name = white_dev_131
:reporter:name = pwc
:tag = rep.pwc.white_dev_131