Package Documentation
Storm Package: synapse-recordedfuture
The following Commands are available from this package. This documentation is generated for version 1.0.0 of the package.
Storm Commands
This package implements the following Storm Commands.
recordedfuture.alert.rules
Retrieve Alert rules from Recorded Future.
This command retrieves the currently configured Alert rules from
Recorded Future and creates meta:rule nodes to represent them.
Examples:
// Populate all current alert rules
recordedfuture.alert.rules
// Search for rules matching a string and yield the meta:rule nodes
recordedfuture.alert.rules banking --yield
Usage: recordedfuture.alert.rules [options] <freetext>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
Arguments:
[freetext] : A freetext string to search for.
recordedfuture.alert.search
Retrieve Alerts from Recorded Future.
This command retrieves Alerts matching the specified filters from the
Recorded Future API and creates risk:alert nodes to represent them.
When filtering by triggered time, the syntax for open-end and closed-ended
ranges is as follows:
--triggered "[2017-07-30,2017-07-31]"
// same as 7/30/2017 <= triggered <= 7/31/2017
--triggered "(2017-07-30,2017-07-31)"
// same as 7/30/2017 < triggered < 7/31/2017
--triggered "[2017-07-30,2017-07-31)"
// same as 7/30/2017 <= triggered < 7/31/2017
--triggered "[2017-07-30,)"
// same as 7/30/2017 <= triggered
--triggered "[,2017-07-31)"
// same as triggered < 7/31/2017
Relative time expressions are also supported, such as -2d for two days
prior to today and yesterday. As with absolute time references, both ends
of the range still need to be specified. For example, to search for alerts
that fired within the last 24 hrs, use --triggered "[-24h,]".
Examples:
// Search for unassigned alerts
recordedfuture.alert.search --assignee NONE
// Search for alerts triggered in a specific time range
recordedfuture.alert.search --triggered "[2023-03-16,2023-03-17]"
Usage: recordedfuture.alert.search [options]
Options:
--help : Display the command usage.
--triggered <triggered> : Filter by triggered datetime range.
--assignee <assignee> : Filter by assignee email, or 'NONE' to match unassigned alerts.
--alertrule <alertrule> : Filter by Alert Rule ID.
--freetext <freetext> : Freetext search.
--status <status> : Filter by review status. (choices: unassigned, assigned, pending, dismiss, no-action,
actionable)
--orderby <orderby> : Specify the sorting method. (default: triggered, choices: triggered)
--direction <direction> : Specify the sorting direction. (default: desc, choices: asc, desc)
--size <size> : Limit the number of results ingested to the given size (1000 max). (default: 1000)
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
recordedfuture.alert.update
Update a Recorded Future Alert.
This command updates a Recorded Future alert with the specified values. The
alert to be updated can be specified with an inbound risk:alert node, or
by specifying the Alert ID to update with the --id argument.
When updating the status of an Alert, either the --status or --status-in-portal
argument may be used. Attempting to specify both will cause an error.
Examples:
// Update the assignee for an alert
recorded.alert.update --id qYtLYr --assignee [email protected]
// Dismiss all alerts with a status of pending
risk:alert:_recordedfuture:alert:status=pending | recorded.alert.update --status dismiss
Usage: recordedfuture.alert.update [options]
Options:
--help : Display the command usage.
--id <id> : The Alert ID to update.
--assignee <assignee> : The new assignee for the alert.
--status <status> : The new status for the alert. (choices: unassigned, assigned, pending, dismiss,
no-action, actionable)
--status-in-portal <status_in_portal>: The same as "status", but expected enumerated values match what is available via the
Portal. (choices: New, Unassigned, Pending, Dismissed, Resolved)
--note <note> : New note text for the alert (1000 character limit).
--yield : Yield the updated risk:alert nodes.
recordedfuture.corefs
Retrieve related entities for an indicator from Recorded Future.
An it:exec:query node will be created with the text property set to the
repr() of the inbound node used to search and a -(refs)> light edge to the
inbound node itself. Nodes created for related entities will be linked
with -(found)> edges from the it:exec:query node.
Examples:
// Yield related entities for an inet:fqdn
inet:fqdn=vertex.link | recordedfuture.corefs --yield
// Limit to 50 results when querying
inet:ipv4=1.2.3.4 | recordedfuture.corefs --size 50
Usage: recordedfuture.corefs [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--asof <asof> : This argument is deprecated and no longer has any effect.
recordedfuture.daily.ransomware
Retrieve Daily Ransomware Roundups from Recorded Future.
This command searches for Daily Ransomware Roundup articles and
creates media:news nodes to represent them, with -(refs)> edges
to the entities referenced.
When filtering by published time, the syntax for open-end and closed-ended
ranges is as follows:
--published "[2017-07-30,2017-07-31]"
// same as 7/30/2017 <= published <= 7/31/2017
--published "(2017-07-30,2017-07-31)"
// same as 7/30/2017 < published < 7/31/2017
--published "[2017-07-30,2017-07-31)"
// same as 7/30/2017 <= published < 7/31/2017
--published "[2017-07-30,)"
// same as 7/30/2017 <= published
--published "[,2017-07-31)"
// same as published < 7/31/2017
Relative time expressions are also supported, for example "-7d" to return
rules published in the 7 days.
Examples:
// Ingest all Daily Ransomware Roundup articles.
recordedfuture.daily.ransomware
// Ingest Daily Ransomware Roundup articles published in the last day.
recordedfuture.daily.ransomware --published -1d
Usage: recordedfuture.daily.ransomware [options]
Options:
--help : Display the command usage.
--published <published> : Filter by published datetime range.
--size <size> : Limit the number of results ingested to the given size (1000 max). (default: 1000)
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
recordedfuture.enrich
Enrich an indicator with data from Recorded Future.
If the --yield argument is specified, the command will yield media:news nodes
which are created from the results.
Examples:
// Enrich an inet:fqdn node
inet:fqdn=vertex.link | recordedfuture.enrich
// Enrich an inet:ipv4 node and yield media:news nodes created
inet:ipv4=1.2.3.4 | recordedfuture.enrich --yield
Usage: recordedfuture.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--asof <asof> : This argument is deprecated and no longer has any effect.
recordedfuture.feed.c2
Ingest C2 Feeds from Recorded Future.
This command downloads and ingests the Detect (c2_scanned_ips.json) and Prevent
(c2_communicating_ips.json) datasets for C2 IP addresses from Recorded Future.
inet:server nodes will be created for each address in the datasets with a
<(matches)- light edge from the corresponding meta:rule node for the dataset.
The inet:server nodes will also be tagged with the malware the dataset associates
with that address.
This feed is constantly being updated and refreshed, and Recorded Future recommends
that clients should expect to pull this data daily for optimal usage.
Examples:
// Ingest C2 feeds
recordedfuture.feed.c2
// Pivot to all inet:server nodes in the "Prevent" dataset
meta:rule:name="Command and Control - IP Addresses [Prevent]" -(matches)> inet:server
// Create a cron job to ingest the feed every day
cron.add --name recordedfuture.feed.c2 --hour 4 { recordedfuture.feed.c2 }
Usage: recordedfuture.feed.c2 [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
recordedfuture.hunting.rules
Retrieve rules from Recorded Future Hunting Packages.
By default, this command retrieves YARA rules from Recorded Future
Hunting Packages and creates it:app:yara:rule nodes to represent them.
The --ruletype option may be specified to retrieve other types rules
(currently "snort" is the only other option).
When filtering by published time, the syntax for open-end and closed-ended
ranges is as follows:
--published "[2017-07-30,2017-07-31]"
// same as 7/30/2017 <= published <= 7/31/2017
--published "(2017-07-30,2017-07-31)"
// same as 7/30/2017 < published < 7/31/2017
--published "[2017-07-30,2017-07-31)"
// same as 7/30/2017 <= published < 7/31/2017
--published "[2017-07-30,)"
// same as 7/30/2017 <= published
--published "[,2017-07-31)"
// same as published < 7/31/2017
Relative time expressions are also supported, for example "-7d" to return
rules published in the 7 days.
Examples:
// Ingest all YARA rules
recordedfuture.hunting.rules
// Ingest all Snort rules published in the last 30 days
recordedfuture.hunting.rules --ruletype snort --published -30d
Usage: recordedfuture.hunting.rules [options]
Options:
--help : Display the command usage.
--published <published> : Filter by published datetime range.
--ruletype <ruletype> : Specify the type of rules to ingest. (default: yara)
--size <size> : Limit the number of results ingested to the given size (1000 max). (default: 1000)
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
recordedfuture.ip.geo
Enrich an IP address with VPN and Geographical Information.
This command takes an inet:ipv4 or inet:ipv6 node as input and queries
the Recorded Future VPN and Geographical Information extension to
retrieve the location of an IP and if it is associated with the
exit node of any VPN services.
Examples:
// Enrich an inet:ipv4 node
inet:ipv4=1.2.3.4 | recordedfuture.ip.geo
Usage: recordedfuture.ip.geo [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--asof <asof> : This argument is deprecated and no longer has any effect.
recordedfuture.notes.search
Search for Analyst Notes from Recorded Future.
This command queries the Recorded Future Analyst Notes search endpoint to
retrieve notes matching the specified search parameters.
An it:exec:query node will be created with the opts used to perform the search.
Nodes created for related entities will be linked with -(found)> edges from the
it:exec:query node.
Additional information about the syntax used for filters can be found in the
Recorded Future documentation at
https://support.recordedfuture.com/hc/en-us/articles/115001351947-Connect-API-Overview
Examples:
// Search for notes with "botnet" in the title published in the last 30 days
recordedfuture.notes.search --title botnet --published -30d --yield
// Search for notes from the "Insikt Group" source with "malware" in the title
recordedfuture.notes.search --source VKz42X --title malware --size 100
Usage: recordedfuture.notes.search [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (1000 max). (default: 1000)
--yield : Yield the newly created nodes.
--published <published> : Search for notes published after this date, absolute or relative.
--entity <entity> : RF ID of an entity to search for notes about.
--author <author> : RF ID of an author to search for notes by.
--title <title> : Search for notes by title.
--topic <topic> : RF ID of a topic to search for notes by.
--label <label> : Search for notes with this label name.
--source <source> : Search for notes from this source.
recordedfuture.riskrules
Retrieve Risk Rules from Recorded Future.
This command retrieves IP, Domain, URL, Hash, and Vulnerability Risk Rules from
Recorded Future and creates meta:rule nodes to represent them. Any MITRE codes
associated with the rules will have the corresponding it:mitre:attack:* nodes
created as well and linked to the meta:rule node with a -(refs)> light edge.
Examples:
// Populate risk rules for all types
recordedfuture.riskrules
// Only populate IP risk rules
recordedfuture.riskrules --type ip
Usage: recordedfuture.riskrules [options]
Options:
--help : Display the command usage.
--type [<type> ...] : Only populate the specified risk rules. Valid types are ip, domain, url, hash, and
vulnerability.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--asof <asof> : This argument is deprecated and no longer has any effect.
recordedfuture.sandbox.sample.del
Delete a sample in the Recorded Future Sandbox.
Examples:
recordedfuture.sandbox.sample.del "230717-y2genshnjw"
Usage: recordedfuture.sandbox.sample.del [options] <id>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
Arguments:
<id> : ID of the sample to delete.
recordedfuture.sandbox.sample.ingest
Ingest a sample by ID from Recorded Future Sandbox.
Examples:
recordedfuture.sandbox.sample.ingest "230717-y2genshnjw"
Usage: recordedfuture.sandbox.sample.ingest [options] <id>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
Arguments:
<id> : ID of the sample to ingest.
recordedfuture.sandbox.sample.list
Queries the collection of samples available in the Recorded Future Sandbox API.
By default, this will display summary information about the samples owned by
the API key in use.
Examples:
// Print the list of samples.
recordedfuture.sandbox.sample.list
// Print the list of samples in the current organization
recordedfuture.sandbox.sample.list --subset org
Usage: recordedfuture.sandbox.sample.list [options]
Options:
--help : Display the command usage.
--subset <subset> : The set of samples to display (owned/public/org). (default: owned)
--size <size> : Limit the number of results to the given size.
recordedfuture.sandbox.sample.search
Search for samples in the Recorded Future Sandbox API.
By default this will display summary information about samples
matching the query. The --ingest option can be specified to ingest
the sandbox reports associated with the samples, and the --download
option can be used to download the actual samples.
Examples:
// Search for samples with a specific tag
recordedfuture.sandbox.sample.search "tag:ransomware"
// Search for emotet or trickbot samples
recordedfuture.sandbox.sample.search "family:emotet OR family:trickbot"
// Search for samples analyzed after a specific date
recordedfuture.sandbox.sample.search "from:2023-07-18"
Usage: recordedfuture.sandbox.sample.search [options] <query>
Options:
--help : Display the command usage.
--size <size> : Limit the number of results to the given size.
--ingest : Ingest the sandbox reports for the samples.
--download : Download the sample files.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
Arguments:
<query> : A search query.
recordedfuture.sandbox.sample.submit
Submit a sample to Recorded Future Sandbox for analysis.
This command takes a file:bytes or hash:sha256 node as input and submits the
file from the Axon to Recorded Future Sandbox for analysis. After submitting
the file, the command will wait for the analysis to be complete and ingest
the results.
Additional optional parameters to may be specified by providing a Storm dictionary
object to the --options argument.
Examples:
// Submit a file:bytes node for analysis
file:bytes:name="cobalt.zip" | recordedfuture.sandbox.submit
// Specify additional options for a submission
$opts = ({"password": "infected"})
file:bytes:name="malware.zip" | recordedfuture.sandbox.submit --yield --options $opts
Usage: recordedfuture.sandbox.sample.submit [options]
Options:
--help : Display the command usage.
--options <options> : Specify a dictionary containing additional options for the submission.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
recordedfuture.sandbox.setup.apikey
Manage the Recorded Future Sandbox API key.
Examples:
// Set a global Recorded Future Sandbox API key.
recordedfuture.sandbox.setup.apikey abcd1234
// Set a Recorded Future Sandbox API key for the current user.
recordedfuture.sandbox.setup.apikey --self abcd1234
// Display the API key scope of the current key.
recordedfuture.sandbox.setup.apikey --show-scope
// Display the current API key.
recordedfuture.sandbox.setup.apikey --show-apikey
// Remove the current global API key.
recordedfuture.sandbox.setup.apikey --remove
// Remove the per-user API key for the current user.
recordedfuture.sandbox.setup.apikey --self --remove
Usage: recordedfuture.sandbox.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The API key string.
recordedfuture.sandbox.setup.fakenet
Define IPv4 addresses to exclude when ingesting data with the sandbox commands.
This command accepts individual IP addresses, CIDR blocks, and ranges.
inet:ipv4 nodes are not created if they are within the specified range.
Additionally, the following properties will not be set if the IPv4 is within the specified range:
- inet:flow:dst
- inet:dns:request:query:name (which can auto-add :query:name:ipv4)
- inet:dns:answer:a and :rev
Examples:
// Set a single CIDR block to be excluded
recordedfuture.sandbox.setup.fakenet 100.64.0.0/10
// Set multiple fakenets
recordedfuture.sandbox.setup.fakenet (10.0.0.1, 100.64.0.0/10, 192.168.0.0-192.168.0.10)
// Show the current configuration
recordedfuture.sandbox.setup.fakenet --show
// Remove the configuration
recordedfuture.sandbox.setup.fakenet --remove
Usage: recordedfuture.sandbox.setup.fakenet [options] <fakenets>
Options:
--help : Display the command usage.
--show : Display the fakenet configuration.
--remove : Remove the fakenet configuration.
Arguments:
[fakenets] : The fakenet IPs.
recordedfuture.sandbox.setup.url
Manage the Recorded Future Sandbox API base URL.
By default, the base API URL used will be the Recorded Future Sandbox API
at https://sandbox.recordedfuture.com
The public cloud API lives at https://tria.ge
The private cloud API lives at https://private.tria.ge
Examples:
// Set the Recorded Future Sandbox API URL to the private cloud
recordedfuture.sandbox.setup.url https://private.tria.ge
// Display the current API URL.
recordedfuture.sandbox.setup.url --show-url
// Remove the current API URL.
recordedfuture.sandbox.setup.url --remove
Usage: recordedfuture.sandbox.setup.url [options] <url>
Options:
--help : Display the command usage.
--show-url : Display the API URL value (requires admin perms).
--remove : Remove the configured API URL.
Arguments:
[url] : The base API URL.
recordedfuture.search
Search for indicators from Recorded Future.
This command queries the Recorded Future search endpoint specified by the --type
argument to retrieve indicators matching the specified search parameters.
A meta:rule node created by the recordedfuture.riskrules may also be used as input
to this command to specify a risk rule to retrieve indicators for. When using an
inbound meta:rule node, the --type argument is not required as the created rules
already have a type associated with them.
Note: When specifying a risk rule with the --riskrule argument rather than an inbound
meta:rule node, the name is case sensitive. For example to search for IPs matching the
"Actively Communicating C&C Server" risk rule, you would need to specify
--type ip --riskrule recentActiveCnc
An it:exec:query node will be created with the opts used to perform the search
and a -(refs)> light edge to the inbound meta:rule node if one was used.
Nodes created for related entities will be linked with -(found)> edges from the
it:exec:query node.
Allowed values for the --orderby argument:
created
criticality
firstseen
lastseen
modified
riskscore
rules
sevendayshits
sixtydayshits
totalhits
Additional information about the syntax used for filters can be found in the
Recorded Future documentation at
https://support.recordedfuture.com/hc/en-us/articles/115001351947-Connect-API-Overview
Examples:
// Search for 100 domain indicators with a risk score >= 50 matching a string
recordedfuture.search --size 100 --type domain --riskscore "[50,)" --freetext cloud
// Yield indicators matching a specific risk rule
recordedfuture.search --yield --type ip --riskrule recentActiveCnc
// Use an inbound meta:rule node to specify a risk rule to match
meta:rule:name=ip:recentactivecnc | recordedfuture.search --yield
// Retrieve 50 indicators for each risk rule with criticality level 4
meta:rule:_recordedfuture:risk:criticality=4 | recordedfuture.search --size 50
Usage: recordedfuture.search [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node, 1000 max). (default:
1000)
--yield : Yield the newly created nodes.
--asof <asof> : This argument is deprecated and no longer has any effect.
--type <type> : Specify a type to search for (domain/hash/ip/url/vulnerability).
--riskrule <riskrule> : Search for indicators matching a specific risk rule.
--freetext <freetext> : Specify a freetext string to search for.
--riskscore <riskscore> : Specify a risk score filter.
--firstseen <firstseen> : Specify a first seen filter.
--lastseen <lastseen> : Specify a last seen filter.
--list <list> : Specify a list ID filter.
--orderby <orderby> : Specify the sorting method.
--direction <direction> : Specify the sorting direction (asc/desc)
--cpe <cpe> : Specify a CPE string to search for (Only applies to vulnerability searches)
--product <product> : Specify the RF ID of an affected product (Only applies to vulnerability searches)
--cvssscore <cvssscore> : Specify a CVSS v2 score filter (Only applies to vulnerability searches)
--cvssv3score <cvssv3score> : Specify a CVSS v3 score filter (Only applies to vulnerability searches)
recordedfuture.setup.apikey
Manage the Recorded Future API key.
Examples:
// Set a global Recorded Future API key
recordedfuture.setup.apikey abcd1234
// Set a Recorded Future API key for the current user
recordedfuture.setup.apikey --self abcd1234
// Display the API key scope of the current key
recordedfuture.setup.apikey --show-scope
// Display the current API key.
recordedfuture.setup.apikey --show-apikey
// Remove the current global API key.
recordedfuture.setup.apikey --remove
// Remove the per-user API key for the current user.
recordedfuture.setup.apikey --self --remove
Usage: recordedfuture.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The API key string.
recordedfuture.setup.tagprefix
Set the tag prefix used when recording Recorded Future data as tags.
The default tag prefix is "rep.recordedfuture" if not specified.
Any tags provided by the Recorded Future API will be added within the given namespace.
For example, the item "foo" would result in "#rep.recordedfuture.foo". Any
characters incompatible with tag names are replaced with "_".
Usage: recordedfuture.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
Storm Modules
This package does not export any Storm APIs.