Package Documentation

Storm Package: synapse-recordedfuture

The following Commands are available from this package. This documentation is generated for version 1.0.0 of the package.

Storm Commands

This package implements the following Storm Commands.

recordedfuture.alert.rules

Retrieve Alert rules from Recorded Future.

This command retrieves the currently configured Alert rules from
Recorded Future and creates meta:rule nodes to represent them.

Examples:

  // Populate all current alert rules
  recordedfuture.alert.rules

  // Search for rules matching a string and yield the meta:rule nodes
  recordedfuture.alert.rules banking --yield


Usage: recordedfuture.alert.rules [options] <freetext>

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.

Arguments:

  [freetext]                  : A freetext string to search for.

recordedfuture.alert.update

Update a Recorded Future Alert.

This command updates a Recorded Future alert with the specified values. The
alert to be updated can be specified with an inbound risk:alert node, or
by specifying the Alert ID to update with the --id argument.

When updating the status of an Alert, either the --status or --status-in-portal
argument may be used. Attempting to specify both will cause an error.

Examples:

  // Update the assignee for an alert
  recorded.alert.update --id qYtLYr --assignee [email protected]

  // Dismiss all alerts with a status of pending
  risk:alert:_recordedfuture:alert:status=pending | recorded.alert.update --status dismiss


Usage: recordedfuture.alert.update [options]

Options:

  --help                      : Display the command usage.
  --id <id>                   : The Alert ID to update.
  --assignee <assignee>       : The new assignee for the alert.
  --status <status>           : The new status for the alert. (choices: unassigned, assigned, pending, dismiss,
                                no-action, actionable)
  --status-in-portal <status_in_portal>: The same as "status", but expected enumerated values match what is available via the
                                Portal. (choices: New, Unassigned, Pending, Dismissed, Resolved)
  --note <note>               : New note text for the alert (1000 character limit).
  --yield                     : Yield the updated risk:alert nodes.

recordedfuture.corefs

Retrieve related entities for an indicator from Recorded Future.

An it:exec:query node will be created with the text property set to the
repr() of the inbound node used to search and a -(refs)> light edge to the
inbound node itself. Nodes created for related entities will be linked
with -(found)> edges from the it:exec:query node.

Examples:

  // Yield related entities for an inet:fqdn
  inet:fqdn=vertex.link | recordedfuture.corefs --yield

  // Limit to 50 results when querying
  inet:ipv4=1.2.3.4 | recordedfuture.corefs --size 50


Usage: recordedfuture.corefs [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : This argument is deprecated and no longer has any effect.

recordedfuture.daily.ransomware

Retrieve Daily Ransomware Roundups from Recorded Future.

This command searches for Daily Ransomware Roundup articles and
creates media:news nodes to represent them, with -(refs)> edges
to the entities referenced.

When filtering by published time, the syntax for open-end and closed-ended
ranges is as follows:

  --published "[2017-07-30,2017-07-31]"
  // same as 7/30/2017 <= published <= 7/31/2017

  --published "(2017-07-30,2017-07-31)"
  // same as 7/30/2017 < published < 7/31/2017

  --published "[2017-07-30,2017-07-31)"
  // same as 7/30/2017 <= published < 7/31/2017

  --published "[2017-07-30,)"
  // same as 7/30/2017 <= published

  --published "[,2017-07-31)"
  // same as published < 7/31/2017

Relative time expressions are also supported, for example "-7d" to return
rules published in the 7 days.

Examples:

  // Ingest all Daily Ransomware Roundup articles.
  recordedfuture.daily.ransomware

  // Ingest Daily Ransomware Roundup articles published in the last day.
  recordedfuture.daily.ransomware --published -1d


Usage: recordedfuture.daily.ransomware [options]

Options:

  --help                      : Display the command usage.
  --published <published>     : Filter by published datetime range.
  --size <size>               : Limit the number of results ingested to the given size (1000 max). (default: 1000)
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.

recordedfuture.enrich

Enrich an indicator with data from Recorded Future.

If the --yield argument is specified, the command will yield media:news nodes
which are created from the results.

Examples:

  // Enrich an inet:fqdn node
  inet:fqdn=vertex.link | recordedfuture.enrich

  // Enrich an inet:ipv4 node and yield media:news nodes created
  inet:ipv4=1.2.3.4 | recordedfuture.enrich --yield


Usage: recordedfuture.enrich [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : This argument is deprecated and no longer has any effect.

recordedfuture.feed.c2

Ingest C2 Feeds from Recorded Future.

This command downloads and ingests the Detect (c2_scanned_ips.json) and Prevent
(c2_communicating_ips.json) datasets for C2 IP addresses from Recorded Future.
inet:server nodes will be created for each address in the datasets with a
<(matches)- light edge from the corresponding meta:rule node for the dataset.
The inet:server nodes will also be tagged with the malware the dataset associates
with that address.

This feed is constantly being updated and refreshed, and Recorded Future recommends
that clients should expect to pull this data daily for optimal usage.

Examples:

  // Ingest C2 feeds
  recordedfuture.feed.c2

  // Pivot to all inet:server nodes in the "Prevent" dataset
  meta:rule:name="Command and Control - IP Addresses [Prevent]" -(matches)> inet:server

  // Create a cron job to ingest the feed every day
  cron.add --name recordedfuture.feed.c2 --hour 4 { recordedfuture.feed.c2 }


Usage: recordedfuture.feed.c2 [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --size <size>               : Limit the number of results ingested to the given size (per-node).

recordedfuture.hunting.rules

Retrieve rules from Recorded Future Hunting Packages.

By default, this command retrieves YARA rules from Recorded Future
Hunting Packages and creates it:app:yara:rule nodes to represent them.
The --ruletype option may be specified to retrieve other types rules
(currently "snort" is the only other option).

When filtering by published time, the syntax for open-end and closed-ended
ranges is as follows:

  --published "[2017-07-30,2017-07-31]"
  // same as 7/30/2017 <= published <= 7/31/2017

  --published "(2017-07-30,2017-07-31)"
  // same as 7/30/2017 < published < 7/31/2017

  --published "[2017-07-30,2017-07-31)"
  // same as 7/30/2017 <= published < 7/31/2017

  --published "[2017-07-30,)"
  // same as 7/30/2017 <= published

  --published "[,2017-07-31)"
  // same as published < 7/31/2017

Relative time expressions are also supported, for example "-7d" to return
rules published in the 7 days.

Examples:

  // Ingest all YARA rules
  recordedfuture.hunting.rules

  // Ingest all Snort rules published in the last 30 days
  recordedfuture.hunting.rules --ruletype snort --published -30d


Usage: recordedfuture.hunting.rules [options]

Options:

  --help                      : Display the command usage.
  --published <published>     : Filter by published datetime range.
  --ruletype <ruletype>       : Specify the type of rules to ingest. (default: yara)
  --size <size>               : Limit the number of results ingested to the given size (1000 max). (default: 1000)
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.

recordedfuture.ip.geo

Enrich an IP address with VPN and Geographical Information.

This command takes an inet:ipv4 or inet:ipv6 node as input and queries
the Recorded Future VPN and Geographical Information extension to
retrieve the location of an IP and if it is associated with the
exit node of any VPN services.

Examples:

  // Enrich an inet:ipv4 node
  inet:ipv4=1.2.3.4 | recordedfuture.ip.geo


Usage: recordedfuture.ip.geo [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --asof <asof>               : This argument is deprecated and no longer has any effect.

recordedfuture.riskrules

Retrieve Risk Rules from Recorded Future.

This command retrieves IP, Domain, URL, Hash, and Vulnerability Risk Rules from
Recorded Future and creates meta:rule nodes to represent them. Any MITRE codes
associated with the rules will have the corresponding it:mitre:attack:* nodes
created as well and linked to the meta:rule node with a -(refs)> light edge.

Examples:

  // Populate risk rules for all types
  recordedfuture.riskrules

  // Only populate IP risk rules
  recordedfuture.riskrules --type ip


Usage: recordedfuture.riskrules [options]

Options:

  --help                      : Display the command usage.
  --type [<type> ...]         : Only populate the specified risk rules. Valid types are ip, domain, url, hash, and
                                vulnerability.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : This argument is deprecated and no longer has any effect.

recordedfuture.sandbox.sample.del

Delete a sample in the Recorded Future Sandbox.

Examples:

  recordedfuture.sandbox.sample.del "230717-y2genshnjw"


Usage: recordedfuture.sandbox.sample.del [options] <id>

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.

Arguments:

  <id>                        : ID of the sample to delete.

recordedfuture.sandbox.sample.ingest

Ingest a sample by ID from Recorded Future Sandbox.

Examples:

  recordedfuture.sandbox.sample.ingest "230717-y2genshnjw"


Usage: recordedfuture.sandbox.sample.ingest [options] <id>

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.

Arguments:

  <id>                        : ID of the sample to ingest.

recordedfuture.sandbox.sample.list

Queries the collection of samples available in the Recorded Future Sandbox API.

By default, this will display summary information about the samples owned by
the API key in use.

Examples:

    // Print the list of samples.
    recordedfuture.sandbox.sample.list

    // Print the list of samples in the current organization
    recordedfuture.sandbox.sample.list --subset org


Usage: recordedfuture.sandbox.sample.list [options]

Options:

  --help                      : Display the command usage.
  --subset <subset>           : The set of samples to display (owned/public/org). (default: owned)
  --size <size>               : Limit the number of results to the given size.

recordedfuture.sandbox.sample.submit

Submit a sample to Recorded Future Sandbox for analysis.

This command takes a file:bytes or hash:sha256 node as input and submits the
file from the Axon to Recorded Future Sandbox for analysis. After submitting
the file, the command will wait for the analysis to be complete and ingest
the results.

Additional optional parameters to may be specified by providing a Storm dictionary
object to the --options argument.

Examples:

  // Submit a file:bytes node for analysis
  file:bytes:name="cobalt.zip" | recordedfuture.sandbox.submit

  // Specify additional options for a submission
  $opts = ({"password": "infected"})
  file:bytes:name="malware.zip" | recordedfuture.sandbox.submit --yield --options $opts


Usage: recordedfuture.sandbox.sample.submit [options]

Options:

  --help                      : Display the command usage.
  --options <options>         : Specify a dictionary containing additional options for the submission.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.

recordedfuture.sandbox.setup.apikey

Manage the Recorded Future Sandbox API key.

Examples:

    // Set a global Recorded Future Sandbox API key.
    recordedfuture.sandbox.setup.apikey abcd1234

    // Set a Recorded Future Sandbox API key for the current user.
    recordedfuture.sandbox.setup.apikey --self abcd1234

    // Display the API key scope of the current key.
    recordedfuture.sandbox.setup.apikey --show-scope

    // Display the current API key.
    recordedfuture.sandbox.setup.apikey --show-apikey

    // Remove the current global API key.
    recordedfuture.sandbox.setup.apikey --remove

    // Remove the per-user API key for the current user.
    recordedfuture.sandbox.setup.apikey --self --remove


Usage: recordedfuture.sandbox.setup.apikey [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove the key as a user variable. If not used, the key is set globally.
  --show-scope                : Display the API key scope in use (global vs self).
  --show-apikey               : Display the API key value (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured API key. May be used with --self.

Arguments:

  [apikey]                    : The API key string.

recordedfuture.sandbox.setup.fakenet

Define IPv4 addresses to exclude when ingesting data with the sandbox commands.

This command accepts individual IP addresses, CIDR blocks, and ranges.

inet:ipv4 nodes are not created if they are within the specified range.

Additionally, the following properties will not be set if the IPv4 is within the specified range:
  - inet:flow:dst
  - inet:dns:request:query:name (which can auto-add :query:name:ipv4)
  - inet:dns:answer:a and :rev

Examples:

  // Set a single CIDR block to be excluded
  recordedfuture.sandbox.setup.fakenet 100.64.0.0/10

  // Set multiple fakenets
  recordedfuture.sandbox.setup.fakenet (10.0.0.1, 100.64.0.0/10, 192.168.0.0-192.168.0.10)

  // Show the current configuration
  recordedfuture.sandbox.setup.fakenet --show

  // Remove the configuration
  recordedfuture.sandbox.setup.fakenet --remove


Usage: recordedfuture.sandbox.setup.fakenet [options] <fakenets>

Options:

  --help                      : Display the command usage.
  --show                      : Display the fakenet configuration.
  --remove                    : Remove the fakenet configuration.

Arguments:

  [fakenets]                  : The fakenet IPs.

recordedfuture.sandbox.setup.url

Manage the Recorded Future Sandbox API base URL.

By default, the base API URL used will be the Recorded Future Sandbox API
at https://sandbox.recordedfuture.com

The public cloud API lives at https://tria.ge

The private cloud API lives at https://private.tria.ge

Examples:

    // Set the Recorded Future Sandbox API URL to the private cloud
    recordedfuture.sandbox.setup.url https://private.tria.ge

    // Display the current API URL.
    recordedfuture.sandbox.setup.url --show-url

    // Remove the current API URL.
    recordedfuture.sandbox.setup.url --remove


Usage: recordedfuture.sandbox.setup.url [options] <url>

Options:

  --help                      : Display the command usage.
  --show-url                  : Display the API URL value (requires admin perms).
  --remove                    : Remove the configured API URL.

Arguments:

  [url]                       : The base API URL.

recordedfuture.setup.apikey

Manage the Recorded Future API key.

Examples:

    // Set a global Recorded Future API key
    recordedfuture.setup.apikey abcd1234

    // Set a Recorded Future API key for the current user
    recordedfuture.setup.apikey --self abcd1234

    // Display the API key scope of the current key
    recordedfuture.setup.apikey --show-scope

    // Display the current API key.
    recordedfuture.setup.apikey --show-apikey

    // Remove the current global API key.
    recordedfuture.setup.apikey --remove

    // Remove the per-user API key for the current user.
    recordedfuture.setup.apikey --self --remove


Usage: recordedfuture.setup.apikey [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove the key as a user variable. If not used, the key is set globally.
  --show-scope                : Display the API key scope in use (global vs self).
  --show-apikey               : Display the API key value (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured API key. May be used with --self.

Arguments:

  [apikey]                    : The API key string.

recordedfuture.setup.tagprefix

Set the tag prefix used when recording Recorded Future data as tags.
The default tag prefix is "rep.recordedfuture" if not specified.
Any tags provided by the Recorded Future API will be added within the given namespace.
For example, the item "foo" would result in "#rep.recordedfuture.foo".  Any
characters incompatible with tag names are replaced with "_".


Usage: recordedfuture.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

Storm Modules

This package does not export any Storm APIs.