Package Documentation
Storm Package: synapse-vmray
The following Commands are available from this package. This documentation is generated for version 2.2.0 of the package.
Storm Commands
This package implements the following Storm Commands.
vmray.sample.iocs
Retrieve the IOCs from the VMRay IOC samples endpoint.
The IOCs that can be pulled back are files, filenames, mutexes, registry data, URLs,
domains, IP addresses, emails, email addresses, and processes.
Can take as input a file:bytes or hash:* node, or retrieve a sample directly by ID using
the --id parameter.
Examples:
// Retrieve all the IOCs associated with all the files tagged with cno.tag
file:bytes#cno.tag | vmray.sample.iocs --yield
// Retrieve an IOC report for a specific VMRay sample ID, bypassing caching
vmray.sample.iocs --id 95248 --yield --asof now | limit 10
Usage: vmray.sample.iocs [options]
Options:
--help : Display the command usage.
--id <id> : A VMRay sample ID to query for
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--asof <asof> : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
--severity <severity> : Filter IOC results to one of VMRay's verdicts (malicious, suspicious, clean, or null)
--type <type> : Filter results by IOC type (files/mutexes/emails/etc), or return everything if not specified.
Inputs:
file:bytes : Retrieve VMRay IOCs for a file:bytes node
hash:md5 : Retrieve VMRay IOCs for a hash:md5 node
hash:sha1 : Retrieve VMRay IOCs for a hash:sha1 node
hash:sha256 : Retrieve VMRay IOCs for a hash:sha256 node
hash:sha512 : Retrieve VMRay IOCs for a hash:sha512 node
inet:fqdn : Retrieve VMRay IOCs for an inet:fqdn node
inet:url : Retrieve VMRay IOCs for an inet:url node
The command is accessible to users with one or more of the following permissions:
power-ups.vmray.user
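As an added example that is not part of the package documentation, the following Storm pipeline combines the --severity and --type filters so that only domains VMRay marked malicious are ingested, and records that verdict as a tag on the resulting inet:fqdn nodes; the tag names #triage.vmray and #vmray.verdict.malicious are assumptions chosen for illustration.

```storm
// Added example, not from the synapse-vmray docs. Tag names are assumptions.
// Start from files an analyst has queued for VMRay enrichment, ask VMRay only
// for domain IOCs with a malicious verdict (tolerating cached results up to a
// week old), and tag the yielded inet:fqdn nodes with the verdict so later
// queries can pivot on #vmray.verdict.malicious without re-calling the API.
file:bytes#triage.vmray
| vmray.sample.iocs --yield --severity malicious --type domains --asof -7days
| [ +#vmray.verdict.malicious ]
```

Dropping --severity would also tag clean and suspicious domains, so keep the verdict filter in front of any bulk tagging step.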
vmray.sample.mitre
Retrieve the MITRE ATT&CK techniques for a given sample.
Can take as input a file:bytes or hash:* node, or retrieve a sample directly by ID using
the --id parameter.
Examples:
// Retrieve all the MITRE ATT&CK techniques associated with a set of binaries
file:bytes#interesting.files | vmray.sample.mitre --yield
// Retrieve all the MITRE ATT&CK techniques for a specific VMRay sample ID
vmray.sample.mitre --id 280013
Usage: vmray.sample.mitre [options]
Options:
--help : Display the command usage.
--id <id> : A VMRay sample ID to query for
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
--asof <asof> : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
Inputs:
file:bytes : Retrieve the MITRE ATT&CK indicators about a file:bytes node
The command is accessible to users with one or more of the following permissions:
power-ups.vmray.user
vmray.sample.submit
Submit the full bytes for a file to VMRay for analysis. The file must live in the configured Axon.
Examples:
// Submit a single file to VMRay for analysis.
file:bytes | vmray.sample.submit --size 1
Usage: vmray.sample.submit [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--passwd <passwd> : A password to hand to VMRay for extracting an already encrypted or password-protected archive or document.
--archive-action <archive_action> : Tell VMRay how to deal with archive files. "sample" to treat the archive as a single sample, "compound_sample" to run multiple files as one sample, and "separate_samples" to treat every file in an archive as a separate sample.
--static-only : Only run static analysis on the sample, rather than both static and dynamic analysis.
Inputs:
file:bytes : Submit a file:bytes that has bytes in the configured Axon to VMRay for analysis.
hash:sha256 : Submit a hash:sha256 that has bytes in the configured Axon to VMRay for analysis.
The command is accessible to users with one or more of the following permissions:
power-ups.vmray.submitter
vmray.sample.vtis
Retrieve the VMRay Threat Identifiers for a given sample.
Can take as input a file:bytes or hash:* node, or retrieve a sample directly by ID using
the --id parameter.
Examples:
// Retrieve all the VMRay Threat Identifiers for a set of hashes
hash:sha1#my.cool.tag | vmray.sample.vtis --yield
// Retrieve the VMRay Threat Identifiers for a specific sample ID
vmray.sample.vtis --id 57293 --yield
Usage: vmray.sample.vtis [options]
Options:
--help : Display the command usage.
--id <id> : A VMRay sample ID to query for
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
--asof <asof> : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
Inputs:
file:bytes : Retrieve VMRay Threat Identifiers about a file:bytes node
inet:fqdn : Retrieve VMRay Threat Identifiers about an inet:fqdn node
inet:url : Retrieve VMRay Threat Identifiers about an inet:url node
The command is accessible to users with one or more of the following permissions:
power-ups.vmray.user
vmray.setup.apikey
Set the VMRay API key.
Usage: vmray.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set the key as a user variable. If not used, the key is set globally.
Arguments:
<apikey> : The VMRay API key string.
The command is accessible to users with one or more of the following permissions:
power-ups.vmray.user
vmray.setup.endpoint
Set which VMRay Cloud or On Premises endpoint to forward REST requests to.
Per their documentation, if you're Europe based, use "https://eu.cloud.vmray.com".
If you're US based, use "https://us.cloud.vmray.com". If you use the On Premises
version of VMRay, consult your Administrator for the endpoint.
Usage: vmray.setup.endpoint [options] <endpoint>
Options:
--help : Display the command usage.
--self : Set the endpoint as a user variable. If not used, the endpoint is set globally.
Arguments:
<endpoint> : The VMRay API endpoint to use.
The command is accessible to users with one or more of the following permissions:
power-ups.vmray.user
Storm Modules
This package does not export any Storm APIs.