User Guide

Synapse-VXIntel

Synapse-VXIntel adds new storm commands for downloading files from the VXIntel data feed using your existing API key.

Getting Started

Check with your Global Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> vxintel.setup.apikey --self myapikey
Setting VXIntel API key for the current user.

Downloading Files

Download files for hash:md5 nodes:

> hash:md5=e4855693722de3856421b1b6920ba54d | vxintel.download --yield
file:bytes=sha256:0e1e2f87699a24d1d7b0d984c3622971028a0cafaf665c791c70215f76c7c8fe
        .created = 2024/03/28 14:58:58.871
        :md5 = e4855693722de3856421b1b6920ba54d
        :sha1 = 9c50313f3b6d84a2b063d0acca64417bfe283d6d
        :sha256 = 0e1e2f87699a24d1d7b0d984c3622971028a0cafaf665c791c70215f76c7c8fe
        :size = 612352

Enriching Nodes

Download the details report for a file:bytes nodes:

> file:bytes=e2f3035409f48a0963a2aa4e01405537a950f5de8b86d2729511705183a733b0 | vxintel.details --yield
file:bytes=sha256:e2f3035409f48a0963a2aa4e01405537a950f5de8b86d2729511705183a733b0
        .created = 2024/03/28 14:58:58.907
        :md5 = c8ae83e0f0e9a31df31a2b084708a5a7
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:compiled = 2017/08/11 07:18:35.000
        :mime:pe:imphash = f27c77301e898335ae7da41a32da6a92
        :sha1 = 12415d38d381575096d545332fd22f288dbb3565
        :sha256 = e2f3035409f48a0963a2aa4e01405537a950f5de8b86d2729511705183a733b0
        :sha512 = 814de781adc62ce6816d38526e126b1c6dfee3c5bf089cab6afb379acf9899fef13efb2a625d93267af62bc4fba738412064e07b50eed59e115879242ca4a003
        :size = 396800

Query the VXIntel API for a hash and create a file:bytes out of the report, but return the original hash node

> hash:sha1=8a833496b6e152edc5eb88fb9ec32999505d9811 | vxintel.details
hash:sha1=8a833496b6e152edc5eb88fb9ec32999505d9811
        .created = 2024/03/28 14:58:59.219

Query the VXIntel API for the AV scan reports for a file:bytes node:

> file:bytes=050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a  | vxintel.avreport --yield
WARNING: The form it:av:filehit is deprecated or using a deprecated type and will be removed in 3.0.0
WARNING: The property it:av:filehit:sig is deprecated or using a deprecated type and will be removed in 3.0.0
WARNING: The form it:av:sig is deprecated or using a deprecated type and will be removed in 3.0.0
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('5422bc0e2ec325acbb66a80d6729660f', 'trojan/win64.turla'))
        .created = 2024/03/28 14:58:59.582
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('5422bc0e2ec325acbb66a80d6729660f', 'trojan/win64.turla')
        :sig:name = trojan/win64.turla
        :sig:soft = 5422bc0e2ec325acbb66a80d6729660f
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('996d4df3f48fb64cb7b49a36cdab5991', 'trojan.generic.16722028'))
        .created = 2024/03/28 14:58:59.620
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('996d4df3f48fb64cb7b49a36cdab5991', 'trojan.generic.16722028')
        :sig:name = trojan.generic.16722028
        :sig:soft = 996d4df3f48fb64cb7b49a36cdab5991
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('2ce61c275487639c675ea1956fecc872', 'malware'))
        .created = 2024/03/28 14:58:59.651
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('2ce61c275487639c675ea1956fecc872', 'malware')
        :sig:name = malware
        :sig:soft = 2ce61c275487639c675ea1956fecc872
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('419a2a4627199177e0a05b9c6a01b931', 'w64/turla.m'))
        .created = 2024/03/28 14:58:59.681
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('419a2a4627199177e0a05b9c6a01b931', 'w64/turla.m')
        :sig:name = w64/turla.m
        :sig:soft = 419a2a4627199177e0a05b9c6a01b931
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('814907ece80041698e09a941505f4212', 'trojan.win64.turla'))
        .created = 2024/03/28 14:58:59.711
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('814907ece80041698e09a941505f4212', 'trojan.win64.turla')
        :sig:name = trojan.win64.turla
        :sig:soft = 814907ece80041698e09a941505f4212
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('ea71f3a3782d6b65f7709c6bada0a3f1', 'trojan ( 004f724f1 )'))
        .created = 2024/03/28 14:58:59.741
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('ea71f3a3782d6b65f7709c6bada0a3f1', 'trojan ( 004f724f1 )')
        :sig:name = trojan ( 004f724f1 )
        :sig:soft = ea71f3a3782d6b65f7709c6bada0a3f1
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('c622378d8e0da358ef4424c88765ecda', 'heur:trojan.win32.generic'))
        .created = 2024/03/28 14:58:59.771
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('c622378d8e0da358ef4424c88765ecda', 'heur:trojan.win32.generic')
        :sig:name = heur:trojan.win32.generic
        :sig:soft = c622378d8e0da358ef4424c88765ecda
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('26f1aa20c5946df74e47ffcb4d7f155d', 'trojan.win64.turla.elehyu'))
        .created = 2024/03/28 14:58:59.802
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('26f1aa20c5946df74e47ffcb4d7f155d', 'trojan.win64.turla.elehyu')
        :sig:name = trojan.win64.turla.elehyu
        :sig:soft = 26f1aa20c5946df74e47ffcb4d7f155d
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('8078a1554324abef163521d1e2b74133', 'trojan.generic.16722028'))
        .created = 2024/03/28 14:58:59.832
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('8078a1554324abef163521d1e2b74133', 'trojan.generic.16722028')
        :sig:name = trojan.generic.16722028
        :sig:soft = 8078a1554324abef163521d1e2b74133
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('fa10d0ff97ecd62f601c713e69a5ed36', 'trojan.turla.win64.20'))
        .created = 2024/03/28 14:58:59.862
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('fa10d0ff97ecd62f601c713e69a5ed36', 'trojan.turla.win64.20')
        :sig:name = trojan.turla.win64.20
        :sig:soft = fa10d0ff97ecd62f601c713e69a5ed36
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('07007f19ad8c7c4b33550e7baacef03d', 'backdoor.win32.turla.da'))
        .created = 2024/03/28 14:58:59.892
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('07007f19ad8c7c4b33550e7baacef03d', 'backdoor.win32.turla.da')
        :sig:name = backdoor.win32.turla.da
        :sig:soft = 07007f19ad8c7c4b33550e7baacef03d
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('665a1d9381c41be7ff5660bf4174bb2a', 'trojan.generic.16722028 (b)'))
        .created = 2024/03/28 14:58:59.922
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('665a1d9381c41be7ff5660bf4174bb2a', 'trojan.generic.16722028 (b)')
        :sig:name = trojan.generic.16722028 (b)
        :sig:soft = 665a1d9381c41be7ff5660bf4174bb2a
it:av:filehit=('sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a', ('a76c943b021a3a1cc0d3a2cc1d01e097', 'win/malicious_confidence_100'))
        .created = 2024/03/28 14:58:59.952
        :file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :sig = ('a76c943b021a3a1cc0d3a2cc1d01e097', 'win/malicious_confidence_100')
        :sig:name = win/malicious_confidence_100
        :sig:soft = a76c943b021a3a1cc0d3a2cc1d01e097

Use of meta:source nodes

Synapse-VXIntel uses a meta:source node and -(seen)> light weight edges to track files observed from the VXIntel API.

> meta:source=115811adce1dedc6306e6f554ac65f43
meta:source=115811adce1dedc6306e6f554ac65f43
        .created = 2024/03/28 14:58:58.855
        :name = vxintel api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-VXIntel. The following example shows how to filter the results of a query to include only results observed by Synapse-VXIntel:

> file:bytes#mytag +{ <(seen)- meta:source=115811adce1dedc6306e6f554ac65f43 }