User Guide

Synapse-VXIntel

Synapse-VXIntel adds Storm commands for downloading files from the VXIntel data feed using your existing API key.

Getting Started

Check with your Global Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set up a personal API key:

> vxintel.setup.apikey --self myapikey
Setting VXIntel API key for the current user.

Downloading Files

Download files for hash:md5 nodes:

> hash:md5=e4855693722de3856421b1b6920ba54d | vxintel.download --yield
file:bytes=sha256:0e1e2f87699a24d1d7b0d984c3622971028a0cafaf665c791c70215f76c7c8fe
        .created = 2025/01/21 19:54:58.255
        :md5 = e4855693722de3856421b1b6920ba54d
        :sha1 = 9c50313f3b6d84a2b063d0acca64417bfe283d6d
        :sha256 = 0e1e2f87699a24d1d7b0d984c3622971028a0cafaf665c791c70215f76c7c8fe
        :size = 612352

Enriching Nodes

Download the details report for a file:bytes node:

> file:bytes=e2f3035409f48a0963a2aa4e01405537a950f5de8b86d2729511705183a733b0 | vxintel.details --yield
file:bytes=sha256:e2f3035409f48a0963a2aa4e01405537a950f5de8b86d2729511705183a733b0
        .created = 2025/01/21 19:54:58.279
        :md5 = c8ae83e0f0e9a31df31a2b084708a5a7
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:compiled = 2017/08/11 07:18:35.000
        :mime:pe:imphash = f27c77301e898335ae7da41a32da6a92
        :sha1 = 12415d38d381575096d545332fd22f288dbb3565
        :sha256 = e2f3035409f48a0963a2aa4e01405537a950f5de8b86d2729511705183a733b0
        :sha512 = 814de781adc62ce6816d38526e126b1c6dfee3c5bf089cab6afb379acf9899fef13efb2a625d93267af62bc4fba738412064e07b50eed59e115879242ca4a003
        :size = 396800

Query the VXIntel API for a hash and create a file:bytes node from the report, but return the original hash node:

> hash:sha1=8a833496b6e152edc5eb88fb9ec32999505d9811 | vxintel.details
hash:sha1=8a833496b6e152edc5eb88fb9ec32999505d9811
        .created = 2025/01/21 19:54:58.406

Query the VXIntel API for the AV scan reports for a file:bytes node:

> file:bytes=050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a | vxintel.avreport --yield
it:av:scan:result=027918f69d918d15035abb692e47ba24
        .created = 2025/01/21 19:54:58.780
        :scanner:name = vxintel/ahnlab
        :signame = vxintel/ahnlab/trojan/win64.turla
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=5f20ba16255f485c3050ef01a1fd571f
        .created = 2025/01/21 19:54:58.845
        :scanner:name = vxintel/bitdefender
        :signame = vxintel/bitdefender/trojan.generic.16722028
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=88fdf219ee60a19d4e30eb6e6398bdcb
        .created = 2025/01/21 19:54:58.904
        :scanner:name = vxintel/comodo
        :signame = vxintel/comodo/malware
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=d889bafc663e969043c1c01c018fabaf
        .created = 2025/01/21 19:54:58.964
        :scanner:name = vxintel/cyren
        :signame = vxintel/cyren/w64/turla.m
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=cad7af0114db9bd79b87880860f46923
        .created = 2025/01/21 19:54:59.023
        :scanner:name = vxintel/ikarus
        :signame = vxintel/ikarus/trojan.win64.turla
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=507ca63582a35a5997fcb87bb5dda36d
        .created = 2025/01/21 19:54:59.082
        :scanner:name = vxintel/k7
        :signame = vxintel/k7/trojan ( 004f724f1 )
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=692243cbf17b9524aaf74f02b7ddef33
        .created = 2025/01/21 19:54:59.143
        :scanner:name = vxintel/kaspersky
        :signame = vxintel/kaspersky/heur:trojan.win32.generic
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=396e951ab5f9d8679de5d1dc5d3607f3
        .created = 2025/01/21 19:54:59.204
        :scanner:name = vxintel/nanoav
        :signame = vxintel/nanoav/trojan.win64.turla.elehyu
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=d0e4fa3f07aed8da946d35d21d04dcea
        .created = 2025/01/21 19:54:59.263
        :scanner:name = vxintel/tachyon
        :signame = vxintel/tachyon/trojan.generic.16722028
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=f9d4ffcfcbe599e104ab5272777bfdfa
        .created = 2025/01/21 19:54:59.323
        :scanner:name = vxintel/zillya!
        :signame = vxintel/zillya!/trojan.turla.win64.20
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=a6a80c6ddfdaf5c4e1becfaaaf22471b
        .created = 2025/01/21 19:54:59.384
        :scanner:name = vxintel/vir_it explorer
        :signame = vxintel/vir_it explorer/backdoor.win32.turla.da
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=c4cadc8f48a5be0fb75f8fdbed507798
        .created = 2025/01/21 19:54:59.444
        :scanner:name = vxintel/emsisoft
        :signame = vxintel/emsisoft/trojan.generic.16722028 (b)
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000
it:av:scan:result=acc635cf49d936ab446b34f1a3bbafbc
        .created = 2025/01/21 19:54:59.503
        :scanner:name = vxintel/crowdstrike falcon ml
        :signame = vxintel/crowdstrike falcon ml/win/malicious_confidence_100
        :target:file = sha256:050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a
        :time = 2021/02/19 04:19:35.000

Use of meta:source nodes

Synapse-VXIntel uses a meta:source node and -(seen)> lightweight edges to track files observed from the VXIntel API.

> meta:source=115811adce1dedc6306e6f554ac65f43
meta:source=115811adce1dedc6306e6f554ac65f43
        .created = 2025/01/21 19:54:58.244
        :name = vxintel api

Storm can filter a result set to include or exclude nodes that Synapse-VXIntel has observed. The following example filters the results of a query to include only nodes observed by Synapse-VXIntel:

> file:bytes#mytag +{ <(seen)- meta:source=115811adce1dedc6306e6f554ac65f43 }
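The inverse filter and the walk out from the meta:source node are not shown in this guide; the following Storm queries are an added example (not part of the power-up's own documentation) that goes beyond the single include case above. They assume the meta:source guid shown earlier and a hypothetical tag #mytag.

```storm
// Walk from the VXIntel meta:source to every file:bytes it has seen.
// The guid is the one shown in this guide; substitute your own deployment's value.
meta:source=115811adce1dedc6306e6f554ac65f43 -(seen)> file:bytes

// The same walk, looking the source up by :name instead of guid.
meta:source:name="vxintel api" -(seen)> file:bytes | uniq

// Exclude files VXIntel has already seen: tagged files with no <(seen)- edge from the source.
// This is the complement of the +{ ... } include filter shown above.
file:bytes#mytag -{ <(seen)- meta:source=115811adce1dedc6306e6f554ac65f43 }

// Typical enrichment loop: take the not-yet-seen tagged files and request their details
// report. Without --yield the original file:bytes nodes are returned, so tagging or
// further pivots can continue on them in the same query.
file:bytes#mytag -{ <(seen)- meta:source=115811adce1dedc6306e6f554ac65f43 } | vxintel.details
```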