User Guide

Synapse Rapid7 SonarSSL adds new Storm commands to download, index, and query Rapid7 SonarSSL data.

Getting Started

Check with your Admin to enable permissions.

Examples

Download files by a pattern

This requires that the user have the power-ups.rapid7.sonarssl.download permission for downloading and indexing files.

> rapid7.sonar.ssl.download 2020-11-30-1606761591

Query SonarSSL data and yield inet:ssl:cert nodes

This requires that the user have the power-ups.rapid7.sonarssl.user permission for downloading and indexing files.

> [ inet:fqdn=capsula.com ] | rapid7.sonar.ssl.enrich --yield | limit 2
WARNING: The form inet:ssl:cert is deprecated or using a deprecated type and will be removed in 3.0.0
inet:ssl:cert=('tcp://107.154.151.230:7002', 'guid:49349ef82f7f3e1a5d500ecda1540673')
        .created = 2024/04/09 17:41:42.683
        .seen = ('2020/11/30 00:00:00.000', '2020/11/30 00:00:00.001')
        :file = guid:49349ef82f7f3e1a5d500ecda1540673
        :server = tcp://107.154.151.230:7002
        :server:ipv4 = 107.154.151.230
        :server:port = 7002
inet:ssl:cert=('tcp://45.60.33.206:7002', 'guid:5e33068fc82ad37679537187f7bde48b')
        .created = 2024/04/09 17:41:42.790
        .seen = ('2020/11/30 00:00:00.000', '2020/11/30 00:00:00.001')
        :file = guid:5e33068fc82ad37679537187f7bde48b
        :server = tcp://45.60.33.206:7002
        :server:ipv4 = 45.60.33.206
        :server:port = 7002

Use of meta:source nodes

Synapse Rapid7 SonarSSL uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the indexed Rapid7 SonarSSL data.

> meta:source=6105fdeb648a21a2152e45713bee319e
meta:source=6105fdeb648a21a2152e45713bee319e
        .created = 2024/04/09 17:41:41.197
        :name = rapid7 open data

Storm can be used to filter query results to include or exclude nodes that have been observed by Synapse Rapid7 SonarSSL. The following example shows how to filter the results of a query to include only results observed by Synapse Rapid7 SonarSSL:

> inet:ipv4=107.154.151.230 -> inet:ssl:cert +{ <(seen)- meta:source=6105fdeb648a21a2152e45713bee319e }
inet:ssl:cert=('tcp://107.154.151.230:7002', 'guid:49349ef82f7f3e1a5d500ecda1540673')
        .created = 2024/04/09 17:41:42.683
        .seen = ('2020/11/30 00:00:00.000', '2020/11/30 00:00:00.001')
        :file = guid:49349ef82f7f3e1a5d500ecda1540673
        :server = tcp://107.154.151.230:7002
        :server:ipv4 = 107.154.151.230
        :server:port = 7002
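
The include filter above has two useful counterparts: the exclude form, and a walk outward from the meta:source node itself. The queries below are an added example, not taken from the power-up's own documentation; they reuse the meta:source guid and address shown on this page, and the limit of 100 is an arbitrary value chosen for illustration.

```storm
// Query 1 (run on its own): the exclude form of the filter above.
// Keeps only the inet:ssl:cert nodes for this address that have NO (seen)
// edge from the SonarSSL meta:source, i.e. nodes that were not recorded as
// observed by this power-up.
inet:ipv4=107.154.151.230 -> inet:ssl:cert -{ <(seen)- meta:source=6105fdeb648a21a2152e45713bee319e }

// Query 2 (run on its own): start from the meta:source node and walk its
// (seen) edges to the certificate observations it recorded, then pivot to
// the server addresses and de-duplicate them.
meta:source=6105fdeb648a21a2152e45713bee319e -(seen)> inet:ssl:cert | limit 100 | :server:ipv4 -> inet:ipv4 | uniq
```

Query 1 is a quick way to check whether certificate observations for an address come only from the indexed SonarSSL data or are corroborated by other sources in the Cortex.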