# Synapse Pivots Cheat Sheet

Pivoting from one form to another in Synapse is a common practice but can become verbose very quickly. Unfortunately this can leave pivots one has to do regularly hard to remember. This is a reference page containing snippets of Storm queries that can be used to get from one type of Synapse node to others. My intent is to eventually codify these pivots into a `StormLib++` Storm Package.

All examples assume that the inbound nodes already have the correct form in the pipeline to begin the pivot.

## Immediate neighbors of each inbound node

```
| tee {--> *} {<-- *}
```

## DNS resolutions

Domains related to an `inet:ipv4`:

```
-> inet:dns:a:ipv4 :fqdn -> inet:fqdn
```

`inet:ipv4` nodes a domain resolved to:

```
-> inet:dns:a:fqdn :ipv4 -> inet:ipv4
```

Subdomains of an `inet:fqdn` (also includes subdomains of subdomains):

```
<- * +inet:fqdn:domain | uniq
```

Whois records for an `inet:fqdn`:

```
<- * +inet:whois:rec:fqdn
```

## Files from an `inet:url`

```
<- * +inet:urlfile:file -> file:bytes
```

## SSL Certificates (`crypto:x509:cert`)

Show all SSL certificates that are associated with a domain:

```
| tee
    {crypto:x509:cert:subject~=`CN={$node.value()}`}
    {crypto:x509:cert:ext:sans*[=(dns, $node.value())]}
    {crypto:x509:cert:ext:sans*[=(DNS, $node.value())]}
    {crypto:x509:cert:identities:fqdns *[ = $node.value() ]}
| -inet:fqdn | uniq
```

Infrastructure hosting an SSL certificate:

```
:file -> file:bytes <- * +inet:ssl:cert
| tee {:server:ipv4 -> inet:ipv4} {:server:ipv6 -> inet:ipv6}
| uniq
```

## Yara

Yara rules matching a file:

```
<- * +it:app:yara:match :rule -> it:app:yara:rule
```

Files that match a Yara rule:

```
<- * +it:app:yara:match :file -> file:bytes
```

## inet:server stuff

Infrastructure hosted on a domain (`inet:fqdn`):

```
| tee {-> inet:dns:rev:fqdn :ipv4 -> inet:ipv4} {-> inet:dns:a:fqdn :ipv4 -> inet:ipv4}
| <- * +inet:server
```

The domain used by an `inet:server`:

```
:ipv4 -> inet:ipv4 -> inet:dns:a:ipv4 :fqdn -> inet:fqdn
```

## Emails with a certain `inet:fqdn`

```
<- * +inet:email:fqdn
```

## Related threat actor (`risk:threat`) nodes from tagged nodes

```
#cno.thr.* | +syn:tag <- * +risk:threat:tag | uniq
```
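As an added example that is not part of the original cheat sheet, the DNS, certificate and hosting pivots from the sections above chained into a single Storm pipeline: starting from one address, find the domains that resolved to it, the certificates naming those domains, and the other hosts observed serving those certificates. The starting address is a constructed placeholder from the RFC 5737 documentation range; the pivot snippets themselves are the ones listed on this page.

```storm
// Constructed starting point (RFC 5737 documentation range, not a real target)
inet:ipv4=192.0.2.1

// DNS pivot from the page: domains that resolved to this address
-> inet:dns:a:ipv4 :fqdn -> inet:fqdn | uniq

// Certificate pivot from the page: certs whose subject, SANs or
// identities name any of those domains
| tee
    {crypto:x509:cert:subject~=`CN={$node.value()}`}
    {crypto:x509:cert:ext:sans*[=(dns, $node.value())]}
    {crypto:x509:cert:ext:sans*[=(DNS, $node.value())]}
    {crypto:x509:cert:identities:fqdns *[ = $node.value() ]}
| -inet:fqdn | uniq

// Hosting pivot from the page: every server seen presenting those certs,
// which surfaces shared infrastructure beyond the original address
| :file -> file:bytes <- * +inet:ssl:cert
| tee {:server:ipv4 -> inet:ipv4} {:server:ipv6 -> inet:ipv6}
| uniq
```

Each stage is exactly one of the page's pivots, so any of them can be dropped or replaced (for example swapping the DNS stage for the `inet:dns:rev` variant) without changing the rest of the pipeline.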