Synapse Pivots Cheat Sheet

Pivoting from one form to another in Synapse is routine, but the Storm queries get verbose quickly, and that makes even pivots you run every day hard to remember. This page collects Storm query snippets that get you from one type of Synapse node to others.

My intent is to eventually codify these pivots into a StormLib++ Storm Package.

All snippets assume that the inbound nodes in the pipeline are already of the form the snippet starts from; prepend a lift of that form to turn a snippet into a runnable query.
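To show what codifying these pivots looks like, here is an added example (my own, not code from the original page or from the StormLib++ project) that registers two of the DNS pivots on this sheet as Storm commands in a minimal package. The package and command names (pivots-cheat, pivots.dns.ipv4, pivots.dns.fqdn) are hypothetical, and it assumes a Synapse version that supports the ({...}) / ([...]) dict and list literal syntax and $lib.pkg.add.

```storm
// Added example, not from the original page or StormLib++.
// Hypothetical package and command names; assumes dict/list literal
// syntax and $lib.pkg.add are available in the Cortex version in use.
$pkgdef = ({
    "name": "pivots-cheat",
    "version": "0.0.1",
    "commands": ([
        ({
            "name": "pivots.dns.ipv4",
            "descr": "Pivot inbound inet:fqdn nodes to the inet:ipv4 nodes they resolved to.",
            "storm": '''
                // only inet:fqdn inbound nodes make sense here; drop anything else
                +inet:fqdn
                -> inet:dns:a:fqdn :ipv4 -> inet:ipv4
                | uniq
            '''
        }),
        ({
            "name": "pivots.dns.fqdn",
            "descr": "Pivot inbound inet:ipv4 nodes to the inet:fqdn nodes that resolved to them.",
            "storm": '''
                +inet:ipv4
                -> inet:dns:a:ipv4 :fqdn -> inet:fqdn
                | uniq
            '''
        })
    ])
})

// Register the package with the Cortex. Commands are resolved when a query
// is parsed, so the new commands are usable from the next query onward, e.g.:
//   inet:fqdn=example.com | pivots.dns.ipv4 | pivots.dns.fqdn
$lib.pkg.add($pkgdef)
```

Run the registration once as a query of its own; the example usage in the comment must be a separate query, because the parser only knows the new command names after the package has been added. Each command carries its own form filter so that a stray inbound node of another form is dropped rather than producing a confusing empty pivot.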

Immediate neighbors of each inbound node (property pivots and light edges, outbound and inbound):

| tee {--> *} {<-- *}

DNS resolutions

Domains that resolved to an inet:ipv4 (via inet:dns:a records):

-> inet:dns:a:ipv4 :fqdn -> inet:fqdn

inet:ipv4 nodes that a domain (inet:fqdn) resolved to:

-> inet:dns:a:fqdn :ipv4 -> inet:ipv4
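Composing the two pivots above gives a common passive-DNS expansion: seed domain, the addresses it resolved to, then the other domains that resolved to the same addresses. This is an added example, not a snippet from the original page; example.com is a placeholder seed, and the :type=unicast filter assumes the inet:ipv4:type property is populated in your Cortex.

```storm
// Added example, not from the original page. example.com is a placeholder seed.
$seed = "example.com"

inet:fqdn=$seed
// fqdn -> the inet:ipv4 nodes it resolved to (inet:dns:a records)
-> inet:dns:a:fqdn :ipv4 -> inet:ipv4
// keep only public unicast addresses; private/loopback/etc. addresses are
// noise for this pivot (assumes inet:ipv4:type is set on the nodes)
+:type=unicast
// ipv4 -> every fqdn that also resolved to those addresses
-> inet:dns:a:ipv4 :fqdn -> inet:fqdn
// the seed itself resolved to those addresses too, so exclude it
-inet:fqdn=$seed
| uniq
// shared hosting and CDN addresses fan out to thousands of names; cap the result
| limit 500
```

The uniq is needed because a domain that resolved to several of the seed's addresses is reached once per address. If the result is dominated by a CDN or shared-hosting address, inspect the intermediate inet:ipv4 nodes first and drop the offending address before the second pivot.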

Subdomains of an inet:fqdn. This also reaches deeper subdomains, but only through inet:fqdn:zone references: the inbound pivot picks up every fqdn whose :domain or :zone is the inbound node, so from a zone apex you get the whole tree beneath it, while from a non-zone name you get only its direct children:

<- * +inet:fqdn:domain | uniq

Whois records (inet:whois:rec) for an inet:fqdn:

<- * +inet:whois:rec:fqdn

Files (file:bytes) downloaded from an inet:url, via inet:urlfile:

<- * +inet:urlfile:file -> file:bytes

SSL Certificates (crypto:x509:cert)

Show all SSL certificates that are associated with a domain (matching the subject CN, both spellings of the DNS SAN tuple, and the parsed :identities:fqdns array):

| tee {crypto:x509:cert:subject~=`CN={$node.value()}`} {crypto:x509:cert:ext:sans*[=(dns, $node.value())]} {crypto:x509:cert:ext:sans*[=(DNS, $node.value())]} {crypto:x509:cert:identities:fqdns *[ = $node.value() ]} | -inet:fqdn | uniq

The trailing -inet:fqdn is required: a lift inside each tee branch passes the inbound domain through alongside the lifted certificates, and without the filter the domain would appear in the output.

Infrastructure hosting an SSL certificate (the inet:ssl:cert :server addresses observed serving it):

:file -> file:bytes <- * +inet:ssl:cert | tee {:server:ipv4 -> inet:ipv4} {:server:ipv6 -> inet:ipv6} | uniq

YARA

YARA rules (it:app:yara:rule) matching a file (file:bytes):

<- * +it:app:yara:match :rule -> it:app:yara:rule

Files (file:bytes) that match a YARA rule (it:app:yara:rule):

<- * +it:app:yara:match :file -> file:bytes

Servers (inet:server)

Servers (inet:server) on the infrastructure behind a domain (inet:fqdn), found through both reverse (inet:dns:rev) and forward (inet:dns:a) DNS records:

| tee {-> inet:dns:rev:fqdn :ipv4 -> inet:ipv4} {-> inet:dns:a:fqdn :ipv4 -> inet:ipv4} | <- * +inet:server

The domains that resolved to the address of an inet:server (via its :ipv4 and inet:dns:a records):

:ipv4 -> inet:ipv4 -> inet:dns:a:ipv4 :fqdn -> inet:fqdn

Email addresses (inet:email) under an inet:fqdn:

<- * +inet:email:fqdn