# lookup-storm

Look up common atomic indicators in Synapse as plain strings rather than as a `<form>=<valu>` pair.
Not every Synapse user can, or should be expected to, know the necessary form names for common atomic indicators that analysts use. They need a way to query for these values quickly and without the form.
This package adds a `lookup` command to a Synapse instance. The command accepts multiple input strings and yields the Synapse nodes whose primary values are those strings, creating the nodes if they don't already exist. Each input item is used to attempt to lift nodes of the following forms, in this order, using the `?=` try operator:

- `hash:md5`
- `hash:sha1`
- `hash:sha256`
- `inet:cidr4`
- `inet:ipv4`
- `inet:ipv6`
- `inet:fqdn`
- `inet:email`
- `inet:server`
- `inet:url`
- `file:path`
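The ordered try-then-create logic that `lookup` applies to one input, written out as plain Storm. This is an added example, not the package's own code: the `$item` value is constructed, and it assumes `$lib.trycast` and the `[ *$form ?= $valu ]` variable-form edit are available in the target Cortex.

```storm
// Added example, not the package's own code. $item is a constructed input.
// For each form in the package's order, try to normalize the string; the
// first form that accepts it is used to lift or create the node.
$item = "1.1.1.1"
$forms = ("hash:md5", "hash:sha1", "hash:sha256", "inet:cidr4", "inet:ipv4",
          "inet:ipv6", "inet:fqdn", "inet:email", "inet:server", "inet:url",
          "file:path")
$found = $lib.false
for $form in $forms {
    if (not $found) {
        // $lib.trycast returns ($ok, $norm) and does not raise on a bad value
        ($ok, $norm) = $lib.trycast($form, $item)
        if $ok {
            $found = $lib.true
            $lib.print("{item} normalized as {form}", item=$item, form=$form)
            // create-or-lift the node; ?= keeps a rejected value from aborting the query
            [ *$form ?= $norm ]
        }
    }
}
```

The first form that accepts the string wins, so the list order decides how an ambiguous input is typed.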
## Examples

Look up a single IP address by string:

```
lookup 1.1.1.1
```

Look up a hash, an IP address, and a file path in one command:

```
lookup "d41d8cd98f00b204e9800998ecf8427e" "1.1.1.1" "C:\Windows\System32\calc.exe"
```

Look up a URL and a TCP server:

```
lookup http://example.com tcp://1.1.1.1:80
```
## Installation

Install this package in Synapse by running the following Storm command:

```
pkg.load --raw https://raw.githubusercontent.com/gormaniac/stormlibpp/main/src/pkgs/lookup-storm/lookup-storm.json
```

Or, build and install this package locally (assumes you're in the root dir of the project):

```
python3 -m synapse.tools.genpkg --no-docs --push "<Cortex Telepath URL>" src/pkgs/lookup-storm/lookup-storm.yaml
```