CIFv3 API PowerShell Wrapper

Collective Intelligence Framework (CIF) is a threat intelligence framework. This project is a CIFv3 client for PowerShell Core and Windows PowerShell.

https://csirtgadgets.com/collective-intelligence-framework

https://github.com/csirtgadgets/bearded-avenger

Getting Started

Install the module:

Install-Module CIF3

Load the module:

Import-Module CIF3

See what functions are available:

Get-Command -Module CIF3

If you have an existing .cif.yml in your $env:HOME dir, its contents will be read and used automatically. If you've never setup your config file (.cif.yml) before, do so now. At a minimum you must set the Uri and Token parameters.

Set-CIF3Config -Uri https://feeds.cif.domain.com -Token aaaabbbbccccdddd

Using the Module

CIF Instance Configuration

Retrieve your CIFv3 config settings:

Get-CIF3Config

Set the URI and authorization token to communicate with the desired CIF instance:

Set-CIF3Config -Uri 'https://cif.domain.local:5000' -Token 'd81830def81a871f2adbf00c5000000'

Test the connection to your configured CIF instance URI (returns $true if working, $false otherwise):

Test-CIF3Auth

Tokens

Tokens in CIF are like API keys, used for authenticating and authorizing a user to perform various actions.

List all tokens on the CIF instance:

Get-CIF3Token

Find a token with username = 'user1@domain.local'

Get-CIF3Token -Name user1@domain.local

Create a new token called 'writeonly' on the CIF instance. It will have write permissions but no read permissions:

New-CIF3Token -Name 'writeonly' -Permission 'Write'

Remove the specified token from the CIF instance:

Remove-CIF3Token -Id 'abcdef9999888855553333'

Update token to be in groups 'everyone' and 'admins':

Set-CIF3TokenGroup -Id 'abcdef9999888855553333' -Group everyone, admins

Indicators

Get a list of all indicators (default ResultSize is 100, so 100 will be returned):

Get-CIF3Indicator

Get up to 500 indicator results that have a Confidence of 8 or greater:

Get-CIF3Indicator -Confidence 8 -ResultSize 500

Get all fqdn indicators reported in the last week that have a 'malware' or 'botnet' tag:

Get-CIF3Indicator -IType fqdn -StartTime (Get-Date).AddDays(-7) -EndTime (Get-Date) -Tag malware, botnet

Add an indicator for 'baddomain.xyz' at a confidence of 7, an amber TLP, and tagged as 'malware'

Add-CIF3Indicator -Indicator baddomain.xyz -Confidence 7 -Tag malware -TLP amber

Search for the indicator 44.227.178.5 and include any matching parent CIDRs that are known. Results are sorted by confidence highest to lowest, with any equal-confidence indicators being further sorted by reporttime oldest to newest before being returned:

Get-CIF3Indicator -Indicator '44.227.178.5' -IncludeRelatives -Sort '-confidence', 'reporttime'

Feeds

Feeds are aggregated, deduplicated, and filtered datasets that have had allowlists applied before being returned. Indicator type is the only mandatory parameter when generating a feed.

Get a feed of all fqdn indicators with a confidence of 7.5 or greater:

Get-CIF3Feed -IType fqdn -Confidence 7.5

Get a feed of all md5 indicators with a confidence of 9 or greater tagged as 'malware.' Additionally, add the ?apiParam=paramValue string to the final REST request:

Get-CIF3Feed -IType md5 -Confidence 9 -Tag 'malware' -ExtraParams @{ 'apiParam' = 'paramValue' }

Acknowledgments

• Warren Frame's PSSlack pwsh module for powershell framework ideas.
• The official csirtgadgets' CIFv3 Python SDK for reference.