In [1]:
import os, sys
try:
    from synapse.lib.jupyter import *
except ImportError as e:
    # Insert the root path of the repository to sys.path.
    # This assumes the notebook is located three directories away
    # From the root synapse directory. It may need to be varied
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *

In [2]:
# Get a temp cortex
core = await getTempCoreCmdr()

In [3]:
# Run the command and display output
q = 'help'
podes = await core.eval(q, cmdr=True)

cli> storm help

count: Iterate through query results, and print the resulting number of nodes
delnode: Delete nodes produced by the previous query logic.
graph: Generate a subgraph from the given input nodes and command line options.
help: List available commands and a brief description for each.
iden: Lift nodes by iden.
limit: Limit the number of nodes generated by the query in the given position.
max: Consume nodes and yield only the one node with the highest value for a property.
min: Consume nodes and yield only the one node with the lowest value for a property.
movetag: Rename an entire tag tree and preserve time intervals.
reindex: Use admin privileges to re index/normalize node properties.
sleep: Introduce a delay between returning each result for the storm query.
spin: Iterate through all query results, but do not yield any.
sudo: Use admin privileges to bypass standard query permissions.
uniq: Filter nodes by their uniq iden values.

For detailed help on any command, use <cm

In [4]:
# Run the command and display output
q = 'count --help'
podes = await core.eval(q, cmdr=True)

cli> storm count --help

usage: count [-h]

    Iterate through query results, and print the resulting number of nodes
    which were lifted. This does yield the nodes counted.

    Example:

        foo:bar:size=20 | count

    

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 3 ms (0/sec).


In [5]:
# Make some email nodes
q = '[inet:email=me@gmail.com inet:email=you@yahoo.com]'
# Run the query and test
podes = await core.eval(q, num=2, cmdr=False)

In [6]:
# Define and print test query
q = 'inet:email | count'
print(q)
# Execute the query and test
podes = await core.eval(q, num=2, cmdr=False)

inet:email | count


In [7]:
# Make some DNS A records
q = '[inet:dns:a=(woot.com,1.2.3.4) inet:dns:a=(woot.com,5.6.7.8)]'
# Run the query and test
podes = await core.eval(q, num=2, cmdr=False)

In [8]:
# Define and print test query
q = 'inet:dns:a:fqdn=woot.com | count'
print(q)
# Execute the query and test
podes = await core.eval(q, num=2, cmdr=False)

inet:dns:a:fqdn=woot.com | count


In [9]:
# Run the command and display output
q = 'delnode --help'
podes = await core.eval(q, cmdr=True)

cli> storm delnode --help

usage: delnode [-h] [--force]

    Delete nodes produced by the previous query logic.

    (no nodes are returned)

    Example

        inet:fqdn=vertex.link | delnode
    

optional arguments:
  -h, --help  show this help message and exit
  --force     Force delete even if it causes broken references (requires
              admin).

complete. 0 nodes in 4 ms (0/sec).


In [10]:
# Make a node
q = '[inet:fqdn=woowoo.com]'
# Run the query and test
podes = await core.eval(q, num=1, cmdr=False)

In [11]:
# Define and print test query
q = 'inet:fqdn=woowoo.com | delnode'
print(q)
# Execute the query and test
podes = await core.eval(q, num=0, cmdr=False)

inet:fqdn=woowoo.com | delnode


In [12]:
# Make and tag some nodes
q = '[inet:dns:a=(woowoo.com,1.2.3.4)]'
q1 = '[inet:fqdn=woowoo.com inet:fqdn=hurr.com inet:fqdn=derp.com +#testing]'
# Run the query and test
podes = await core.eval(q, num=1, cmdr=False)
podes = await core.eval(q1, num=3, cmdr=False)

In [13]:
# Define and print test query
q = '#testing | delnode --force'
print(q)
# Execute the query and test
podes = await core.eval(q, num=0, cmdr=False)

#testing | delnode --force


In [14]:
# Run the command and display output
q = 'graph --help'
podes = await core.eval(q, cmdr=True)

cli> storm graph --help

usage: graph [-h] [--degrees DEGREES] [--pivot PIVOT] [--filter FILTER]
             [--form-pivot FORM_PIVOT FORM_PIVOT]
             [--form-filter FORM_FILTER FORM_FILTER]

    Generate a subgraph from the given input nodes and command line options.
    

optional arguments:
  -h, --help            show this help message and exit
  --degrees DEGREES     How many degrees to graph out.
  --pivot PIVOT         Specify a storm pivot for all nodes. (must quote)
  --filter FILTER       Specify a storm filter for all nodes. (must quote)
  --form-pivot FORM_PIVOT FORM_PIVOT
                        Specify a <form> <pivot> form specific pivot.
  --form-filter FORM_FILTER FORM_FILTER
                        Specify a <form> <filter> form specific filter.

complete. 0 nodes in 5 ms (0/sec).


In [15]:
# Run the command and display output
q = 'iden --help'
podes = await core.eval(q, cmdr=True)

cli> storm iden --help

usage: iden [-h] [iden [iden ...]]

    Lift nodes by iden.

    Example:

        iden b25bc9eec7e159dce879f9ec85fb791f83b505ac55b346fcb64c3c51e98d1175 | count
    

positional arguments:
  iden        Iden to lift nodes by. May be specified multiple times.

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 4 ms (0/sec).


In [16]:
# Define and print test query
q = 'iden d7fb3ae625e295c9279c034f5d91a7ad9132c79a9c2b16eecffc8d1609d75849'
print(q)
# Execute the query and test
podes = await core.eval(q, num=1, cmdr=False)

iden d7fb3ae625e295c9279c034f5d91a7ad9132c79a9c2b16eecffc8d1609d75849


In [17]:
# Run the command and display output
q = 'limit --help'
podes = await core.eval(q, cmdr=True)

cli> storm limit --help

usage: limit [-h] count

    Limit the number of nodes generated by the query in the given position.

    Example:

        inet:ipv4 | limit 10
    

positional arguments:
  count       The maximum number of nodes to yield.

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 3 ms (0/sec).


In [18]:
# Make some nodes
q = '[inet:ipv4=192.168.0.0/24]'
# Run the query and test
podes = await core.eval(q, num=256, cmdr=False)

In [19]:
# Define and print test query
q = 'inet:ipv4 | limit 10'
print(q)
# Execute the query and test
podes = await core.eval(q, num=10, cmdr=False)

inet:ipv4 | limit 10


In [20]:
# Run the command and display output
q = 'max --help'
podes = await core.eval(q, cmdr=True)

cli> storm max --help

usage: max [-h] propname

    Consume nodes and yield only the one node with the highest value for a property.

    Examples:

        file:bytes +#foo.bar | max :size

        file:bytes +#foo.bar | max file:bytes:size

    

positional arguments:
  propname

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 5 ms (0/sec).


In [21]:
# Make some DNS A nodes
q = '[inet:dns:a=(woot.com,107.21.53.159) .seen=(2014/08/13,2014/08/14)]'
q1 = '[inet:dns:a=(woot.com,75.101.146.4) .seen=(2013/09/21,2013/09/22)]'
q2 = '[inet:dns:a=(woot.com,52.206.255.234) .seen=(2018/01/23,2018/01/24)]'
# Run the query and test
podes = await core.eval(q, num=1, cmdr=False)
podes = await core.eval(q1, num=1, cmdr=False)
podes = await core.eval(q2, num=1, cmdr=False)

In [22]:
# Define and print test query
q = 'inet:dns:a:fqdn=woot.com | max .seen'
print(q)
# Execute the query and test
podes = await core.eval(q, num=1, cmdr=False)
max_seen =(1516665600000, 1516752000000)
assert max_seen == podes[0][1].get('props', {}).get('.seen')

inet:dns:a:fqdn=woot.com | max .seen


In [23]:
# Make some WHOIS records
q = '[inet:whois:rec=(woot.com,2018/05/22) :text="domain name: woot.com"]'
q1 = '[inet:whois:rec=(woot.com,2018/01/17) :text="domain name: woot.com"]'
q2 = '[inet:whois:rec=(woot.com,2018/03/30) :text="domain name: woot.com"]'
# Run the query and test
podes = await core.eval(q, num=1, cmdr=False)
podes = await core.eval(q1, num=1, cmdr=False)
podes = await core.eval(q2, num=1, cmdr=False)

In [24]:
# Define and print test query
q = 'inet:whois:rec:fqdn=woot.com | max :asof'
print(q)
# Execute the query and test
podes = await core.eval(q, num=1, cmdr=False)
max_asof = 1526947200000
assert max_asof == podes[0][1].get('props', {}).get('asof')

inet:whois:rec:fqdn=woot.com | max :asof


In [25]:
# Define and print test query
q = 'inet:whois:rec:fqdn=woot.com | max inet:whois:rec:asof'
print(q)
# Execute the query and test
podes = await core.eval(q, num=1, cmdr=False)
max_asof = 1526947200000
assert max_asof == podes[0][1].get('props', {}).get('asof')

inet:whois:rec:fqdn=woot.com | max inet:whois:rec:asof


In [26]:
# Run the command and display output
q = 'min --help'
podes = await core.eval(q, cmdr=True)

cli> storm min --help

usage: min [-h] propname

    Consume nodes and yield only the one node with the lowest value for a property.

    Examples:

        file:bytes +#foo.bar | min :size

        file:bytes +#foo.bar | min file:bytes:size

    

positional arguments:
  propname

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 4 ms (0/sec).


In [27]:
# Define and print test query
q = 'inet:dns:a:fqdn=woot.com | min .seen'
print(q)
# Execute the query and test
podes = await core.eval(q, num=1, cmdr=False)
min_seen = (1379721600000, 1379808000000)
assert min_seen  == podes[0][1].get('props', {}).get('.seen')

inet:dns:a:fqdn=woot.com | min .seen


In [28]:
# Define and print test query
q = 'inet:whois:rec:fqdn=woot.com | min :asof'
print(q)
# Execute the query and test
podes = await core.eval(q, num=1, cmdr=False)
min_asof = 1516147200000
assert min_asof  == podes[0][1].get('props', {}).get('asof')

inet:whois:rec:fqdn=woot.com | min :asof


In [29]:
# Define and print test query
q = 'inet:whois:rec:fqdn=woot.com | min inet:whois:rec:asof'
print(q)
# Execute the query and test
podes = await core.eval(q, num=1, cmdr=False)
min_asof = 1516147200000
assert min_asof  == podes[0][1].get('props', {}).get('asof')

inet:whois:rec:fqdn=woot.com | min inet:whois:rec:asof


In [30]:
# Run the command and display output
q = 'movetag --help'
podes = await core.eval(q, cmdr=True)

cli> storm movetag --help

usage: movetag [-h] oldtag newtag

    Rename an entire tag tree and preserve time intervals.

    Example:

        movetag #foo.bar #baz.faz.bar
    

positional arguments:
  oldtag      The tag tree to rename.
  newtag      The new tag tree name.

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 9 ms (0/sec).


In [31]:
# Make some tagged nodes
q = '[inet:fqdn=hurr.com inet:fqdn=derp.com inet:fqdn=umwut.com +#research]'
# Run the query and test
podes = await core.eval(q, num=3, cmdr=False)

In [32]:
# Define and print test query
q = 'movetag #research #internal.research'
print(q)
# Execute the query and test
podes = await core.eval(q, num=0, cmdr=False)
podes = await core.eval('#research', num=0, cmdr=False)
podes = await core.eval('#internal.research', num=3, cmdr=False)

movetag #research #internal.research


In [33]:
# Make some tagged nodes
q = '[inet:fqdn=newsonet.net inet:fqdn=staycools.net inet:fqdn=firefoxupdata.com +#aka.fireeye.malware]'
# Run the query and test
podes = await core.eval(q, num=3, cmdr=False)

In [34]:
# Define and print test query
q = 'movetag aka.fireeye.malware aka.feye.mal'
print(q)
# Execute the query and test
podes = await core.eval(q, num=0, cmdr=False)
podes = await core.eval('#aka', num=3, cmdr=False)
podes = await core.eval('#aka.fireeye', num=3, cmdr=False)
podes = await core.eval('#aka.fireeye.malware', num=0, cmdr=False)
podes = await core.eval('#aka.feye', num=3, cmdr=False)
podes = await core.eval('#aka.feye.mal', num=3, cmdr=False)

movetag aka.fireeye.malware aka.feye.mal


In [35]:
# Run the command and display output
q = 'reindex --help'
podes = await core.eval(q, cmdr=True)

cli> storm reindex --help

usage: reindex [-h]
               (--type TYPE | --subs | --form-counts | --fire-handler FIRE_HANDLER)

    Use admin privileges to re index/normalize node properties.

    Example:

        foo:bar | reindex --subs

        reindex --type inet:ipv4

    NOTE: This is mostly for model updates and migrations.
          Use with caution and be very sure of what you are doing.
    

optional arguments:
  -h, --help            show this help message and exit
  --type TYPE           Re-index all properties of a specified type.
  --subs                Re-parse and set sub props.
  --form-counts         Re-calculate all form counts.
  --fire-handler FIRE_HANDLER
                        Fire onAdd/wasSet/runTagAdd commands for a fully
                        qualified form/property or tag name on inbound nodes.

complete. 0 nodes in 7 ms (0/sec).


In [36]:
# Run the command and display output
q = 'sleep --help'
podes = await core.eval(q, cmdr=True)

cli> storm sleep --help

usage: sleep [-h] delay

    Introduce a delay between returning each result for the storm query.

    NOTE: This is mostly used for testing / debugging.

    Example:

        #foo.bar | sleep 0.5

    

positional arguments:
  delay       Delay in floating point seconds.

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 3 ms (0/sec).


In [37]:
# Make some nodes
q = '[inet:email=me@gmail.com inet:email=you@yahoo.com inet:email=him@live.com inet:email=her@gmx.com]'
# Run the query and test
podes = await core.eval(q, num=4, cmdr=False)

In [38]:
# Define and print test query
q = 'inet:email | sleep 1.0'
print(q)
# Execute the query and test
podes = await core.eval(q, num=4, cmdr=False)

inet:email | sleep 1.0


In [39]:
# Run the command and display output
q = 'spin --help'
podes = await core.eval(q, cmdr=True)

cli> storm spin --help

usage: spin [-h]

    Iterate through all query results, but do not yield any.
    This can be used to operate on many nodes without returning any.

    Example:

        foo:bar:size=20 [ +#hehe ] | spin

    

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 4 ms (0/sec).


In [40]:
# Define and print test query
q = 'inet:email | count | spin'
print(q)
# Execute the query and test
# This may not be a good test because it only checks that 'spin' returns zero nodes
podes = await core.eval(q, num=0, cmdr=False)
podes = await core.eval('inet:email | count', num=4, cmdr=False)

inet:email | count | spin


In [41]:
# Make some domains
q = '[inet:fqdn=myfirefox.com inet:fqdn=fakefirefox.net inet:fqdn=usefirefoxbrowser.org]'
# Run the query and test
podes = await core.eval(q, num=3, cmdr=False)

In [42]:
# Define and print test query
q = 'inet:fqdn~=firefox [+#int.research] | spin'
print(q)
# Execute the query and test
podes = await core.eval(q, num=0, cmdr=False)
podes = await core.eval('inet:fqdn~=firefox', num=4, cmdr=False)

inet:fqdn~=firefox [+#int.research] | spin


In [43]:
# Run the command and display output
q = 'sudo --help'
podes = await core.eval(q, cmdr=True)

cli> storm sudo --help

usage: sudo [-h]

    Use admin privileges to bypass standard query permissions.

    Example:

        sudo | [ inet:fqdn=vertex.link ]
    

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 4 ms (0/sec).


In [44]:
# Make a node
q = '[inet:fqdn=mydomain.com]'
# Run the query and test
podes = await core.eval(q, num=1, cmdr=False)

In [45]:
# Define and print test query
q = 'sudo | inet:fqdn=mydomain.com | delnode'
print(q)
# Execute the query and test
podes = await core.eval('inet:fqdn=mydomain.com', num=1, cmdr=False)
podes = await core.eval(q, num=0, cmdr=False)
podes = await core.eval('inet:fqdn=mydomain.com', num=0, cmdr=False)

sudo | inet:fqdn=mydomain.com | delnode


In [46]:
# Run the command and display output
q = 'uniq --help'
podes = await core.eval(q, cmdr=True)

cli> storm uniq --help

usage: uniq [-h]

    Filter nodes by their uniq iden values.
    When this is used a Storm pipeline, only the first instance of a
    given node is allowed through the pipeline.

    Examples:

        #badstuff +inet:ipv4 ->* | uniq

    

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 3 ms (0/sec).


In [47]:
# Make some tagged nodes and A records
q = '[inet:fqdn=autoupdater.org inet:fqdn=actblues.com inet:fqdn=euronews24.info +#aka.threatconnect.thr.fancybear]'
q1 = '[inet:dns:a=(autoupdater.org,1.2.3.4) inet:dns:a=(autoupdater.org,5.6.7.8) inet:dns:a=(actblues.com,5.6.7.8) inet:dns:a=(euronews24.info,1.2.3.4) inet:dns:a=(euronews24.info,8.8.8.8) inet:dns:a=(euronews24.info,255.255.255.254)]'
# Run the query and test
podes = await core.eval(q, num=3, cmdr=False)
podes = await core.eval(q1, num=6, cmdr=False)

In [48]:
# Define and print test query
q = 'inet:fqdn#aka.threatconnect.thr.fancybear -> inet:dns:a -> inet:ipv4 | uniq'
print(q)
# Execute the query and test
podes = await core.eval(q, num=4, cmdr=False)
q = 'inet:fqdn#aka.threatconnect.thr.fancybear -> inet:dns:a -> inet:ipv4'
podes = await core.eval(q, num=6, cmdr=False)

inet:fqdn#aka.threatconnect.thr.fancybear -> inet:dns:a -> inet:ipv4 | uniq


In [49]:
# Close cortex because done
_ = await core.fini()