In [1]:
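import os, sys
# Pull in the notebook helpers (getTempCoreCmdr, etc.). Prefer the installed
# synapse package and only fall back to a source checkout if that import fails.
try:
    from synapse.lib.jupyter import *
except ImportError:
    # Fallback for running from a source checkout: prepend the repository root
    # to sys.path. The path is resolved relative to the kernel's *current
    # working directory*, not this notebook file, and assumes the notebook
    # lives three directories below the synapse root -- adjust if it does not.
    # NOTE(review): whatever directory this resolves to is searched first for
    # every later import, so start the kernel from the expected directory (or
    # install the package) rather than relying on this fallback.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *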

In [2]:
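# Get a temp cortex and preload some data into it.
# The cortex is created fresh for this notebook and is only closed by the
# core.fini() in the final cell; no earlier cell cleans it up.
core = await getTempCoreCmdr()
q = '[inet:fqdn=woot.com]'
# core.eval() runs a storm query. With cmdr=True the CLI output is echoed
# below the cell; num=N asserts that exactly N nodes were yielded, which is
# how every test cell in this notebook checks its result.
podes = await core.eval(q, num=1, cmdr=True)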

cli> storm [inet:fqdn=woot.com]

inet:fqdn=woot.com
        .created = 2019/01/02 21:29:33.975
        :domain = com
        :host = woot
        :issuffix = False
        :iszone = True
        :zone = woot.com
complete. 1 nodes in 11 ms (90/sec).


In [3]:
# List the storm commands available in this cortex. cmdr=True routes the
# query through the CLI so its text output is shown below; num= is omitted
# because only the printed text matters here.
q = 'help'
podes = await core.eval(q, cmdr=True)

cli> storm help

count: Iterate through query results, and print the resulting number of nodes
delnode: Delete nodes produced by the previous query logic.
graph: Generate a subgraph from the given input nodes and command line options.
help: List available commands and a brief description for each.
iden: Lift nodes by iden.
limit: Limit the number of nodes generated by the query in the given position.
max: Consume nodes and yield only the one node with the highest value for a property.
min: Consume nodes and yield only the one node with the lowest value for a property.
movetag: Rename an entire tag tree and preserve time intervals.
noderefs: Get nodes adjacent to inbound nodes, up to n degrees away.
reindex: Use admin privileges to re index/normalize node properties.
sleep: Introduce a delay between returning each result for the storm query.
spin: Iterate through all query results, but do not yield any.
sudo: Use admin privileges to bypass standard query permissions.
uniq: Filter nodes 

In [4]:
# Show the usage text for 'count'. Per the help: count prints a total but
# still yields the nodes it counted, so it can sit in the middle of a pipeline.
q = 'count --help'
podes = await core.eval(q, cmdr=True)

cli> storm count --help

usage: count [-h]

    Iterate through query results, and print the resulting number of nodes
    which were lifted. This does yield the nodes counted.

    Example:

        foo:bar:size=20 | count

    

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 3 ms (0/sec).


In [5]:
# Create two email nodes (sample data; the addresses are placeholders).
# The :fqdn and :user secondary props are derived from the value automatically.
q = '[inet:email=me@gmail.com inet:email=you@yahoo.com]'
# Run the query and check that exactly two nodes come back.
podes = await core.eval(q, num=2, cmdr=True)

cli> storm [inet:email=me@gmail.com inet:email=you@yahoo.com]

inet:email=me@gmail.com
        .created = 2019/01/02 21:29:34.036
        :fqdn = gmail.com
        :user = me
inet:email=you@yahoo.com
        .created = 2019/01/02 21:29:34.039
        :fqdn = yahoo.com
        :user = you
complete. 2 nodes in 14 ms (142/sec).


In [6]:
# Define and print test query: lift every inet:email node and pipe into count.
q = 'inet:email | count'
print(q)
# Execute with cmdr=False (no CLI echo). num=2 relies on the two emails
# created above being the only ones in the cortex, and on count yielding
# the nodes it counted.
podes = await core.eval(q, num=2, cmdr=False)

inet:email | count


In [7]:
# Make two DNS A records for woot.com. inet:dns:a is a composite of
# (fqdn, ipv4); the referenced inet:fqdn / inet:ipv4 nodes are created as
# needed if they do not exist yet.
q = '[inet:dns:a=(woot.com,1.2.3.4) inet:dns:a=(woot.com,5.6.7.8)]'
# Run the query and check that exactly two nodes come back.
podes = await core.eval(q, num=2, cmdr=True)

cli> storm [inet:dns:a=(woot.com,1.2.3.4) inet:dns:a=(woot.com,5.6.7.8)]

inet:dns:a=('woot.com', '1.2.3.4')
        .created = 2019/01/02 21:29:34.081
        :fqdn = woot.com
        :ipv4 = 1.2.3.4
inet:dns:a=('woot.com', '5.6.7.8')
        .created = 2019/01/02 21:29:34.084
        :fqdn = woot.com
        :ipv4 = 5.6.7.8
complete. 2 nodes in 13 ms (153/sec).


In [8]:
# Define and print test query: lift A records by their :fqdn secondary prop
# and count them.
q = 'inet:dns:a:fqdn=woot.com | count'
print(q)
# Execute the query and test: expect the two records created above.
podes = await core.eval(q, num=2, cmdr=False)

inet:dns:a:fqdn=woot.com | count


In [9]:
# Show the usage text for 'delnode'. Security note: delnode is destructive and
# yields nothing, and --force will delete a node that other nodes still
# reference (leaving broken references), which is why --force requires admin.
q = 'delnode --help'
podes = await core.eval(q, cmdr=True)

cli> storm delnode --help

usage: delnode [-h] [--force]

    Delete nodes produced by the previous query logic.

    (no nodes are returned)

    Example

        inet:fqdn=vertex.link | delnode
    

optional arguments:
  -h, --help  show this help message and exit
  --force     Force delete even if it causes broken references (requires
              admin).

complete. 0 nodes in 3 ms (0/sec).


In [10]:
# Make a throwaway node to delete in the next cell.
q = '[inet:fqdn=woowoo.com]'
# Run the query and check that one node comes back.
podes = await core.eval(q, num=1, cmdr=True)

cli> storm [inet:fqdn=woowoo.com]

inet:fqdn=woowoo.com
        .created = 2019/01/02 21:29:34.150
        :domain = com
        :host = woowoo
        :issuffix = False
        :iszone = True
        :zone = woowoo.com
complete. 1 nodes in 14 ms (71/sec).


In [11]:
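# Define and print test query
q = 'inet:fqdn=woowoo.com | delnode'
print(q)
# Execute the query and test. delnode yields nothing (see its help above), so
# num=0 only proves the pipeline produced no nodes, not that the node is gone.
podes = await core.eval(q, num=0, cmdr=False)
# Lift the deleted node again: an empty result confirms it was removed.
podes = await core.eval('inet:fqdn=woowoo.com', num=0, cmdr=False)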

inet:fqdn=woowoo.com | delnode


In [12]:
# Make and tag some nodes. The first query re-creates the A record for
# woowoo.com, which also re-creates the inet:fqdn=woowoo.com node deleted in
# the previous cell (its .created time precedes the A record's in the output).
# The second query then tags woowoo.com, hurr.com and derp.com with #testing.
q = '[inet:dns:a=(woowoo.com,1.2.3.4)]'
q1 = '[inet:fqdn=woowoo.com inet:fqdn=hurr.com inet:fqdn=derp.com +#testing]'
# Run the queries and check the node counts (1, then 3).
podes = await core.eval(q, num=1, cmdr=True)
podes = await core.eval(q1, num=3, cmdr=True)

cli> storm [inet:dns:a=(woowoo.com,1.2.3.4)]

inet:dns:a=('woowoo.com', '1.2.3.4')
        .created = 2019/01/02 21:29:34.211
        :fqdn = woowoo.com
        :ipv4 = 1.2.3.4
complete. 1 nodes in 14 ms (71/sec).
cli> storm [inet:fqdn=woowoo.com inet:fqdn=hurr.com inet:fqdn=derp.com +#testing]

inet:fqdn=woowoo.com
        .created = 2019/01/02 21:29:34.209
        :domain = com
        :host = woowoo
        :issuffix = False
        :iszone = True
        :zone = woowoo.com
        #testing
inet:fqdn=hurr.com
        .created = 2019/01/02 21:29:34.238
        :domain = com
        :host = hurr
        :issuffix = False
        :iszone = True
        :zone = hurr.com
        #testing
inet:fqdn=derp.com
        .created = 2019/01/02 21:29:34.240
        :domain = com
        :host = derp
        :issuffix = False
        :iszone = True
        :zone = derp.com
        #testing
complete. 3 nodes in 16 ms (187/sec).


In [13]:
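# Define and print test query
q = '#testing | delnode --force'
print(q)
# --force is needed here because inet:fqdn=woowoo.com is still referenced by
# the inet:dns:a=(woowoo.com,1.2.3.4) node created above; deleting it anyway
# is the "broken references" case delnode --help warns about, which is why the
# option requires admin. Use it deliberately, never as a default.
podes = await core.eval(q, num=0, cmdr=False)
# Confirm the tagged nodes are gone rather than relying on delnode's empty yield.
podes = await core.eval('#testing', num=0, cmdr=False)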

#testing | delnode --force


In [14]:
# Show the usage text for 'graph'. The --pivot / --filter values are storm
# snippets and must be quoted (per the help text).
q = 'graph --help'
podes = await core.eval(q, cmdr=True)

cli> storm graph --help

usage: graph [-h] [--degrees DEGREES] [--pivot PIVOT] [--filter FILTER]
             [--form-pivot FORM_PIVOT FORM_PIVOT]
             [--form-filter FORM_FILTER FORM_FILTER]

    Generate a subgraph from the given input nodes and command line options.
    

optional arguments:
  -h, --help            show this help message and exit
  --degrees DEGREES     How many degrees to graph out.
  --pivot PIVOT         Specify a storm pivot for all nodes. (must quote)
  --filter FILTER       Specify a storm filter for all nodes. (must quote)
  --form-pivot FORM_PIVOT FORM_PIVOT
                        Specify a <form> <pivot> form specific pivot.
  --form-filter FORM_FILTER FORM_FILTER
                        Specify a <form> <filter> form specific filter.

complete. 0 nodes in 5 ms (0/sec).


In [15]:
# Show the usage text for 'iden' (lift nodes by iden; several may be given).
q = 'iden --help'
podes = await core.eval(q, cmdr=True)

cli> storm iden --help

usage: iden [-h] [iden [iden ...]]

    Lift nodes by iden.

    Example:

        iden b25bc9eec7e159dce879f9ec85fb791f83b505ac55b346fcb64c3c51e98d1175 | count
    

positional arguments:
  iden        Iden to lift nodes by. May be specified multiple times.

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 3 ms (0/sec).


In [16]:
# Define and print test query: lift a single node by iden.
# num=1 asserts the iden matches exactly one node, so it must belong to a node
# already created in this notebook; which node is not recorded here.
# TODO(review): note the node (form=value) this iden corresponds to.
q = 'iden d7fb3ae625e295c9279c034f5d91a7ad9132c79a9c2b16eecffc8d1609d75849'
print(q)
# Execute the query and test
podes = await core.eval(q, num=1, cmdr=False)

iden d7fb3ae625e295c9279c034f5d91a7ad9132c79a9c2b16eecffc8d1609d75849


In [17]:
# Show the usage text for 'limit' (cap the nodes yielded at that point in the pipeline).
q = 'limit --help'
podes = await core.eval(q, cmdr=True)

cli> storm limit --help

usage: limit [-h] count

    Limit the number of nodes generated by the query in the given position.

    Example:

        inet:ipv4 | limit 10
    

positional arguments:
  count       The maximum number of nodes to yield.

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 8 ms (0/sec).


In [18]:
# Make some nodes: a CIDR value expands to every address in the block, so this
# creates 256 inet:ipv4 nodes (and, with cmdr=True, echoes all of them).
q = '[inet:ipv4=192.168.0.0/24]'
# Run the query and check the count.
podes = await core.eval(q, num=256, cmdr=True)

cli> storm [inet:ipv4=192.168.0.0/24]

inet:ipv4=192.168.0.0
        .created = 2019/01/02 21:29:34.405
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.1
        .created = 2019/01/02 21:29:34.406
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.2
        .created = 2019/01/02 21:29:34.407
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.3
        .created = 2019/01/02 21:29:34.409
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.4
        .created = 2019/01/02 21:29:34.412
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.5
        .created = 2019/01/02 21:29:34.413
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.6
        .created = 2019/01/02 21:29:34.416
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.7
        .created = 2019/01/02 21:29:34.418
        :asn = 0
        :lo

inet:ipv4=192.168.0.70
        .created = 2019/01/02 21:29:34.539
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.71
        .created = 2019/01/02 21:29:34.540
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.72
        .created = 2019/01/02 21:29:34.541
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.73
        .created = 2019/01/02 21:29:34.543
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.74
        .created = 2019/01/02 21:29:34.544
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.75
        .created = 2019/01/02 21:29:34.545
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.76
        .created = 2019/01/02 21:29:34.547
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.77
        .created = 2019/01/02 21:29:34.547
        :asn = 0
        :loc = ??
        :type = private


inet:ipv4=192.168.0.136
        .created = 2019/01/02 21:29:34.623
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.137
        .created = 2019/01/02 21:29:34.624
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.138
        .created = 2019/01/02 21:29:34.625
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.139
        .created = 2019/01/02 21:29:34.626
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.140
        .created = 2019/01/02 21:29:34.628
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.141
        .created = 2019/01/02 21:29:34.628
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.142
        .created = 2019/01/02 21:29:34.629
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.143
        .created = 2019/01/02 21:29:34.630
        :asn = 0
        :loc = ??
        :type = 

inet:ipv4=192.168.0.210
        .created = 2019/01/02 21:29:34.733
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.211
        .created = 2019/01/02 21:29:34.734
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.212
        .created = 2019/01/02 21:29:34.737
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.213
        .created = 2019/01/02 21:29:34.739
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.214
        .created = 2019/01/02 21:29:34.741
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.215
        .created = 2019/01/02 21:29:34.742
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.216
        .created = 2019/01/02 21:29:34.743
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.217
        .created = 2019/01/02 21:29:34.744
        :asn = 0
        :loc = ??
        :type = 

In [19]:
# Define and print test query: lift all inet:ipv4 nodes but stop after ten.
q = 'inet:ipv4 | limit 10'
print(q)
# Execute the query and test. Which ten are yielded is not specified here;
# the test only pins the count.
podes = await core.eval(q, num=10, cmdr=False)

inet:ipv4 | limit 10


In [20]:
# Show the usage text for 'max' (consume all input, yield only the node with
# the highest value for the given property).
q = 'max --help'
podes = await core.eval(q, cmdr=True)

cli> storm max --help

usage: max [-h] propname

    Consume nodes and yield only the one node with the highest value for a property.

    Examples:

        file:bytes +#foo.bar | max size

    

positional arguments:
  propname

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 4 ms (0/sec).


In [21]:
# Make three DNS A records for woot.com, each with a .seen interval so max/min
# have a universal property to compare on. .seen takes a (start, end) pair.
q = '[inet:dns:a=(woot.com,107.21.53.159) .seen=(2014/08/13,2014/08/13)]'
q1 = '[inet:dns:a=(woot.com,75.101.146.4) .seen=(2013/09/21,2013/09/21)]'
q2 = '[inet:dns:a=(woot.com,52.206.255.234) .seen=(2018/01/23,2018/01/23)]'
# Run each query and check that one node comes back.
podes = await core.eval(q, num=1, cmdr=True)
podes = await core.eval(q1, num=1, cmdr=True)
podes = await core.eval(q2, num=1, cmdr=True)

cli> storm [inet:dns:a=(woot.com,107.21.53.159) .seen=(2014/08/13,2014/08/13)]

inet:dns:a=('woot.com', '107.21.53.159')
        .created = 2019/01/02 21:29:34.886
        .seen = ('2014/08/13 00:00:00.000', '2014/08/13 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 107.21.53.159
complete. 1 nodes in 12 ms (83/sec).
cli> storm [inet:dns:a=(woot.com,75.101.146.4) .seen=(2013/09/21,2013/09/21)]

inet:dns:a=('woot.com', '75.101.146.4')
        .created = 2019/01/02 21:29:34.910
        .seen = ('2013/09/21 00:00:00.000', '2013/09/21 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 75.101.146.4
complete. 1 nodes in 15 ms (66/sec).
cli> storm [inet:dns:a=(woot.com,52.206.255.234) .seen=(2018/01/23,2018/01/23)]

inet:dns:a=('woot.com', '52.206.255.234')
        .created = 2019/01/02 21:29:34.928
        .seen = ('2018/01/23 00:00:00.000', '2018/01/23 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 52.206.255.234
complete. 1 nodes in 8 ms (125/sec).


In [22]:
# Define and print test query: of the woot.com A records, keep the one with
# the latest .seen (presumably the 52.206.255.234 record seen 2018/01/23).
# The lift also matches the two records from earlier with no .seen at all;
# how max treats a missing property is not shown here -- verify.
q = 'inet:dns:a:fqdn=woot.com | max .seen'
print(q)
# Execute the query and test.
# Note this is a weak test: num=1 only checks that a single node was yielded,
# not which one. TODO(review): assert the returned node is the 2018 record.
podes = await core.eval(q, num=1, cmdr=False)

inet:dns:a:fqdn=woot.com | max .seen


In [23]:
# Make three WHOIS records for woot.com. inet:whois:rec is keyed by
# (fqdn, asof time); :text is set explicitly, :fqdn and :asof derive from
# the value.
q = '[inet:whois:rec=(woot.com,2018/05/22) :text="domain name: woot.com"]'
q1 = '[inet:whois:rec=(woot.com,2018/01/17) :text="domain name: woot.com"]'
q2 = '[inet:whois:rec=(woot.com,2018/03/30) :text="domain name: woot.com"]'
# Run each query and check that one node comes back.
podes = await core.eval(q, num=1, cmdr=True)
podes = await core.eval(q1, num=1, cmdr=True)
podes = await core.eval(q2, num=1, cmdr=True)

cli> storm [inet:whois:rec=(woot.com,2018/05/22) :text="domain name: woot.com"]

inet:whois:rec=('woot.com', '2018/05/22 00:00:00.000')
        .created = 2019/01/02 21:29:35.048
        :asof = 2018/05/22 00:00:00.000
        :fqdn = woot.com
        :registrant = ??
        :registrar = ??
        :text = domain name: woot.com
complete. 1 nodes in 14 ms (71/sec).
cli> storm [inet:whois:rec=(woot.com,2018/01/17) :text="domain name: woot.com"]

inet:whois:rec=('woot.com', '2018/01/17 00:00:00.000')
        .created = 2019/01/02 21:29:35.070
        :asof = 2018/01/17 00:00:00.000
        :fqdn = woot.com
        :registrant = ??
        :registrar = ??
        :text = domain name: woot.com
complete. 1 nodes in 11 ms (90/sec).
cli> storm [inet:whois:rec=(woot.com,2018/03/30) :text="domain name: woot.com"]

inet:whois:rec=('woot.com', '2018/03/30 00:00:00.000')
        .created = 2019/01/02 21:29:35.090
        :asof = 2018/03/30 00:00:00.000
        :fqdn = woot.com
        :registrant 

In [24]:
# Define and print test query: keep the WHOIS record with the latest :asof
# (presumably the 2018/05/22 record).
q = 'inet:whois:rec:fqdn=woot.com | max :asof'
print(q)
# Execute the query and test.
# Note this is a weak test: num=1 only checks that one node was yielded, not
# which one. TODO(review): assert the returned node is the 2018/05/22 record.
podes = await core.eval(q, num=1, cmdr=False)

inet:whois:rec:fqdn=woot.com | max :asof


In [25]:
# Show the usage text for 'min' (the counterpart of max: consume all input,
# yield only the node with the lowest value for the given property).
q = 'min --help'
podes = await core.eval(q, cmdr=True)

cli> storm min --help

usage: min [-h] propname

    Consume nodes and yield only the one node with the lowest value for a property.

    Examples:

        file:bytes +#foo.bar | min size

    

positional arguments:
  propname

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 4 ms (0/sec).


In [26]:
# Define and print test query: keep the woot.com A record with the earliest
# .seen (presumably the 75.101.146.4 record seen 2013/09/21). As with max,
# the lift also includes the two records that have no .seen -- verify how
# min treats them.
q = 'inet:dns:a:fqdn=woot.com | min .seen'
print(q)
# Execute the query and test.
# Note this is a weak test: num=1 only checks that one node was yielded, not
# which one. TODO(review): assert the returned node is the 2013 record.
podes = await core.eval(q, num=1, cmdr=False)

inet:dns:a:fqdn=woot.com | min .seen


In [27]:
# Define and print test query: keep the WHOIS record with the earliest :asof
# (presumably the 2018/01/17 record).
q = 'inet:whois:rec:fqdn=woot.com | min :asof'
print(q)
# Execute the query and test.
# Note this is a weak test: num=1 only checks that one node was yielded, not
# which one. TODO(review): assert the returned node is the 2018/01/17 record.
podes = await core.eval(q, num=1, cmdr=False)

inet:whois:rec:fqdn=woot.com | min :asof


In [28]:
# Show the usage text for 'movetag'. It renames an entire tag tree on every
# node that carries it and keeps the tags' time intervals, so it is a
# cortex-wide change rather than a per-node edit.
q = 'movetag --help'
podes = await core.eval(q, cmdr=True)

cli> storm movetag --help

usage: movetag [-h] oldtag newtag

    Rename an entire tag tree and preserve time intervals.

    Example:

        movetag #foo.bar #baz.faz.bar
    

positional arguments:
  oldtag      The tag tree to rename.
  newtag      The new tag tree name.

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 3 ms (0/sec).


In [29]:
# Make some tagged nodes. hurr.com and derp.com were deleted earlier with
# delnode --force; this re-creates them (plus umwut.com) and tags all three
# with #research.
q = '[inet:fqdn=hurr.com inet:fqdn=derp.com inet:fqdn=umwut.com +#research]'
# Run the query and check that three nodes come back.
podes = await core.eval(q, num=3, cmdr=True)

cli> storm [inet:fqdn=hurr.com inet:fqdn=derp.com inet:fqdn=umwut.com +#research]

inet:fqdn=hurr.com
        .created = 2019/01/02 21:29:35.224
        :domain = com
        :host = hurr
        :issuffix = False
        :iszone = True
        :zone = hurr.com
        #research
inet:fqdn=derp.com
        .created = 2019/01/02 21:29:35.226
        :domain = com
        :host = derp
        :issuffix = False
        :iszone = True
        :zone = derp.com
        #research
inet:fqdn=umwut.com
        .created = 2019/01/02 21:29:35.228
        :domain = com
        :host = umwut
        :issuffix = False
        :iszone = True
        :zone = umwut.com
        #research
complete. 3 nodes in 14 ms (214/sec).


In [30]:
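# Define and print test query
q = 'movetag #research #internal.research'
print(q)
# Execute the query and test. movetag yields no nodes, so num=0 alone does
# not prove the rename happened.
podes = await core.eval(q, num=0, cmdr=False)
# Verify: nothing carries the old tag and all three nodes carry the new one.
podes = await core.eval('#research', num=0, cmdr=False)
podes = await core.eval('#internal.research', num=3, cmdr=False)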

movetag #research #internal.research


In [31]:
# Make some tagged nodes. The #aka.<vendor>.<name> tag is used here only as
# sample data for the movetag demonstration that follows.
q = '[inet:fqdn=newsonet.net inet:fqdn=staycools.net inet:fqdn=firefoxupdata.com +#aka.fireeye.malware]'
# Run the query and check that three nodes come back.
podes = await core.eval(q, num=3, cmdr=True)

cli> storm [inet:fqdn=newsonet.net inet:fqdn=staycools.net inet:fqdn=firefoxupdata.com +#aka.fireeye.malware]

inet:fqdn=newsonet.net
        .created = 2019/01/02 21:29:35.296
        :domain = net
        :host = newsonet
        :issuffix = False
        :iszone = True
        :zone = newsonet.net
        #aka.fireeye.malware
inet:fqdn=staycools.net
        .created = 2019/01/02 21:29:35.304
        :domain = net
        :host = staycools
        :issuffix = False
        :iszone = True
        :zone = staycools.net
        #aka.fireeye.malware
inet:fqdn=firefoxupdata.com
        .created = 2019/01/02 21:29:35.310
        :domain = com
        :host = firefoxupdata
        :issuffix = False
        :iszone = True
        :zone = firefoxupdata.com
        #aka.fireeye.malware
complete. 3 nodes in 29 ms (103/sec).


In [32]:
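# Define and print test query
# The tags are given without the leading '#' here, unlike the previous
# movetag cell; both forms run in this notebook.
q = 'movetag aka.fireeye.malware aka.feye.mal'
print(q)
# Execute the query and test. movetag yields no nodes, so num=0 alone does
# not prove the rename happened.
podes = await core.eval(q, num=0, cmdr=False)
# Verify: nothing carries the old tag and all three nodes carry the new one.
podes = await core.eval('#aka.fireeye.malware', num=0, cmdr=False)
podes = await core.eval('#aka.feye.mal', num=3, cmdr=False)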

movetag aka.fireeye.malware aka.feye.mal


In [33]:
# Show the usage text for 'noderefs' (walk to adjacent nodes up to N degrees,
# with options to omit forms/tags from the output or from traversal).
# The help text is truncated in this rendering; run the cell for the full list.
q = 'noderefs --help'
podes = await core.eval(q, cmdr=True)

cli> storm noderefs --help

usage: noderefs [-h] [-d DEGREES] [-te] [-j] [-otf OMIT_TRAVERSAL_FORM]
                [-ott OMIT_TRAVERSAL_TAG] [-of OMIT_FORM] [-ot OMIT_TAG] [-u]

    Get nodes adjacent to inbound nodes, up to n degrees away.

    Examples:
        The following examples show long-form options. Short form options exist and
        should be easier for regular use.

        Get all nodes 1 degree away from a input node:

            ask inet:ipv4=1.2.3.4 | noderefs

        Get all nodes 1 degree away from a input node and include the source node:

            ask inet:ipv4=1.2.3.4 | noderefs --join

        Get all nodes 3 degrees away from a input node and include the source node:

            ask inet:ipv4=1.2.3.4 | noderefs --join --degrees 3

        Do not include nodes of a given form in the output or traverse across them:

            ask inet:ipv4=1.2.3.4 | noderefs --omit-form inet:dns:a

        Do not traverse across nodes of a given form (but include them in

In [34]:
# Show the usage text for 'reindex'. Security note: reindex runs with admin
# privileges and rewrites indexes / sub props across the cortex; per its own
# help it is meant for model updates and migrations and should be used with
# caution, not as part of routine analysis.
q = 'reindex --help'
podes = await core.eval(q, cmdr=True)

cli> storm reindex --help

usage: reindex [-h] [--type TYPE] [--subs] [--form-counts]

    Use admin privileges to re index/normalize node properties.

    Example:

        foo:bar | reindex --subs

        reindex --type inet:ipv4

    NOTE: This is mostly for model updates and migrations.
          Use with caution and be very sure of what you are doing.
    

optional arguments:
  -h, --help     show this help message and exit
  --type TYPE    Re-index all properties of a specified type.
  --subs         Re-parse and set sub props.
  --form-counts  Re-calculate all form counts.

complete. 0 nodes in 5 ms (0/sec).


In [35]:
# Show the usage text for 'sleep' (adds a delay before each yielded node;
# intended for testing and debugging).
q = 'sleep --help'
podes = await core.eval(q, cmdr=True)

cli> storm sleep --help

usage: sleep [-h] delay

    Introduce a delay between returning each result for the storm query.

    NOTE: This is mostly used for testing / debugging.

    Example:

        #foo.bar | sleep 0.5

    

positional arguments:
  delay       Delay in floating point seconds.

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 5 ms (0/sec).


In [36]:
# Make some nodes. Two of these emails already exist from earlier; their
# .created timestamps in the output are unchanged, i.e. the edit is an
# upsert and only him@live.com and her@gmx.com are new.
q = '[inet:email=me@gmail.com inet:email=you@yahoo.com inet:email=him@live.com inet:email=her@gmx.com]'
# Run the query and check that all four nodes come back.
podes = await core.eval(q, num=4, cmdr=True)

cli> storm [inet:email=me@gmail.com inet:email=you@yahoo.com inet:email=him@live.com inet:email=her@gmx.com]

inet:email=me@gmail.com
        .created = 2019/01/02 21:29:34.036
        :fqdn = gmail.com
        :user = me
inet:email=you@yahoo.com
        .created = 2019/01/02 21:29:34.039
        :fqdn = yahoo.com
        :user = you
inet:email=him@live.com
        .created = 2019/01/02 21:29:35.459
        :fqdn = live.com
        :user = him
inet:email=her@gmx.com
        .created = 2019/01/02 21:29:35.462
        :fqdn = gmx.com
        :user = her
complete. 4 nodes in 16 ms (250/sec).


In [37]:
# Define and print test query: yield every inet:email with a 1.0s pause each.
q = 'inet:email | sleep 1.0'
print(q)
# Execute the query and test.
# This only checks that all four email nodes still come through; the delay
# itself is not measured. Expect the cell to take roughly four seconds.
podes = await core.eval(q, num=4, cmdr=False)

inet:email | sleep 1.0


In [38]:
# Show the usage text for 'spin' (consume every input node and yield none;
# useful to run an edit over many nodes without printing them).
q = 'spin --help'
podes = await core.eval(q, cmdr=True)

cli> storm spin --help

usage: spin [-h]

    Iterate through all query results, but do not yield any.
    This can be used to operate on many nodes without returning any.

    Example:

        foo:bar:size=20 [ +#hehe ] | spin

    

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 3 ms (0/sec).


In [39]:
# Define and print test query: count prints the total, then spin swallows the
# nodes so nothing is yielded.
q = 'inet:email | count | spin'
print(q)
# Execute the query and test
# This may not be a good test because it only checks that 'spin' returns zero nodes
podes = await core.eval(q, num=0, cmdr=False)

inet:email | count | spin


In [40]:
# Make some domains whose names contain "firefox", for the regex lift below.
q = '[inet:fqdn=myfirefox.com inet:fqdn=fakefirefox.net inet:fqdn=usefirefoxbrowser.org]'
# Run the query and check that three nodes come back.
podes = await core.eval(q, num=3, cmdr=True)

cli> storm [inet:fqdn=myfirefox.com inet:fqdn=fakefirefox.net inet:fqdn=usefirefoxbrowser.org]

inet:fqdn=myfirefox.com
        .created = 2019/01/02 21:29:39.602
        :domain = com
        :host = myfirefox
        :issuffix = False
        :iszone = True
        :zone = myfirefox.com
inet:fqdn=fakefirefox.net
        .created = 2019/01/02 21:29:39.606
        :domain = net
        :host = fakefirefox
        :issuffix = False
        :iszone = True
        :zone = fakefirefox.net
inet:fqdn=usefirefoxbrowser.org
        .created = 2019/01/02 21:29:39.611
        :domain = org
        :host = usefirefoxbrowser
        :issuffix = False
        :iszone = True
        :zone = usefirefoxbrowser.org
complete. 3 nodes in 20 ms (150/sec).


In [41]:
# Define and print test query: '~=' is a regex lift, so this likely matches
# inet:fqdn=firefoxupdata.com created earlier as well as the three domains
# just made -- regex lifts are broader than the data you have in mind.
# The edit block tags each match, then spin swallows the results.
q = 'inet:fqdn~=firefox [+#int.research] | spin'
print(q)
# Execute the query and test
# This may not be a good test because it only checks that 'spin' returns zero nodes
# (it does not confirm the tag was applied).
podes = await core.eval(q, num=0, cmdr=False)

inet:fqdn~=firefox [+#int.research] | spin


In [42]:
# Show the usage text for 'sudo'. Security note: sudo bypasses the standard
# query permissions for the rest of the pipeline. Use it only when a
# following command genuinely needs admin, keep that pipeline minimal, and
# never bake it into stored or shared queries.
q = 'sudo --help'
podes = await core.eval(q, cmdr=True)

cli> storm sudo --help

usage: sudo [-h]

    Use admin privileges to bypass standard query permissions.

    Example:

        sudo | [ inet:fqdn=vertex.link ]
    

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 4 ms (0/sec).


In [43]:
# Make a throwaway node to delete in the next cell.
q = '[inet:fqdn=mydomain.com]'
# Run the query and check that one node comes back.
podes = await core.eval(q, num=1, cmdr=True)

cli> storm [inet:fqdn=mydomain.com]

inet:fqdn=mydomain.com
        .created = 2019/01/02 21:29:39.700
        :domain = com
        :host = mydomain
        :issuffix = False
        :iszone = True
        :zone = mydomain.com
complete. 1 nodes in 10 ms (100/sec).


In [44]:
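# Define and print test query
# sudo elevates the *rest of the pipeline* to admin. Here it only demonstrates
# the syntax -- the temp cortex user presumably already has the rights delnode
# needs. Against a shared cortex, prefix sudo only when the following commands
# genuinely require admin, and keep that pipeline short.
q = 'sudo | inet:fqdn=mydomain.com | delnode'
print(q)
# Execute the query and test (delnode itself yields nothing).
podes = await core.eval(q, num=0, cmdr=False)
# Confirm the node was actually deleted rather than trusting the empty yield.
podes = await core.eval('inet:fqdn=mydomain.com', num=0, cmdr=False)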

sudo | inet:fqdn=mydomain.com | delnode


In [45]:
# Show the usage text for 'uniq' (let each node through only once, keyed on
# its iden; useful after pivots that reach the same node by several paths).
q = 'uniq --help'
podes = await core.eval(q, cmdr=True)

cli> storm uniq --help

usage: uniq [-h]

    Filter nodes by their uniq iden values.
    When this is used a Storm pipeline, only the first instance of a
    given node is allowed through the pipeline.

    Examples:

        #badstuff +inet:ipv4 ->* | uniq

    

optional arguments:
  -h, --help  show this help message and exit

complete. 0 nodes in 3 ms (0/sec).


In [46]:
# Make some tagged nodes and A records (sample data for the uniq demo).
# The six A records resolve to only four distinct addresses: 1.2.3.4 and
# 5.6.7.8 each appear twice.
q = '[inet:fqdn=autoupdater.org inet:fqdn=actblues.com inet:fqdn=euronews24.info +#aka.threatconnect.thr.fancybear]'
q1 = '[inet:dns:a=(autoupdater.org,1.2.3.4) inet:dns:a=(autoupdater.org,5.6.7.8) inet:dns:a=(actblues.com,5.6.7.8) inet:dns:a=(euronews24.info,1.2.3.4) inet:dns:a=(euronews24.info,8.8.8.8) inet:dns:a=(euronews24.info,255.255.255.254)]'
# Run the queries and check the node counts (3, then 6). The second query's
# CLI output is truncated in this rendering.
podes = await core.eval(q, num=3, cmdr=True)
podes = await core.eval(q1, num=6, cmdr=True)

cli> storm [inet:fqdn=autoupdater.org inet:fqdn=actblues.com inet:fqdn=euronews24.info +#aka.threatconnect.thr.fancybear]

inet:fqdn=autoupdater.org
        .created = 2019/01/02 21:29:39.781
        :domain = org
        :host = autoupdater
        :issuffix = False
        :iszone = True
        :zone = autoupdater.org
        #aka.threatconnect.thr.fancybear
inet:fqdn=actblues.com
        .created = 2019/01/02 21:29:39.789
        :domain = com
        :host = actblues
        :issuffix = False
        :iszone = True
        :zone = actblues.com
        #aka.threatconnect.thr.fancybear
inet:fqdn=euronews24.info
        .created = 2019/01/02 21:29:39.799
        :domain = info
        :host = euronews24
        :issuffix = False
        :iszone = True
        :zone = euronews24.info
        #aka.threatconnect.thr.fancybear
complete. 3 nodes in 30 ms (100/sec).
cli> storm [inet:dns:a=(autoupdater.org,1.2.3.4) inet:dns:a=(autoupdater.org,5.6.7.8) inet:dns:a=(actblues.com,5.6.7.8) inet:

In [47]:
# Define and print test query: from the tagged domains, pivot to their A
# records and on to the IPv4 nodes. Without uniq this would yield one node
# per A record (six, with duplicates); uniq collapses them to the four
# distinct addresses.
q = 'inet:fqdn#aka.threatconnect.thr.fancybear -> inet:dns:a -> inet:ipv4 | uniq'
print(q)
# Execute the query and test
podes = await core.eval(q, num=4, cmdr=False)

inet:fqdn#aka.threatconnect.thr.fancybear -> inet:dns:a -> inet:ipv4 | uniq


In [48]:
# Close cortex because done. This is the only cleanup in the notebook; if an
# earlier cell fails, the temp cortex is never closed. The cell's displayed
# value is fini()'s return code.
await core.fini()

0