In [None]:
import os, sys
try:
    # NOTE(review): the star import hides which helpers this notebook relies on;
    # the only one the visible cells call by name is getTempCoreCmdr.
    from synapse.lib.jupyter import *
except ImportError as e:
    # synapse is not importable as installed, so fall back to a source checkout.
    # '../../../' is resolved against the kernel's current working directory and
    # assumes the notebook sits three directories below the repository root;
    # adjust it if the notebook is moved.
    # The path goes in at index 0, so anything importable under it takes
    # precedence over installed packages of the same name. Start the kernel
    # from the intended checkout, not from a shared or untrusted directory.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *

In [None]:
# Create a temporary Cortex wrapped in the helper object that every later cell
# uses (core.eval, core.core, core.fini). The final cell closes it.
core = await getTempCoreCmdr()

In [None]:
# Edit brackets: create a single inet:fqdn node.
q = '[ inet:fqdn = woot.com ]'
# Print the query text exactly as written.
print(q)
# Run the query; num=1 is the expected number of returned nodes.
# The result is a list of packed nodes (podes).
podes = await core.eval(q, num=1, cmdr=False)

In [None]:
# Create one inet:dns:a node from a two-part value (FQDN, IPv4 address).
q = '[ inet:dns:a=(woot.com, 12.34.56.78) ]'
# Print the query text exactly as written.
print(q)
# Run the query; num=1 is the expected number of returned nodes.
podes = await core.eval(q, num=1, cmdr=False)

In [None]:
# Create an ou:org node whose primary value is an explicitly chosen GUID.
# `guid` is kept as a notebook-level name because the next cell's assertion
# compares against it.
guid = '2f92bc913918f6598bcf310972ebf32e'
q = f'[ ou:org={guid} ]'
# Print the query text with the GUID substituted.
print(q)
# Run the query; num=1 is the expected number of returned nodes.
podes = await core.eval(q, num=1, cmdr=False)

In [None]:
# Create an ou:org node with "*" as the value instead of a literal GUID.
q = '[ ou:org="*" ]'
# Print the query text exactly as written.
print(q)
# Run the query; num=1 is the expected number of returned nodes.
podes = await core.eval(q, num=1, cmdr=False)
# podes[0][0] is the (form, value) pair of the first node. It must differ from
# the fixed GUID used in the previous cell. `guid` is defined there, so this
# cell fails with NameError if run alone on a fresh kernel.
assert podes[0][0] != ('ou:org', guid)

In [None]:
# Create one edge:refs node linking a media:news GUID to the inet:fqdn woot.com.
# Each side is written as a (form, value) pair.
q = '[ edge:refs=((media:news, 00a1f0d928e25729b9e86e2d08c127ce), (inet:fqdn, woot.com)) ]'
# Print the query text exactly as written.
print(q)
# Run the query; num=1 is the expected number of returned nodes.
podes = await core.eval(q, num=1, cmdr=False)

In [None]:
# Create three nodes of different forms in a single set of edit brackets.
# Note: d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero-length input, so as
# a real-world indicator it would match every empty file.
q = '[ inet:fqdn=woot.com inet:ipv4=12.34.56.78 hash:md5=d41d8cd98f00b204e9800998ecf8427e ]'
# Print the query text exactly as written.
print(q)
# Run the query; num=3 is the expected number of returned nodes.
podes = await core.eval(q, num=3, cmdr=False)

In [None]:
# q is the display form with a '<inet:ipv4>' placeholder; q1 is the concrete
# lift that is actually executed; q2 is the edit that sets the :loc property.
q = '<inet:ipv4> '
q1 = 'inet:ipv4=12.34.56.78 '
q2 = '[ :loc=us.oh.wilmington ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# Run against the node created earlier; num=1 is the expected node count.
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# podes[0][1] is the node's info dict; check the stored property value.
assert podes[0][1].get('props').get('loc') == 'us.oh.wilmington'

In [None]:
# q is the display form with a placeholder; q1 is the concrete lift that is
# executed; q2 sets the .seen property to a (start, end) pair of timestamps.
q = '<inet:dns:a> '
q1 = 'inet:dns:a=(woot.com,12.34.56.78) '
q2 = '[ .seen=("2017/08/01 01:23", "2017/08/01 04:56") ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# num=1 is the expected node count.
# NOTE(review): nothing here checks the stored .seen value, only the count.
podes = await core.eval(q1 + q2, num=1, cmdr=False)

In [None]:
# q is the display form with a placeholder; q1 lifts the media:news node by the
# same GUID used in the edge:refs cell; q2 sets :summary to an empty string.
# NOTE(review): no visible cell creates this media:news node directly;
# presumably it was created along with the edge:refs node -- confirm.
q = '<media:news> '
q1 = 'media:news=00a1f0d928e25729b9e86e2d08c127ce '
q2 = '[ :summary="" ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# num=1 is the expected node count.
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# An empty string is a stored value, distinct from the property being absent.
assert podes[0][1].get('props').get('summary') == ''

In [None]:
# Set-up for the property-deletion example: create an inet:ipv4 node and set
# two secondary properties in the same edit. The query is not printed here.
q = '[ inet:ipv4=94.75.194.194 :loc=nl :asn=60781 ]'
# num=1 is the expected node count. cmdr=True selects the helper's
# command-line style execution (see synapse.lib.jupyter for what it emits).
podes = await core.eval(q, num=1, cmdr=True)
# Both properties must be present with the values just set; asn comes back as
# an int, not a string.
assert podes[0][1].get('props').get('asn') == 60781
assert podes[0][1].get('props').get('loc') == 'nl'

In [None]:
# q is the display form with a placeholder; q1 is the concrete lift that is
# executed; q2 deletes the :loc secondary property.
q = '<inet:ipv4> '
q1 = 'inet:ipv4=94.75.194.194 '
q2 = '[ -:loc ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# num=1 is the expected node count.
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# :loc was set to 'nl' when the node was created, so None here shows that the
# delete took effect.
assert podes[0][1].get('props').get('loc') is None

In [None]:
# q is the display form with a placeholder; q1 is the concrete lift that is
# executed; q2 deletes two secondary properties in one edit.
q = '<media:news> '
q1 = 'media:news=00a1f0d928e25729b9e86e2d08c127ce '
q2 = '[ -:author -:summary ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# num=1 is the expected node count.
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# NOTE(review): no visible cell ever sets :author on this node, so the first
# assertion would pass even if the delete did nothing. Only :summary (set to ''
# in an earlier cell) actually exercises the delete.
assert podes[0][1].get('props').get('author') is None
assert podes[0][1].get('props').get('summary') is None

In [None]:
# Set-up for the tagging examples: create the inet:fqdn node that the next
# cells tag. The query is not printed here.
q = '[inet:fqdn=blackcake.net]'
# num=1 is the expected node count; cmdr=True selects the helper's
# command-line style execution.
podes = await core.eval(q, num=1, cmdr=True)

In [None]:
# q is the display form with a placeholder; q1 is the concrete lift that is
# executed; q2 adds two tags in one edit.
# NOTE(review): the tag values are example data; the notebook records no
# source for the attribution they express.
q = '<inet:fqdn> '
q1 = 'inet:fqdn=blackcake.net '
q2 = '[ +#aka.feye.thr.apt1 +#cno.infra.sink.hole ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# num=1 is the expected node count.
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# The node's 'tags' entry is keyed by full tag name; both leaf tags must be present.
assert 'aka.feye.thr.apt1' in podes[0][1].get('tags')
assert 'cno.infra.sink.hole' in podes[0][1].get('tags')

In [None]:
# Set-up for the timestamped-tag example: create the inet:fqdn node that the
# next cell tags. The query is not printed here.
q = '[inet:fqdn=aoldaily.com]'
# num=1 is the expected node count; cmdr=True selects the helper's
# command-line style execution.
podes = await core.eval(q, num=1, cmdr=True)

In [None]:
# q is the display form with a placeholder; q1 is the concrete lift that is
# executed; q2 adds a tag with a single timestamp attached.
q = '<inet:fqdn> '
q1 = 'inet:fqdn=aoldaily.com '
q2 = '[ +#cno.infra.sink.hole=2018/11/27 ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# num=1 is the expected node count.
# NOTE(review): nothing here checks that the tag or its timestamp was stored.
podes = await core.eval(q1 + q2, num=1, cmdr=False)

In [None]:
# q is the display form with a placeholder; q1 is the concrete lift that is
# executed; q2 re-applies a tag the node already carries, this time with a
# (start, end) pair of timestamps.
q = '<inet:fqdn> '
q1 = 'inet:fqdn=blackcake.net '
q2 = '[ +#cno.infra.sink.hole=(2014/11/06, 2016/11/06) ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# num=1 is the expected node count.
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# The tag was first added without timestamps; this checks that its value is no
# longer the empty pair.
# NOTE(review): the check is weak. It does not pin the two timestamps, and it
# would also pass if the value came back as a list instead of a tuple.
# Comparing against the expected interval would be a stronger test.
assert podes[0][1].get('tags').get('cno.infra.sink.hole') != (None, None)

In [None]:
# Register a custom tag property named 'risk': an int constrained to 0..100
# with the doc string 'Risk score'. The call goes to core.core (the object
# behind the helper wrapper), not through a Storm query.
await core.core.addTagProp('risk', ('int', {'minval': 0, 'maxval': 100}), {'doc': 'Risk score'})

In [None]:
# q is the display form with a placeholder; q1 is the concrete lift that is
# executed; q2 adds the tag rep.symantec and sets its 'risk' tag property to
# 87, which lies inside the 0..100 range declared for 'risk' in the previous cell.
q = '<inet:fqdn> '
q1 = 'inet:fqdn=blackcake.net '
q2 = '[ +#rep.symantec:risk = 87 ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# num=1 is the expected node count.
# NOTE(review): nothing here checks the stored tag-property value, and the
# notebook has no out-of-range case showing that the 0..100 bound is enforced.
podes = await core.eval(q1 + q2, num=1, cmdr=False)

In [None]:
# Set-up for the tag-removal example: create an inet:ipv4 node and tag it in
# the same edit. The query is not printed here.
q = '[inet:ipv4=54.38.219.150 +#cno.infra.anon.tor]'
# num=1 is the expected node count; cmdr=True selects the helper's
# command-line style execution.
podes = await core.eval(q, num=1, cmdr=True)

In [None]:
# q is the display form with a placeholder; q1 is the concrete lift that is
# executed; q2 removes the tag added when the node was created.
q = '<inet:ipv4> '
q1 = 'inet:ipv4=54.38.219.150 '
q2 = '[ -#cno.infra.anon.tor ]'
# Only the placeholder form is printed; the executed text is q1 + q2.
print(q + q2)
# num=1 is the expected node count.
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# The leaf tag must be gone from the node's 'tags' entry. Parent tags such as
# cno.infra.anon are not checked.
assert 'cno.infra.anon.tor' not in podes[0][1].get('tags')

In [None]:
# Combined example: create a node and set secondary properties in one edit.
# This is the same query as the earlier set-up cell for 94.75.194.194. Its
# :loc was deleted in between, so this run sets it again.
q = '[ inet:ipv4=94.75.194.194 :loc=nl :asn=60781 ]'
# Print the query text exactly as written.
print(q)
# num=1 is the expected node count.
podes = await core.eval(q, num=1, cmdr=False)
# Both properties must hold the values from the query.
assert podes[0][1].get('props').get('loc') == 'nl'
assert podes[0][1].get('props').get('asn') == 60781

In [None]:
# Combined example: create a node and add a tag in one edit. The node and the
# tag already exist from earlier cells, so this run mainly serves to print
# the syntax.
q = '[ inet:fqdn=blackcake.net +#aka.feye.thr.apt1 ]'
# Print the query text exactly as written.
print(q)
# num=1 is the expected node count.
podes = await core.eval(q, num=1, cmdr=False)
# The tag must be present on the returned node.
assert 'aka.feye.thr.apt1' in podes[0][1].get('tags')

In [None]:
# Clean-up: delete the blackcake.net node so that it is not among the tagged
# nodes lifted by the following examples.
q = 'inet:fqdn=blackcake.net | delnode'
# num=0: the pipeline is expected to return no nodes after the delete.
podes = await core.eval(q, num=0, cmdr=True)

In [None]:
# Lift inet:fqdn nodes tagged aka.feye.thr.apt1, then, in edit brackets WITHOUT
# parentheses, create somedomain.com and add the aka.eset.thr.sednit tag.
q = 'inet:fqdn#aka.feye.thr.apt1 [ inet:fqdn=somedomain.com +#aka.eset.thr.sednit ]'
# Print the query text exactly as written.
print(q)
# NOTE(review): there is no num= and no assert, so nothing about the result is
# checked. The only node the visible cells tagged aka.feye.thr.apt1 was deleted
# in the previous cell, so the lift presumably returns nothing at this point;
# confirm that this ordering is intended.
podes = await core.eval(q, cmdr=False)

In [None]:
# Set-up: create two inet:fqdn nodes carrying the aka.feye.thr.apt1 tag, as
# input for the tag-lift queries that follow. The query is not printed here.
q = '[inet:fqdn=hugesoft.org inet:fqdn=purpledaily.com +#aka.feye.thr.apt1]'
# num=2 is the expected node count; cmdr=True selects the helper's
# command-line style execution.
podes = await core.eval(q, num=2, cmdr=True)

In [None]:
# Same unparenthesised query as the printed example, now run with tagged
# nodes present. This cell does not print the query text itself.
q = 'inet:fqdn#aka.feye.thr.apt1 [ inet:fqdn=somedomain.com +#aka.eset.thr.sednit ]'
# cmdr=True selects the helper's command-line style execution.
# NOTE(review): no num= and no assert, so the tags that result are not checked.
podes = await core.eval(q, cmdr=True)

In [None]:
# Clean-up between examples: strip the aka.eset tag from the nodes tagged
# aka.feye.thr.apt1, so that the parenthesised variant starts from a known state.
q = 'inet:fqdn#aka.feye.thr.apt1 [-#aka.eset]'
# num=2: exactly the two apt1-tagged nodes from the set-up cell are expected back.
podes = await core.eval(q, num=2, cmdr=True)

In [None]:
# Parenthesised variant of the earlier query: the node creation and the tag
# addition are grouped in ( ) inside the edit brackets. This demonstrates
# limiting the tag to the node created inside the parentheses.
q = 'inet:fqdn#aka.feye.thr.apt1 [(inet:fqdn=somedomain.com +#aka.eset.thr.sednit)]'
# Print the query text exactly as written.
print(q)
# NOTE(review): no num= and no assert. Nothing verifies that the lifted nodes
# stayed untagged, which is the point of the example.
podes = await core.eval(q, cmdr=False)

In [None]:
# Same parenthesised query as the previous cell, re-run with cmdr=True.
# This cell does not print the query text itself.
q = 'inet:fqdn#aka.feye.thr.apt1 [(inet:fqdn=somedomain.com +#aka.eset.thr.sednit)]'
# cmdr=True selects the helper's command-line style execution.
# NOTE(review): no num= and no assert, so the tags that result are not checked.
podes = await core.eval(q, cmdr=True)

In [None]:
# Two inet:ipv4 nodes, each followed by its own :asn, written WITHOUT
# parentheses inside a single set of edit brackets.
q = '[inet:ipv4=1.2.3.4 :asn=1111 inet:ipv4=5.6.7.8 :asn=2222]'
# Print the query text exactly as written.
print(q)
# NOTE(review): no num= and no assert. The :asn value each node ends up with,
# which is the point of the example, is not checked.
podes = await core.eval(q, cmdr=False)

In [None]:
# Same unparenthesised query as the previous cell, re-run with cmdr=True.
# This cell does not print the query text itself.
q = '[inet:ipv4=1.2.3.4 :asn=1111 inet:ipv4=5.6.7.8 :asn=2222]'
# cmdr=True selects the helper's command-line style execution.
# NOTE(review): no num= and no assert, so the resulting :asn values are not checked.
podes = await core.eval(q, cmdr=True)

In [None]:
# Clean-up between examples: delete both inet:ipv4 nodes so that the
# parenthesised variant creates them afresh.
q = 'inet:ipv4=1.2.3.4 inet:ipv4=5.6.7.8 | delnode'
# num=0: the pipeline is expected to return no nodes after the delete.
podes = await core.eval(q, num=0, cmdr=True)

In [None]:
# Parenthesised variant: each inet:ipv4 creation is grouped with its own :asn
# inside ( ). This demonstrates limiting each property set to the node
# created in the same group.
q = '[ (inet:ipv4=1.2.3.4 :asn=1111) (inet:ipv4=5.6.7.8 :asn=2222) ]'
# Print the query text exactly as written.
print(q)
# NOTE(review): no num= and no assert. Asserting asn == 1111 and asn == 2222 on
# the respective nodes would pin the behaviour that the example illustrates.
podes = await core.eval(q, cmdr=False)

In [None]:
# Same parenthesised query as the previous cell, re-run with cmdr=True.
# This cell does not print the query text itself.
q = '[ (inet:ipv4=1.2.3.4 :asn=1111) (inet:ipv4=5.6.7.8 :asn=2222) ]'
# cmdr=True selects the helper's command-line style execution.
# NOTE(review): no num= and no assert, so the resulting :asn values are not checked.
podes = await core.eval(q, cmdr=True)

In [None]:
# Shut down the temporary Cortex created at the top of the notebook.
# Under "Run All" this cell is reached only if every earlier cell succeeded.
# After a failed cell, run it by hand so the temporary instance is not left open.
await core.fini()