In [1]:
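import os, sys
try:
    from synapse.lib.jupyter import *
except ImportError as e:
    # Fall back to a source checkout. This assumes the notebook is located
    # three directories below the root synapse directory. The relative path is
    # resolved against the kernel's current working directory, so it may need
    # to be varied when the notebook is started from somewhere else.
    synroot = os.path.abspath('../../../')
    # Entry 0 of sys.path is searched first by every later import, so only add
    # the directory when it really holds the synapse package. Otherwise an
    # unrelated directory could shadow other modules for the whole session.
    if not os.path.isdir(os.path.join(synroot, 'synapse')):
        raise ImportError(
            'synapse is not installed and no synapse package was found under ' + synroot
        ) from e
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *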

In [2]:
# Seed data for the examples: three FQDNs and two IPv4 addresses, created by a
# single Storm edit query.
q = (
    '[inet:fqdn=hurr.derp.woot.com inet:fqdn=um.wut.woot.com inet:fqdn=vertex.link '
    'inet:ipv4=1.2.3.4 inet:ipv4=5.6.7.8]'
)
# Temporary cortex wrapped in a CLI helper; the later cells reuse it as `core`.
core = await getTempCoreCmdr()
# cmdr=True sends the query through the CLI (the transcript shows up as cell
# output) and num=5 checks that exactly five nodes came back.
podes = await core.eval(q, num=5, cmdr=True)

cli> storm [inet:fqdn=hurr.derp.woot.com inet:fqdn=um.wut.woot.com inet:fqdn=vertex.link inet:ipv4=1.2.3.4 inet:ipv4=5.6.7.8]

inet:fqdn=hurr.derp.woot.com
        .created = 2019/01/08 02:40:48.599
        :domain = derp.woot.com
        :host = hurr
        :issuffix = False
        :iszone = False
        :zone = woot.com
inet:fqdn=um.wut.woot.com
        .created = 2019/01/08 02:40:48.601
        :domain = wut.woot.com
        :host = um
        :issuffix = False
        :iszone = False
        :zone = woot.com
inet:fqdn=vertex.link
        .created = 2019/01/08 02:40:48.603
        :domain = link
        :host = vertex
        :issuffix = False
        :iszone = True
        :zone = vertex.link
inet:ipv4=1.2.3.4
        .created = 2019/01/08 02:40:48.604
        :asn = 0
        :loc = ??
        :type = unicast
inet:ipv4=5.6.7.8
        .created = 2019/01/08 02:40:48.605
        :asn = 0
        :loc = ??
        :type = unicast
complete. 5 nodes in 17 ms (294/sec).


In [3]:
# Pivot out from an FQDN to the inet:fqdn nodes whose :zone is that FQDN.
# q1 is the concrete lift that is executed, q2 the pivot it shares with the
# generic form q that is printed for the reader.
q1 = 'inet:fqdn=woot.com '
q2 = '-> inet:fqdn:zone'
q = '<inet:fqdn> '
print(f'{q}{q2}')
# Run the concrete query on the cortex from the earlier cell; num=5 is the node
# count the result is checked against, and the packed nodes land in podes.
podes = await core.eval(f'{q1}{q2}', num=5, cmdr=False)

<inet:fqdn> -> inet:fqdn:zone


In [4]:
# Three DNS A records that resolve woot.com to three different IPv4 addresses.
q = '[inet:dns:a=(woot.com,1.2.3.4)]'
q1 = '[inet:dns:a=(woot.com,5.6.7.8)]'
q2 = '[inet:dns:a=(woot.com,8.8.8.8)]'
# Each edit query goes through the CLI on its own and must yield exactly one
# node; podes ends up holding the result of the last query.
for node_query in (q, q1, q2):
    podes = await core.eval(node_query, num=1, cmdr=True)

cli> storm [inet:dns:a=(woot.com,1.2.3.4)]

inet:dns:a=('woot.com', '1.2.3.4')
        .created = 2019/01/08 02:40:48.639
        :fqdn = woot.com
        :ipv4 = 1.2.3.4
complete. 1 nodes in 10 ms (100/sec).
cli> storm [inet:dns:a=(woot.com,5.6.7.8)]

inet:dns:a=('woot.com', '5.6.7.8')
        .created = 2019/01/08 02:40:48.666
        :fqdn = woot.com
        :ipv4 = 5.6.7.8
complete. 1 nodes in 16 ms (62/sec).
cli> storm [inet:dns:a=(woot.com,8.8.8.8)]

inet:dns:a=('woot.com', '8.8.8.8')
        .created = 2019/01/08 02:40:48.683
        :fqdn = woot.com
        :ipv4 = 8.8.8.8
complete. 1 nodes in 12 ms (83/sec).


In [5]:
# Pivot out from an FQDN to the DNS A records whose :fqdn is that FQDN.
# q is the generic form shown to the reader; q1 + q2 is what actually runs.
q1 = 'inet:fqdn=woot.com '
q2 = '-> inet:dns:a:fqdn'
q = '<inet:fqdn> '
print(f'{q}{q2}')
# Three A records were created for woot.com, hence num=3.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<inet:fqdn> -> inet:dns:a:fqdn


In [6]:
# Pivot out from the :ipv4 secondary property of the DNS A records to the
# matching inet:ipv4 nodes, reusing the records created earlier.
q1 = 'inet:dns:a:fqdn=woot.com '
q2 = ':ipv4 -> inet:ipv4'
q = '<inet:dns:a> '
print(f'{q}{q2}')
# One inet:ipv4 node per A record is expected (num=3).
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<inet:dns:a> :ipv4 -> inet:ipv4


In [7]:
# One WHOIS record for woot.com as of 2018/05/22, with registrant and registrar
# set; the nodes it refers to are used by the pivots that follow.
q = (
    '[inet:whois:rec=(woot.com,2018/05/22) '
    ':registrant="woot hostmaaster" :registrar="markmonitor"]'
)
# Run it through the CLI and check that exactly one node is returned.
podes = await core.eval(q, num=1, cmdr=True)

cli> storm [inet:whois:rec=(woot.com,2018/05/22) :registrant="woot hostmaaster" :registrar="markmonitor"]

inet:whois:rec=('woot.com', '2018/05/22 00:00:00.000')
        .created = 2019/01/08 02:40:48.767
        :asof = 2018/05/22 00:00:00.000
        :fqdn = woot.com
        :registrant = woot hostmaaster
        :registrar = markmonitor
complete. 1 nodes in 12 ms (83/sec).


In [8]:
# Pivot out from the WHOIS record to every node its secondary properties
# refer to (the "-> *" form).
q1 = 'inet:whois:rec:fqdn=woot.com '
q2 = '-> *'
q = '<inet:whois:rec> '
print(f'{q}{q2}')
# Execute the concrete query; the result is checked against num=3 nodes.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<inet:whois:rec> -> *


In [9]:
# Pivot from the :fqdn property of the WHOIS record to the DNS A records that
# carry the same :fqdn, using data created in earlier cells.
q1 = 'inet:whois:rec:fqdn=woot.com '
q2 = ':fqdn -> inet:dns:a:fqdn'
q = '<inet:whois:rec> '
print(f'{q}{q2}')
# The three woot.com A records are the expected result (num=3).
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<inet:whois:rec> :fqdn -> inet:dns:a:fqdn


In [10]:
# Pivot in: from the FQDN to every node that refers to it (the "<- *" form),
# using data created in earlier cells.
q1 = 'inet:fqdn=woot.com '
q2 = '<- *'
q = '<inet:fqdn> '
print(f'{q}{q2}')
# num=11 is the number of referring nodes present at this point of the notebook.
podes = await core.eval(f'{q1}{q2}', num=11, cmdr=False)

<inet:fqdn> <- *


In [11]:
# Pivot out and join ("-+>"): the FQDN itself stays in the result next to the
# inet:fqdn nodes whose :domain is that FQDN. Uses data created earlier.
q1 = 'inet:fqdn=woot.com '
q2 = '-+> inet:fqdn:domain'
q = '<inet:fqdn> '
print(f'{q}{q2}')
# Execute the concrete query; the result is checked against num=3 nodes.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<inet:fqdn> -+> inet:fqdn:domain


In [12]:
# Pivot out and join from the :ipv4 property of the DNS A records: the records
# stay in the result together with their inet:ipv4 nodes.
q1 = 'inet:dns:a:fqdn=woot.com '
q2 = ':ipv4 -+> inet:ipv4'
q = '<inet:dns:a> '
print(f'{q}{q2}')
# Three A records plus three IPv4 nodes give the expected count of six.
podes = await core.eval(f'{q1}{q2}', num=6, cmdr=False)

<inet:dns:a> :ipv4 -+> inet:ipv4


In [13]:
# Pivot out and join to everything the WHOIS record refers to ("-+> *"); the
# record itself is kept in the result.
q1 = 'inet:whois:rec:fqdn=woot.com '
q2 = '-+> *'
q = '<inet:whois:rec> '
print(f'{q}{q2}')
# Execute the concrete query; the result is checked against num=4 nodes.
podes = await core.eval(f'{q1}{q2}', num=4, cmdr=False)

<inet:whois:rec> -+> *


In [14]:
# Pivot out and join from the WHOIS record's :fqdn to the DNS A records with
# the same :fqdn; the WHOIS record stays in the result.
q1 = 'inet:whois:rec:fqdn=woot.com '
q2 = ':fqdn -+> inet:dns:a:fqdn'
q = '<inet:whois:rec> '
print(f'{q}{q2}')
# One WHOIS record plus three A records give the expected count of four.
podes = await core.eval(f'{q1}{q2}', num=4, cmdr=False)

<inet:whois:rec> :fqdn -+> inet:dns:a:fqdn


In [15]:
# Sample data for the "has" examples: a person, an e-mail address, an item, and
# two has nodes linking the person to the address and to the item.
q = '[ps:person="26786e8fb9b9e7050d0b8b4e38e1d431" :name="John Doe"]'
q1 = '[inet:email=john.doe@gmail.com]'
q2 = '[mat:item="32d0bea68c5e9ec82b8f0fc867ccacda" :name="John Doe\'s dog"]'
q3 = '[has=((ps:person, 26786e8fb9b9e7050d0b8b4e38e1d431), (inet:email,john.doe@gmail.com))]'
q4 = '[has=((ps:person, 26786e8fb9b9e7050d0b8b4e38e1d431), (mat:item, 32d0bea68c5e9ec82b8f0fc867ccacda))]'
# Every edit query runs through the CLI by itself and must return one node;
# podes keeps the result of the last query only.
for node_query in (q, q1, q2, q3, q4):
    podes = await core.eval(node_query, num=1, cmdr=True)

cli> storm [ps:person="26786e8fb9b9e7050d0b8b4e38e1d431" :name="John Doe"]

ps:person=26786e8fb9b9e7050d0b8b4e38e1d431
        .created = 2019/01/08 02:40:48.930
        :name = john doe
complete. 1 nodes in 13 ms (76/sec).
cli> storm [inet:email=john.doe@gmail.com]

inet:email=john.doe@gmail.com
        .created = 2019/01/08 02:40:48.956
        :fqdn = gmail.com
        :user = john.doe
complete. 1 nodes in 12 ms (83/sec).
cli> storm [mat:item="32d0bea68c5e9ec82b8f0fc867ccacda" :name="John Doe's dog"]

mat:item=32d0bea68c5e9ec82b8f0fc867ccacda
        .created = 2019/01/08 02:40:48.969
        :name = john doe's dog
complete. 1 nodes in 6 ms (166/sec).
cli> storm [has=((ps:person, 26786e8fb9b9e7050d0b8b4e38e1d431), (inet:email,john.doe@gmail.com))]

has=((ps:person, "26786e8fb9b9e7050d0b8b4e38e1d431"), (inet:email, "john.doe@gmail.com"))
        .created = 2019/01/08 02:40:48.983
        :n1 = ('ps:person', '26786e8fb9b9e7050d0b8b4e38e1d431')
        :n1:form = ps:person
        :n2 

In [16]:
# Pivot out from the person to the has nodes in which that person is the
# first element.
q1 = 'ps:person=26786e8fb9b9e7050d0b8b4e38e1d431 '
q2 = '-> has'
q = '<ps:person> '
print(f'{q}{q2}')
# Two has nodes were created for this person, hence num=2.
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<ps:person> -> has


In [17]:
# Sample data for the "refs" examples: one news article and three refs nodes
# tying it to an FQDN, an IPv4 address and an e-mail address.
q = '[media:news=2aa767aebe9d0172601cef3c5867abea :title="Test article"]'
q1 = '[refs=((media:news,2aa767aebe9d0172601cef3c5867abea), (inet:fqdn,woot.com))]'
q2 = '[refs=((media:news,2aa767aebe9d0172601cef3c5867abea), (inet:ipv4,8.8.8.8))]'
q3 = '[refs=((media:news,2aa767aebe9d0172601cef3c5867abea), (inet:email,john.doe@gmail.com))]'
# Every edit query runs through the CLI by itself and must return one node;
# podes keeps the result of the last query only.
for node_query in (q, q1, q2, q3):
    podes = await core.eval(node_query, num=1, cmdr=True)

cli> storm [media:news=2aa767aebe9d0172601cef3c5867abea :title="Test article"]

media:news=2aa767aebe9d0172601cef3c5867abea
        .created = 2019/01/08 02:40:49.063
        :author = ?,?
        :published = 1970/01/01 00:00:00.000
        :summary = ??
        :title = test article
complete. 1 nodes in 9 ms (111/sec).
cli> storm [refs=((media:news,2aa767aebe9d0172601cef3c5867abea), (inet:fqdn,woot.com))]

refs=((media:news, "2aa767aebe9d0172601cef3c5867abea"), (inet:fqdn, "woot.com"))
        .created = 2019/01/08 02:40:49.086
        :n1 = ('media:news', '2aa767aebe9d0172601cef3c5867abea')
        :n1:form = media:news
        :n2 = ('inet:fqdn', 'woot.com')
        :n2:form = inet:fqdn
complete. 1 nodes in 17 ms (58/sec).
cli> storm [refs=((media:news,2aa767aebe9d0172601cef3c5867abea), (inet:ipv4,8.8.8.8))]

refs=((media:news, "2aa767aebe9d0172601cef3c5867abea"), (inet:ipv4, "8.8.8.8"))
        .created = 2019/01/08 02:40:49.105
        :n1 = ('media:news', '2aa767aebe9d0172601cef

In [18]:
# Pivot out and join from the article to its refs nodes; the article itself is
# kept in the result.
q1 = 'media:news=2aa767aebe9d0172601cef3c5867abea '
q2 = '-+> refs'
q = '<media:news> '
print(f'{q}{q2}')
# One article plus its three refs nodes give the expected count of four.
podes = await core.eval(f'{q1}{q2}', num=4, cmdr=False)

<media:news> -+> refs


In [19]:
# Sample data for the "wentto" examples: one place and two wentto nodes, each
# tying a different person to that place at a given time.
q = '[geo:place=5859abb1ba6e4a418bf31dfe2fc3c08a :name="test place" :latlong=(37.4168957,-121.9218271)]'
q1 = '[wentto=((ps:person, bb2a3e42ef3fc0d2b2a4e6145396cb65), (geo:place, 5859abb1ba6e4a418bf31dfe2fc3c08a), "2018/12/15 08:35:00")]'
q2 = '[wentto=((ps:person, bb9d1c4270ccd9076ea30f0bb2491bbd), (geo:place, 5859abb1ba6e4a418bf31dfe2fc3c08a), "2017/06/30 14:27:43")]'
# Every edit query runs through the CLI by itself and must return one node;
# podes keeps the result of the last query only.
for node_query in (q, q1, q2):
    podes = await core.eval(node_query, num=1, cmdr=True)

cli> storm [geo:place=5859abb1ba6e4a418bf31dfe2fc3c08a :name="test place" :latlong=(37.4168957,-121.9218271)]

geo:place=5859abb1ba6e4a418bf31dfe2fc3c08a
        .created = 2019/01/08 02:40:49.162
        :latlong = 37.4168957,-121.9218271
        :name = test place
complete. 1 nodes in 10 ms (100/sec).
cli> storm [wentto=((ps:person, bb2a3e42ef3fc0d2b2a4e6145396cb65), (geo:place, 5859abb1ba6e4a418bf31dfe2fc3c08a), "2018/12/15 08:35:00")]

wentto=((ps:person, "bb2a3e42ef3fc0d2b2a4e6145396cb65"), (geo:place, "5859abb1ba6e4a418bf31dfe2fc3c08a"), "2018/12/15 08:35:00.000")
        .created = 2019/01/08 02:40:49.176
        :n1 = ('ps:person', 'bb2a3e42ef3fc0d2b2a4e6145396cb65')
        :n1:form = ps:person
        :n2 = ('geo:place', '5859abb1ba6e4a418bf31dfe2fc3c08a')
        :n2:form = geo:place
        :time = 2018/12/15 08:35:00.000
complete. 1 nodes in 12 ms (83/sec).
cli> storm [wentto=((ps:person, bb9d1c4270ccd9076ea30f0bb2491bbd), (geo:place, 5859abb1ba6e4a418bf31dfe2fc3c08a), "20

In [20]:
# Pivot out from all ps:person nodes to the wentto nodes that reference them.
# Here the executed lift (q1) is the whole form rather than a single person.
q1 = 'ps:person '
q2 = '-> wentto'
q = '<ps:person> '
print(f'{q}{q2}')
# Two wentto nodes exist at this point, hence num=2.
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<ps:person> -> wentto


In [21]:
# More data for the refs examples: three FQDNs, a second article, and refs
# nodes linking the two articles to those FQDNs.
q = '[inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com]'
q1 = '[media:news=f3b5757d91855958341153032ec02f28 :title="Another test article"]'
q2 = '[refs=((media:news,2aa767aebe9d0172601cef3c5867abea), (inet:fqdn,woot.com))]'
q3 = '[refs=((media:news,2aa767aebe9d0172601cef3c5867abea), (inet:fqdn,google.com))]'
q4 = '[refs=((media:news,f3b5757d91855958341153032ec02f28), (inet:fqdn,vertex.link))]'
# Pair each edit query with the node count it must return: the first one
# yields three FQDNs, all the others a single node. podes keeps the last result.
for node_query, expected in ((q, 3), (q1, 1), (q2, 1), (q3, 1), (q4, 1)):
    podes = await core.eval(node_query, num=expected, cmdr=True)

cli> storm [inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com]

inet:fqdn=woot.com
        .created = 2019/01/08 02:40:48.598
        :domain = com
        :host = woot
        :issuffix = False
        :iszone = True
        :zone = woot.com
inet:fqdn=vertex.link
        .created = 2019/01/08 02:40:48.603
        :domain = link
        :host = vertex
        :issuffix = False
        :iszone = True
        :zone = vertex.link
inet:fqdn=google.com
        .created = 2019/01/08 02:40:49.239
        :domain = com
        :host = google
        :issuffix = False
        :iszone = True
        :zone = google.com
complete. 3 nodes in 9 ms (333/sec).
cli> storm [media:news=f3b5757d91855958341153032ec02f28 :title="Another test article"]

media:news=f3b5757d91855958341153032ec02f28
        .created = 2019/01/08 02:40:49.254
        :author = ?,?
        :published = 1970/01/01 00:00:00.000
        :summary = ??
        :title = another test article
complete. 1 nodes in 7 ms (142/se

In [22]:
# Pivot out from all inet:fqdn nodes to the refs nodes that have one of them
# as their second element (:n2).
q1 = 'inet:fqdn '
q2 = '-> refs:n2'
q = '<inet:fqdn> '
print(f'{q}{q2}')
# Three refs nodes point at an FQDN at this point, hence num=3.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<inet:fqdn> -> refs:n2


In [23]:
# Name the two people used above and link each of them to the first article
# with a has node.
q = '[ps:person=bb2a3e42ef3fc0d2b2a4e6145396cb65 :name=Alice]'
q1 = '[ps:person=bb9d1c4270ccd9076ea30f0bb2491bbd :name=Bob]'
q2 = '[has=((ps:person, bb2a3e42ef3fc0d2b2a4e6145396cb65), (media:news, 2aa767aebe9d0172601cef3c5867abea))]'
q3 = '[has=((ps:person, bb9d1c4270ccd9076ea30f0bb2491bbd), (media:news, 2aa767aebe9d0172601cef3c5867abea))]'
# Every edit query runs through the CLI by itself and must return one node;
# podes keeps the result of the last query only.
for node_query in (q, q1, q2, q3):
    podes = await core.eval(node_query, num=1, cmdr=True)

cli> storm [ps:person=bb2a3e42ef3fc0d2b2a4e6145396cb65 :name=Alice]

ps:person=bb2a3e42ef3fc0d2b2a4e6145396cb65
        .created = 2019/01/08 02:40:49.175
        :name = alice
complete. 1 nodes in 10 ms (100/sec).
cli> storm [ps:person=bb9d1c4270ccd9076ea30f0bb2491bbd :name=Bob]

ps:person=bb9d1c4270ccd9076ea30f0bb2491bbd
        .created = 2019/01/08 02:40:49.193
        :name = bob
complete. 1 nodes in 14 ms (71/sec).
cli> storm [has=((ps:person, bb2a3e42ef3fc0d2b2a4e6145396cb65), (media:news, 2aa767aebe9d0172601cef3c5867abea))]

has=((ps:person, "bb2a3e42ef3fc0d2b2a4e6145396cb65"), (media:news, "2aa767aebe9d0172601cef3c5867abea"))
        .created = 2019/01/08 02:40:49.370
        :n1 = ('ps:person', 'bb2a3e42ef3fc0d2b2a4e6145396cb65')
        :n1:form = ps:person
        :n2 = ('media:news', '2aa767aebe9d0172601cef3c5867abea')
        :n2:form = media:news
complete. 1 nodes in 7 ms (142/sec).
cli> storm [has=((ps:person, bb9d1c4270ccd9076ea30f0bb2491bbd), (media:news, 2aa767aebe9d

In [24]:
# Pivot in from the article to the has nodes that reference it.
q1 = 'media:news=2aa767aebe9d0172601cef3c5867abea '
q2 = '<- has'
q = '<media:news> '
print(f'{q}{q2}')
# Two people "have" this article, so two has nodes are expected (num=2).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<media:news> <- has
