CIFv3 API PowerShell Wrapper
Collective Intelligence Framework (CIF) is a threat intelligence framework. This project is a CIFv3 client for PowerShell Core and Windows PowerShell.
https://csirtgadgets.com/collective-intelligence-framework
https://github.com/csirtgadgets/bearded-avenger
Getting Started
Install the module:
Install-Module CIF3
Load the module:
Import-Module CIF3
See what functions are available:
Get-Command -Module CIF3
If you have an existing .cif.yml in your $env:HOME directory, its contents will be read and used automatically. If you have never set up your config file (.cif.yml) before, do so now. At a minimum you must set the Uri and Token parameters:
Set-CIF3Config -Uri https://feeds.cif.domain.com -Token aaaabbbbccccdddd
Using the Module
CIF Instance Configuration
Retrieve your CIFv3 config settings:
Get-CIF3Config
Set the URI and authorization token to communicate with the desired CIF instance:
Set-CIF3Config -Uri 'https://cif.domain.local:5000' -Token 'd81830def81a871f2adbf00c5000000'
Test the connection to your configured CIF instance URI (returns $true if working, $false otherwise):
Test-CIF3Auth
Tokens
Tokens in CIF are like API keys, used for authenticating and authorizing a user to perform various actions.
List all tokens on the CIF instance:
Get-CIF3Token
Find the token whose username is 'user1@domain.local':
Get-CIF3Token -Name user1@domain.local
Create a new token called 'writeonly' on the CIF instance. It will have write permissions but no read permissions:
New-CIF3Token -Name 'writeonly' -Permission 'Write'
Remove the specified token from the CIF instance:
Remove-CIF3Token -Id 'abcdef9999888855553333'
Update token to be in groups 'everyone' and 'admins':
Set-CIF3TokenGroup -Id 'abcdef9999888855553333' -Group everyone, admins
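Putting the token cmdlets together, the following added example (not part of the module's README) provisions a write-only submission token for a sensor host in an idempotent way, so re-running it does not mint duplicate credentials. It assumes Set-CIF3Config has already been run, and that the objects returned by Get-CIF3Token and New-CIF3Token expose an id property (an assumption based on the CIFv3 API field name); the token name is constructed for the example.

```powershell
# Added example, not the module's own code: create a least-privilege,
# write-only token for a submitting sensor, without duplicating it on re-runs.
# Assumption: token objects expose an 'id' property (CIFv3 API field name).
Import-Module CIF3

$tokenName = 'sensor01-submit'   # constructed name for the example

$existing = Get-CIF3Token -Name $tokenName
if ($existing) {
    Write-Host "Token '$tokenName' already exists (id $($existing.id)); reusing it."
    $token = $existing
}
else {
    # Write-only: the sensor can submit indicators but cannot read the corpus,
    # so a compromised sensor cannot pull the whole intelligence set.
    $token = New-CIF3Token -Name $tokenName -Permission 'Write'
    Write-Host "Created write-only token '$tokenName' (id $($token.id))."
}

# Group membership scopes what the token may act on; keep it to the minimum group.
Set-CIF3TokenGroup -Id $token.id -Group everyone

# Re-read the token to confirm the final state before handing it to the sensor owner.
Get-CIF3Token -Name $tokenName
```

The token value itself is a credential; distribute it to the sensor out of band and keep it out of scripts and logs.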
Indicators
Get a list of all indicators (default ResultSize is 100, so 100 will be returned):
Get-CIF3Indicator
Get up to 500 indicator results that have a Confidence of 8 or greater:
Get-CIF3Indicator -Confidence 8 -ResultSize 500
Get all fqdn indicators reported in the last week that have a 'malware' or 'botnet' tag:
Get-CIF3Indicator -IType fqdn -StartTime (Get-Date).AddDays(-7) -EndTime (Get-Date) -Tag malware, botnet
Add an indicator for 'baddomain.xyz' at a confidence of 7, an amber TLP, and tagged as 'malware':
Add-CIF3Indicator -Indicator baddomain.xyz -Confidence 7 -Tag malware -TLP amber
Search for the indicator 44.227.178.5 and include any matching parent CIDRs that are known. Results are sorted by confidence highest to lowest, with any equal-confidence indicators being further sorted by reporttime oldest to newest before being returned:
Get-CIF3Indicator -Indicator '44.227.178.5' -IncludeRelatives -Sort '-confidence', 'reporttime'
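As an added example that is not part of the README, the script below chains the Getting Started and Indicators steps into one workflow: it checks authentication first, pulls recent high-confidence fqdn indicators, collapses duplicate reports of the same domain, and writes a CSV that a DNS sinkhole or proxy blocklist job can consume. It assumes Set-CIF3Config has already been run and that indicator objects expose the CIFv3 API field names indicator, confidence, tags and reporttime (an assumption about the wrapper's output); the output path is constructed.

```powershell
# Added example, not the module's own code: recent fqdn indicators -> deduplicated CSV.
# Assumptions: Set-CIF3Config already done; returned objects expose the CIFv3 API
# field names 'indicator', 'confidence', 'tags' and 'reporttime'.
Import-Module CIF3

# Fail fast on a bad Uri/Token rather than silently producing an empty blocklist.
if (-not (Test-CIF3Auth)) {
    throw "CIF3 authentication failed; check Get-CIF3Config for the Uri and Token."
}

$since   = (Get-Date).AddDays(-7)
$results = Get-CIF3Indicator -IType fqdn -Confidence 8 -ResultSize 500 `
    -StartTime $since -EndTime (Get-Date) -Tag malware, botnet

if (-not $results) {
    Write-Warning "No fqdn indicators matched in the last 7 days; nothing written."
    return
}

# The same domain is often reported by several providers; keep one row per
# indicator and carry the highest confidence and most recent report seen.
$deduped = $results |
    Group-Object -Property indicator |
    ForEach-Object {
        $best = $_.Group | Sort-Object -Property confidence, reporttime -Descending | Select-Object -First 1
        [pscustomobject]@{
            indicator  = $_.Name
            confidence = $best.confidence
            tags       = ($best.tags -join ';')
            reporttime = $best.reporttime
        }
    }

$outPath = Join-Path $env:HOME 'cif-fqdn-blocklist.csv'   # constructed output path
$deduped | Sort-Object -Property confidence -Descending |
    Export-Csv -Path $outPath -NoTypeInformation

Write-Host ("Wrote {0} unique fqdn indicators to {1}" -f @($deduped).Count, $outPath)
```

ResultSize caps the query at 500, so a busy instance may have more matches than the file contains; raise the cap or narrow the time window if the run consistently hits the limit.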
Feeds
Feeds are aggregated, deduplicated, and filtered datasets that have had allowlists applied before being returned. Indicator type is the only mandatory parameter when generating a feed.
Get a feed of all fqdn indicators with a confidence of 7.5 or greater:
Get-CIF3Feed -IType fqdn -Confidence 7.5
Get a feed of all md5 indicators with a confidence of 9 or greater tagged as 'malware'. Additionally, add the ?apiParam=paramValue query string to the final REST request:
Get-CIF3Feed -IType md5 -Confidence 9 -Tag 'malware' -ExtraParams @{ 'apiParam' = 'paramValue' }
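Because a feed is meant to be applied more or less directly to a control, it is worth a local sanity check before deployment. The added example below (not part of the README) builds an ipv4 deny list from a feed and drops any entry that is not a routable public address, even though the server-side allowlist should already have removed such entries. It assumes Set-CIF3Config has already been run and that feed rows expose an indicator property (CIFv3 API field name, an assumption about the wrapper); the output path and tag are constructed for the example.

```powershell
# Added example, not the module's own code: ipv4 feed -> verified plain-text deny list.
# Assumptions: Set-CIF3Config already done; feed rows expose 'indicator' (CIFv3 field name).
Import-Module CIF3

$feed = Get-CIF3Feed -IType ipv4 -Confidence 8 -Tag 'botnet'   # constructed query

# Private, loopback and link-local ranges must never reach a perimeter deny list;
# blocking them would break internal traffic. Accept plain addresses and CIDRs.
function Test-IsRoutableIPv4 {
    param([string]$Indicator)
    $base = ($Indicator -split '/')[0]
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($base, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $addr.GetAddressBytes()
    if ($b[0] -eq 10)  { return $false }                                      # 10.0.0.0/8
    if ($b[0] -eq 127) { return $false }                                      # 127.0.0.0/8
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }                   # 169.254.0.0/16
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }  # 172.16.0.0/12
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }                   # 192.168.0.0/16
    if ($b[0] -ge 224) { return $false }                                      # multicast/reserved
    return $true
}

$all     = @($feed | ForEach-Object { $_.indicator })
$keep    = @($all | Where-Object { Test-IsRoutableIPv4 $_ } | Sort-Object -Unique)
$dropped = $all.Count - $keep.Count

if ($dropped -gt 0) {
    # Entries in these ranges mean the server-side allowlist is incomplete; flag it.
    Write-Warning "Dropped $dropped non-routable or duplicate entries from the feed."
}

$outPath = Join-Path $env:HOME 'cif-ipv4-denylist.txt'   # constructed output path
$keep | Set-Content -Path $outPath -Encoding ascii
Write-Host ("Wrote {0} ipv4 entries to {1}" -f $keep.Count, $outPath)
```

The warning is the useful signal: a feed that keeps carrying internal ranges points at a missing allowlist entry on the CIF instance rather than at a problem in the script.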
Acknowledgments
- Warren Frame's PSSlack module for PowerShell framework ideas.
- The official csirtgadgets CIFv3 Python SDK for reference.