Skip to content
/ CIF3-pwsh Public
forked from renisac/CIF3-pwsh

PowerShell module wrapper for the Collective Intelligence Framework (CIF) v3 API

License

MIT license
0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Geogboe/CIF3-pwsh

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

34 Commits
.github/workflows
.github/workflows
 
 
Private
Private
 
 
Public
Public
 
 
CIF3.psd1
CIF3.psd1
 
 
CIF3.psm1
CIF3.psm1
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

CIFv3 API PowerShell Wrapper

Collective Intelligence Framework (CIF) is a threat intelligence framework. This project is a CIFv3 client for PowerShell Core and Windows PowerShell.

https://csirtgadgets.com/collective-intelligence-framework

https://github.com/csirtgadgets/bearded-avenger

Getting Started

Install the module:

Install-Module CIF3

Load the module:

Import-Module CIF3

See what functions are available:

Get-Command -Module CIF3

If you have an existing .cif.yml in your $env:HOME dir, its contents will be read and used automatically. If you've never setup your config file (.cif.yml) before, do so now. At a minimum you must set the Uri and Token parameters.

Set-CIF3Config -Uri https://feeds.cif.domain.com -Token aaaabbbbccccdddd

Using the Module

CIF Instance Configuration

Retrieve your CIFv3 config settings:

Get-CIF3Config

Set the URI and authorization token to communicate with the desired CIF instance:

Set-CIF3Config -Uri 'https://cif.domain.local:5000' -Token 'd81830def81a871f2adbf00c5000000'

Test the connection to your configured CIF instance URI (returns $true if working, $false otherwise):

Test-CIF3Auth

Tokens

Tokens in CIF are like API keys, used for authenticating and authorizing a user to perform various actions.

List all tokens on the CIF instance:

Get-CIF3Token

Find a token with username = 'user1@domain.local'

Get-CIF3Token -Name user1@domain.local

Create a new token called 'writeonly' on the CIF instance. It will have write permissions but no read permissions:

New-CIF3Token -Name 'writeonly' -Permission 'Write'

Remove the specified token from the CIF instance:

Remove-CIF3Token -Id 'abcdef9999888855553333'

Update token to be in groups 'everyone' and 'admins':

Set-CIF3TokenGroup -Id 'abcdef9999888855553333' -Group everyone, admins

Indicators

Get a list of all indicators (default ResultSize is 100, so 100 will be returned):

Get-CIF3Indicator

Get up to 500 indicator results that have a Confidence of 8 or greater:

Get-CIF3Indicator -Confidence 8 -ResultSize 500

Get all fqdn indicators reported in the last week that have a 'malware' or 'botnet' tag:

Get-CIF3Indicator -IType fqdn -StartTime (Get-Date).AddDays(-7) -EndTime (Get-Date) -Tag malware, botnet

Add an indicator for 'baddomain.xyz' at a confidence of 7, a yellow TLP, and tagged as 'malware'

Add-CIF3Indicator -Indicator baddomain.xyz -Confidence 7 -Tag malware -TLP yellow

Feeds

Feeds are aggregated and filtered datasets that have had whitelists applied before being returned. Indicator type is the only mandatory parameter when generating a feed.

Get a feed of all fqdn indicators with a confidence of 7.5 or greater:

Get-CIF3Feed -IType fqdn -Confidence 7.5

Acknowledgments

  • Warren Frame's PSSlack pwsh module for powershell framework ideas.
  • The official csirtgadgets' CIFv3 Python SDK for reference.

About

PowerShell module wrapper for the Collective Intelligence Framework (CIF) v3 API

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

3 tags

Packages

No packages published

Languages

  • PowerShell 100.0%