
Command Line Usage

MBromiley edited this page May 26, 2019 · 2 revisions


pollen command-line usage

In version 1.1, pollen can now add a task log entry, and upload a task log attachment, directly from the command line! This is a pretty cool feature and was actually the founding idea for pollen, despite being the second big feature to be added.

Here's the overall concept:

  1. Via the config menu inside the pollen shell, the analyst can preconfigure a case and subsequent task for quick log entry. The config page discusses this more.
  2. An analyst is performing work in the command-line. They identify some indicators, find key data, finalize analysis, etc., and need to get that data into TheHive.
  3. With the new -l (--log) and -lf (--logfile) options, the analyst can now run commands such as:
python3 pollen.py --logfile findings.txt --log Attacker IPs and C2 callouts, extracted from Apache web logs, sorted, and uniqued

The above command will do the following:

  1. The phrase "Attacker IPs and C2 callouts, extracted from Apache web logs, sorted, and uniqued" will be stored as a log entry for the pre-configured task.
  2. Pollen will grab the findings.txt file and attach it to the task log.
  3. The above will be uploaded to TheHive!
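As an added example (not pollen's own code), here is a minimal stand-in for the --log/--logfile behaviour described above: it joins the multi-word log message, refuses a missing attachment instead of posting a log without its evidence file, and builds the multipart request for TheHive 3's task-log endpoint (POST /api/case/task/<taskId>/log with a `_json` part and an `attachment` part). The TheHive URL, API key and pre-configured task id are assumptions.

```python
import argparse
import json
import os


def parse_args(argv):
    """Parse the pollen-style options. nargs="+" lets the unquoted
    multi-word --log text in the example command arrive as one message
    instead of being cut off at the first space."""
    p = argparse.ArgumentParser(prog="pollen.py")
    p.add_argument("-l", "--log", nargs="+", required=True, help="task log message")
    p.add_argument("-lf", "--logfile", help="file to attach to the task log")
    a = p.parse_args(argv)
    return " ".join(a.log), a.logfile


def build_task_log_request(thehive_url, task_id, message, logfile=None):
    """Return (url, form fields, attachment path) for a TheHive 3
    task-log POST. A missing attachment raises, so a typo in the path
    never yields a log entry that silently lacks its evidence file."""
    if logfile is not None and not os.path.isfile(logfile):
        raise FileNotFoundError(logfile)
    url = "%s/api/case/task/%s/log" % (thehive_url.rstrip("/"), task_id)
    fields = {"_json": json.dumps({"message": message})}
    return url, fields, logfile


def upload(thehive_url, api_key, task_id, message, logfile=None):
    """Send the task log (and optional attachment) to TheHive.
    `requests` is imported here so the module loads without it installed."""
    import requests
    url, fields, path = build_task_log_request(thehive_url, task_id, message, logfile)
    headers = {"Authorization": "Bearer " + api_key}
    if path is None:
        r = requests.post(url, headers=headers, data=fields, timeout=30)
    else:
        with open(path, "rb") as fh:
            r = requests.post(url, headers=headers, data=fields,
                              files={"attachment": (os.path.basename(path), fh)}, timeout=30)
    r.raise_for_status()
    return r.json()


if __name__ == "__main__":
    import sys
    # Assumed settings: in pollen these come from the preconfigured case/task.
    msg, path = parse_args(sys.argv[1:])
    print(upload("https://thehive.example", "API_KEY_PLACEHOLDER", "TASK_ID_PLACEHOLDER", msg, path))
```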

Now, the analyst can go right back to work! This is an extremely useful feature that is meant to push analysts towards frequent case notes and updates, without needing to hop in and out of the shell all the time.
