Skip to content

PS Banshee

Recorded Future Logo

PS Banshee is a command-line tool for fast, efficient access to Recorded Future Intelligence, built for security professionals and SOC teams.

Welcome to PS Banshee!

Powered by PSEngine

PS Banshee is powered by the PSEngine library.

Key Features

  • IOC lookup and search
  • Packet capture (pcap) analysis
  • Recorded Future Alert search, lookup, and update
  • Recorded Future Detection Rules (YARA, Snort, Sigma) search and download
  • Recorded Future Entity search and lookup
  • Recorded Future List & Watch List management
  • Recorded Future Playbook Alert search, lookup, and update
  • Recorded Future Risk List download, and creation

Installation

PS Banshee is available on PyPI and can be installed using pip or pipx.

PS Banshee requires Python 3.9 or later (up to 3.13).

To install globally, run:

1
pipx install ps-banshee

Installing pipx

If you don't have pipx installed, see the installation guide.

Alternative: pip (current environment)

To install in the current environment, run: 

1
pip install ps-banshee

Dependencies

All required Python dependencies are resolved automatically by pipx.
To use the pcap command, ensure you have:

  • tshark 3.0.0 or later

Command Auto Completion

After installing PS Banshee, enable command auto completion with:

1
banshee --install-completion

Restart your shell to complete the installation. You can now use TAB to auto-complete commands.

Documentation

To view available commands, just run:

1
banshee

Authorization

Provide your Recorded Future API key using the -k or --api-key argument, or set it as the RF_TOKEN environment variable:

1
banshee -k <RF_TOKEN> <command> <sub-command> <arguments>

Proxies

If you are behind a proxy, set the HTTP_PROXY and HTTPS_PROXY environment variables.

To disable SSL verification, use the -s flag:

1
banshee -s ca rules

Next steps

Get started using PS Banshee now!