Synapse-Cybersixgill User Guide

Synapse-Cybersixgill adds Storm commands that query the Cybersixgill API from your Cortex using your existing Cybersixgill API credentials.

Getting Started

Check with your Synapse admin to have the required permissions enabled and to find out whether you need a personal API key, or whether a shared key has already been configured.

Examples

Setting your personal API key

To set up a personal API key (a Cybersixgill client id and client secret) for your own user:

> cybersixgill.setup.apikey --self myclientid myclientsecret
Setting Cybersixgill client id and secret for the current user.

Retrieve additional IOC data

Enrich a hash:md5 node with cybersixgill.iocs:

> [ hash:md5=ad49374e3c72613023fe420f0d6010d9 ] | cybersixgill.iocs
hash:md5=ad49374e3c72613023fe420f0d6010d9
        .created = 2024/03/28 14:39:42.662
        #rep.cybersixgill.3p.blog_paloaltounit42
        #rep.cybersixgill.build_capabilities
        #rep.cybersixgill.malicious_activity
        #rep.cybersixgill.malware

Search for IOCs by actor name and yield the results:

> cybersixgill.iocs --size 3 --yield --field actor=james
hash:md5=c012417c6e5d2210fbe0bc36a79d577b
        .created = 2024/03/28 14:39:43.629
        #rep.cybersixgill.3p.blog_fortinet
        #rep.cybersixgill.build_capabilities
        #rep.cybersixgill.malicious_activity
        #rep.cybersixgill.malware
hash:sha1=041ef39a95c810daf4f02f80e3e858175bb1902e
        .created = 2024/03/28 14:39:43.676
        #rep.cybersixgill.3p.blog_fortinet
        #rep.cybersixgill.build_capabilities
        #rep.cybersixgill.malicious_activity
        #rep.cybersixgill.malware
hash:sha256=14d52119459ef12be3a2f9a3a6578ee3255580f679b1b54de0990b6ba403b0fe
        .created = 2024/03/28 14:39:43.715
        #rep.cybersixgill.3p.blog_fortinet
        #rep.cybersixgill.build_capabilities
        #rep.cybersixgill.malicious_activity
        #rep.cybersixgill.malware
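The enrichment above can be chained with ordinary Storm filters and edits to triage what Cybersixgill returns. The following is an added example and is not part of the Synapse-Cybersixgill package or its documentation; the #myorg.triage.cybersixgill tag is an assumption chosen for illustration, while the #rep.cybersixgill.* tags are the ones shown in the output above.

```storm
// Added example, not from the Synapse-Cybersixgill package. The #myorg.* tag
// is an assumption; the #rep.cybersixgill.* tags are the ones the command
// applies, as shown in the output above.

// 1. Enrich every hash:md5 already in the Cortex. Without --yield the command
//    emits its input nodes, now carrying the Cybersixgill reputation tags.
hash:md5
| cybersixgill.iocs

// 2. Keep only the hashes Cybersixgill reports as malware and mark them for
//    review with a local tag, so later queries (or a trigger) can pick them up.
| +#rep.cybersixgill.malware
| [ +#myorg.triage.cybersixgill ]
```

The same filter and edit work in --yield mode: `cybersixgill.iocs --size 50 --yield --field actor=james | +hash:sha256 | [ +#myorg.triage.cybersixgill ]` pulls the actor's IOCs, keeps the SHA256 hashes and tags them, with --size bounding how many results the API call returns.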

Use of meta:source nodes

Synapse-Cybersixgill creates a meta:source node for the Cybersixgill API and links every node it observes from the API to that source with a -(seen)> lightweight edge, so you can always tell which data in your Cortex came from Cybersixgill.

> meta:source=928651817ba173f29e8e4d38c8834402
meta:source=928651817ba173f29e8e4d38c8834402
        .created = 2024/03/28 14:39:42.809
        :name = cybersixgill api

These edges let you filter any query to include only, or to exclude, nodes that Synapse-Cybersixgill has observed. The following example filters the nodes tagged #mycontacts down to those seen by Synapse-Cybersixgill:

> #mycontacts +{ <(seen)- meta:source=928651817ba173f29e8e4d38c8834402 }
ps:contact=ef6be59086b53f9920f16b5a52eab350
        .created = 2024/03/28 14:39:42.962
        :name = doel santos
        :type = cybersixgill
        #mycontacts
ps:contact=fcfc76721a8ad68e517bfbbe2dbd55c2
        .created = 2024/03/28 14:39:43.003
        :name = john martineau
        :type = cybersixgill
        #mycontacts
ps:contact=2a9ad4ededd87326161bdc54cf718595
        .created = 2024/03/28 14:39:43.547
        :name = james slaughter
        :type = cybersixgill
        #mycontacts
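The inverse filter, excluding anything Cybersixgill has observed, is the same subquery with a -{ } filter instead of +{ }. The following is an added example and is not part of the Synapse-Cybersixgill package or its documentation; it assumes only the meta:source node with :name = cybersixgill api and the -(seen)> edges shown above, and resolves the source guid by name so the query does not hard-code it.

```storm
// Added example, not from the Synapse-Cybersixgill package. Relies only on the
// meta:source node (:name = "cybersixgill api") and the -(seen)> edges the
// package creates; #mycontacts is the tag used in the example above.

// Resolve the source guid by name instead of pasting it into the query.
$src = { meta:source:name="cybersixgill api" return($node.value()) }

// Inverse of the example above: contacts Cybersixgill has NOT observed.
// Swap -{ } for +{ } to get back the "seen by Cybersixgill" filter.
#mycontacts -{ <(seen)- meta:source=$src }
```

To enumerate everything Cybersixgill has observed rather than filter a known set, walk the edge outward from the source instead, for example `meta:source=$src -(seen)> * | +hash:sha256 +#rep.cybersixgill.malware` for the SHA256 hashes it reported as malware.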