User Guide

Synapse-Flashpoint User Guide

Synapse-Flashpoint adds new Storm commands to allow you to query the Flashpoint API using your existing API key.

Getting Started

Check with your Global Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> flashpoint.setup.apikey --self myapikey
Setting Flashpoint API key for the current user.

Ingest bulk indicators

Query the Flashpoint API for bulk indicators and yield the results:

> flashpoint.indicators --size 10 --yield
hash:sha1=7643ed89f3a180e1bb0b43974a2a020c06c99c29
        .created = 2024/12/20 18:02:24.730
        .seen = ('2021/08/12 01:03:39.000', '2021/08/12 01:03:40.001')
hash:md5=c4de12a83203a8b25d8077c00a9c2bb9
        .created = 2024/12/20 18:02:24.762
        .seen = ('2021/08/12 01:03:39.000', '2021/08/12 01:03:40.001')
hash:md5=bd52ea5e27b88429e718105afaa8fa97
        .created = 2024/12/20 18:02:24.793
        .seen = ('2021/08/12 04:03:45.000', '2021/08/12 04:04:26.001')
hash:sha1=484437cd1b6f8fc7984d97023c2e7e4b2b90c077
        .created = 2024/12/20 18:02:24.824
        .seen = ('2021/08/12 04:03:47.000', '2021/08/12 04:04:28.001')
hash:sha1=9b1dee428b273fe00921b43821fd5deeadf9dd30
        .created = 2024/12/20 18:02:24.854
        .seen = ('2021/08/12 04:03:48.000', '2021/08/12 04:04:28.001')
hash:md5=4b9ea726f103977e15953192a2e90ca8
        .created = 2024/12/20 18:02:24.884
        .seen = ('2021/08/12 04:04:30.000', '2021/08/12 04:04:31.001')
hash:sha1=93d78f3a3b2537084f67e5d64819017d4d4173ee
        .created = 2024/12/20 18:02:24.915
        .seen = ('2021/08/12 02:04:47.000', '2021/08/12 02:05:21.001')
hash:sha512=b5cfaf04d8a6ba1bdf5a5c2fa2756f9b11332b740714f232caec7c5e2bc6e4d02e69694959e971f68c7a88744e3f2009717db0153e65f45ce2f4e9cca3c5f01b
        .created = 2024/12/20 18:02:24.947
        .seen = ('2021/08/12 02:04:48.000', '2021/08/12 02:05:23.001')
hash:md5=70e60106461356af54da6775d16b2497
        .created = 2024/12/20 18:02:24.977
        .seen = ('2021/08/12 10:03:43.000', '2021/08/12 10:05:45.001')
hash:sha1=137ad12caa38ff49d4eda59c8364b1c035f86ed9
        .created = 2024/12/20 18:02:25.007
        .seen = ('2021/08/12 10:03:43.000', '2021/08/12 10:05:46.001')

Pull bulk indicators from a specific timeframe:

> flashpoint.indicators --start-date 2021-01-03 --end-date 2021-01-04 --size 10 --yield
inet:server=tcp://2.237.76.249:80
        .created = 2024/12/20 18:02:25.233
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:19.001')
        :ipv4 = 2.237.76.249
        :port = 80
        :proto = tcp
hash:md5=514e7e8b97c44b9e7ec3268e42c9c464
        .created = 2024/12/20 18:02:25.265
        .seen = ('2021/01/04 20:10:32.000', '2021/01/04 20:10:37.001')
inet:server=tcp://104.236.28.47:8080
        .created = 2024/12/20 18:02:25.294
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:16.001')
        :ipv4 = 104.236.28.47
        :port = 8080
        :proto = tcp
inet:server=tcp://98.156.206.153:80
        .created = 2024/12/20 18:02:25.325
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:17.001')
        :ipv4 = 98.156.206.153
        :port = 80
        :proto = tcp
inet:server=tcp://110.44.113.2:80
        .created = 2024/12/20 18:02:25.357
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:17.001')
        :ipv4 = 110.44.113.2
        :port = 80
        :proto = tcp
hash:sha1=8d4114b6c35df2ff942e365ebbe6fc2dbb8be4e8
        .created = 2024/12/20 18:02:25.387
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:16.001')
inet:server=tcp://87.106.139.101:8080
        .created = 2024/12/20 18:02:25.417
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:17.001')
        :ipv4 = 87.106.139.101
        :port = 8080
        :proto = tcp
inet:server=tcp://181.13.24.82:80
        .created = 2024/12/20 18:02:25.449
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:18.001')
        :ipv4 = 181.13.24.82
        :port = 80
        :proto = tcp
inet:server=tcp://180.92.239.110:8080
        .created = 2024/12/20 18:02:25.479
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:18.001')
        :ipv4 = 180.92.239.110
        :port = 8080
        :proto = tcp
inet:server=tcp://209.137.209.84:443
        .created = 2024/12/20 18:02:25.511
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:20.001')
        :ipv4 = 209.137.209.84
        :port = 443
        :proto = tcp

Search for keywords

Search for Flashpoint data matching a keyword:

> flashpoint.search.query --keyword "Carding Exploit" --size 2 --yield
WARNING: flashpoint.search.query is deprecated and will be removed in the next major release of the synapse-flashpoint power-up.
inet:web:post=29f93e6f30ff609c8ef67a4b4ab0a7d6
        .created = 2024/12/20 18:02:25.897
        .seen = ('2020/04/14 10:15:35.119', '2020/04/14 10:15:35.120')
        :acct = darkmarket.so/23007
        :acct:site = darkmarket.so
        :acct:user = 23007
        :channel = 4e0268cf55eda2dd03ee3b00b5179ce8
        :text = <article class="message-body js-selectToQuote">
                <div class="bbWrapper">куплю, пишите<br/>
                <a href="mailto:[email protected]">[email protected]</a><br/>
                <a href="mailto:[email protected]">[email protected]</a></div>
                <div class="js-selectToQuoteEnd"> </div>
                </article>
        :time = 2018/03/30 20:19:00.000
        :url = http://darkmarket.so/threads/akk-na-verified.15453/post-66480
        #rep.flashpoint.enrichments.lang.ru
inet:web:post=e0006545d17875c38b29f064936d9d92
        .created = 2024/12/20 18:02:26.336
        .seen = ('2020/09/10 02:01:30.525', '2020/10/28 07:14:43.315')
        :acct = web.telegram.org/1173148534
        :acct:site = web.telegram.org
        :acct:user = 1173148534
        :channel = fa84b3385c8d3ed8ec47953f8604fb28
        :deleted = false
        :text = Carding Exploit https://www.youtube.com/watch?v=4Y91dJ--1NM&t=580s
        :time = 2020/09/10 02:01:29.000

Search for Flashpoint data that has the ethereum_addresses enrichment:

> flashpoint.search.query --enrichment ethereum_addresses --size 2 --yield
WARNING: flashpoint.search.query is deprecated and will be removed in the next major release of the synapse-flashpoint power-up.
inet:web:post=cfbb20a0449301bd7b693afcf5b07bc7
        .created = 2024/12/20 18:02:26.732
        .seen = ('2018/06/06 00:50:55.000', '2018/06/06 00:50:55.001')
        :channel = 7242b7a36c7a89534cb2b7c577c65221
        :deleted = false
        :text = Proxy-Authorization:  v=4:e=1526177131:p=73ba862eb3c64529b773546de1e27875:o=bdf645305ee44cf6a2d28bcb50b3c3b8:v=40:k=94:n=tigoparaguay:x=1526436308:d=c4a849038b7816a9e9aa6c8c7ccb22b7:c=123:h=08aa3f1139e85c9313febebf02cc7383fa417dea:m=1389407715fdd1da51ac6215a8bbf84d317c0557\r\n
        :time = 2018/05/13 02:07:54.000
inet:web:post=4fd3fddbc3d1da4786d6b79339d62f53
        .created = 2024/12/20 18:02:27.029
        .seen = ('2019/10/05 20:36:02.317', '2019/10/05 20:36:02.318')
        :acct = web.telegram.org/955066636
        :acct:site = web.telegram.org
        :acct:user = 955066636
        :channel = 4da75876884f02677f417b57f6481442
        :deleted = false
        :file = guid:333aa0bedf9f2daa4d02be960c7d9310
        :text = ⠀    👇🏽Вся информация здесь👇🏽
                ⠀    👇🏽Вся информация здесь👇🏽
        :time = 2019/10/05 20:36:01.000
        #rep.flashpoint.enrichments.lang.ru

Search for Flashpoint data using a crypto:currency:address node as input:

> crypto:currency:address=('btc', '14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk') | flashpoint.search.query --size 1 --yield | -> inet:web:acct
WARNING: flashpoint.search.query is deprecated and will be removed in the next major release of the synapse-flashpoint power-up.
inet:web:acct=id-ransomware.blogspot.com/id_ransomware
        .created = 2024/12/20 18:02:27.536
        :aliases = ['id_ransomware']
        :name = id_ransomware
        :site = id-ransomware.blogspot.com
        :user = id_ransomware

Use of meta:source nodes

Synapse-Flashpoint uses a meta:source node and -(seen)> light edges to track nodes observed from the Flashpoint API.

> meta:source=726a771e307b89e5ad2ecf5248dda97c
meta:source=726a771e307b89e5ad2ecf5248dda97c
        .created = 2024/12/20 18:02:24.710
        :name = flashpoint package

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Flashpoint. The following example shows how to filter the results of a query to include only results observed by Synapse-Flashpoint:

> crypto:currency:address=('btc', '14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk') +{ <(seen)- meta:source=726a771e307b89e5ad2ecf5248dda97c }
crypto:currency:address=btc/14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
        .created = 2024/12/20 18:02:27.276
        :coin = btc
        :desc = P2PKH
        :iden = 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk