Synapse-Flashpoint User Guide

Synapse-Flashpoint adds Storm commands that query the Flashpoint API using your existing Flashpoint API key.

Getting Started

Check with your Global Admin to have the package permissions enabled for your user and to find out whether you need a personal API key.

Examples

Setting your personal API key

To set up a personal-use API key:

> flashpoint.setup.apikey --self myapikey
Setting Flashpoint API key for the current user.

Ingest bulk indicators

Query the Flashpoint API for bulk indicators and yield the resulting nodes. Note that .created is the time the node was created in your Cortex, while .seen is the observation interval reported by Flashpoint:

> flashpoint.indicators --size 10 --yield
hash:sha1=7643ed89f3a180e1bb0b43974a2a020c06c99c29
        .created = 2024/04/25 15:15:37.967
        .seen = ('2021/08/12 01:03:39.000', '2021/08/12 01:03:40.001')
hash:md5=c4de12a83203a8b25d8077c00a9c2bb9
        .created = 2024/04/25 15:15:37.998
        .seen = ('2021/08/12 01:03:39.000', '2021/08/12 01:03:40.001')
hash:md5=bd52ea5e27b88429e718105afaa8fa97
        .created = 2024/04/25 15:15:38.027
        .seen = ('2021/08/12 04:03:45.000', '2021/08/12 04:04:26.001')
hash:sha1=484437cd1b6f8fc7984d97023c2e7e4b2b90c077
        .created = 2024/04/25 15:15:38.054
        .seen = ('2021/08/12 04:03:47.000', '2021/08/12 04:04:28.001')
hash:sha1=9b1dee428b273fe00921b43821fd5deeadf9dd30
        .created = 2024/04/25 15:15:38.081
        .seen = ('2021/08/12 04:03:48.000', '2021/08/12 04:04:28.001')
hash:md5=4b9ea726f103977e15953192a2e90ca8
        .created = 2024/04/25 15:15:38.109
        .seen = ('2021/08/12 04:04:30.000', '2021/08/12 04:04:31.001')
hash:sha1=93d78f3a3b2537084f67e5d64819017d4d4173ee
        .created = 2024/04/25 15:15:38.138
        .seen = ('2021/08/12 02:04:47.000', '2021/08/12 02:05:21.001')
hash:sha512=b5cfaf04d8a6ba1bdf5a5c2fa2756f9b11332b740714f232caec7c5e2bc6e4d02e69694959e971f68c7a88744e3f2009717db0153e65f45ce2f4e9cca3c5f01b
        .created = 2024/04/25 15:15:38.168
        .seen = ('2021/08/12 02:04:48.000', '2021/08/12 02:05:23.001')
hash:md5=70e60106461356af54da6775d16b2497
        .created = 2024/04/25 15:15:38.197
        .seen = ('2021/08/12 10:03:43.000', '2021/08/12 10:05:45.001')
hash:sha1=137ad12caa38ff49d4eda59c8364b1c035f86ed9
        .created = 2024/04/25 15:15:38.224
        .seen = ('2021/08/12 10:03:43.000', '2021/08/12 10:05:46.001')

Pull bulk indicators from a specific timeframe:

> flashpoint.indicators --start-date 2021-01-03 --end-date 2021-01-04 --size 10 --yield
inet:server=tcp://2.237.76.249:80
        .created = 2024/04/25 15:15:38.413
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:19.001')
        :ipv4 = 2.237.76.249
        :port = 80
        :proto = tcp
hash:md5=514e7e8b97c44b9e7ec3268e42c9c464
        .created = 2024/04/25 15:15:38.442
        .seen = ('2021/01/04 20:10:32.000', '2021/01/04 20:10:37.001')
inet:server=tcp://104.236.28.47:8080
        .created = 2024/04/25 15:15:38.469
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:16.001')
        :ipv4 = 104.236.28.47
        :port = 8080
        :proto = tcp
inet:server=tcp://98.156.206.153:80
        .created = 2024/04/25 15:15:38.497
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:17.001')
        :ipv4 = 98.156.206.153
        :port = 80
        :proto = tcp
inet:server=tcp://110.44.113.2:80
        .created = 2024/04/25 15:15:38.525
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:17.001')
        :ipv4 = 110.44.113.2
        :port = 80
        :proto = tcp
hash:sha1=8d4114b6c35df2ff942e365ebbe6fc2dbb8be4e8
        .created = 2024/04/25 15:15:38.554
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:16.001')
inet:server=tcp://87.106.139.101:8080
        .created = 2024/04/25 15:15:38.582
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:17.001')
        :ipv4 = 87.106.139.101
        :port = 8080
        :proto = tcp
inet:server=tcp://181.13.24.82:80
        .created = 2024/04/25 15:15:38.610
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:18.001')
        :ipv4 = 181.13.24.82
        :port = 80
        :proto = tcp
inet:server=tcp://180.92.239.110:8080
        .created = 2024/04/25 15:15:38.638
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:18.001')
        :ipv4 = 180.92.239.110
        :port = 8080
        :proto = tcp
inet:server=tcp://209.137.209.84:443
        .created = 2024/04/25 15:15:38.666
        .seen = ('2021/01/04 20:10:15.000', '2021/01/04 20:10:20.001')
        :ipv4 = 209.137.209.84
        :port = 443
        :proto = tcp

Search for keywords

Search for Flashpoint data matching a keyword:

> flashpoint.search.query --keyword "Carding Exploit" --size 2 --yield
inet:web:post=29f93e6f30ff609c8ef67a4b4ab0a7d6
        .created = 2024/04/25 15:15:38.994
        .seen = ('2020/04/14 10:15:35.119', '2020/04/14 10:15:35.120')
        :acct = darkmarket.so/23007
        :acct:site = darkmarket.so
        :acct:user = 23007
        :channel = 4e0268cf55eda2dd03ee3b00b5179ce8
        :text = <article class="message-body js-selectToQuote">
                <div class="bbWrapper">куплю, пишите<br/>
                <a href="mailto:[email protected]">[email protected]</a><br/>
                <a href="mailto:[email protected]">[email protected]</a></div>
                <div class="js-selectToQuoteEnd"> </div>
                </article>
        :time = 2018/03/30 20:19:00.000
        :url = http://darkmarket.so/threads/akk-na-verified.15453/post-66480
        #rep.flashpoint.enrichments.lang.ru
inet:web:post=e0006545d17875c38b29f064936d9d92
        .created = 2024/04/25 15:15:39.412
        .seen = ('2020/09/10 02:01:30.525', '2020/10/28 07:14:43.315')
        :acct = web.telegram.org/1173148534
        :acct:site = web.telegram.org
        :acct:user = 1173148534
        :channel = fa84b3385c8d3ed8ec47953f8604fb28
        :deleted = false
        :text = Carding Exploit https://www.youtube.com/watch?v=4Y91dJ--1NM&t=580s
        :time = 2020/09/10 02:01:29.000

Search for Flashpoint data that has the ethereum_addresses enrichment:

> flashpoint.search.query --enrichment ethereum_addresses --size 2 --yield
inet:web:post=cfbb20a0449301bd7b693afcf5b07bc7
        .created = 2024/04/25 15:15:39.759
        .seen = ('2018/06/06 00:50:55.000', '2018/06/06 00:50:55.001')
        :channel = 7242b7a36c7a89534cb2b7c577c65221
        :deleted = false
        :text = Proxy-Authorization:  v=4:e=1526177131:p=73ba862eb3c64529b773546de1e27875:o=bdf645305ee44cf6a2d28bcb50b3c3b8:v=40:k=94:n=tigoparaguay:x=1526436308:d=c4a849038b7816a9e9aa6c8c7ccb22b7:c=123:h=08aa3f1139e85c9313febebf02cc7383fa417dea:m=1389407715fdd1da51ac6215a8bbf84d317c0557\r\n
        :time = 2018/05/13 02:07:54.000
inet:web:post=4fd3fddbc3d1da4786d6b79339d62f53
        .created = 2024/04/25 15:15:40.037
        .seen = ('2019/10/05 20:36:02.317', '2019/10/05 20:36:02.318')
        :acct = web.telegram.org/955066636
        :acct:site = web.telegram.org
        :acct:user = 955066636
        :channel = 4da75876884f02677f417b57f6481442
        :deleted = false
        :file = guid:333aa0bedf9f2daa4d02be960c7d9310
        :text = ⠀    👇🏽Вся информация здесь👇🏽
                ⠀    👇🏽Вся информация здесь👇🏽
        :time = 2019/10/05 20:36:01.000
        #rep.flashpoint.enrichments.lang.ru

Search for Flashpoint data using a crypto:currency:address node as input:

> crypto:currency:address=('btc', '14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk') | flashpoint.search.query --size 1 --yield | -> inet:web:acct
inet:web:acct=id-ransomware.blogspot.com/id_ransomware
        .created = 2024/04/25 15:15:40.493
        :aliases = ['id_ransomware']
        :name = id_ransomware
        :site = id-ransomware.blogspot.com
        :user = id_ransomware

Use of meta:source nodes

Synapse-Flashpoint creates a meta:source node and -(seen)> light edges to track which nodes were observed via the Flashpoint API.

> meta:source=726a771e307b89e5ad2ecf5248dda97c
meta:source=726a771e307b89e5ad2ecf5248dda97c
        .created = 2024/04/25 15:15:37.950
        :name = flashpoint package

Storm filters can use these edges to include or exclude nodes that Synapse-Flashpoint has observed. The following example filters the results of a query to keep only nodes observed by Synapse-Flashpoint:

> crypto:currency:address=('btc', '14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk') +{ <(seen)- meta:source=726a771e307b89e5ad2ecf5248dda97c }
crypto:currency:address=btc/14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
        .created = 2024/04/25 15:15:40.267
        :coin = btc
        :desc = P2PKH
        :iden = 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
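
The queries below are an added example, not part of the Synapse-Flashpoint documentation, showing the other ways these edges are typically used: walking outbound from the meta:source to enumerate everything the package has observed, and excluding rather than including Flashpoint-observed nodes. They assume the meta:source guid shown above and use a tag name (#my.watch.flashpoint) chosen for illustration; the Flashpoint commands and their arguments are the ones shown on this page.

```storm
// Added example (not the package's own code). Tag name and date range are
// assumptions; the meta:source guid is the one shown above.

// 1. Ingest one day of bulk indicators, keep only the inet:server nodes, and
//    tag them so later queries can find this batch without re-querying the API.
> flashpoint.indicators --start-date 2021-01-03 --end-date 2021-01-04 --size 10 --yield | +inet:server | [ +#my.watch.flashpoint ]

// 2. Walk outbound from the Flashpoint meta:source across its -(seen)> edges to
//    enumerate every node the package has observed, and count them.
> meta:source=726a771e307b89e5ad2ecf5248dda97c -(seen)> * | count

// 3. Exclude instead of include: lift all inet:server nodes on port 8080 and drop
//    the ones Flashpoint has observed. The -{ } filter removes a node whenever
//    the subquery yields anything, so what remains came from other sources.
> inet:server:port=8080 -{ <(seen)- meta:source=726a771e307b89e5ad2ecf5248dda97c }
```

Each line beginning with > is a separate Storm query, as elsewhere on this page. The exclusion form in step 3 is the usual way to answer "what do I hold that Flashpoint has not reported", which is often more useful for triage than the inclusion filter.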