User Guide

Synapse-Flashpoint User Guide

Synapse-Flashpoint adds new Storm commands to allow you to query the Flashpoint API using your existing API key.

Getting Started

Check with your Global Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set up a personal-use API key:

> flashpoint.setup.apikey --self myapikey
Setting Flashpoint API key for the current user.

Ingest bulk indicators

Query the Flashpoint Ignite API for bulk indicators and yield the results:

> flashpoint.ignite.indicators --size 10 --yield
hash:sha256=3078e46673b199fcaf3a6657a65eeb53e793f8fd4d959119c904bfe79b31dcf6
        .created = 2025/05/30 19:30:06.613
        .seen = ('2024/07/05 07:05:11.000', '2024/07/05 07:05:13.001')
hash:sha1=16a92fff68e14016ffbf4b3c10da432738520d92
        .created = 2025/05/30 19:30:06.618
        .seen = ('2024/07/05 07:05:15.000', '2024/07/05 07:05:16.001')
hash:sha512=59b2d893eb0366b7b7b9846e7814983ed0efc3f842b3af44dbf4bd6eabcfdad74a4e5ee67192e1785c800e11a397d428a837c8a3cefecdafafdd9934acc22543
        .created = 2025/05/30 19:30:06.622
        .seen = ('2024/07/05 07:05:16.000', '2024/07/05 07:05:17.001')
hash:md5=853f7b06cec0008f3720f5ab93a66fd0
        .created = 2025/05/30 19:30:06.625
        .seen = ('2024/07/05 07:05:17.000', '2024/07/05 07:05:19.001')
hash:sha256=33d109f97d28736bee0a77304eec866144d6d0977fcab1da84267708ef3eb638
        .created = 2025/05/30 19:30:06.628
        .seen = ('2024/07/05 07:05:17.000', '2024/07/05 07:05:19.001')
hash:sha256=38937ac5fe62d613c728fa5228ecf36f71241df3c82e5c28c7649b5577cddf92
        .created = 2025/05/30 19:30:06.632
        .seen = ('2024/07/05 07:05:24.000', '2024/07/05 07:05:25.001')
hash:sha256=280b94f5e300d22bdb34c3f9e9da53a0f187f3f8b0990537e92926c092782191
        .created = 2025/05/30 19:30:06.635
        .seen = ('2024/07/05 07:05:26.000', '2024/07/05 07:05:27.001')
hash:sha1=4b60f49bc4952c0c7af62d0344c5df86d46c3b83
        .created = 2025/05/30 19:30:06.638
        .seen = ('2024/07/05 07:05:26.000', '2024/07/05 07:05:27.001')
hash:sha256=2ea8e7ccce9ac061daf4d6cdaa8101cca661fce01f616179ccccb2b701a44502
        .created = 2025/05/30 19:30:06.642
        .seen = ('2024/07/05 07:05:32.000', '2024/07/05 07:05:33.001')
hash:md5=d79899b81743cf23aea8d6c3eb834e50
        .created = 2025/05/30 19:30:06.645
        .seen = ('2024/07/05 07:05:35.000', '2024/07/05 07:05:37.001')

Search for reports

Search for Flashpoint reports by actor:

> flashpoint.ignite.reports.search --size 5 --actors blacksuit --yield
media:news=1cf2e8cab5df5bb7f66c44f933093c09
        .created = 2025/05/30 19:30:06.686
        :ext:id = YKFqMpEBEVaUWv1Dmgwc
        :published = 2024/08/08 14:35:31.023
        :publisher = dbbff71864157ddc5e7f466bdc6fbe0f
        :publisher:name = flashpoint
        :summary = Threat Actor Advertises Philippine Health Department Database  //  Actor Advertises Indian Eye Hospital Database  //  Actor Advertises US Biopharma Company Access  //  Actor Advertises Italian Pharmacy Access  //  Ransomware Group Targets IT Workers  //  Organizations Warn of Ransomware Attacks on Critical Suppliers
        :title = biweekly roll-up: healthcare sector (july 25-august 8, 2024)
        :topics = ['biweekly roll-up: healthcare sector', 'central & south asia', 'central asia / south asia / southeast asia', 'cyber threats', 'cybercrime', 'data breaches', 'data breaches and network access', 'e-commerce', 'europe', 'healthcare', 'india', 'indicators of compromise', 'intelligence report', 'italy', 'malware', 'north america', 'pharmaceutical', 'phishing', 'physical threats', 'ransomware', 'social engineering', 'supply chain and third parties', 'technology', 'usa']
        :updated = 2024/08/08 14:35:31.023
        :url = https://fp.tools/cti/intelligence/report/YKFqMpEBEVaUWv1Dmgwc
        :url:fqdn = fp.tools
media:news=77ebec3ea943fb4dbe1a4709d845d497
        .created = 2025/05/30 19:30:06.911
        :ext:id = UAW9zJABBGdU9his-Rbn
        :published = 2024/07/19 20:45:19.050
        :publisher = dbbff71864157ddc5e7f466bdc6fbe0f
        :publisher:name = flashpoint
        :summary = "BlackSuit" ransomware group was first observed in May 2023. In the past year, it has posted 104 victims. More than 70 percent of those were in the United States. The top five industries BlackSuit targets are retail, technology, associations, education, and business services. It gained notoriety in mid-2024 for its disruptive ransomware attacks on KADOKAWA Group and CDK Global.
        :title = actor profile: "blacksuit" ransomware group
        :topics = ['actor profile', 'associations', 'business services and consulting', 'canada', 'cyber threats', 'data breaches', 'data breaches and network access', 'e-commerce', 'education', 'europe', 'malware', 'north america', 'ransomware', 'retail', 'social engineering', 'technology', 'united kingdom', 'usa']
        :updated = 2024/07/19 20:45:19.050
        :url = https://fp.tools/cti/intelligence/report/UAW9zJABBGdU9his-Rbn
        :url:fqdn = fp.tools
media:news=5b0045c66e07521a2079fbd63f04c104
        .created = 2025/05/30 19:30:06.985
        :ext:id = mRL1EY8Bc3MqT3ZMs7Bn
        :published = 2024/04/24 21:14:25.686
        :publisher = dbbff71864157ddc5e7f466bdc6fbe0f
        :publisher:name = flashpoint
        :summary = "BlackSuit" Ransoms Swiss Plasma Company  //  "RansomHub" Ransoms US Wealth Management Firm  //  Actor Sells "Samurai Stealer" Malware  //  Actor Advertises downloader "BOSSNET"  //  Actor Sells Database from Mexican Retail Chain  //  Actor Sells List of German Citizens
        :title = daily spark - april 24, 2024
        :topics = ['asia pacific', 'central & south america', 'cyber threats', 'daily spark', 'data breaches', 'data breaches and network access', 'e-commerce', 'east asia', 'energy', 'europe', 'financial', 'financial services', 'healthcare', 'japan', 'latin america and caribbean', 'malware', 'mexico', 'middle east & north africa', 'middle east and west asia', 'north america', 'ransomware', 'retail', 'switzerland', 'technology', 'usa']
        :updated = 2024/04/24 21:14:25.686
        :url = https://fp.tools/cti/intelligence/report/mRL1EY8Bc3MqT3ZMs7Bn
        :url:fqdn = fp.tools
media:news=fc470968fb1eefc44aae2fe317de0ff5
        .created = 2025/05/30 19:30:07.133
        :ext:id = P90n5I4BXUkkxfbRM4On
        :published = 2024/04/15 23:45:49.824
        :publisher = dbbff71864157ddc5e7f466bdc6fbe0f
        :publisher:name = flashpoint
        :summary = "Akira" Ransoms Ohio Bank  //  "8Base" Ransoms French and US Companies  //  "R00TK1T" and "CyberArmyofRussia" Announce Attack  //  "LummaC2" and "Vidar" Infostealers Publishe Updates  //  Actor Sells Exploit for Palo Alto Vulnerability  //  Accesses: Indonesian Hospitality Webshop, Iranian Energy Company, Russian IT Company, and More
        :title = daily spark - april 15, 2024
        :topics = ['asia pacific', 'automotive', 'business services and consulting', 'central & south america', 'central & south asia', 'central asia / south asia / southeast asia', 'cyber threats', 'daily spark', 'data breaches', 'data breaches and network access', 'defense', 'e-commerce', 'east asia', 'egypt', 'energy', 'entertainment', 'europe', 'exploits & vulnerabilities', 'financial', 'financial services', 'france', 'geopolitics', 'government', 'hacktivism', 'hacktivists', 'healthcare', 'hospitality', 'hospitality & gaming', 'india', 'insurance', 'latin america and caribbean', 'malware', 'manufacturing', 'media', 'media & telecom', 'middle east & north africa', 'middle east and west asia', 'north america', 'policy', 'ransomware', 'retail', 'russia', 'south korea', 'technology', 'telecommunications', 'transportation', 'united arab emirates', 'usa', 'vulnerabilities']
        :updated = 2024/08/01 15:32:15.815
        :url = https://fp.tools/cti/intelligence/report/P90n5I4BXUkkxfbRM4On
        :url:fqdn = fp.tools
media:news=e3d9be2c0e27908576dc896a3beb0c18
        .created = 2025/05/30 19:30:07.510
        :ext:id = b-U91I4B_di_r-K67eMR
        :published = 2024/04/12 21:36:51.297
        :publisher = dbbff71864157ddc5e7f466bdc6fbe0f
        :publisher:name = flashpoint
        :summary = "RansomHub" Claims to Ransom North Carolina Sheriff's Office  //  "ARES PRIVATE CHANNEL" For Sale  //  Crypto Drainer Source Code For Sale  //  Accesses: Latvian Swedbank, Russian Tour Operator, Irish Forex Trading Broker Database, UK Web Developer Database, US Experian Database, Indonesian Distributor Pharmacy, and More
        :title = daily spark - april 12, 2024
        :topics = ['aerospace and defense', 'blockchain and cryptocurrency', 'canada', 'central & south asia', 'central asia / south asia / southeast asia', 'cyber threats', 'cybersecurity & internet governance', 'daily spark', 'data breaches', 'data breaches and network access', 'e-commerce', 'education', 'europe', 'financial', 'financial services', 'industrial & scada', 'legal', 'malware', 'manufacturing', 'north america', 'pharmaceutical', 'ransomware', 'retail', 'russia', 'technology', 'united kingdom', 'usa']
        :updated = 2024/04/12 21:36:51.297
        :url = https://fp.tools/cti/intelligence/report/b-U91I4B_di_r-K67eMR
        :url:fqdn = fp.tools

Use of meta:source nodes

Synapse-Flashpoint uses a meta:source node and -(seen)> light edges to track nodes observed from the Flashpoint API.

> meta:source=726a771e307b89e5ad2ecf5248dda97c
meta:source=726a771e307b89e5ad2ecf5248dda97c
        .created = 2025/05/30 19:30:06.610
        :name = flashpoint package

Storm can filter query results to include or exclude nodes that have been observed by Synapse-Flashpoint. The following example shows how to filter the results of a query to include only results observed by Synapse-Flashpoint:

> media:news:topics*[=automotive] +{ <(seen)- meta:source=726a771e307b89e5ad2ecf5248dda97c }
media:news=fc470968fb1eefc44aae2fe317de0ff5
        .created = 2025/05/30 19:30:07.133
        :ext:id = P90n5I4BXUkkxfbRM4On
        :published = 2024/04/15 23:45:49.824
        :publisher = dbbff71864157ddc5e7f466bdc6fbe0f
        :publisher:name = flashpoint
        :summary = "Akira" Ransoms Ohio Bank  //  "8Base" Ransoms French and US Companies  //  "R00TK1T" and "CyberArmyofRussia" Announce Attack  //  "LummaC2" and "Vidar" Infostealers Publishe Updates  //  Actor Sells Exploit for Palo Alto Vulnerability  //  Accesses: Indonesian Hospitality Webshop, Iranian Energy Company, Russian IT Company, and More
        :title = daily spark - april 15, 2024
        :topics = ['asia pacific', 'automotive', 'business services and consulting', 'central & south america', 'central & south asia', 'central asia / south asia / southeast asia', 'cyber threats', 'daily spark', 'data breaches', 'data breaches and network access', 'defense', 'e-commerce', 'east asia', 'egypt', 'energy', 'entertainment', 'europe', 'exploits & vulnerabilities', 'financial', 'financial services', 'france', 'geopolitics', 'government', 'hacktivism', 'hacktivists', 'healthcare', 'hospitality', 'hospitality & gaming', 'india', 'insurance', 'latin america and caribbean', 'malware', 'manufacturing', 'media', 'media & telecom', 'middle east & north africa', 'middle east and west asia', 'north america', 'policy', 'ransomware', 'retail', 'russia', 'south korea', 'technology', 'telecommunications', 'transportation', 'united arab emirates', 'usa', 'vulnerabilities']
        :updated = 2024/08/01 15:32:15.815
        :url = https://fp.tools/cti/intelligence/report/P90n5I4BXUkkxfbRM4On
        :url:fqdn = fp.tools
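
The queries below are an added example, not part of the original guide. They show the exclude form of the same filter, plus walks in the other direction from the meta:source node along its -(seen)> edges. They reuse the meta:source guid and forms shown above, and each query is meant to be run on its own.

```storm
// Exclude variant of the filter above: automotive-topic reports that were
// NOT observed by Synapse-Flashpoint (i.e. they came from another source).
media:news:topics*[=automotive] -{ <(seen)- meta:source=726a771e307b89e5ad2ecf5248dda97c }

// Walk the light edges outward from the source node to list only the
// SHA256 indicators that Synapse-Flashpoint has observed.
meta:source=726a771e307b89e5ad2ecf5248dda97c -(seen)> hash:sha256

// Same walk restricted to reports, keeping those published on or after
// a chosen date (the date is a constructed sample value).
meta:source=726a771e307b89e5ad2ecf5248dda97c -(seen)> media:news +:published>=2024/07/01

// Count every node attributed to the Flashpoint source, for a quick check
// of how much of the graph depends on this feed.
meta:source=726a771e307b89e5ad2ecf5248dda97c -(seen)> * | count
```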