User Guide

Synapse-Google-CT User Guide

Synapse-Google-CT adds new Storm commands to allow you to query the Google Certificate Transparency API.

Getting Started

Check with your Admin to enable permissions.

Examples

Querying a domain for subdomains

Populate subdomains for a domain:

> [inet:fqdn=vertex.link] | google.ct.subdomains --yield --size 5
inet:fqdn=www.vertex.link
        .created = 2024/12/20 18:03:01.054
        :domain = vertex.link
        :host = www
        :issuffix = false
        :iszone = false
        :zone = vertex.link
inet:fqdn=demo0011.app.vertex.link
        .created = 2024/12/20 18:03:01.216
        :domain = app.vertex.link
        :host = demo0011
        :issuffix = false
        :iszone = false
        :zone = vertex.link
inet:fqdn=demo0010.app.vertex.link
        .created = 2024/12/20 18:03:01.289
        :domain = app.vertex.link
        :host = demo0010
        :issuffix = false
        :iszone = false
        :zone = vertex.link
inet:fqdn=optic.docs.vertex.link
        .created = 2024/12/20 18:03:01.387
        :domain = docs.vertex.link
        :host = optic
        :issuffix = false
        :iszone = false
        :zone = vertex.link
inet:fqdn=enterprise.docs.vertex.link
        .created = 2024/12/20 18:03:01.408
        :domain = docs.vertex.link
        :host = enterprise
        :issuffix = false
        :iszone = false
        :zone = vertex.link

Use of meta:source nodes

Synapse-Google-CT uses a meta:source node and -(seen)> light weight edges to track nodes observed from the Google-CT API.

> meta:source=3f312b8e323b81c15c4280cc3f79d702
meta:source=3f312b8e323b81c15c4280cc3f79d702
        .created = 2024/12/20 18:03:01.045
        :name = google-ct api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Google-CT. The following example shows how to filter the results of a query to include only results observed by Synapse-Google-CT:

> #cool.tag.lift +{ <(seen)- meta:source=3f312b8e323b81c15c4280cc3f79d702 }