User Guide

Synapse-HYAS User Guide

Synapse-HYAS adds new Storm commands to allow you to query the HYAS API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> hyas.setup.apikey --self myapikey
Setting HYAS API key for the current user.

Ingest passive DNS data for an FQDN

Enrich some nodes with hyas.enrich and yield the results:

> [ inet:fqdn=vertex.link ] | hyas.dns.passive --yield
inet:dns:a=('synapse.docs.vertex.link', '188.114.98.229')
        .created = 2024/04/30 19:13:28.958
        .seen = ('2024/01/18 00:00:00.000', '2024/01/18 00:00:00.001')
        :fqdn = synapse.docs.vertex.link
        :ipv4 = 188.114.98.229
inet:dns:a=('synapse.docs.vertex.link', '188.114.99.229')
        .created = 2024/04/30 19:13:29.070
        .seen = ('2024/01/18 00:00:00.000', '2024/01/18 00:00:00.001')
        :fqdn = synapse.docs.vertex.link
        :ipv4 = 188.114.99.229
inet:dns:a=('opticexample.aws.vertex.link', '34.238.200.34')
        .created = 2024/04/30 19:13:29.212
        .seen = ('2024/01/18 00:00:00.000', '2024/01/18 00:00:00.001')
        :fqdn = opticexample.aws.vertex.link
        :ipv4 = 34.238.200.34
inet:dns:a=('opticexample.aws.vertex.link', '3.217.213.111')
        .created = 2024/04/30 19:13:29.324
        .seen = ('2024/01/18 00:00:00.000', '2024/01/18 00:00:00.001')
        :fqdn = opticexample.aws.vertex.link
        :ipv4 = 3.217.213.111
inet:dns:a=('_.demo03.optic.vertex.link', '167.99.21.119')
        .created = 2024/04/30 19:13:29.434
        .seen = ('2024/01/16 00:00:00.000', '2024/01/16 00:00:00.001')
        :fqdn = _.demo03.optic.vertex.link
        :ipv4 = 167.99.21.119
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2024/04/30 19:13:29.547
        .seen = ('2021/10/15 22:51:42.000', '2023/07/27 14:12:15.000')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9

Use of meta:source nodes

Synapse-HYAS uses a meta:source node and -(seen)> light weight edges to track nodes observed from the HYAS API.

> meta:source=7f0be4d00150f471348b7be1a413322b
meta:source=7f0be4d00150f471348b7be1a413322b
        .created = 2024/04/30 19:13:28.894
        :name = hyas api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-HYAS. The following example shows how to filter the results of a query to include only results observed by Synapse-HYAS:

> inet:asn:name^=cloudflare -> inet:ipv4 +{ <(seen)- meta:source=7f0be4d00150f471348b7be1a413322b }
inet:ipv4=188.114.99.229
        .created = 2024/04/30 19:13:29.070
        :asn = 13335
        :latlong = 37.7621,-122.3971
        :type = unicast
inet:ipv4=188.114.98.229
        .created = 2024/04/30 19:13:28.958
        :asn = 13335
        :latlong = 37.7621,-122.3971
        :type = unicast