Package Documentation

Storm Package: synapse-spycloud

The following Commands are available from this package. This documentation is generated for version 1.5.1 of the package.

Storm Commands

This package implements the following Storm Commands.

spycloud.consumer.ato

Enrich nodes with SpyCloud Consumer ATO Prevention breach data.

This command queries the SpyCloud Consumer ATO Prevention API to retrieve breach
records. Queries can be performed by email address, username, or IP address, which
can be provided by a relevant inbound node.

The results of the query are used to create it:account and ps:contact nodes and,
depending on the data available in the breach record, an auth:creds node linking the
it:account to inet:passwd or it:auth:passwdhash nodes.

If infected user data is present, it:host, it:fs:file, it:exec:url, it:logon, and auth:access nodes
may also be created to represent the infected user assets.

Examples:

    // Use inbound inet:ipv4 node to search
    inet:ipv4=1.2.3.4 | spycloud.consumer.ato

    // Use inbound inet:ipv4 node to search and yield resulting it:account nodes
    inet:ipv4=1.2.3.4 | spycloud.consumer.ato --yield

    // Use inbound inet:ipv4 node to search and filter by severity
    inet:ipv4=1.2.3.4 | spycloud.consumer.ato --severity 20,25

    // Use inbound inet:ipv4 node to search and filter by severity using a list
    $sevs = (20, 25) inet:ipv4=1.2.3.4 | spycloud.consumer.ato --severity $sevs


Usage: spycloud.consumer.ato [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Output debug messages.
  --since <since>             : Starting point for a date range query on the spycloud_publish_date field. (default: None)
  --until <until>             : Ending point for a date range query on the spycloud_publish_date field. (default: None)
  --severity <severity>       : Filter results based on one or more severity codes. (default: None)
  --source-id <source_id>     : Filter results based on a particular breach source. (default: None)
  --yield                     : Yield the newly created nodes.
  --size <size>               : Limit the number of results ingested to the given size (per-node).

spycloud.investigations

Enrich nodes with SpyCloud Investigations v2 breach data.

This command queries the SpyCloud Investigations v2 API to retrieve breach records.
Queries can be performed by domain, email address, username, IP address, password
or phone number, which can be provided by a relevant inbound node.

The results of the query are used to create it:account and ps:contact nodes and,
depending on the data available in the breach record, an auth:creds node linking the
it:account to inet:passwd or it:auth:passwdhash nodes.

If infected user data is present, it:host, it:fs:file, it:exec:url, it:logon, and auth:access nodes
may also be created to represent the infected user assets.

Examples:

    // Use inbound inet:ipv4 node to search
    inet:ipv4=1.2.3.4 | spycloud.investigations

    // Use inbound inet:ipv4 node to search and yield resulting it:account nodes
    inet:ipv4=1.2.3.4 | spycloud.investigations --yield

    // Use inbound inet:ipv4 node to search and filter by severity
    inet:ipv4=1.2.3.4 | spycloud.investigations --severity 20,25

    // Use inbound inet:ipv4 node to search and filter by severity using a list
    $sevs = (20, 25) inet:ipv4=1.2.3.4 | spycloud.investigations --severity $sevs


Usage: spycloud.investigations [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Output debug messages.
  --since <since>             : Starting point for a date range query on the spycloud_publish_date field. (default: None)
  --until <until>             : Ending point for a date range query on the spycloud_publish_date field. (default: None)
  --severity <severity>       : Filter results based on one or more severity codes. (default: None)
  --source-id <source_id>     : Filter results based on a particular breach source. (default: None)
  --salt <salt>               : Provide a dynamic salt to use if hashing result assets is enabled for your API key. (default: None)
  --type <type>               : Filter results by type. Valid values are 'corporate' and 'infected'. Only applies to domain queries. (default: None)
  --fuzzy                     : Use fuzzy matching when searching. Only applies to username and password queries.
  --yield                     : Yield the newly created nodes.
  --size <size>               : Limit the number of results ingested to the given size (per-node).

spycloud.setup.consumer.key

Set the SpyCloud Consumer API key.


Usage: spycloud.setup.consumer.key [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set the key as a user variable. If not used, the key is set globally.

Arguments:

  <apikey>                    : The SpyCloud Consumer API key string.

spycloud.setup.investigative.key

Set the SpyCloud Investigative API key.


Usage: spycloud.setup.investigative.key [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set the key as a user variable. If not used, the key is set globally.

Arguments:

  <apikey>                    : The SpyCloud Investigative API key string.

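The following is an added example, not taken from the package documentation, that chains the commands above: it stores the Investigative API key, runs a date- and severity-filtered query, and pivots from the yielded it:account nodes to the credential nodes the command created. The API key, domain and email address are constructed placeholders, the --since/--until values assume the options accept ISO-8601 date strings, and the pivots assume the standard Synapse model in which auth:creds carries :account, :passwd and :passwdhash properties.

```storm
// Added example (not part of the synapse-spycloud package docs).
// Placeholders: SPYCLOUD_KEY_PLACEHOLDER, example.com and victim@example.com are constructed.

// 1. Store the Investigative API key for the current user only. Without --self
//    the key is set globally for every user of the Cortex.
spycloud.setup.investigative.key --self SPYCLOUD_KEY_PLACEHOLDER

// 2. Domain query restricted to corporate records (--type only applies to domain
//    queries), ingesting at most 50 records for this node. Assumes ISO-8601 dates
//    are accepted by --since/--until.
inet:fqdn=example.com
| spycloud.investigations --type corporate --since 2024-01-01 --until 2024-06-30 --size 50

// 3. Email query keeping only severity codes 20 and 25, yielding the created
//    it:account nodes instead of the inbound inet:email node. The pipe after
//    --yield is required so the pivot is not read as a command argument.
$sevs = (20, 25)
inet:email=victim@example.com
| spycloud.investigations --severity $sevs --yield
// From each it:account, pivot to its auth:creds node (assumed :account property),
// keep only creds that carry a plaintext password, and pivot to the inet:passwd node.
| -> auth:creds +:passwd -> inet:passwd

// 4. Same walk, but for records that only exposed a hash (assumed :passwdhash property).
inet:email=victim@example.com
| spycloud.investigations --severity $sevs --yield
| -> auth:creds -:passwd +:passwdhash -> it:auth:passwdhash
```
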
Storm Modules

This package does not export any Storm APIs.