Package Documentation
Storm Package: synapse-spycloud
The following Commands are available from this package. This documentation is generated for version 1.7.0 of the package.
Storm Commands
This package implements the following Storm Commands.
spycloud.consumer.ato
Enrich nodes with SpyCloud Consumer ATO Prevention breach data.
This command queries the SpyCloud Consumer ATO Prevention API to retrieve breach
records. Queries can be performed by email address, username, or IP address, which
can be provided by a relevant inbound node.
The results of the query are used to create it:account and ps:contact nodes and, depending on
the data available in the breach record, an auth:creds node linking the it:account to
inet:passwd or it:auth:passwdhash nodes.
If infected user data is present, it:host, it:fs:file, it:exec:url, it:logon, and auth:access nodes
may also be created to represent the infected user assets.
This command will create an it:exec:query node to represent the query syntax,
with a -(refs)> edge to the node that was enriched and -(found)> edges to results.
Examples:
// Use inbound inet:ipv4 node to search
inet:ipv4=1.2.3.4 | spycloud.consumer.ato
// Use inbound inet:ipv4 node to search and yield resulting it:account nodes
inet:ipv4=1.2.3.4 | spycloud.consumer.ato --yield
// Use inbound inet:ipv4 node to search and filter by severity
inet:ipv4=1.2.3.4 | spycloud.consumer.ato --severity 20,25
// Use inbound inet:ipv4 node to search and filter by severity using a list
$sevs = (20, 25) inet:ipv4=1.2.3.4 | spycloud.consumer.ato --severity $sevs
Usage: spycloud.consumer.ato [options]
Options:
--help : Display the command usage.
--debug : Output debug messages.
--since <since> : Starting point for a date range query on the spycloud_publish_date field. (default: None)
--until <until> : Ending point for a date range query on the spycloud_publish_date field. (default: None)
--severity <severity> : Filter results based on one or more severity codes. (default: None)
--source-id <source_id> : Filter results based on a particular breach source. (default: None)
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
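As an added worked example (not part of the package's own documentation), the following Storm queries enrich an email address with Consumer ATO data and then use the it:exec:query node and its -(refs)> and -(found)> edges, described above, to review what the enrichment produced. The email address and the severity values are constructed placeholders, and the pivots assume the standard Synapse model in which auth:creds:passwd is an inet:passwd; each line is a separate Storm query.

```storm
// Enrich a constructed inbound inet:email with Consumer ATO breach records, keeping only
// records with severity 20 or 25. Without --yield the inbound node itself is yielded.
inet:email=victim@example.com | spycloud.consumer.ato --severity 20,25

// Walk back from the enriched node to the it:exec:query the command recorded, then forward
// over its -(found)> edges to every node that query produced.
inet:email=victim@example.com <(refs)- it:exec:query -(found)> *

// Narrow the results to credential nodes and pivot to the plaintext passwords exposed
// for the account (auth:creds:passwd is an inet:passwd in the standard model).
inet:email=victim@example.com <(refs)- it:exec:query -(found)> auth:creds -> inet:passwd

// Same query, but for credentials that only surfaced as hashes.
inet:email=victim@example.com <(refs)- it:exec:query -(found)> auth:creds -> it:auth:passwdhash

// Use --yield to work on the newly created nodes directly and keep only the infected-user
// hosts, then pivot to the it:logon records attached to each host.
inet:email=victim@example.com | spycloud.consumer.ato --yield | +it:host | -> it:logon
```

The -(found)> walk is the more durable way to revisit an enrichment later, since the it:exec:query node persists after the command has run, whereas --yield only exposes the nodes created by the current invocation.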
spycloud.investigations
Enrich nodes with SpyCloud Investigations v2 breach data.
This command queries the SpyCloud Investigations v2 API to retrieve breach records.
Queries can be performed by domain, email address, username, IP address, password
or phone number, which can be provided by a relevant inbound node.
The results of the query are used to create it:account and ps:contact nodes and, depending on
the data available in the breach record, an auth:creds node linking the it:account to
inet:passwd or it:auth:passwdhash nodes.
If infected user data is present, it:host, it:fs:file, it:exec:url, it:logon, and auth:access nodes
may also be created to represent the infected user assets.
This command will create an it:exec:query node to represent the query syntax,
with a -(refs)> edge to the node that was enriched and -(found)> edges to results.
Examples:
// Use inbound inet:ipv4 node to search
inet:ipv4=1.2.3.4 | spycloud.investigations
// Use inbound inet:ipv4 node to search and yield resulting it:account nodes
inet:ipv4=1.2.3.4 | spycloud.investigations --yield
// Use inbound inet:ipv4 node to search and filter by severity
inet:ipv4=1.2.3.4 | spycloud.investigations --severity 20,25
// Use inbound inet:ipv4 node to search and filter by severity using a list
$sevs = (20, 25) inet:ipv4=1.2.3.4 | spycloud.investigations --severity $sevs
Usage: spycloud.investigations [options]
Options:
--help : Display the command usage.
--debug : Output debug messages.
--since <since> : Starting point for a date range query on the spycloud_publish_date field. (default: None)
--until <until> : Ending point for a date range query on the spycloud_publish_date field. (default: None)
--severity <severity> : Filter results based on one or more severity codes. (default: None)
--source-id <source_id> : Filter results based on a particular breach source. (default: None)
--salt <salt> : Provide a dynamic salt to use if hashing result assets is enabled for your API key. (default: None)
--type <type> : Filter results by type. Valid values are 'corporate' and 'infected'. Only applies to domain queries. (default: None)
--fuzzy : Use fuzzy matching when searching. Only applies to username and password queries.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
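As an added example (not part of the package's own documentation), the following Storm queries exercise the options that are specific to spycloud.investigations: a domain query restricted with --type, a per-node --size limit, and --fuzzy matching on a username query. The domain, username and size value are constructed placeholders; each line is a separate Storm query.

```storm
// Query Investigations v2 by domain for a constructed inet:fqdn, keeping only
// infected-user records (--type only applies to domain queries) and ingesting
// at most 50 results for this node.
inet:fqdn=example.com | spycloud.investigations --type infected --size 50

// Re-run with --yield to operate on the created nodes: keep the infected hosts
// and pivot to the it:exec:url nodes recorded for each host.
inet:fqdn=example.com | spycloud.investigations --type infected --yield | +it:host | -> it:exec:url

// Corporate records for the same domain, yielding the accounts that were exposed.
inet:fqdn=example.com | spycloud.investigations --type corporate --yield | +it:account

// Username query with fuzzy matching (--fuzzy only applies to username and
// password queries), keeping the credential nodes that were created.
inet:user=jsmith | spycloud.investigations --fuzzy --yield | +auth:creds
```

When --yield is combined with a form filter such as +it:host, the remaining nodes are only those the current invocation created; the it:exec:query node and its -(found)> edges remain available for revisiting the same results later without re-querying the API.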
spycloud.setup.consumer.key
Set the SpyCloud Consumer API key.
Usage: spycloud.setup.consumer.key [options] <apikey>
Options:
--help : Display the command usage.
--self : Set the key as a user variable. If not used, the key is set globally.
Arguments:
<apikey> : The SpyCloud Consumer API key string.
spycloud.setup.investigative.key
Set the SpyCloud Investigative API key.
Usage: spycloud.setup.investigative.key [options] <apikey>
Options:
--help : Display the command usage.
--self : Set the key as a user variable. If not used, the key is set globally.
Arguments:
<apikey> : The SpyCloud Investigative API key string.
Storm Modules
This package does not export any Storm APIs.