User Guide
Synapse-SpyCloud User Guide
Synapse-Spycloud adds additional Storm commands for querying the Spycloud API using your existing API key to retrieve breach records and compromised accounts. For more information on how SpyCloud models breach data see SpyCloud Data Schema.
Getting Started
Check with your Global Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set-up a personal API key, for the consumer
API endpoint:
> spycloud.setup.consumer.key --self myapikey
Setting SpyCloud Consumer API key for the current user.
To set-up a personal API key, for the investigations
API endpoint:
> spycloud.setup.investigative.key --self myapikey
Setting SpyCloud Investigative API key for the current user.
Enrich an inet:user
to discover compromised credentials
> inet:user=cb2d@la | spycloud.investigations --yield
it:account=2d4e339ad0a3cd39a9c317a687279968
.created = 2024/12/20 18:15:38.784
.seen = ('2021/03/25 00:00:00.000', '2021/03/25 00:00:00.001')
:contact = 7eefea44247c7174d1b49d7ba42a701e
:user = cb2d@la
You may also use the yielded it:account
nodes in subsequent storm operations. For example, you
may pivot directly to the compromised credentials for the yielded results:
> inet:user=cb2d@la | spycloud.investigations --yield | -> auth:creds
WARNING: queryInvestigations HTTP: 403 $lib.null
Once the command has completed, the results from the SpyCloud Investigations API have been fused with the
rest of your existing knowledge about the inet:user
. Subsequent queries will allow you to explore that
knowledge holistically, for example:
> inet:user=cb2d@la -> it:account -> auth:creds
auth:creds=540c68c88c2323b0bfd0fd6b7a3eb595
.created = 2024/12/20 18:15:38.783
.seen = ('2021/03/25 00:00:00.000', '2021/03/25 00:00:00.001')
:account = 2d4e339ad0a3cd39a9c317a687279968
:passwd = a937
:user = cb2d@la
The spycloud.investigations
command may add additional nodes such as it:host
and it:fs:file
when
context is available, all of which are automatically linked to the it:account
node.
Use of meta:source
nodes
Synapse-Spycloud uses a meta:source
node and -(seen)>
light
edges to track nodes observed from the SpyCloud API.
> meta:source=bcc6912a4688db874a0eaf78cfee212c
meta:source=bcc6912a4688db874a0eaf78cfee212c
.created = 2024/12/20 18:15:38.163
:name = spycloud api
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-SpyCloud. The following example shows how to filter the results of a query to include only results observed by Synapse-SpyCloud:
> inet:user=cb2d@la -> it:account +{ <(seen)- meta:source=bcc6912a4688db874a0eaf78cfee212c }
it:account=2d4e339ad0a3cd39a9c317a687279968
.created = 2024/12/20 18:15:38.784
.seen = ('2021/03/25 00:00:00.000', '2021/03/25 00:00:00.001')
:contact = 7eefea44247c7174d1b49d7ba42a701e
:user = cb2d@la