User Guide

Synapse-SpyCloud User Guide

Synapse-Spycloud adds additional Storm commands for querying the Spycloud API using your existing API key to retrieve breach records and compromised accounts. For more information on how SpyCloud models breach data see SpyCloud Data Schema.

Getting Started

Check with your Global Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal API key, for the consumer API endpoint:

> spycloud.setup.consumer.key --self myapikey
Setting SpyCloud Consumer API key for the current user.

To set-up a personal API key, for the investigations API endpoint:

> spycloud.setup.investigative.key --self myapikey
Setting SpyCloud Investigative API key for the current user.

Enrich an inet:user to discover compromised credentials

> inet:user=cb2d@la | spycloud.investigations --yield
it:account=2d4e339ad0a3cd39a9c317a687279968
        .created = 2024/04/26 16:07:12.004
        .seen = ('2021/03/25 00:00:00.000', '2021/03/25 00:00:00.001')
        :contact = 7eefea44247c7174d1b49d7ba42a701e
        :user = cb2d@la

You may also use the yielded it:account nodes in subsequent storm operations. For example, you may pivot directly to the compromised credentials for the yielded results:

> inet:user=cb2d@la | spycloud.investigations --yield | -> auth:creds
WARNING: queryInvestigations HTTP: 403 $lib.null

Once the command has completed, the results from the SpyCloud Investigations API have been fused with the rest of your existing knowledge about the inet:user. Subsequent queries will allow you to explore that knowledge holistically, for example:

> inet:user=cb2d@la -> it:account -> auth:creds
auth:creds=a719962b5d03d7965e18188966a35bb1
        .created = 2024/04/26 16:07:11.976
        .seen = ('2021/03/25 00:00:00.000', '2021/03/25 00:00:00.001')
        :account = 2d4e339ad0a3cd39a9c317a687279968
        :passwd = a937
        :user = cb2d@la

The spycloud.investigations command may add additional nodes such as it:host and it:fs:file when context is available, all of which are automatically linked to the it:account node.

Use of meta:source nodes

Synapse-Spycloud uses a meta:source node and -(seen)> light edges to track nodes observed from the SpyCloud API.

> meta:source=bcc6912a4688db874a0eaf78cfee212c
meta:source=bcc6912a4688db874a0eaf78cfee212c
        .created = 2024/04/26 16:07:11.765
        :name = spycloud api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-SpyCloud. The following example shows how to filter the results of a query to include only results observed by Synapse-SpyCloud:

> inet:user=cb2d@la -> it:account +{ <(seen)- meta:source=bcc6912a4688db874a0eaf78cfee212c }
it:account=2d4e339ad0a3cd39a9c317a687279968
        .created = 2024/04/26 16:07:12.004
        .seen = ('2021/03/25 00:00:00.000', '2021/03/25 00:00:00.001')
        :contact = 7eefea44247c7174d1b49d7ba42a701e
        :user = cb2d@la