User Guide
Synapse-SpyCloud User Guide
Synapse-Spycloud adds additional Storm commands for querying the Spycloud API using your existing API key to retrieve breach records and compromised accounts. For more information on how SpyCloud models breach data see SpyCloud Data Schema.
Getting Started
Check with your Global Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set-up a personal API key, for the consumer API endpoint:
> spycloud.setup.consumer.key --self myapikey
Setting SpyCloud Consumer API key for the current user.
To set-up a personal API key, for the investigations API endpoint:
> spycloud.setup.investigative.key --self myapikey
Setting SpyCloud Investigative API key for the current user.
Enrich an inet:user to discover compromised credentials
> inet:user=cb2d@la | spycloud.investigations --yield
it:account=2d4e339ad0a3cd39a9c317a687279968
.created = 2026/06/12 20:50:12.919
.seen = ('2021/03/25 00:00:00.000', '2021/03/25 00:00:00.001')
:contact = 7eefea44247c7174d1b49d7ba42a701e
:user = cb2d@la
You may also use the yielded it:account nodes in subsequent storm operations. For example, you
may pivot directly to the compromised credentials for the yielded results:
> inet:user=cb2d@la | spycloud.investigations --yield | -> auth:creds
WARNING: queryInvestigations HTTP: 403 $lib.null
Once the command has completed, the results from the SpyCloud Investigations API have been fused with the
rest of your existing knowledge about the inet:user. Subsequent queries will allow you to explore that
knowledge holistically, for example:
> inet:user=cb2d@la -> it:account -> auth:creds
auth:creds=540c68c88c2323b0bfd0fd6b7a3eb595
.created = 2026/06/12 20:50:12.918
.seen = ('2021/03/25 00:00:00.000', '2021/03/25 00:00:00.001')
:account = 2d4e339ad0a3cd39a9c317a687279968
:passwd = a937
:user = cb2d@la
The spycloud.investigations command may add additional nodes such as it:host and it:fs:file when
context is available, all of which are automatically linked to the it:account node.
Additional input forms
In addition to the forms shown above, spycloud.investigations accepts the following input forms:
econ:bank:account, econ:pay:pan, gov:us:ssn, hash:sha256, it:host,
ou:id:number, and transport:land:license.
For forms that use a secondary property as the lookup value, the property is extracted automatically. Three forms apply preprocessing before querying:
Credit card PANs are SHA1-hashed before the API call:
econ:pay:pan=4111111111111111 | spycloud.investigations --yield
SSNs are zero-padded to nine digits and SHA1-hashed before the API call:
gov:us:ssn=123456789 | spycloud.investigations --yield
For ou:id:number, the endpoint (National ID or Passport) is determined by the
ou:id:type:name property of the associated type node. Pivot from the type node
by name to enrich all IDs of that type:
ou:id:type +:name=passport -> ou:id:number | spycloud.investigations --yield
ou:id:type +:name="national-id" -> ou:id:number | spycloud.investigations --yield
The it:host form queries by infected machine ID using the :ext:id property:
it:host:ext:id=<machine-id> | spycloud.investigations --yield
Use of meta:source nodes
Synapse-Spycloud uses a meta:source node and -(seen)> light
edges to track nodes observed from the SpyCloud API.
> meta:source=bcc6912a4688db874a0eaf78cfee212c
meta:source=bcc6912a4688db874a0eaf78cfee212c
.created = 2026/06/12 20:50:12.788
:name = spycloud api
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-SpyCloud. The following example shows how to filter the results of a query to include only results observed by Synapse-SpyCloud:
> inet:user=cb2d@la -> it:account +{ <(seen)- meta:source=bcc6912a4688db874a0eaf78cfee212c }
it:account=2d4e339ad0a3cd39a9c317a687279968
.created = 2026/06/12 20:50:12.919
.seen = ('2021/03/25 00:00:00.000', '2021/03/25 00:00:00.001')
:contact = 7eefea44247c7174d1b49d7ba42a701e
:user = cb2d@la