User Guide

Synapse-TeamCymru User Guide

Synapse-TeamCymru adds new Storm commands to allow you to query the Team-Cymru API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> teamcymru.recon.setup.apikey --self myapikey
Setting Team-Cymru RECON API key for the current user.

Use the Team-Cymru Pure-Signal Recon API to query and ingest flows

> [ inet:ipv4=1.2.3.4 ] | teamcymru.recon.flows --size 2 --yield
inet:flow=a58fa94b0c4584d371a21c5fd70d9da3
        .created = 2024/11/19 21:30:01.947
        :dst:ipv4 = 1.2.3.4
        :dst:port = 53
        :ip:proto = 17
        :ip:tcp:flags = 0
        :src:ipv4 = 45.175.114.245
        :src:port = 7196
        :time = 2023/06/07 10:14:07.000
        :tot:txbytes = 65
        :tot:txcount = 1
inet:flow=c125afa60a1e1a75208a95ffd1e37758
        .created = 2024/11/19 21:30:02.011
        :dst:ipv4 = 1.2.3.4
        :dst:port = 53
        :ip:proto = 17
        :ip:tcp:flags = 0
        :src:ipv4 = 168.228.179.214
        :src:port = 54552
        :time = 2023/06/07 10:33:39.000
        :tot:txbytes = 63
        :tot:txcount = 1

Use the Team-Cymru Pure-Signal Recon API to query and ingest PDNS data

> [ inet:fqdn=vertex.link ] | teamcymru.recon.pdns --size 2 --yield
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2024/11/19 21:30:06.165
        .seen = ('2023/06/05 12:18:25.000', '2023/06/05 12:18:25.001')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2024/11/19 21:30:06.165
        .seen = ('2023/06/05 12:18:25.000', '2023/06/06 20:09:24.001')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9
inet:dns:ns=('vertex.link', 'pdns2.registrar-servers.com')
        .created = 2024/11/19 21:30:09.450
        .seen = ('2023/06/07 15:08:42.000', '2023/06/07 15:08:42.001')
        :ns = pdns2.registrar-servers.com
        :zone = vertex.link
inet:dns:ns=('vertex.link', 'pdns1.registrar-servers.com')
        .created = 2024/11/19 21:30:09.525
        .seen = ('2023/06/07 15:08:42.000', '2023/06/07 15:08:42.001')
        :ns = pdns1.registrar-servers.com
        :zone = vertex.link

Use of meta:source nodes

Synapse-TeamCymru uses a meta:source node and -(seen)> light weight edges to track nodes observed from the TeamCymru API.

> meta:source=a4cd0e75c23bdf6beec9bb57e014dd51
meta:source=a4cd0e75c23bdf6beec9bb57e014dd51
        .created = 2024/11/19 21:29:58.424
        :name = teamcymru api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-TeamCymru. The following example shows how to filter the results of a query to include only results observed by Synapse-TeamCymru:

> inet:fqdn=vertex.link -> inet:dns:a +{ <(seen)- meta:source=a4cd0e75c23bdf6beec9bb57e014dd51 }
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2024/11/19 21:30:06.165
        .seen = ('2023/06/05 12:18:25.000', '2023/06/06 20:09:24.001')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9