User Guide

Synapse-TeamCymru User Guide

Synapse-TeamCymru adds new Storm commands to allow you to query the Team Cymru API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> teamcymru.recon.setup.apikey --self myapikey
Setting Team Cymru RECON API key for the current user.

Use the Team Cymru Pure-Signal Recon API to query and ingest flows

> [ inet:ipv4=1.2.3.4 ] | teamcymru.recon.flows --size 2 --yield
inet:flow=a58fa94b0c4584d371a21c5fd70d9da3
        .created = 2025/03/31 20:23:11.651
        :dst:ipv4 = 1.2.3.4
        :dst:port = 53
        :ip:proto = 17
        :ip:tcp:flags = 0
        :src:ipv4 = 45.175.114.245
        :src:port = 7196
        :time = 2023/06/07 10:14:07.000
        :tot:txbytes = 65
        :tot:txcount = 1
inet:flow=c125afa60a1e1a75208a95ffd1e37758
        .created = 2025/03/31 20:23:11.696
        :dst:ipv4 = 1.2.3.4
        :dst:port = 53
        :ip:proto = 17
        :ip:tcp:flags = 0
        :src:ipv4 = 168.228.179.214
        :src:port = 54552
        :time = 2023/06/07 10:33:39.000
        :tot:txbytes = 63
        :tot:txcount = 1

Use the Team Cymru Pure-Signal Recon API to query and ingest PDNS data

> [ inet:fqdn=vertex.link ] | teamcymru.recon.pdns --size 2 --yield
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2025/03/31 20:23:14.634
        .seen = ('2023/06/05 12:18:25.000', '2023/06/05 12:18:25.001')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2025/03/31 20:23:14.634
        .seen = ('2023/06/05 12:18:25.000', '2023/06/06 20:09:24.001')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9
inet:dns:ns=('vertex.link', 'pdns2.registrar-servers.com')
        .created = 2025/03/31 20:23:17.163
        .seen = ('2023/06/07 15:08:42.000', '2023/06/07 15:08:42.001')
        :ns = pdns2.registrar-servers.com
        :zone = vertex.link
inet:dns:ns=('vertex.link', 'pdns1.registrar-servers.com')
        .created = 2025/03/31 20:23:17.221
        .seen = ('2023/06/07 15:08:42.000', '2023/06/07 15:08:42.001')
        :ns = pdns1.registrar-servers.com
        :zone = vertex.link

Query the Team Cymru Scout API for information about an IP address

> [ inet:ipv6=2a05:d014:9da:8c10:306e:3e07:a16f:a552 ] | teamcymru.scout.details --yield --size 3 --timebox 2025-02-06,2025-02-20 --sections (summary,comms:client_server,pdns,x509,fingerprints,whois)
inet:ipv6=2a05:d014:9da:8c10:306e:3e07:a16f:a552
        .created = 2025/03/31 20:23:17.346
        :asn = 16509
        :loc = ie
        :scope = global
        :type = unicast
        #rep.teamcymru.cloud.amazon.ec2
        #rep.teamcymru.cloud.amazon.eu_central
        #rep.teamcymru.insight.no_rating
meta:note=c5e311a29fb4e7502bc00fe9dd5c3b35
        .created = 2025/03/31 20:23:17.676
        :created = 2025/03/31 20:23:17.676
        :text = 2a05:d014:9da:8c10:306e:3e07:a16f:a552 has been identified as an AWS EC2 cloud IP address (EU Central). A cloud service typically provides on-demand computing resources.
        :type = teamcymru.no_rating
inet:dns:aaaa=('dan.hosting', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
        .created = 2025/03/31 20:23:17.789
        .seen = ('2025/02/06 00:00:00.000', '2025/02/20 00:00:00.001')
        :fqdn = dan.hosting
        :ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('oneproxy.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
        .created = 2025/03/31 20:23:17.806
        .seen = ('2025/02/06 00:00:00.000', '2025/02/20 00:00:00.001')
        :fqdn = oneproxy.com
        :ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('landlordtech.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
        .created = 2025/03/31 20:23:17.822
        .seen = ('2025/02/07 00:00:00.000', '2025/02/20 00:00:00.001')
        :fqdn = landlordtech.com
        :ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('fvez.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
        .created = 2025/03/31 20:23:17.838
        .seen = ('2025/02/06 00:00:00.000', '2025/02/20 00:00:00.001')
        :fqdn = fvez.com
        :ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('landlordrescue.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
        .created = 2025/03/31 20:23:17.853
        .seen = ('2025/02/06 00:00:00.000', '2025/02/20 00:00:00.001')
        :fqdn = landlordrescue.com
        :ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:whois:iprec=648ada16ab22f16c51bdf69a9c61caa4
        .created = 2025/03/31 20:23:17.876
        :asn = 16509
        :asof = 2023/05/23 00:00:00.000
        :contacts = ['17ac2dcc002fe7c4a920ad36ac5855c8', '70cb9aca061bb4c1a4e72d3812fbf707', 'b6ccf480de5cb17f29feebefa31ae178']
        :country = eu
        :desc =
        :id =
        :name = EC2-AGGREGATE
        :net6 = ('2a05:d010::', '2a05:d01f:ffff:ffff:ffff:ffff:ffff:ffff')
        :net6:max = 2a05:d01f:ffff:ffff:ffff:ffff:ffff:ffff
        :net6:min = 2a05:d010::
        :updated = 2023/05/23 00:00:00.000
inet:dns:aaaa=('fnhe.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
        .created = 2025/03/31 20:23:18.050
        .seen = ('2025/02/07 00:00:00.000', '2025/02/20 00:00:00.001')
        :fqdn = fnhe.com
        :ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('icvv.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
        .created = 2025/03/31 20:23:18.065
        .seen = ('2025/02/09 00:00:00.000', '2025/02/15 00:00:00.001')
        :fqdn = icvv.com
        :ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('www.socium.net', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
        .created = 2025/03/31 20:23:18.081
        .seen = ('2025/02/14 00:00:00.000', '2025/02/14 00:00:00.001')
        :fqdn = www.socium.net
        :ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:flow=4fccaf8627b701a9182f0a705f207ae1
        .created = 2025/03/31 20:23:18.135
        .seen = ('2025/02/18 00:00:00.000', '2025/02/18 00:00:00.001')
        :_teamcymru:count = 1
        :dst:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
        :dst:port = 465
        :src:ipv6 = 2804:6ab0:0:1:0:8:5112:d286
        :src:port = 54795
        :src:proto = tcp
        :time = 2025/02/18 00:00:00.000
inet:flow=8dac3b550e40a0cd30ec0794c75cafeb
        .created = 2025/03/31 20:23:18.216
        .seen = ('2025/02/14 00:00:00.000', '2025/02/14 00:00:00.001')
        :_teamcymru:count = 1
        :dst:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
        :dst:port = 443
        :src:ipv6 = 2400:cb00:81:1000:e3f:852b:6c95:208f
        :src:port = 15644
        :src:proto = tcp
        :time = 2025/02/14 00:00:00.000

Query the Team Cymru Foundation API for information about IP address(es) that show up in alerts

> [(inet:ipv4=123.49.56.253) (inet:ipv6=2001:67c:4e8:1033:5:100:0:a)] | teamcymru.scout.foundation --yield
meta:note=21d49f9f9c2191754780037567387730
        .created = 2025/03/31 20:23:18.516
        :created = 2025/03/31 20:23:18.516
        :text = 123.49.56.253 has been identified as a Windows Share Scanner, scanning for associated services.
        :type = teamcymru.suspicious
meta:note=5a82304d146ce1e935f27b9782c769f5
        .created = 2025/03/31 20:23:18.525
        :created = 2025/03/31 20:23:18.525
        :text = 123.49.56.253 has been identified as VPN. These IPs are either identified as anonymization services or they could also be IP addresses providing remote access to a network.
        :type = teamcymru.no_rating
inet:ipv4=123.49.56.253
        .created = 2025/03/31 20:23:18.263
        :asn = 45607
        :loc = bd
        :type = unicast
        #rep.teamcymru.insight.suspicious
        #rep.teamcymru.scanner.winshare_scanner
        #rep.teamcymru.vpn.l2tp
        #rep.teamcymru.vpn.softether
inet:ipv6=2001:67c:4e8:1033:5:100:0:a
        .created = 2025/03/31 20:23:18.351
        :asn = 62041
        :loc = vg
        :scope = global
        :type = unicast
        #rep.teamcymru.insight.no_rating

Search the Team Cymru API for IP addresses via a query string

> $query = 'pdns.domain="*.gwadlup.fr"' teamcymru.scout.search $query  --size 5 --yield --debug --timebox 2025-02-01,2025-02-28
inet:dns:a=('ulysse.gwadlup.fr', '185.10.19.220')
        .created = 2025/03/31 20:23:18.912
        :fqdn = ulysse.gwadlup.fr
        :ipv4 = 185.10.19.220
inet:dns:a=('j2iits.com', '185.10.19.220')
        .created = 2025/03/31 20:23:18.940
        :fqdn = j2iits.com
        :ipv4 = 185.10.19.220
inet:dns:a=('gwadlup.com', '185.10.19.220')
        .created = 2025/03/31 20:23:18.962
        :fqdn = gwadlup.com
        :ipv4 = 185.10.19.220
inet:dns:a=('j2iits.fr', '185.10.19.220')
        .created = 2025/03/31 20:23:18.983
        :fqdn = j2iits.fr
        :ipv4 = 185.10.19.220
inet:dns:a=('gwadlup.fr', '185.10.19.220')
        .created = 2025/03/31 20:23:19.005
        :fqdn = gwadlup.fr
        :ipv4 = 185.10.19.220
WARNING: Skipping unsupported fingerprint: {'ip': '185.10.19.220', 'type': 'ja4x', 'signature': 'a373a9f83c6b_7022c563de38_821a8ec155c6', 'event_count': 20}
inet:flow=99b91940b616a74020eb2f1181f2adeb
        .created = 2025/03/31 20:23:19.021
        :_teamcymru:count = 204654
        :dst:ipv4 = 185.10.19.220
        :src:ipv4 = 204.16.174.145
inet:flow=841c094d053900100bd92cd3065b194b
        .created = 2025/03/31 20:23:19.030
        :_teamcymru:count = 46
        :dst:ipv4 = 185.10.19.220
        :src:ipv4 = 130.59.31.41
inet:flow=0b7a71d617dbdec5b0e46a0ec62a62e4
        .created = 2025/03/31 20:23:19.039
        :_teamcymru:count = 46
        :dst:ipv4 = 185.10.19.220
        :src:ipv4 = 130.59.31.43
inet:flow=bc712a2c863f6c1719e3121cff666a10
        .created = 2025/03/31 20:23:19.048
        :_teamcymru:count = 29
        :dst:ipv4 = 185.10.19.220
        :src:ipv4 = 204.188.228.247
inet:flow=5af594e45955a7682ce2fe648f81b029
        .created = 2025/03/31 20:23:19.057
        :_teamcymru:count = 27
        :dst:ipv4 = 185.10.19.220
        :src:ipv4 = 204.188.228.70
inet:server=tcp://185.10.19.220:80
        .created = 2025/03/31 20:23:19.074
        :ipv4 = 185.10.19.220
        :port = 80
        :proto = tcp
inet:server=tcp://185.10.19.220:5357
        .created = 2025/03/31 20:23:19.091
        :ipv4 = 185.10.19.220
        :port = 5357
        :proto = tcp
inet:server=tcp://185.10.19.220:47001
        .created = 2025/03/31 20:23:19.107
        :ipv4 = 185.10.19.220
        :port = 47001
        :proto = tcp
inet:server=tcp://185.10.19.220:443
        .created = 2025/03/31 20:23:19.124
        :ipv4 = 185.10.19.220
        :port = 443
        :proto = tcp
crypto:x509:cert=bf929c03c3950a7d78ffa31d973c05d2
        .created = 2025/03/31 20:23:19.156
        :issuer = CN=R10, O=Let's Encrypt, C=US
inet:tls:servercert=('tcp://185.10.19.220:443', 'bf929c03c3950a7d78ffa31d973c05d2')
        .created = 2025/03/31 20:23:19.164
        :cert = bf929c03c3950a7d78ffa31d973c05d2
        :server = tcp://185.10.19.220:443
crypto:x509:cert=9b550e227dec5d7039ac1844331b17b9
        .created = 2025/03/31 20:23:19.181
        :issuer = CN=R10, O=Let's Encrypt, C=US
inet:tls:servercert=('tcp://185.10.19.220:443', '9b550e227dec5d7039ac1844331b17b9')
        .created = 2025/03/31 20:23:19.189
        :cert = 9b550e227dec5d7039ac1844331b17b9
        :server = tcp://185.10.19.220:443
inet:tls:servercert=('tcp://185.10.19.220:886', 'bf929c03c3950a7d78ffa31d973c05d2')
        .created = 2025/03/31 20:23:19.213
        :cert = bf929c03c3950a7d78ffa31d973c05d2
        :server = tcp://185.10.19.220:886
crypto:x509:cert=912ce6d2b1c780a5b99ad036018d431b
        .created = 2025/03/31 20:23:19.229
        :issuer = CN=ulysse.gwadlup.fr
inet:tls:servercert=('tcp://185.10.19.220:3389', '912ce6d2b1c780a5b99ad036018d431b')
        .created = 2025/03/31 20:23:19.237
        :cert = 912ce6d2b1c780a5b99ad036018d431b
        :server = tcp://185.10.19.220:3389
crypto:x509:cert=83cb749d2457353975f613aac5acc38a
        .created = 2025/03/31 20:23:19.254
        :issuer = CN=R3, O=Let's Encrypt, C=US
inet:tls:servercert=('tcp://185.10.19.220:443', '83cb749d2457353975f613aac5acc38a')
        .created = 2025/03/31 20:23:19.262
        :cert = 83cb749d2457353975f613aac5acc38a
        :server = tcp://185.10.19.220:443
inet:whois:iprec=517b0cb5e49532956c9371f721e2266c
        .created = 2025/03/31 20:23:19.270
        :asn = 35661
        :asof = 2025/03/04 00:00:00.000
        :name = FR-VIRTUASYS-20121114
inet:ipv4=185.10.19.220
        .created = 2025/03/31 20:23:18.799
        :asn = 35661
        :loc = fr
        :type = unicast
        #rep.teamcymru.openresolvers
inet:dns:a=('ulysse.gwadlup.fr', '94.177.255.231')
        .created = 2025/03/31 20:23:19.381
        :fqdn = ulysse.gwadlup.fr
        :ipv4 = 94.177.255.231
inet:flow=1a666ba356809edbadea52bf2b4e9858
        .created = 2025/03/31 20:23:19.390
        :_teamcymru:count = 5
        :dst:ipv4 = 94.177.255.231
        :src:ipv4 = 168.253.90.155
inet:flow=6fcdd743aeeefa62f1f3f4a19e484b60
        .created = 2025/03/31 20:23:19.399
        :_teamcymru:count = 2
        :dst:ipv4 = 94.177.255.231
        :src:ipv4 = 103.103.194.85
inet:flow=9145b732bf2b16a10e77b717a6938479
        .created = 2025/03/31 20:23:19.408
        :_teamcymru:count = 1
        :dst:ipv4 = 94.177.255.231
        :src:ipv4 = 45.181.140.169
inet:flow=18e9fa7c4fdbaac99ab4a81a38e23adf
        .created = 2025/03/31 20:23:19.417
        :_teamcymru:count = 1
        :dst:ipv4 = 94.177.255.231
        :src:ipv4 = 67.21.83.13
inet:flow=20b1b0157e003a6dae23b892c7de4bac
        .created = 2025/03/31 20:23:19.426
        :_teamcymru:count = 1
        :dst:ipv4 = 94.177.255.231
        :src:ipv4 = 45.232.74.53
inet:whois:iprec=b622fe2aceacfa5e8e444a4f9a58ab5a
        .created = 2025/03/31 20:23:19.435
        :asn = 199883
        :asof = 2025/03/01 00:00:00.000
        :name = ARUBAUK-NET
inet:ipv4=94.177.255.231
        .created = 2025/03/31 20:23:19.301
        :asn = 199883
        :loc = gb
        :type = unicast
inet:dns:a=('thor.gwadlup.fr', '216.126.233.245')
        .created = 2025/03/31 20:23:19.546
        :fqdn = thor.gwadlup.fr
        :ipv4 = 216.126.233.245
inet:flow=2c40a8e5b9751b4aee3894467d5bd784
        .created = 2025/03/31 20:23:19.556
        :_teamcymru:count = 37
        :dst:ipv4 = 216.126.233.245
        :src:ipv4 = 216.230.19.210
inet:flow=4e659b0b2d5680b8c70221a97fc3e0da
        .created = 2025/03/31 20:23:19.565
        :_teamcymru:count = 4
        :dst:ipv4 = 216.126.233.245
        :src:ipv4 = 193.145.155.148
inet:flow=4c4a616bc7418b626f7b14eb1f3a204d
        .created = 2025/03/31 20:23:19.574
        :_teamcymru:count = 1
        :dst:ipv4 = 216.126.233.245
        :src:ipv4 = 138.186.142.79
inet:flow=be2ee2b3df088adf3529ffae2778712f
        .created = 2025/03/31 20:23:19.583
        :_teamcymru:count = 1
        :dst:ipv4 = 216.126.233.245
        :src:ipv4 = 204.188.228.211
inet:server=tcp://216.126.233.245:22
        .created = 2025/03/31 20:23:19.600
        :ipv4 = 216.126.233.245
        :port = 22
        :proto = tcp
inet:server=tcp://216.126.233.245:80
        .created = 2025/03/31 20:23:19.616
        :ipv4 = 216.126.233.245
        :port = 80
        :proto = tcp
inet:server=tcp://216.126.233.245:21
        .created = 2025/03/31 20:23:19.632
        :ipv4 = 216.126.233.245
        :port = 21
        :proto = tcp
inet:whois:iprec=0fc0fb9a9421e0f01acd48092d8b7805
        .created = 2025/03/31 20:23:19.672
        :asn = 400304
        :asof = 2025/03/03 00:00:00.000
        :name = REDOUBT
inet:ipv4=216.126.233.245
        .created = 2025/03/31 20:23:19.466
        :asn = 400304
        :loc = us
        :type = unicast
inet:dns:a=('jeronimo-dk.com', '85.239.245.210')
        .created = 2025/03/31 20:23:19.783
        :fqdn = jeronimo-dk.com
        :ipv4 = 85.239.245.210
inet:dns:a=('webbkatalogen.org', '85.239.245.210')
        .created = 2025/03/31 20:23:19.805
        :fqdn = webbkatalogen.org
        :ipv4 = 85.239.245.210
inet:dns:a=('printoriumprinters.com', '85.239.245.210')
        .created = 2025/03/31 20:23:19.827
        :fqdn = printoriumprinters.com
        :ipv4 = 85.239.245.210
inet:dns:a=('ct1new.neodns.info', '85.239.245.210')
        .created = 2025/03/31 20:23:19.849
        :fqdn = ct1new.neodns.info
        :ipv4 = 85.239.245.210
inet:dns:a=('itstimetopotty.com', '85.239.245.210')
        .created = 2025/03/31 20:23:19.872
        :fqdn = itstimetopotty.com
        :ipv4 = 85.239.245.210
WARNING: Skipping unsupported fingerprint: {'ip': '85.239.245.210', 'type': 'ja4x', 'signature': 'a373a9f83c6b_7022c563de38_821a8ec155c6', 'event_count': 1068}
WARNING: Skipping unsupported fingerprint: {'ip': '85.239.245.210', 'type': 'favicon.murmur3', 'signature': '-274049985', 'event_count': 63}
WARNING: Skipping unsupported fingerprint: {'ip': '85.239.245.210', 'type': 'ja4x', 'signature': '2bab15409345_7022c563de38_f0323fc993b9', 'event_count': 18}
inet:ssl:jarmsample=('tcp://85.239.245.210', '27d27d27d00027d00027d27d27d27d96d86b34e11c2d3d5508f7111adf9d91')
        .created = 2025/03/31 20:23:19.898
        :jarmhash = 27d27d27d00027d00027d27d27d27d96d86b34e11c2d3d5508f7111adf9d91
        :server = tcp://85.239.245.210
inet:flow=5c3e43da8e84e6d233fdc13ab64c19dc
        .created = 2025/03/31 20:23:19.907
        :_teamcymru:count = 715
        :dst:ipv4 = 85.239.245.210
        :src:ipv4 = 103.160.62.200
inet:flow=125ac89eacc55e5f7809b587fe129f30
        .created = 2025/03/31 20:23:19.917
        :_teamcymru:count = 601
        :dst:ipv4 = 85.239.245.210
        :src:ipv4 = 216.230.19.210
inet:flow=6043f2e31a9cd5be343c1f5a6a333dc9
        .created = 2025/03/31 20:23:19.926
        :_teamcymru:count = 285
        :dst:ipv4 = 85.239.245.210
        :src:ipv4 = 103.103.194.85
inet:flow=5707f8ffff0d83241a36db3099b1fe36
        .created = 2025/03/31 20:23:19.936
        :_teamcymru:count = 172
        :dst:ipv4 = 85.239.245.210
        :src:ipv4 = 31.47.72.21
inet:flow=2ea9d29f9e172141421fe6841e485ad1
        .created = 2025/03/31 20:23:19.945
        :_teamcymru:count = 122
        :dst:ipv4 = 85.239.245.210
        :src:ipv4 = 103.131.95.147
inet:server=tcp://85.239.245.210:443
        .created = 2025/03/31 20:23:19.962
        :ipv4 = 85.239.245.210
        :port = 443
        :proto = tcp
inet:server=tcp://85.239.245.210:2222
        .created = 2025/03/31 20:23:19.978
        :ipv4 = 85.239.245.210
        :port = 2222
        :proto = tcp
inet:server=tcp://85.239.245.210:80
        .created = 2025/03/31 20:23:19.995
        :ipv4 = 85.239.245.210
        :port = 80
        :proto = tcp
crypto:x509:cert=7683f96b90d8835b8969665e84e4b0dc
        .created = 2025/03/31 20:23:20.043
        :issuer = CN=E6, O=Let's Encrypt, C=US
inet:tls:servercert=('tcp://85.239.245.210:443', '7683f96b90d8835b8969665e84e4b0dc')
        .created = 2025/03/31 20:23:20.051
        :cert = 7683f96b90d8835b8969665e84e4b0dc
        :server = tcp://85.239.245.210:443
inet:tls:servercert=('tcp://85.239.245.210:2222', '7683f96b90d8835b8969665e84e4b0dc')
        .created = 2025/03/31 20:23:20.075
        :cert = 7683f96b90d8835b8969665e84e4b0dc
        :server = tcp://85.239.245.210:2222
inet:tls:servercert=('tcp://85.239.245.210:886', '7683f96b90d8835b8969665e84e4b0dc')
        .created = 2025/03/31 20:23:20.099
        :cert = 7683f96b90d8835b8969665e84e4b0dc
        :server = tcp://85.239.245.210:886
inet:tls:servercert=('tcp://85.239.245.210:4887', '7683f96b90d8835b8969665e84e4b0dc')
        .created = 2025/03/31 20:23:20.123
        :cert = 7683f96b90d8835b8969665e84e4b0dc
        :server = tcp://85.239.245.210:4887
inet:tls:servercert=('tcp://85.239.245.210:2665', '7683f96b90d8835b8969665e84e4b0dc')
        .created = 2025/03/31 20:23:20.147
        :cert = 7683f96b90d8835b8969665e84e4b0dc
        :server = tcp://85.239.245.210:2665
inet:whois:iprec=41c14bb7714d23156bc7a8884ec21a9c
        .created = 2025/03/31 20:23:20.156
        :asn = 40021
        :asof = 2025/03/04 00:00:00.000
        :name = TT-20221122
inet:ipv4=85.239.245.210
        .created = 2025/03/31 20:23:19.702
        :asn = 40021
        :loc = de
        :type = unicast
inet:dns:a=('thor.gwadlup.fr', '38.175.193.15')
        .created = 2025/03/31 20:23:20.268
        :fqdn = thor.gwadlup.fr
        :ipv4 = 38.175.193.15
inet:flow=7c145d10e2e544f3bc9a0e3d2549f94b
        .created = 2025/03/31 20:23:20.277
        :_teamcymru:count = 6
        :dst:ipv4 = 38.175.193.15
        :src:ipv4 = 41.94.30.4
inet:flow=46bc9ed7535dc70e9af5da2b922c1a77
        .created = 2025/03/31 20:23:20.286
        :_teamcymru:count = 2
        :dst:ipv4 = 38.175.193.15
        :src:ipv4 = 102.223.92.101
inet:flow=b51e92fffe351431cd8e1d585845a5b1
        .created = 2025/03/31 20:23:20.295
        :_teamcymru:count = 1
        :dst:ipv4 = 38.175.193.15
        :src:ipv4 = 45.191.4.249
inet:flow=bd1dc620983867aad294c711884c16a1
        .created = 2025/03/31 20:23:20.304
        :_teamcymru:count = 1
        :dst:ipv4 = 38.175.193.15
        :src:ipv4 = 157.10.141.17
inet:server=tcp://38.175.193.15:80
        .created = 2025/03/31 20:23:20.322
        :ipv4 = 38.175.193.15
        :port = 80
        :proto = tcp
inet:server=tcp://38.175.193.15:22
        .created = 2025/03/31 20:23:20.338
        :ipv4 = 38.175.193.15
        :port = 22
        :proto = tcp
inet:server=tcp://38.175.193.15:21
        .created = 2025/03/31 20:23:20.354
        :ipv4 = 38.175.193.15
        :port = 21
        :proto = tcp
inet:whois:iprec=f1a4696140237489e72f2719dd301d2e
        .created = 2025/03/31 20:23:20.363
        :asn = 174
        :asof = 2025/03/01 00:00:00.000
        :name = COGENT-A
inet:ipv4=38.175.193.15
        .created = 2025/03/31 20:23:20.186
        :asn = 400304
        :loc = us
        :type = unicast

Check Scout and Foundation API usages

> teamcymru.scout.usage
     API      |  Queries Used  |  Queries Remaining  |  Queries Limit
==============|================|=====================|=================
    Scout     |       33       |         967         |       1000
--------------|----------------|---------------------|-----------------
  Foundation  |       3        |          0          |        0

Use of meta:source nodes

Synapse-TeamCymru uses a meta:source node and -(seen)> light weight edges to track nodes observed from the TeamCymru API.

> meta:source=a4cd0e75c23bdf6beec9bb57e014dd51
meta:source=a4cd0e75c23bdf6beec9bb57e014dd51
        .created = 2025/03/31 20:23:09.130
        :name = teamcymru api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-TeamCymru. The following example shows how to filter the results of a query to include only results observed by Synapse-TeamCymru:

> inet:fqdn=vertex.link -> inet:dns:a +{ <(seen)- meta:source=a4cd0e75c23bdf6beec9bb57e014dd51 }
inet:dns:a=('vertex.link', '137.184.16.9')
        .created = 2025/03/31 20:23:14.634
        .seen = ('2023/06/05 12:18:25.000', '2023/06/06 20:09:24.001')
        :fqdn = vertex.link
        :ipv4 = 137.184.16.9