Synapse-TeamCymru User Guide
Synapse-TeamCymru adds new Storm commands to allow you to query the Team Cymru API using your existing API key.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set up a personal-use API key:
> teamcymru.recon.setup.apikey --self myapikey
Setting Team Cymru RECON API key for the current user.
Use the Team Cymru Pure-Signal Recon API to query and ingest flows
> [ inet:ipv4=1.2.3.4 ] | teamcymru.recon.flows --size 2 --yield
inet:flow=a58fa94b0c4584d371a21c5fd70d9da3
.created = 2026/06/12 20:50:26.316
:dst:ipv4 = 1.2.3.4
:dst:port = 53
:ip:proto = 17
:ip:tcp:flags = 0
:src:ipv4 = 45.175.114.245
:src:port = 7196
:time = 2023/06/07 10:14:07.000
:tot:txbytes = 65
:tot:txcount = 1
inet:flow=c125afa60a1e1a75208a95ffd1e37758
.created = 2026/06/12 20:50:26.326
:dst:ipv4 = 1.2.3.4
:dst:port = 53
:ip:proto = 17
:ip:tcp:flags = 0
:src:ipv4 = 168.228.179.214
:src:port = 54552
:time = 2023/06/07 10:33:39.000
:tot:txbytes = 63
:tot:txcount = 1
Use the Team Cymru Pure-Signal Recon API to query and ingest PDNS data
> [ inet:fqdn=vertex.link ] | teamcymru.recon.pdns --size 2 --yield
inet:dns:a=('vertex.link', '137.184.16.9')
.created = 2026/06/12 20:50:29.812
.seen = ('2023/06/05 12:18:25.000', '2023/06/05 12:18:25.001')
:fqdn = vertex.link
:ipv4 = 137.184.16.9
inet:dns:a=('vertex.link', '137.184.16.9')
.created = 2026/06/12 20:50:29.812
.seen = ('2023/06/05 12:18:25.000', '2023/06/06 20:09:24.001')
:fqdn = vertex.link
:ipv4 = 137.184.16.9
inet:dns:ns=('vertex.link', 'pdns2.registrar-servers.com')
.created = 2026/06/12 20:50:33.250
.seen = ('2023/06/07 15:08:42.000', '2023/06/07 15:08:42.001')
:ns = pdns2.registrar-servers.com
:zone = vertex.link
inet:dns:ns=('vertex.link', 'pdns1.registrar-servers.com')
.created = 2026/06/12 20:50:33.256
.seen = ('2023/06/07 15:08:42.000', '2023/06/07 15:08:42.001')
:ns = pdns1.registrar-servers.com
:zone = vertex.link
Query the Team Cymru Scout API for information about an IP address
> [ inet:ipv6=2a05:d014:9da:8c10:306e:3e07:a16f:a552 ] | teamcymru.scout.details --yield --size 3 --timebox 2025-02-06,2025-02-20 --sections (summary,comms:client_server,pdns,x509,fingerprints,whois)
inet:ipv6=2a05:d014:9da:8c10:306e:3e07:a16f:a552
.created = 2026/06/12 20:50:33.286
:asn = 16509
:loc = ie
:scope = global
:type = unicast
#rep.teamcymru.cloud.amazon.ec2
#rep.teamcymru.cloud.amazon.eu_central
#rep.teamcymru.insight.no_rating
meta:note=c5e311a29fb4e7502bc00fe9dd5c3b35
.created = 2026/06/12 20:50:33.340
:created = 2026/06/12 20:50:33.341
:text = 2a05:d014:9da:8c10:306e:3e07:a16f:a552 has been identified as an AWS EC2 cloud IP address (EU Central). A cloud service typically provides on-demand computing resources.
:type = teamcymru.no_rating
inet:dns:aaaa=('dan.hosting', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
.created = 2026/06/12 20:50:33.369
.seen = ('2025/02/06 00:00:00.000', '2025/02/20 00:00:00.001')
:fqdn = dan.hosting
:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('oneproxy.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
.created = 2026/06/12 20:50:33.372
.seen = ('2025/02/06 00:00:00.000', '2025/02/20 00:00:00.001')
:fqdn = oneproxy.com
:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('landlordtech.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
.created = 2026/06/12 20:50:33.375
.seen = ('2025/02/07 00:00:00.000', '2025/02/20 00:00:00.001')
:fqdn = landlordtech.com
:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('fvez.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
.created = 2026/06/12 20:50:33.379
.seen = ('2025/02/06 00:00:00.000', '2025/02/20 00:00:00.001')
:fqdn = fvez.com
:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('landlordrescue.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
.created = 2026/06/12 20:50:33.382
.seen = ('2025/02/06 00:00:00.000', '2025/02/20 00:00:00.001')
:fqdn = landlordrescue.com
:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:whois:iprec=648ada16ab22f16c51bdf69a9c61caa4
.created = 2026/06/12 20:50:33.386
:asn = 16509
:asof = 2023/05/23 00:00:00.000
:contacts = ['17ac2dcc002fe7c4a920ad36ac5855c8', '70cb9aca061bb4c1a4e72d3812fbf707', 'b6ccf480de5cb17f29feebefa31ae178']
:country = eu
:desc =
:id =
:name = EC2-AGGREGATE
:net6 = ('2a05:d010::', '2a05:d01f:ffff:ffff:ffff:ffff:ffff:ffff')
:net6:max = 2a05:d01f:ffff:ffff:ffff:ffff:ffff:ffff
:net6:min = 2a05:d010::
:updated = 2023/05/23 00:00:00.000
inet:dns:aaaa=('fnhe.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
.created = 2026/06/12 20:50:33.415
.seen = ('2025/02/07 00:00:00.000', '2025/02/20 00:00:00.001')
:fqdn = fnhe.com
:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('icvv.com', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
.created = 2026/06/12 20:50:33.419
.seen = ('2025/02/09 00:00:00.000', '2025/02/15 00:00:00.001')
:fqdn = icvv.com
:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:dns:aaaa=('www.socium.net', '2a05:d014:9da:8c10:306e:3e07:a16f:a552')
.created = 2026/06/12 20:50:33.422
.seen = ('2025/02/14 00:00:00.000', '2025/02/14 00:00:00.001')
:fqdn = www.socium.net
:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
inet:flow=4fccaf8627b701a9182f0a705f207ae1
.created = 2026/06/12 20:50:33.432
.seen = ('2025/02/18 00:00:00.000', '2025/02/18 00:00:00.001')
:_teamcymru:count = 1
:dst:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
:dst:port = 465
:src:ipv6 = 2804:6ab0:0:1:0:8:5112:d286
:src:port = 54795
:src:proto = tcp
:time = 2025/02/18 00:00:00.000
inet:flow=8dac3b550e40a0cd30ec0794c75cafeb
.created = 2026/06/12 20:50:33.444
.seen = ('2025/02/14 00:00:00.000', '2025/02/14 00:00:00.001')
:_teamcymru:count = 1
:dst:ipv6 = 2a05:d014:9da:8c10:306e:3e07:a16f:a552
:dst:port = 443
:src:ipv6 = 2400:cb00:81:1000:e3f:852b:6c95:208f
:src:port = 15644
:src:proto = tcp
:time = 2025/02/14 00:00:00.000
Query the Team Cymru Foundation API for information about IP address(es) that show up in alerts
> [(inet:ipv4=123.49.56.253) (inet:ipv6=2001:67c:4e8:1033:5:100:0:a)] | teamcymru.scout.foundation --yield
meta:note=21d49f9f9c2191754780037567387730
.created = 2026/06/12 20:50:33.495
:created = 2026/06/12 20:50:33.495
:text = 123.49.56.253 has been identified as a Windows Share Scanner, scanning for associated services.
:type = teamcymru.suspicious
meta:note=5a82304d146ce1e935f27b9782c769f5
.created = 2026/06/12 20:50:33.496
:created = 2026/06/12 20:50:33.497
:text = 123.49.56.253 has been identified as VPN. These IPs are either identified as anonymization services or they could also be IP addresses providing remote access to a network.
:type = teamcymru.no_rating
inet:ipv4=123.49.56.253
.created = 2026/06/12 20:50:33.455
:asn = 45607
:loc = bd
:type = unicast
#rep.teamcymru.insight.suspicious
#rep.teamcymru.scanner.winshare_scanner
#rep.teamcymru.vpn.l2tp
#rep.teamcymru.vpn.softether
inet:ipv6=2001:67c:4e8:1033:5:100:0:a
.created = 2026/06/12 20:50:33.476
:asn = 62041
:loc = vg
:scope = global
:type = unicast
#rep.teamcymru.insight.no_rating
Search the Team Cymru API for IP addresses via a query string
> $query = 'pdns.domain="*.gwadlup.fr"' teamcymru.scout.search $query --size 5 --yield --debug --timebox 2025-02-01,2025-02-28
Team Cymru GET https://recon.cymru.com/api/scout/search
Team Cymru API raw response:
{'end_date': '2025-02-28',
'ip_details_pivot': 'pdns.domain = "*.gwadlup.fr"',
'ips': ({'as_info': ({'as_name': 'VIRTUASYS-EU, FR', 'asn': 35661},),
'comms_enrichment': {},
'country_codes': ('FR',),
'event_count': 2579,
'ip': '185.10.19.220',
'summary': {'certs': ({'common_name': 'j2iits.fr',
'event_count': 19,
'ip': '185.10.19.220',
'issuer': "CN=R10, O=Let's Encrypt, C=US",
'issuer_common_name': 'R10',
'port': 443},
{'common_name': 'www.j2iits.fr',
'event_count': 5,
'ip': '185.10.19.220',
'issuer': "CN=R10, O=Let's Encrypt, C=US",
'issuer_common_name': 'R10',
'port': 443},
{'common_name': 'j2iits.fr',
'event_count': 2,
'ip': '185.10.19.220',
'issuer': "CN=R10, O=Let's Encrypt, C=US",
'issuer_common_name': 'R10',
'port': 886},
{'common_name': 'ulysse.gwadlup.fr',
'event_count': 2,
'ip': '185.10.19.220',
'issuer': 'CN=ulysse.gwadlup.fr',
'issuer_common_name': 'ulysse.gwadlup.fr',
'port': 3389},
{'common_name': 'moodle.j2iits.fr',
'event_count': 1,
'ip': '185.10.19.220',
'issuer': "CN=R3, O=Let's Encrypt, C=US",
'issuer_common_name': 'R3',
'port': 443}),
'comms_total': 205169,
'fingerprints': ({'event_count': 20,
'ip': '185.10.19.220',
'signature': 'a373a9f83c6b_7022c563de38_821a8ec155c6',
'type': 'ja4x'},),
'last_seen': '2025-03-04',
'open_ports': ({'event_count': 26,
'ip': '185.10.19.220',
'port': 80,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'http'},
{'event_count': 24,
'ip': '185.10.19.220',
'port': 5357,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'wsdapi'},
{'event_count': 21,
'ip': '185.10.19.220',
'port': 47001,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'winrm'},
{'event_count': 20,
'ip': '185.10.19.220',
'port': 443,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'https'},
{'event_count': 16,
'ip': '185.10.19.220',
'port': 5357,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'http.header.raw'}),
'pdns': ({'domain': 'ulysse.gwadlup.fr',
'event_count': 2579,
'ip': '185.10.19.220'},
{'domain': 'j2iits.com',
'event_count': 26,
'ip': '185.10.19.220'},
{'domain': 'gwadlup.com',
'event_count': 17,
'ip': '185.10.19.220'},
{'domain': 'j2iits.fr',
'event_count': 8,
'ip': '185.10.19.220'},
{'domain': 'gwadlup.fr',
'event_count': 4,
'ip': '185.10.19.220'}),
'service_counts': ({'event_count': 170801,
'port': 443,
'proto': 6,
'proto_text': '',
'service': {'description': 'http '
'protocol '
'over '
'TLS/SSL',
'port': 443,
'proto_number': 6,
'service_name': 'https'}},
{'event_count': 4498,
'port': 40000,
'proto': 17,
'proto_text': '',
'service': {'description': 'SafetyNET '
'p',
'port': 40000,
'proto_number': 17,
'service_name': 'safetynetp'}},
{'event_count': 2720,
'port': 53,
'proto': 17,
'proto_text': '',
'service': {'description': 'Domain '
'Name '
'Server',
'port': 53,
'proto_number': 17,
'service_name': 'domain'}},
{'event_count': 86,
'port': 80,
'proto': 6,
'proto_text': '',
'service': {'description': 'World '
'Wide Web '
'HTTP',
'port': 80,
'proto_number': 6,
'service_name': 'http'}},
{'event_count': 38,
'port': 1433,
'proto': 6,
'proto_text': '',
'service': {'description': 'Microsoft-SQL-Server',
'port': 1433,
'proto_number': 6,
'service_name': 'ms-sql-s'}}),
'top_peers': ({'event_count': 204654,
'ip': '204.16.174.145'},
{'event_count': 46, 'ip': '130.59.31.41'},
{'event_count': 46, 'ip': '130.59.31.43'},
{'event_count': 29,
'ip': '204.188.228.247'},
{'event_count': 27,
'ip': '204.188.228.70'}),
'whois': {'as_name': 'VIRTUA SYSTEMS SAS',
'asn': 35661,
'net_name': 'FR-VIRTUASYS-20121114',
'org_name': 'VIRTUA SYSTEMS SAS'}},
'tags': ({'children': None, 'id': 4, 'name': 'openresolvers'},)},
{'as_info': ({'as_name': 'ARUBACLOUDLTD-ASN, GB', 'asn': 199883},),
'comms_enrichment': {},
'country_codes': ('GB',),
'event_count': 32,
'ip': '94.177.255.231',
'summary': {'certs': None,
'comms_total': 10,
'fingerprints': None,
'last_seen': '2025-03-01',
'open_ports': None,
'pdns': ({'domain': 'ulysse.gwadlup.fr',
'event_count': 32,
'ip': '94.177.255.231'},),
'service_counts': ({'event_count': 3,
'port': 80,
'proto': 6,
'proto_text': '',
'service': {'description': 'World '
'Wide Web '
'HTTP',
'port': 80,
'proto_number': 6,
'service_name': 'http'}},
{'event_count': 2,
'port': 23,
'proto': 6,
'proto_text': '',
'service': {'description': 'Telnet',
'port': 23,
'proto_number': 6,
'service_name': 'telnet'}},
{'event_count': 2,
'port': 443,
'proto': 6,
'proto_text': '',
'service': {'description': 'http '
'protocol '
'over '
'TLS/SSL',
'port': 443,
'proto_number': 6,
'service_name': 'https'}},
{'event_count': 2,
'port': 53,
'proto': 17,
'proto_text': '',
'service': {'description': 'Domain '
'Name '
'Server',
'port': 53,
'proto_number': 17,
'service_name': 'domain'}}),
'top_peers': ({'event_count': 5, 'ip': '168.253.90.155'},
{'event_count': 2, 'ip': '103.103.194.85'},
{'event_count': 1, 'ip': '45.181.140.169'},
{'event_count': 1, 'ip': '67.21.83.13'},
{'event_count': 1, 'ip': '45.232.74.53'}),
'whois': {'as_name': 'ArubaCloud Limited',
'asn': 199883,
'net_name': 'ARUBAUK-NET',
'org_name': 'Aruba S.p.A.'}},
'tags': None},
{'as_info': ({'as_name': 'REDOUBT-NET, US', 'asn': 400304},),
'comms_enrichment': {},
'country_codes': ('US',),
'event_count': 13,
'ip': '216.126.233.245',
'summary': {'certs': None,
'comms_total': 43,
'fingerprints': None,
'last_seen': '2025-03-03',
'open_ports': ({'event_count': 9,
'ip': '216.126.233.245',
'port': 22,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'ssh'},
{'event_count': 8,
'ip': '216.126.233.245',
'port': 80,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'http.server'},
{'event_count': 8,
'ip': '216.126.233.245',
'port': 21,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'ftp'},
{'event_count': 6,
'ip': '216.126.233.245',
'port': 80,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'http'},
{'event_count': 5,
'ip': '216.126.233.245',
'port': 80,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'http.header.hash'}),
'pdns': ({'domain': 'thor.gwadlup.fr',
'event_count': 13,
'ip': '216.126.233.245'},),
'service_counts': ({'event_count': 41,
'port': 22,
'proto': 6,
'proto_text': '',
'service': {'description': 'The '
'Secure '
'Shell '
'(SSH) '
'Protocol',
'port': 22,
'proto_number': 6,
'service_name': 'ssh'}},
{'event_count': 1,
'port': 80,
'proto': 6,
'proto_text': '',
'service': {'description': 'World '
'Wide Web '
'HTTP',
'port': 80,
'proto_number': 6,
'service_name': 'http'}}),
'top_peers': ({'event_count': 37, 'ip': '216.230.19.210'},
{'event_count': 4, 'ip': '193.145.155.148'},
{'event_count': 1, 'ip': '138.186.142.79'},
{'event_count': 1,
'ip': '204.188.228.211'}),
'whois': {'as_name': 'Redoubt Networks',
'asn': 400304,
'net_name': 'REDOUBT',
'org_name': 'Redoubt Networks'}},
'tags': None},
{'as_info': ({'as_name': 'NL-811-40021, US', 'asn': 40021},),
'comms_enrichment': {},
'country_codes': ('DE',),
'event_count': 11,
'ip': '85.239.245.210',
'summary': {'certs': ({'common_name': 'us1new.neodns.info',
'event_count': 191,
'ip': '85.239.245.210',
'issuer': "CN=E6, O=Let's Encrypt, C=US",
'issuer_common_name': 'E6',
'port': 443},
{'common_name': 'us1new.neodns.info',
'event_count': 94,
'ip': '85.239.245.210',
'issuer': "CN=E6, O=Let's Encrypt, C=US",
'issuer_common_name': 'E6',
'port': 2222},
{'common_name': 'us1new.neodns.info',
'event_count': 70,
'ip': '85.239.245.210',
'issuer': "CN=E6, O=Let's Encrypt, C=US",
'issuer_common_name': 'E6',
'port': 886},
{'common_name': 'us1new.neodns.info',
'event_count': 57,
'ip': '85.239.245.210',
'issuer': "CN=E6, O=Let's Encrypt, C=US",
'issuer_common_name': 'E6',
'port': 4887},
{'common_name': 'us1new.neodns.info',
'event_count': 48,
'ip': '85.239.245.210',
'issuer': "CN=E6, O=Let's Encrypt, C=US",
'issuer_common_name': 'E6',
'port': 2665}),
'comms_total': 3184,
'fingerprints': ({'event_count': 1068,
'ip': '85.239.245.210',
'signature': 'a373a9f83c6b_7022c563de38_821a8ec155c6',
'type': 'ja4x'},
{'event_count': 63,
'ip': '85.239.245.210',
'signature': '-274049985',
'type': 'favicon.murmur3'},
{'event_count': 18,
'ip': '85.239.245.210',
'signature': '2bab15409345_7022c563de38_f0323fc993b9',
'type': 'ja4x'},
{'event_count': 5,
'ip': '85.239.245.210',
'signature': '27d27d27d00027d00027d27d27d27d96d86b34e11c2d3d5508f7111adf9d91',
'type': 'jarm'}),
'last_seen': '2025-03-04',
'open_ports': ({'event_count': 1459,
'ip': '85.239.245.210',
'port': 443,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'https'},
{'event_count': 1159,
'ip': '85.239.245.210',
'port': 2222,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'EtherNet/IP-1'},
{'event_count': 619,
'ip': '85.239.245.210',
'port': 80,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'http'},
{'event_count': 601,
'ip': '85.239.245.210',
'port': 443,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'https.header.raw'},
{'event_count': 593,
'ip': '85.239.245.210',
'port': 443,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'https.server'}),
'pdns': ({'domain': 'jeronimo-dk.com',
'event_count': 73,
'ip': '85.239.245.210'},
{'domain': 'webbkatalogen.org',
'event_count': 59,
'ip': '85.239.245.210'},
{'domain': 'printoriumprinters.com',
'event_count': 54,
'ip': '85.239.245.210'},
{'domain': 'ct1new.neodns.info',
'event_count': 52,
'ip': '85.239.245.210'},
{'domain': 'itstimetopotty.com',
'event_count': 52,
'ip': '85.239.245.210'}),
'service_counts': ({'event_count': 1475,
'port': 53,
'proto': 17,
'proto_text': '',
'service': {'description': 'Domain '
'Name '
'Server',
'port': 53,
'proto_number': 17,
'service_name': 'domain'}},
{'event_count': 769,
'port': 443,
'proto': 6,
'proto_text': '',
'service': {'description': 'http '
'protocol '
'over '
'TLS/SSL',
'port': 443,
'proto_number': 6,
'service_name': 'https'}},
{'event_count': 620,
'port': 465,
'proto': 6,
'proto_text': '',
'service': {'description': 'URL '
'Rendezvous '
'Directory '
'for SSM',
'port': 465,
'proto_number': 6,
'service_name': 'urd'}},
{'event_count': 166,
'port': 80,
'proto': 6,
'proto_text': '',
'service': {'description': 'World '
'Wide Web '
'HTTP',
'port': 80,
'proto_number': 6,
'service_name': 'http'}},
{'event_count': 86,
'port': 22,
'proto': 6,
'proto_text': '',
'service': {'description': 'The '
'Secure '
'Shell '
'(SSH) '
'Protocol',
'port': 22,
'proto_number': 6,
'service_name': 'ssh'}}),
'top_peers': ({'event_count': 715,
'ip': '103.160.62.200'},
{'event_count': 601,
'ip': '216.230.19.210'},
{'event_count': 285,
'ip': '103.103.194.85'},
{'event_count': 172, 'ip': '31.47.72.21'},
{'event_count': 122,
'ip': '103.131.95.147'}),
'whois': {'as_name': 'Nubes, LLC',
'asn': 40021,
'net_name': 'TT-20221122',
'org_name': 'Contabo GmbH'}},
'tags': None},
{'as_info': ({'as_name': 'REDOUBT-NET, US', 'asn': 400304},),
'comms_enrichment': {},
'country_codes': ('US',),
'event_count': 5,
'ip': '38.175.193.15',
'summary': {'certs': None,
'comms_total': 10,
'fingerprints': None,
'last_seen': '2025-03-01',
'open_ports': ({'event_count': 12,
'ip': '38.175.193.15',
'port': 80,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'http'},
{'event_count': 4,
'ip': '38.175.193.15',
'port': 22,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'ssh'},
{'event_count': 4,
'ip': '38.175.193.15',
'port': 21,
'protocol': 6,
'protocol_text': 'TCP',
'service': 'ftp'}),
'pdns': ({'domain': 'thor.gwadlup.fr',
'event_count': 5,
'ip': '38.175.193.15'},),
'service_counts': ({'event_count': 8,
'port': 22,
'proto': 6,
'proto_text': '',
'service': {'description': 'The '
'Secure '
'Shell '
'(SSH) '
'Protocol',
'port': 22,
'proto_number': 6,
'service_name': 'ssh'}},
{'event_count': 1,
'port': 23,
'proto': 6,
'proto_text': '',
'service': {'description': 'Telnet',
'port': 23,
'proto_number': 6,
'service_name': 'telnet'}},
{'event_count': 1,
'port': 3397,
'proto': 6,
'proto_text': '',
'service': {'description': 'Cloanto '
'License '
'Manager',
'port': 3397,
'proto_number': 6,
'service_name': 'cloanto-lm'}}),
'top_peers': ({'event_count': 6, 'ip': '41.94.30.4'},
{'event_count': 2, 'ip': '102.223.92.101'},
{'event_count': 1, 'ip': '45.191.4.249'},
{'event_count': 1, 'ip': '157.10.141.17'}),
'whois': {'as_name': 'Cogent Communications',
'asn': 174,
'net_name': 'COGENT-A',
'org_name': 'PSINet, Inc.'}},
'tags': None}),
'query': 'pdns.domain="*.gwadlup.fr"',
'request_id': 'c6903803-1953-5a40-92fb-0b185c92da78',
'size': 5,
'start_date': '2025-02-01',
'total': 6,
'usage': {'ai_insights_usage': {'query_limit': 0,
'remaining_queries': 0,
'used_queries': 0},
'foundation_api_usage': {'query_limit': 0,
'remaining_queries': 0,
'used_queries': 0},
'query_limit': 1000,
'remaining_queries': 999,
'used_queries': 1}}
inet:dns:a=('ulysse.gwadlup.fr', '185.10.19.220')
.created = 2026/06/12 20:50:33.586
:fqdn = ulysse.gwadlup.fr
:ipv4 = 185.10.19.220
inet:dns:a=('j2iits.com', '185.10.19.220')
.created = 2026/06/12 20:50:33.591
:fqdn = j2iits.com
:ipv4 = 185.10.19.220
inet:dns:a=('gwadlup.com', '185.10.19.220')
.created = 2026/06/12 20:50:33.594
:fqdn = gwadlup.com
:ipv4 = 185.10.19.220
inet:dns:a=('j2iits.fr', '185.10.19.220')
.created = 2026/06/12 20:50:33.597
:fqdn = j2iits.fr
:ipv4 = 185.10.19.220
inet:dns:a=('gwadlup.fr', '185.10.19.220')
.created = 2026/06/12 20:50:33.600
:fqdn = gwadlup.fr
:ipv4 = 185.10.19.220
WARNING: Skipping unsupported fingerprint: {'ip': '185.10.19.220', 'type': 'ja4x', 'signature': 'a373a9f83c6b_7022c563de38_821a8ec155c6', 'event_count': 20}
inet:flow=99b91940b616a74020eb2f1181f2adeb
.created = 2026/06/12 20:50:33.603
:_teamcymru:count = 204654
:dst:ipv4 = 185.10.19.220
:src:ipv4 = 204.16.174.145
inet:flow=841c094d053900100bd92cd3065b194b
.created = 2026/06/12 20:50:33.605
:_teamcymru:count = 46
:dst:ipv4 = 185.10.19.220
:src:ipv4 = 130.59.31.41
inet:flow=0b7a71d617dbdec5b0e46a0ec62a62e4
.created = 2026/06/12 20:50:33.607
:_teamcymru:count = 46
:dst:ipv4 = 185.10.19.220
:src:ipv4 = 130.59.31.43
inet:flow=bc712a2c863f6c1719e3121cff666a10
.created = 2026/06/12 20:50:33.609
:_teamcymru:count = 29
:dst:ipv4 = 185.10.19.220
:src:ipv4 = 204.188.228.247
inet:flow=5af594e45955a7682ce2fe648f81b029
.created = 2026/06/12 20:50:33.611
:_teamcymru:count = 27
:dst:ipv4 = 185.10.19.220
:src:ipv4 = 204.188.228.70
inet:server=tcp://185.10.19.220:80
.created = 2026/06/12 20:50:33.614
:ipv4 = 185.10.19.220
:port = 80
:proto = tcp
inet:server=tcp://185.10.19.220:5357
.created = 2026/06/12 20:50:33.616
:ipv4 = 185.10.19.220
:port = 5357
:proto = tcp
inet:server=tcp://185.10.19.220:47001
.created = 2026/06/12 20:50:33.619
:ipv4 = 185.10.19.220
:port = 47001
:proto = tcp
inet:server=tcp://185.10.19.220:443
.created = 2026/06/12 20:50:33.621
:ipv4 = 185.10.19.220
:port = 443
:proto = tcp
crypto:x509:cert=bf929c03c3950a7d78ffa31d973c05d2
.created = 2026/06/12 20:50:33.625
:issuer = CN=R10, O=Let's Encrypt, C=US
inet:tls:servercert=('tcp://185.10.19.220:443', 'bf929c03c3950a7d78ffa31d973c05d2')
.created = 2026/06/12 20:50:33.626
:cert = bf929c03c3950a7d78ffa31d973c05d2
:server = tcp://185.10.19.220:443
crypto:x509:cert=9b550e227dec5d7039ac1844331b17b9
.created = 2026/06/12 20:50:33.628
:issuer = CN=R10, O=Let's Encrypt, C=US
inet:tls:servercert=('tcp://185.10.19.220:443', '9b550e227dec5d7039ac1844331b17b9')
.created = 2026/06/12 20:50:33.630
:cert = 9b550e227dec5d7039ac1844331b17b9
:server = tcp://185.10.19.220:443
inet:tls:servercert=('tcp://185.10.19.220:886', 'bf929c03c3950a7d78ffa31d973c05d2')
.created = 2026/06/12 20:50:33.633
:cert = bf929c03c3950a7d78ffa31d973c05d2
:server = tcp://185.10.19.220:886
crypto:x509:cert=912ce6d2b1c780a5b99ad036018d431b
.created = 2026/06/12 20:50:33.635
:issuer = CN=ulysse.gwadlup.fr
inet:tls:servercert=('tcp://185.10.19.220:3389', '912ce6d2b1c780a5b99ad036018d431b')
.created = 2026/06/12 20:50:33.637
:cert = 912ce6d2b1c780a5b99ad036018d431b
:server = tcp://185.10.19.220:3389
crypto:x509:cert=83cb749d2457353975f613aac5acc38a
.created = 2026/06/12 20:50:33.639
:issuer = CN=R3, O=Let's Encrypt, C=US
inet:tls:servercert=('tcp://185.10.19.220:443', '83cb749d2457353975f613aac5acc38a')
.created = 2026/06/12 20:50:33.641
:cert = 83cb749d2457353975f613aac5acc38a
:server = tcp://185.10.19.220:443
inet:whois:iprec=517b0cb5e49532956c9371f721e2266c
.created = 2026/06/12 20:50:33.642
:asn = 35661
:asof = 2025/03/04 00:00:00.000
:name = FR-VIRTUASYS-20121114
inet:ipv4=185.10.19.220
.created = 2026/06/12 20:50:33.551
:asn = 35661
:loc = fr
:type = unicast
#rep.teamcymru.openresolvers
inet:dns:a=('ulysse.gwadlup.fr', '94.177.255.231')
.created = 2026/06/12 20:50:33.653
:fqdn = ulysse.gwadlup.fr
:ipv4 = 94.177.255.231
inet:flow=1a666ba356809edbadea52bf2b4e9858
.created = 2026/06/12 20:50:33.655
:_teamcymru:count = 5
:dst:ipv4 = 94.177.255.231
:src:ipv4 = 168.253.90.155
inet:flow=6fcdd743aeeefa62f1f3f4a19e484b60
.created = 2026/06/12 20:50:33.657
:_teamcymru:count = 2
:dst:ipv4 = 94.177.255.231
:src:ipv4 = 103.103.194.85
inet:flow=9145b732bf2b16a10e77b717a6938479
.created = 2026/06/12 20:50:33.659
:_teamcymru:count = 1
:dst:ipv4 = 94.177.255.231
:src:ipv4 = 45.181.140.169
inet:flow=18e9fa7c4fdbaac99ab4a81a38e23adf
.created = 2026/06/12 20:50:33.661
:_teamcymru:count = 1
:dst:ipv4 = 94.177.255.231
:src:ipv4 = 67.21.83.13
inet:flow=20b1b0157e003a6dae23b892c7de4bac
.created = 2026/06/12 20:50:33.663
:_teamcymru:count = 1
:dst:ipv4 = 94.177.255.231
:src:ipv4 = 45.232.74.53
inet:whois:iprec=b622fe2aceacfa5e8e444a4f9a58ab5a
.created = 2026/06/12 20:50:33.666
:asn = 199883
:asof = 2025/03/01 00:00:00.000
:name = ARUBAUK-NET
inet:ipv4=94.177.255.231
.created = 2026/06/12 20:50:33.646
:asn = 199883
:loc = gb
:type = unicast
inet:dns:a=('thor.gwadlup.fr', '216.126.233.245')
.created = 2026/06/12 20:50:33.677
:fqdn = thor.gwadlup.fr
:ipv4 = 216.126.233.245
inet:flow=2c40a8e5b9751b4aee3894467d5bd784
.created = 2026/06/12 20:50:33.679
:_teamcymru:count = 37
:dst:ipv4 = 216.126.233.245
:src:ipv4 = 216.230.19.210
inet:flow=4e659b0b2d5680b8c70221a97fc3e0da
.created = 2026/06/12 20:50:33.682
:_teamcymru:count = 4
:dst:ipv4 = 216.126.233.245
:src:ipv4 = 193.145.155.148
inet:flow=4c4a616bc7418b626f7b14eb1f3a204d
.created = 2026/06/12 20:50:33.684
:_teamcymru:count = 1
:dst:ipv4 = 216.126.233.245
:src:ipv4 = 138.186.142.79
inet:flow=be2ee2b3df088adf3529ffae2778712f
.created = 2026/06/12 20:50:33.686
:_teamcymru:count = 1
:dst:ipv4 = 216.126.233.245
:src:ipv4 = 204.188.228.211
inet:server=tcp://216.126.233.245:22
.created = 2026/06/12 20:50:33.689
:ipv4 = 216.126.233.245
:port = 22
:proto = tcp
inet:server=tcp://216.126.233.245:80
.created = 2026/06/12 20:50:33.691
:ipv4 = 216.126.233.245
:port = 80
:proto = tcp
inet:server=tcp://216.126.233.245:21
.created = 2026/06/12 20:50:33.694
:ipv4 = 216.126.233.245
:port = 21
:proto = tcp
inet:whois:iprec=0fc0fb9a9421e0f01acd48092d8b7805
.created = 2026/06/12 20:50:33.699
:asn = 400304
:asof = 2025/03/03 00:00:00.000
:name = REDOUBT
inet:ipv4=216.126.233.245
.created = 2026/06/12 20:50:33.670
:asn = 400304
:loc = us
:type = unicast
inet:dns:a=('jeronimo-dk.com', '85.239.245.210')
.created = 2026/06/12 20:50:33.710
:fqdn = jeronimo-dk.com
:ipv4 = 85.239.245.210
inet:dns:a=('webbkatalogen.org', '85.239.245.210')
.created = 2026/06/12 20:50:33.713
:fqdn = webbkatalogen.org
:ipv4 = 85.239.245.210
inet:dns:a=('printoriumprinters.com', '85.239.245.210')
.created = 2026/06/12 20:50:33.716
:fqdn = printoriumprinters.com
:ipv4 = 85.239.245.210
inet:dns:a=('ct1new.neodns.info', '85.239.245.210')
.created = 2026/06/12 20:50:33.720
:fqdn = ct1new.neodns.info
:ipv4 = 85.239.245.210
inet:dns:a=('itstimetopotty.com', '85.239.245.210')
.created = 2026/06/12 20:50:33.724
:fqdn = itstimetopotty.com
:ipv4 = 85.239.245.210
WARNING: Skipping unsupported fingerprint: {'ip': '85.239.245.210', 'type': 'ja4x', 'signature': 'a373a9f83c6b_7022c563de38_821a8ec155c6', 'event_count': 1068}
WARNING: Skipping unsupported fingerprint: {'ip': '85.239.245.210', 'type': 'favicon.murmur3', 'signature': '-274049985', 'event_count': 63}
WARNING: Skipping unsupported fingerprint: {'ip': '85.239.245.210', 'type': 'ja4x', 'signature': '2bab15409345_7022c563de38_f0323fc993b9', 'event_count': 18}
inet:ssl:jarmsample=('tcp://85.239.245.210', '27d27d27d00027d00027d27d27d27d96d86b34e11c2d3d5508f7111adf9d91')
.created = 2026/06/12 20:50:33.729
:jarmhash = 27d27d27d00027d00027d27d27d27d96d86b34e11c2d3d5508f7111adf9d91
:server = tcp://85.239.245.210
inet:flow=5c3e43da8e84e6d233fdc13ab64c19dc
.created = 2026/06/12 20:50:33.731
:_teamcymru:count = 715
:dst:ipv4 = 85.239.245.210
:src:ipv4 = 103.160.62.200
inet:flow=125ac89eacc55e5f7809b587fe129f30
.created = 2026/06/12 20:50:33.733
:_teamcymru:count = 601
:dst:ipv4 = 85.239.245.210
:src:ipv4 = 216.230.19.210
inet:flow=6043f2e31a9cd5be343c1f5a6a333dc9
.created = 2026/06/12 20:50:33.735
:_teamcymru:count = 285
:dst:ipv4 = 85.239.245.210
:src:ipv4 = 103.103.194.85
inet:flow=5707f8ffff0d83241a36db3099b1fe36
.created = 2026/06/12 20:50:33.737
:_teamcymru:count = 172
:dst:ipv4 = 85.239.245.210
:src:ipv4 = 31.47.72.21
inet:flow=2ea9d29f9e172141421fe6841e485ad1
.created = 2026/06/12 20:50:33.739
:_teamcymru:count = 122
:dst:ipv4 = 85.239.245.210
:src:ipv4 = 103.131.95.147
inet:server=tcp://85.239.245.210:443
.created = 2026/06/12 20:50:33.742
:ipv4 = 85.239.245.210
:port = 443
:proto = tcp
inet:server=tcp://85.239.245.210:2222
.created = 2026/06/12 20:50:33.744
:ipv4 = 85.239.245.210
:port = 2222
:proto = tcp
inet:server=tcp://85.239.245.210:80
.created = 2026/06/12 20:50:33.746
:ipv4 = 85.239.245.210
:port = 80
:proto = tcp
crypto:x509:cert=7683f96b90d8835b8969665e84e4b0dc
.created = 2026/06/12 20:50:33.752
:issuer = CN=E6, O=Let's Encrypt, C=US
inet:tls:servercert=('tcp://85.239.245.210:443', '7683f96b90d8835b8969665e84e4b0dc')
.created = 2026/06/12 20:50:33.753
:cert = 7683f96b90d8835b8969665e84e4b0dc
:server = tcp://85.239.245.210:443
inet:tls:servercert=('tcp://85.239.245.210:2222', '7683f96b90d8835b8969665e84e4b0dc')
.created = 2026/06/12 20:50:33.756
:cert = 7683f96b90d8835b8969665e84e4b0dc
:server = tcp://85.239.245.210:2222
inet:tls:servercert=('tcp://85.239.245.210:886', '7683f96b90d8835b8969665e84e4b0dc')
.created = 2026/06/12 20:50:33.759
:cert = 7683f96b90d8835b8969665e84e4b0dc
:server = tcp://85.239.245.210:886
inet:tls:servercert=('tcp://85.239.245.210:4887', '7683f96b90d8835b8969665e84e4b0dc')
.created = 2026/06/12 20:50:33.762
:cert = 7683f96b90d8835b8969665e84e4b0dc
:server = tcp://85.239.245.210:4887
inet:tls:servercert=('tcp://85.239.245.210:2665', '7683f96b90d8835b8969665e84e4b0dc')
.created = 2026/06/12 20:50:33.765
:cert = 7683f96b90d8835b8969665e84e4b0dc
:server = tcp://85.239.245.210:2665
inet:whois:iprec=41c14bb7714d23156bc7a8884ec21a9c
.created = 2026/06/12 20:50:33.767
:asn = 40021
:asof = 2025/03/04 00:00:00.000
:name = TT-20221122
inet:ipv4=85.239.245.210
.created = 2026/06/12 20:50:33.702
:asn = 40021
:loc = de
:type = unicast
inet:dns:a=('thor.gwadlup.fr', '38.175.193.15')
.created = 2026/06/12 20:50:33.777
:fqdn = thor.gwadlup.fr
:ipv4 = 38.175.193.15
inet:flow=7c145d10e2e544f3bc9a0e3d2549f94b
.created = 2026/06/12 20:50:33.779
:_teamcymru:count = 6
:dst:ipv4 = 38.175.193.15
:src:ipv4 = 41.94.30.4
inet:flow=46bc9ed7535dc70e9af5da2b922c1a77
.created = 2026/06/12 20:50:33.781
:_teamcymru:count = 2
:dst:ipv4 = 38.175.193.15
:src:ipv4 = 102.223.92.101
inet:flow=b51e92fffe351431cd8e1d585845a5b1
.created = 2026/06/12 20:50:33.783
:_teamcymru:count = 1
:dst:ipv4 = 38.175.193.15
:src:ipv4 = 45.191.4.249
inet:flow=bd1dc620983867aad294c711884c16a1
.created = 2026/06/12 20:50:33.785
:_teamcymru:count = 1
:dst:ipv4 = 38.175.193.15
:src:ipv4 = 157.10.141.17
inet:server=tcp://38.175.193.15:80
.created = 2026/06/12 20:50:33.788
:ipv4 = 38.175.193.15
:port = 80
:proto = tcp
inet:server=tcp://38.175.193.15:22
.created = 2026/06/12 20:50:33.790
:ipv4 = 38.175.193.15
:port = 22
:proto = tcp
inet:server=tcp://38.175.193.15:21
.created = 2026/06/12 20:50:33.792
:ipv4 = 38.175.193.15
:port = 21
:proto = tcp
inet:whois:iprec=f1a4696140237489e72f2719dd301d2e
.created = 2026/06/12 20:50:33.794
:asn = 174
:asof = 2025/03/01 00:00:00.000
:name = COGENT-A
inet:ipv4=38.175.193.15
.created = 2026/06/12 20:50:33.770
:asn = 400304
:loc = us
:type = unicast
Check Scout and Foundation API usage
> teamcymru.scout.usage
API | Queries Used | Queries Remaining | Queries Limit
==============|================|=====================|=================
Scout | 33 | 967 | 1000
--------------|----------------|---------------------|-----------------
Foundation | 3 | 0 | 0
Use of meta:source nodes
Synapse-TeamCymru uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Team Cymru API.
> meta:source=a4cd0e75c23bdf6beec9bb57e014dd51
meta:source=a4cd0e75c23bdf6beec9bb57e014dd51
.created = 2026/06/12 20:50:22.871
:name = teamcymru api
Storm can filter query results to include or exclude nodes that have been observed by Synapse-TeamCymru. The following example filters the results of a query to include only results observed by Synapse-TeamCymru:
> inet:fqdn=vertex.link -> inet:dns:a +{ <(seen)- meta:source=a4cd0e75c23bdf6beec9bb57e014dd51 }
inet:dns:a=('vertex.link', '137.184.16.9')
.created = 2026/06/12 20:50:29.812
.seen = ('2023/06/05 12:18:25.000', '2023/06/06 20:09:24.001')
:fqdn = vertex.link
:ipv4 = 137.184.16.9
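The exclude form of the same filter, together with a per-record provenance split, as an added Storm example (not taken from the Synapse-TeamCymru documentation). It assumes the meta:source guid shown above, which may differ in another Cortex; the printed labels are illustrative.

```storm
// Added example. Assumption: this guid is the Synapse-TeamCymru meta:source
// node shown on this page; confirm it in your own Cortex before use.
$src = "a4cd0e75c23bdf6beec9bb57e014dd51"

// Start from the same DNS A records as the query above.
inet:fqdn=vertex.link -> inet:dns:a

// Label each record by provenance. A subquery without "yield" leaves the
// pipeline unchanged, so every record reaches both checks.
{ +{ <(seen)- meta:source=$src } $lib.print("observed by teamcymru: {r}", r=$node.repr()) }
{ -{ <(seen)- meta:source=$src } $lib.print("no teamcymru edge:     {r}", r=$node.repr()) }

// Exclude form of the filter: yield only the records that Synapse-TeamCymru
// has NOT observed, i.e. those that rest on other sources alone.
-{ <(seen)- meta:source=$src }
```

Records that pass the final filter have no Team Cymru corroboration in the Cortex, which is useful to know before treating a resolution as confirmed by more than one source.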