Skip to main content

Qintel QWatch

This Integration is part of the Qintel Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Qintel's QWatch system contains credentials obtained from dump sites, hacker collaboratives, and command and control infrastructures of eCrime- and APT-related malware. With this integration, users can fetch exposure alerts as incidents and discover exposed credentials associated with their organization. This integration was integrated and tested with version 1.1.6 of QWatch

Configure QintelQWatch on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for QintelQWatch.

  3. Click Add instance to create and configure a new integration instance.

    QWatch API URL (optional)False
    Qintel CredentialsTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Fetch incidentsFalse
    Fetch plaintext passwordsFalse
    Limit number of records per fetchFalse
    First fetch timeFalse
    Incidents Fetch IntervalFalse
    Default Incident SeverityTrue
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Search QWatch for exposed credentials

Base Command#



Argument NameDescriptionRequired
emailEmail to search.Optional
domainDomain to search.Optional

Context Output#

Qintel.QWatch.ExposuresStringQWatch Exposure Records

Command Example#

!qintel-qwatch-exposures email=test@example.local

Context Example#

"Qintel": {
"QWatch": {
"Exposures": [
"email": "test@example.local",
"firstseen": "2020-03-25 09:38:40",
"lastseen": "2021-02-05 04:35:33",
"loaded": "2021-02-05 04:35:33",
"password": "SuperSecretPassword",
"source": "combo-BigComboList"
"email": "test@example.local",
"firstseen": "2020-03-25 09:38:40",
"lastseen": "2021-02-05 04:35:33",
"loaded": "2020-08-10 02:10:11",
"password": "SuperSecretPassword",
"source": "dump-example.local"
"email": "test@example.local",
"firstseen": "2020-03-25 09:38:40",
"lastseen": "2021-02-05 04:35:33",
"loaded": "2020-03-25 09:38:40",
"password": "SuperSecretPassword",
"source": "malware-evilbot_March_22_2020"

Human Readable Output#

Qintel QWatch exposures for: test@example.local#

EmailPasswordSourceLoadedFirst SeenLast Seen
test@example.localSuperSecretPasswordcombo-BigComboList2021-02-05 04:35:332020-03-25 09:38:402021-02-05 04:35:33
test@example.localSuperSecretPassworddump-example.local2020-08-10 02:10:112020-03-25 09:38:402021-02-05 04:35:33
test@example.localSuperSecretPasswordmalware-evilbot_March_22_20202020-03-25 09:38:402020-03-25 09:38:402021-02-05 04:35:33