SpyCloud
SpyCloud Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.2.0 and later.
With the SpyCloud integration, data from breaches can be pulled and further processed in Playbooks. Filtering parameters can be used to filter the data set This integration was integrated and tested with version 2 of SpyCloud
#
Configure SpyCloud in CortexParameter | Required |
---|---|
Base URL of SpyCloud | True |
API Key of SpyCloud | True |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
spycloud-list-breachesLists the breaches identified. By default this lists all breaches known in Spycloud. With the arguments it's possible to scope the results on date and keywords.
#
Base Commandspycloud-list-breaches
#
InputArgument Name | Description | Required |
---|---|---|
query | Give a keyword to search for in the dataset. Default is empty. | Optional |
since | Search the dataset since this date. Format is yyyy-mm-dd and default value is 2010-01-01. Default is 2010-01-01. | Optional |
until | Search the dataset until this date. Format is yyyy-mm-dd and default value is 2100-01-01 (aka get everything). Default is 2100-01-01. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.Breaches.uuid | String | unique ID |
SpyCloud.Breaches.title | String | Breach title |
SpyCloud.Breaches.type | String | Type of breach |
SpyCloud.Breaches.description | String | Summary of the breach/threat |
SpyCloud.Breaches.acquisition_date | Date | When the breach data was acquired |
SpyCloud.Breaches.site | String | The website that was breached |
SpyCloud.Breaches.spycloud_publish_date | Date | Publication date |
SpyCloud.Breaches.num_records | Number | Number of records in the breach |
SpyCloud.Breaches.id | Number | Unique breach ID |
#
Command example!spycloud-list-breaches
#
Context Example#
Human Readable Output#
Results
acquisition_date description id num_records site spycloud_publish_date title type uuid 2021-05-19T00:00:00Z In x time, site Y was breached 35911 45810 examplers.com 2022-05-19T00:00:00Z Cool title PRIVATE 1111111-2222-34567-aaaa-9282829dddde
#
spycloud-get-breach-dataRetrieves the breach details. While very similar to list-breaches, this command obtains one specific breach, which is easier for automation tasks
#
Base Commandspycloud-get-breach-data
#
InputArgument Name | Description | Required |
---|---|---|
id | The breach ID to filter on. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.Breaches.uuid | String | Unique ID |
SpyCloud.Breaches.title | String | Breach title |
SpyCloud.Breaches.type | String | Type of breach |
SpyCloud.Breaches.description | String | Summary of the breach |
SpyCloud.Breaches.acquisition_date | Date | Acquired date |
SpyCloud.Breaches.site | String | Title of the breach |
SpyCloud.Breaches.spycloud_publish_date | Date | Publication date |
SpyCloud.Breaches.num_records | Number | Number of records in breach |
SpyCloud.Breaches.id | Number | Unique breach ID |
#
Command example!spycloud-get-breach-data id=37666
#
Context Example#
Human Readable Output#
Results
acquisition_date description id num_records site spycloud_publish_date title type uuid 2021-05-13T00:00:00Z Cool description of the threat 37666 802751 n/a 2021-05-18T00:00:00Z Cool title PRIVATE 11111111-2222-3333-44444444444444444
#
spycloud-domain-dataGet all the data from a monitored domain and the breaches occurred that relates with it. Can be scoped by domain, type and severity
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#
Base Commandspycloud-domain-data
#
InputArgument Name | Description | Required |
---|---|---|
domain | The domain to search for in the data. | Required |
type | Allowed values: corporate, infected. Default is corporate. Infected returns the infected employees and customers. Default is corporate. | Optional |
severity | Allowed values: 2, 5, 10, 15, 20, 25. Default is 2. Default is 2. | Optional |
since | The starting point for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd). | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.Domain.document_id | String | The unique ID of the identified record |
SpyCloud.Domain.spycloud_publish_date | Date | The date SpyCloud has found the data record |
SpyCloud.Domain.username | String | The username that was found in the breach dataset |
SpyCloud.Domain.email | String | The email that was found in the breach dataset |
SpyCloud.Domain.infected_time | String | The date the user got infected |
SpyCloud.Domain.target_url | String | Which URL the credentials are for |
SpyCloud.Domain.source_id | String | breach source ID |
SpyCloud.Domain.password_plaintext | String | Plaintext password identified |
#
Command example!spycloud-domain-data domain=example.com since=2022-05-01
#
Context Example#
Human Readable Output#
Results
document_id infected_time password_plaintext source_id spycloud_publish_date target_domain username 11111111-2222-3333-4444-555555555555 sales@example.com empty empty 37518 2022-01-12T00:00:00Z empty empty 11111111-2222-3333-4444-555555555555 support@example.com empty empty 37518 2022-01-12T00:00:00Z empty empty
#
spycloud-email-dataGet all the data from a monitored email address and the breaches occurred that relates with it. Can be scoped by date, severity and breach
#
Base Commandspycloud-email-data
#
InputArgument Name | Description | Required |
---|---|---|
emailaddr | Email address to search for. | Required |
severity | Allowed values: 2, 5, 10, 15, 20, 25. Default is 2. Default is 2. | Optional |
breach_id | The breach ID to search in. Default is empty. | Optional |
since | The starting point for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd). | Required |
until | The until date for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd). Default is 2100-01-01. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.Emails.document_id | String | The unique ID of the identified record |
SpyCloud.Emails.spycloud_publish_date | Date | The date SpyCloud has found the data record |
SpyCloud.Emails.username | String | The username that was found in the breach dataset |
SpyCloud.Emails.email | String | The email that was found in the breach dataset |
SpyCloud.Emails.source_id | String | breach source ID |
SpyCloud.Emails.domain | String | The domain that the user/pass is used on |
SpyCloud.Emails.password | String | Password found. Can be plaintext or hashed, good to check |
SpyCloud.Emails.user_browser | String | The browser of the user |
SpyCloud.Emails.target_url | String | The target url of the credentials |
#
Command example!spycloud-email-data emailaddr=john.doe@example.com since=2020-08-01 until=2021-02-01
#
Context Example#
Human Readable Output#
Results
document_id domain password source_id spycloud_publish_date target_url user_browser username 11111111-2222-3333-4444-555555555555 example.com john.doe@example.com empty 38666 2021-10-21T00:00:00Z empty empty empty
#
spycloud-watchlist-dataGet all the data from a watchlist.
#
Base Commandspycloud-watchlist-data
#
InputArgument Name | Description | Required |
---|---|---|
watchlist_type | Allowed values are ip, domain, email. | Required |
type | Allowed values: corporate or infected. Default is corporate. Default is corporate. | Optional |
breach_id | The breach ID to search in. Default is empty. | Optional |
since | The starting point for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd). | Required |
until | The until date for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd). Default is 2100-01-01. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.Watchlist.document_id | String | The unique ID of the identified record |
SpyCloud.Watchlist.username | String | The username of the identified record |
SpyCloud.Watchlist.target_url | String | The targeted url |
SpyCloud.Watchlist.breach_id | String | The breach ID |
SpyCloud.Watchlist.password | String | The password of the user being exposed |
SpyCloud.Watchlist.spycloud_publish_date' | String | Date when Spycloud published the breach |
SpyCloud.Watchlist.email | String | The email address involved (if email watchlist type selected) |
SpyCloud.Watchlist.domain | String | The domain involved of the watchlist (if that type is selected) |
#
Command example!spycloud-watchlist-data watchlist_type=email since=2022-02-11
#
Context Example#
Human Readable Output#
Results
breach_id document_id domain password spycloud_publish_date target_url username 38666 11111111-2222-3333-4444-555555555555 hotmail.com john.doe@hotmail.com empty 2020-03-03T00:00:00Z empty empty