Skip to main content

SpyCloud

This Integration is part of the SpyCloud Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

With the SpyCloud integration, data from breaches can be pulled and further processed in Playbooks. Filtering parameters can be used to filter the data set This integration was integrated and tested with version 2 of SpyCloud

Configure SpyCloud in Cortex#

ParameterRequired
Base URL of SpyCloudTrue
API Key of SpyCloudTrue

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

spycloud-list-breaches#


Lists the breaches identified. By default this lists all breaches known in Spycloud. With the arguments it's possible to scope the results on date and keywords.

Base Command#

spycloud-list-breaches

Input#

Argument NameDescriptionRequired
queryGive a keyword to search for in the dataset. Default is empty.Optional
sinceSearch the dataset since this date. Format is yyyy-mm-dd and default value is 2010-01-01. Default is 2010-01-01.Optional
untilSearch the dataset until this date. Format is yyyy-mm-dd and default value is 2100-01-01 (aka get everything). Default is 2100-01-01.Optional

Context Output#

PathTypeDescription
SpyCloud.Breaches.uuidStringunique ID
SpyCloud.Breaches.titleStringBreach title
SpyCloud.Breaches.typeStringType of breach
SpyCloud.Breaches.descriptionStringSummary of the breach/threat
SpyCloud.Breaches.acquisition_dateDateWhen the breach data was acquired
SpyCloud.Breaches.siteStringThe website that was breached
SpyCloud.Breaches.spycloud_publish_dateDatePublication date
SpyCloud.Breaches.num_recordsNumberNumber of records in the breach
SpyCloud.Breaches.idNumberUnique breach ID

Command example#

!spycloud-list-breaches

Context Example#

{
"SpyCloud": {
"Breaches": [
{
"acquisition_date": "2021-01-22T00:00:00Z",
"description": "In x time, site Y was breached",
"id": 11111,
"num_records": 45810,
"site": "examplers.com",
"spycloud_publish_date": "2021-05-19T00:00:00Z",
"title": "Cool title",
"type": "PRIVATE",
"uuid": "1111111-2222-34567-aaaa-9282829dddde"
},
]
}
}

Human Readable Output#

Results#

acquisition_datedescriptionidnum_recordssitespycloud_publish_datetitletypeuuid
2021-05-19T00:00:00ZIn x time, site Y was breached3591145810examplers.com2022-05-19T00:00:00ZCool titlePRIVATE1111111-2222-34567-aaaa-9282829dddde

spycloud-get-breach-data#


Retrieves the breach details. While very similar to list-breaches, this command obtains one specific breach, which is easier for automation tasks

Base Command#

spycloud-get-breach-data

Input#

Argument NameDescriptionRequired
idThe breach ID to filter on.Required

Context Output#

PathTypeDescription
SpyCloud.Breaches.uuidStringUnique ID
SpyCloud.Breaches.titleStringBreach title
SpyCloud.Breaches.typeStringType of breach
SpyCloud.Breaches.descriptionStringSummary of the breach
SpyCloud.Breaches.acquisition_dateDateAcquired date
SpyCloud.Breaches.siteStringTitle of the breach
SpyCloud.Breaches.spycloud_publish_dateDatePublication date
SpyCloud.Breaches.num_recordsNumberNumber of records in breach
SpyCloud.Breaches.idNumberUnique breach ID

Command example#

!spycloud-get-breach-data id=37666

Context Example#

{
"SpyCloud": {
"Breaches": {
"acquisition_date": "2020-05-13T00:00:00Z",
"description": "Cool description of the threat",
"id": 37666,
"num_records": 802751,
"site": "n/a",
"spycloud_publish_date": "2021-05-18T00:00:00Z",
"title": "Cool title",
"type": "PRIVATE",
"uuid": "11111111-2222-3333-4444-555555555555"
}
}
}

Human Readable Output#

Results#

acquisition_datedescriptionidnum_recordssitespycloud_publish_datetitletypeuuid
2021-05-13T00:00:00ZCool description of the threat37666802751n/a2021-05-18T00:00:00ZCool titlePRIVATE11111111-2222-3333-44444444444444444

spycloud-domain-data#


Get all the data from a monitored domain and the breaches occurred that relates with it. Can be scoped by domain, type and severity

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

spycloud-domain-data

Input#

Argument NameDescriptionRequired
domainThe domain to search for in the data.Required
typeAllowed values: corporate, infected. Default is corporate. Infected returns the infected employees and customers. Default is corporate.Optional
severityAllowed values: 2, 5, 10, 15, 20, 25. Default is 2. Default is 2.Optional
sinceThe starting point for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd).Required

Context Output#

PathTypeDescription
SpyCloud.Domain.document_idStringThe unique ID of the identified record
SpyCloud.Domain.spycloud_publish_dateDateThe date SpyCloud has found the data record
SpyCloud.Domain.usernameStringThe username that was found in the breach dataset
SpyCloud.Domain.emailStringThe email that was found in the breach dataset
SpyCloud.Domain.infected_timeStringThe date the user got infected
SpyCloud.Domain.target_urlStringWhich URL the credentials are for
SpyCloud.Domain.source_idStringbreach source ID
SpyCloud.Domain.password_plaintextStringPlaintext password identified

Command example#

!spycloud-domain-data domain=example.com since=2022-05-01

Context Example#

{
"SpyCloud": {
"Results": [
{
"document_id": "11111111-2222-3333-4444-555555555555",
"email": "sales@example.com",
"infected_time": "empty",
"password_plaintext": "empty",
"source_id": 37666,
"spycloud_publish_date": "2021-01-12T00:00:00Z",
"target_domain": "empty",
"username": "empty"
},
{
"document_id": "11111111-2222-3333-4444-555555555555",
"email": "support@example.com",
"infected_time": "empty",
"password_plaintext": "empty",
"source_id": 37666,
"spycloud_publish_date": "2022-01-12T00:00:00Z",
"target_domain": "empty",
"username": "empty"
}
]
}
}

Human Readable Output#

Results#

document_idemailinfected_timepassword_plaintextsource_idspycloud_publish_datetarget_domainusername
11111111-2222-3333-4444-555555555555sales@example.comemptyempty375182022-01-12T00:00:00Zemptyempty
11111111-2222-3333-4444-555555555555support@example.comemptyempty375182022-01-12T00:00:00Zemptyempty

spycloud-email-data#


Get all the data from a monitored email address and the breaches occurred that relates with it. Can be scoped by date, severity and breach

Base Command#

spycloud-email-data

Input#

Argument NameDescriptionRequired
emailaddrEmail address to search for.Required
severityAllowed values: 2, 5, 10, 15, 20, 25. Default is 2. Default is 2.Optional
breach_idThe breach ID to search in. Default is empty.Optional
sinceThe starting point for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd).Required
untilThe until date for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd). Default is 2100-01-01.Optional

Context Output#

PathTypeDescription
SpyCloud.Emails.document_idStringThe unique ID of the identified record
SpyCloud.Emails.spycloud_publish_dateDateThe date SpyCloud has found the data record
SpyCloud.Emails.usernameStringThe username that was found in the breach dataset
SpyCloud.Emails.emailStringThe email that was found in the breach dataset
SpyCloud.Emails.source_idStringbreach source ID
SpyCloud.Emails.domainStringThe domain that the user/pass is used on
SpyCloud.Emails.passwordStringPassword found. Can be plaintext or hashed, good to check
SpyCloud.Emails.user_browserStringThe browser of the user
SpyCloud.Emails.target_urlStringThe target url of the credentials

Command example#

!spycloud-email-data emailaddr=john.doe@example.com since=2020-08-01 until=2021-02-01

Context Example#

{
"SpyCloud": {
"Emails": [
{
"document_id": "11111111-2222-3333-4444-555555555555",
"domain": "example.com",
"email": "john.doe@example.com",
"password": "empty",
"source_id": 38666,
"spycloud_publish_date": "2021-10-21T00:00:00Z",
"target_url": "empty",
"user_browser": "empty",
"username": "empty"
}
]
}
}

Human Readable Output#

Results#

document_iddomainemailpasswordsource_idspycloud_publish_datetarget_urluser_browserusername
11111111-2222-3333-4444-555555555555example.comjohn.doe@example.comempty386662021-10-21T00:00:00Zemptyemptyempty

spycloud-watchlist-data#


Get all the data from a watchlist.

Base Command#

spycloud-watchlist-data

Input#

Argument NameDescriptionRequired
watchlist_typeAllowed values are ip, domain, email.Required
typeAllowed values: corporate or infected. Default is corporate. Default is corporate.Optional
breach_idThe breach ID to search in. Default is empty.Optional
sinceThe starting point for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd).Required
untilThe until date for a date range query on the spycloud_publish_date. The value provided must follow the standard ISO 8601 date format (yyyy-mm-dd). Default is 2100-01-01.Optional

Context Output#

PathTypeDescription
SpyCloud.Watchlist.document_idStringThe unique ID of the identified record
SpyCloud.Watchlist.usernameStringThe username of the identified record
SpyCloud.Watchlist.target_urlStringThe targeted url
SpyCloud.Watchlist.breach_idStringThe breach ID
SpyCloud.Watchlist.passwordStringThe password of the user being exposed
SpyCloud.Watchlist.spycloud_publish_date'StringDate when Spycloud published the breach
SpyCloud.Watchlist.emailStringThe email address involved (if email watchlist type selected)
SpyCloud.Watchlist.domainStringThe domain involved of the watchlist (if that type is selected)

Command example#

!spycloud-watchlist-data watchlist_type=email since=2022-02-11

Context Example#

{
"SpyCloud": {
"Watchlist": {
"breach_id": 38666,
"document_id": "11111111-2222-3333-4444-555555555555",
"domain": "hotmail.com",
"email": "john.doe@hotmail.com",
"password": "empty",
"spycloud_publish_date": "2020-03-03T00:00:00Z",
"target_url": "empty",
"username": "empty"
}
}
}

Human Readable Output#

Results#

breach_iddocument_iddomainemailpasswordspycloud_publish_datetarget_urlusername
3866611111111-2222-3333-4444-555555555555hotmail.comjohn.doe@hotmail.comempty2020-03-03T00:00:00Zemptyempty