Skip to main content

SpyCloud Enterprise Protection Enrichment

This Integration is part of the SpyCloud Enterprise Protection Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

SpyCloud Enterprise Protection Enrichment#

Provide enrichment for domains, IPs, emails, usernames, and passwords using the SpyCloud Enterprise Protection API.

Configure SpyCloud Enterprise Protection Enrichment in Cortex#

ParameterRequired
API URLTrue
API KeyTrue
Trust any certificate (not secure)False
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

spycloud-breach-catalog-list#


List the Breach Catalog. By default, this lists all breaches in SpyCloud. With the arguments, it's possible to scope the results.

Base Command#

spycloud-breach-catalog-list

Input#

Argument NameDescriptionRequired
limitThe maximum number of records to return from the collection. Limit default value is 50.Optional
sinceThis parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. Example:- YYYY-MM-DD.Optional
untilThis parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.
Example:- YYYY-MM-DD.
Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
queryQuery value to search the breach catalog for.Optional
all_resultsFetch all results. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
SpyCloud.BreachList.siteStringWebsite of breached organization, when available.
SpyCloud.BreachList.confidenceNumberNumerical score representing the confidence in the source of the breach.
SpyCloud.BreachList.idNumberNumerical breach ID. This number correlates to source_id data point found in breach records.
SpyCloud.BreachList.acquisition_dateDateThe date on which our security research team first acquired the breached data.
SpyCloud.BreachList.uuidStringUUID v4 encoded version of breach ID. This is relevant for users of Firehose, where each deliverable (records file) is named using the breach UUID.
SpyCloud.BreachList.num_recordsNumberNumber of records we parsed and ingested from this particular breach. This is after parsing, normalization and deduplication take place.
SpyCloud.BreachList.typeStringDenotes if a breach is considered public or private. A public breach is one that is easily found on the internet, while a private breach is often exclusive to SpyCloud.
SpyCloud.BreachList.titleStringBreach title. For each ingested breach our security research team documents a breach title. This is only available when we can disclose the breach details, otherwise it will have a generic title.
SpyCloud.BreachList.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.BreachList.descriptionStringBreach description. For each ingested breach our security research team documents a breach description. This is only available when we can disclose the breach details, otherwise it will have a generic description.
SpyCloud.BreachList.site_descriptionStringDescription of the breached organization, when available.
SpyCloud.BreachList.assets.phoneNumberPhone number.
SpyCloud.BreachList.assets.genderNumberGender specifier. Typically set to 'M', 'F', 'Male', or 'Female'.
SpyCloud.BreachList.assets.company_nameNumberCompany name.
SpyCloud.BreachList.assets.user_agentNumberBrowser agent string.
SpyCloud.BreachList.assets.countryNumberCountry name.
SpyCloud.BreachList.assets.social_telegramNumberTelegram username.
SpyCloud.BreachList.assets.social_skypeNumberSkype username.
SpyCloud.BreachList.assets.stateNumberState name.
SpyCloud.BreachList.assets.account_login_timeNumberLast account login time. In ISO 8601 datetime format.
SpyCloud.BreachList.assets.ip_addressesNumberList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.BreachList.assets.postal_codeNumberPostal code, usually zip code in USA.
SpyCloud.BreachList.assets.dobNumberDate of birth. In ISO 8601 datetime format.
SpyCloud.BreachList.assets.account_signup_timeNumberAccount signup date. In ISO 8601 datetime format.
SpyCloud.BreachList.assets.homepageNumberUser's homepage URL.
SpyCloud.BreachList.assets.first_nameNumberFirst name.
SpyCloud.BreachList.assets.country_codeNumberCountry code; derived from country.
SpyCloud.BreachList.assets.account_modification_timeNumberAccount modification date. In ISO 8601 datetime format.
SpyCloud.BreachList.assets.full_nameNumberFull name.
SpyCloud.BreachList.assets.address_1NumberAddress line 1.
SpyCloud.BreachList.assets.last_nameNumberLast name.
SpyCloud.BreachList.assets.emailNumberEmail address.
SpyCloud.BreachList.assets.cityNumberCity name.
SpyCloud.BreachList.assets.passwordNumberAccount password.
SpyCloud.BreachList.assets.usernameNumberUsername.

Command example#

!spycloud-breach-catalog-list limit=2

Context Example#

{
"SpyCloud": {
"BreachList": [
{
"acquisition_date": "2023-04-14T00:00:00Z",
"assets": {
"account_login_time": 81547,
"account_modification_time": 53034,
"account_signup_time": 93646,
"city": 72289,
"dob": 80958,
"email": 199284,
"first_name": 63233,
"full_name": 60764,
"gender": 88517,
"ip_addresses": 154304,
"language": 70246,
"last_name": 60895,
"password": 178121,
"salt": 88487,
"state": 57089,
"timezone": 80714,
"username": 103341
},
"confidence": 3,
"description": "This source has been marked as sensitive due to one of the following reasons: Revealing the source may compromise an on-going investigation. The affected site is of a controversial nature but does not validate email addresses and could therefore be used to tarnish an employee's reputation.",
"id": 43120,
"num_records": 199705,
"spycloud_publish_date": "2023-05-05T00:00:00Z",
"title": "Sensitive Source",
"type": "PUBLIC",
"uuid": "0f9cfacd-f583-4b16-9eb6-e2b54bc51e43"
},
{
"acquisition_date": "2023-05-02T00:00:00Z",
"assets": {
"av_softwares": 22,
"country": 64688,
"country_code": 64331,
"email": 33124,
"infected_machine_id": 64759,
"infected_time": 64736,
"ip_addresses": 6194,
"password": 64759,
"target_url": 64759,
"user_hostname": 64685,
"user_os": 64759,
"user_sys_registered_owner": 64236,
"username": 31635
},
"confidence": 3,
"description": "stealc Stealer is a Windows-targeted stealer designed to grab form data such as IP addresses, browsing history, saved passwords, cryptocurrency, private messages and/or screenshots from affected users.",
"id": 43491,
"num_records": 64759,
"premium_flag": "YES",
"site": "n/a",
"site_description": "stealc Stealer is a Windows-targeted stealer designed to grab form data such as IP addresses, browsing history, saved passwords, cryptocurrency, private messages and/or screenshots from affected users.",
"spycloud_publish_date": "2023-05-05T00:00:00Z",
"title": "stealc Stealer",
"type": "PRIVATE",
"uuid": "16689989-fe33-49ec-b02f-0442963ef0b7"
}
]
}
}

Human Readable Output#

Breach List#

TitleSpyCloud Publish DateDescriptionConfidenceIDAcquisition DateUUIDType
Sensitive Source2023-05-05T00:00:00ZThis source has been marked as sensitive due to one of the following reasons: Revealing the source may compromise an on-going investigation. The affected site is of a controversial nature but does not validate email addresses and could therefore be used to tarnish an employee's reputation.3431202023-04-14T00:00:00Z0f9cfacd-f583-4b16-9eb6-e2b54bc51e43PUBLIC
stealc Stealer2023-05-05T00:00:00Zstealc Stealer is a Windows-targeted stealer designed to grab form data such as IP addresses, browsing history, saved passwords, cryptocurrency, private messages and/or screenshots from affected users.3434912023-05-02T00:00:00Z16689989-fe33-49ec-b02f-0442963ef0b7PRIVATE

spycloud-breach-catalog-get#


Get Breach Catalog Information by ID.

Base Command#

spycloud-breach-catalog-get

Input#

Argument NameDescriptionRequired
idNumerical ID of the breach. Both integer and UUIDv4 ID formats are supported. You may also use a comma delimiter to request more than one breach at a time.Required

Context Output#

PathTypeDescription
SpyCloud.BreachData.siteStringWebsite of breached organization, when available.
SpyCloud.BreachData.confidenceNumberNumerical score representing the confidence in the source of the breach.
SpyCloud.BreachData.idNumberNumerical breach ID. This number correlates to source_id data point found in breach records.
SpyCloud.BreachData.acquisition_dateDateThe date on which our security research team first acquired the breached data.
SpyCloud.BreachData.uuidStringUUID v4 encoded version of breach ID. This is relevant for users of Firehose, where each deliverable (records file) is named using the breach UUID.
SpyCloud.BreachData.num_recordsNumberNumber of records we parsed and ingested from this particular breach. This is after parsing, normalization and deduplication take place.
SpyCloud.BreachData.typeStringDenotes if a breach is considered public or private. A public breach is one that is easily found on the internet, while a private breach is often exclusive to SpyCloud.
SpyCloud.BreachData.titleStringBreach title. For each ingested breach our security research team documents a breach title. This is only available when we can disclose the breach details, otherwise it will have a generic title.
SpyCloud.BreachData.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.BreachData.descriptionStringBreach description. For each ingested breach our security research team documents a breach description. This is only available when we can disclose the breach details, otherwise it will have a generic description.
SpyCloud.BreachData.site_descriptionStringDescription of the breached organization, when available.
SpyCloud.BreachData.assets.phoneNumberPhone number.
SpyCloud.BreachData.assets.genderNumberGender specifier. Typically set to 'M', 'F', 'Male', or 'Female'.
SpyCloud.BreachData.assets.company_nameNumberCompany name.
SpyCloud.BreachData.assets.user_agentNumberBrowser agent string.
SpyCloud.BreachData.assets.countryNumberCountry name.
SpyCloud.BreachData.assets.social_telegramNumberTelegram username.
SpyCloud.BreachData.assets.social_skypeNumberSkype username.
SpyCloud.BreachData.assets.stateNumberState name.
SpyCloud.BreachData.assets.account_login_timeNumberLast account login time. In ISO 8601 datetime format.
SpyCloud.BreachData.assets.ip_addressesNumberList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.BreachData.assets.postal_codeNumberPostal code, usually zip code in USA.
SpyCloud.BreachData.assets.dobNumberDate of birth. In ISO 8601 datetime format.
SpyCloud.BreachData.assets.account_signup_timeNumberAccount signup date. In ISO 8601 datetime format.
SpyCloud.BreachData.assets.homepageNumberUser's homepage URL.
SpyCloud.BreachData.assets.first_nameNumberFirst name.
SpyCloud.BreachData.assets.country_codeNumberCountry code; derived from country.
SpyCloud.BreachData.assets.account_modification_timeNumberAccount modification date. In ISO 8601 datetime format.
SpyCloud.BreachData.assets.full_nameNumberFull name.
SpyCloud.BreachData.assets.address_1NumberAddress line 1.
SpyCloud.BreachData.assets.last_nameNumberLast name.
SpyCloud.BreachData.assets.emailNumberEmail address.
SpyCloud.BreachData.assets.cityNumberCity name.
SpyCloud.BreachData.assets.passwordNumberAccount password.
SpyCloud.BreachData.assets.usernameNumberUsername.

Command example#

!spycloud-breach-catalog-get id=39897 limit=2

Context Example#

{
"SpyCloud": {
"BreachData": {
"acquisition_date": "2022-10-04T00:00:00Z",
"assets": {
"address_1": 22037,
"city": 22037,
"dob": 56967,
"email": 61479,
"first_name": 62366,
"full_name": 62366,
"gender": 22041,
"job_title": 4642,
"last_name": 62366,
"middle_name": 13430,
"phone": 25997,
"postal_code": 22037,
"state": 22037
},
"confidence": 3,
"description": "On an unknown date, data allegedly belonging to Mansfield Independent School District, a U.S-based educational district, was leaked online. The data contains names, email addresses, phone numbers, addresses and additional personal information. This leak is being publicly shared on online forums.",
"id": 39897,
"num_records": 62366,
"site": "mansfieldisd.org",
"site_description": "Mansfield Independent School District is an educational district based in the U.S.",
"spycloud_publish_date": "2023-04-18T00:00:00Z",
"title": "Mansfield Independent School District",
"type": "PUBLIC",
"uuid": "c504f30a-6fe7-48df-becf-4e14f16e6c0d"
}
}
}

Human Readable Output#

Breach data for id 39897#

TitleSpyCloud Publish DateDescriptionConfidenceIDAcquisition DateUUIDType
Mansfield Independent School District2023-04-18T00:00:00ZOn an unknown date, data allegedly belonging to Mansfield Independent School District, a U.S-based educational district, was leaked online. The data contains names, email addresses, phone numbers, addresses and additional personal information. This leak is being publicly shared on online forums.3398972022-10-04T00:00:00Zc504f30a-6fe7-48df-becf-4e14f16e6c0dPUBLIC

spycloud-domain-data-get#


Get Breach Data by Domain.

Base Command#

spycloud-domain-data-get

Input#

Argument NameDescriptionRequired
domainDomain or Subdomain name to search for.Required
limitThe maximum number of records to return from the collection. Limit default value is 50.Optional
typeThis parameter lets you filter results by several types. The allowed values are 'corporate' for corporate records, and 'infected' for infected user records, email_domain to just match against email domains, and target_domain to just match against target domains or subdomains. If no value has been provided the API function will, by default, return all record types. Possible values are: corporate, infected, , email_domain, target_domain.Optional
sinceThis parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. Example:- YYYY-MM-DD.Optional
untilThis parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.
Example:- YYYY-MM-DD.
Optional
severityThis parameter allows you to filter based on the numeric severity code.
Possible values are:
2 -> Email only severity. This record is part of an email-only list.
5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all.
20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password.
25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: .
Optional
source_idThis parameter allows you to filter based on a particular breach source.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
all_resultsFetch all results. Possible values are: True, False.Optional
since_modification_dateThis parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date).Optional
until_modification_dateThis parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date).Optional

Context Output#

PathTypeDescription
SpyCloud.Domain.usernameStringUsername.
SpyCloud.Domain.passwordStringAccount password.
SpyCloud.Domain.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.Domain.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.Domain.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.Domain.user_browserStringBrowser name.
SpyCloud.Domain.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.Domain.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.Domain.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.Domain.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.Domain.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.Domain.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.Domain.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.Domain.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.Domain.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.Domain.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.Domain.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.Domain.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.Domain.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.Domain.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.Domain.emailStringEmail address.
SpyCloud.Domain.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.Domain.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.Domain.domainStringDomain name.

Command example#

!spycloud-domain-data-get domain=dummy.com limit=2

Context Example#

{
"SpyCloud": {
"Domain": [
{
"company_name": "dummy",
"document_id": "0046c7e3-fcf4-4d24-9c45-255116054640",
"domain": "dummy.com",
"email": "Dummy Email",
"email_domain": "dummy.com",
"email_username": "smoolagiri",
"first_name": "Shyam",
"full_name": "Shyam Moolagiri",
"job_title": "Senior Team Lead Qa",
"last_name": "Moolagiri",
"phone": "7039567410",
"severity": 5,
"source_id": 41180,
"spycloud_publish_date": "2023-03-28T00:00:00Z"
},
{
"city": "Chantilly",
"company_name": "dummy",
"document_id": "0fa88054-5d74-412a-bc40-0935a6d6e2d5",
"domain": "dummy.com",
"email": "dummy Email",
"email_domain": "dummy.com",
"email_username": "srobert",
"first_name": "Sam",
"full_name": "Sam Robert",
"job_title": "Lead Recruiting Specialist",
"last_name": "Robert",
"phone": "7039567410",
"severity": 5,
"social_linkedin": [
"sam-robert-37746b35"
],
"source_id": 41180,
"spycloud_publish_date": "2023-03-28T00:00:00Z",
"state": "VA"
}
]
}
}

Human Readable Output#

Breach List for domain dummy.com#

Source IDEmailFull NameEmail DomainEmail UsernameSpyCloud Publish DateDomainDocument IDSeverity
41180Dummy EmailShyam Moolagiridummy.comsmoolagiri










2023-03-28T00:00:00Z
dummy.com0046c7e3-fcf4-4d24-9c45-2551160546405
41180Dummy EmailSam Robertdummy.comsrobert









2023-03-28T00:00:00Z

dummy.com
0fa88054-5d74-412a-bc40-0935a6d6e2d55

spycloud-username-data-get#


Get Breach Data by Username.

Base Command#

spycloud-username-data-get

Input#

Argument NameDescriptionRequired
sinceThis parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.Optional
untilThis parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.Optional
since_modification_dateThis parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date).Optional
until_modification_dateThis parameter allows you to define the ending point for a date range
query on the when an already published record was modified (record_modification_date).
Optional
severityThis parameter allows you to filter based on the numeric severity code.
Possible values are:
2 -> Email only severity. This record is part of an email-only list.
5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all.
20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password.
25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: .
Optional
source_idThis parameter allows you to filter based on a particular breach source.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50.Optional
usernameUsername you wish to search for.Required
all_resultsFetch all results. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
SpyCloud.Username.usernameStringUsername.
SpyCloud.Username.passwordStringAccount password.
SpyCloud.Username.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.Username.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.Username.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.Username.user_browserStringBrowser name.
SpyCloud.Username.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.Username.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.Username.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.Username.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.Username.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.Username.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.Username.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.Username.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.Username.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.Username.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.Username.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.Username.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.Username.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.Username.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.Username.emailStringEmail address.
SpyCloud.Username.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.Username.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.Username.domainStringDomain name.

Command example#

!spycloud-username-data-get username=abc limit=2

Human Readable Output#

No data to present.

spycloud-ip-address-data-get#


Get Breach Data by IP Address.

Base Command#

spycloud-ip-address-data-get

Input#

Argument NameDescriptionRequired
sinceThis parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.Optional
untilThis parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.Optional
since_modification_dateThis parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date).Optional
until_modification_dateThis parameter allows you to define the ending point for a date range
query on the when an already published record was modified (record_modification_date).
Optional
severityThis parameter allows you to filter based on the numeric severity code.
Possible values are:
2 -> Email only severity. This record is part of an email-only list.
5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all.
20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password.
25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: .
Optional
source_idThis parameter allows you to filter based on a particular breach source.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50.Optional
ipIP address or network CIDR notation to search for. For CIDR notation, use an underscore instead of a slash.Required
all_resultsFecth all results. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
SpyCloud.IPAddress.usernameStringUsername.
SpyCloud.IPAddress.passwordStringAccount password.
SpyCloud.IPAddress.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.IPAddress.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.IPAddress.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.IPAddress.user_browserStringBrowser name.
SpyCloud.IPAddress.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.IPAddress.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.IPAddress.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.IPAddress.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.IPAddress.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.IPAddress.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.IPAddress.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.IPAddress.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.IPAddress.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.IPAddress.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.IPAddress.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.IPAddress.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.IPAddress.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.IPAddress.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.IPAddress.emailStringEmail address.
SpyCloud.IPAddress.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.IPAddress.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.IPAddress.domainStringDomain name.

Command example#

!spycloud-ip-address-data-get ip=4.4.4.4 limit=2

Context Example#

{
"SpyCloud": {
"IPAddress": [
{
"account_last_activity_time": "2020-09-20T16:56:05Z",
"account_signup_time": "2020-09-20T16:56:05Z",
"country": "INDIA",
"country_code": "IN",
"document_id": "44a59857-49dd-445b-8d19-c9ddc12ecde5",
"domain": "gmail.com",
"email": "Dummy Email",
"email_domain": "gmail.com",
"email_username": "bossmsrao",
"ip_addresses": [
"4.4.4.4"
],
"severity": 5,
"source_id": 38326,
"spycloud_publish_date": "2021-12-02T00:00:00Z",
"username": "bossssomesh"
},
{
"account_login_time": "2018-04-09T09:56:39Z",
"account_modification_time": "2018-04-09T09:57:44Z",
"account_signup_time": "2018-04-09T09:56:39Z",
"document_id": "cb71703c-9447-421f-b53a-6a1e3508eadc",
"domain": "dummy.com",
"email": "Dummy Email",
"email_domain": "dummy.com",
"email_username": "sghouse",
"full_name": "Ghouse",
"ip_addresses": [
"4.4.4.4"
],
"password": "********",
"password_type": "bcrypt",
"severity": 5,
"sighting": 1,
"source_id": 16670,
"spycloud_publish_date": "2021-05-05T00:00:00Z",
"timezone": "La Paz",
"username": "ghouse260"
}
]
}
}

Human Readable Output#

Breach List for IP address#

Source IDEmailFull NameUser NameEmail DomainEmail UsernamePasswordPassword TypeIP AddressesSpyCloud Publish DateDomainDocument IDSeveritySighting
38326Dummy Emailbossssomeshgmail.combossmsrao4.4.4.42021-12-02T00:00:00Zgmail.com44a59857-49dd-445b-8d19-c9ddc12ecde55
16670Dummy EmailGhouseghouse260dummy.comsghouse****bcrypt4.4.4.42021-05-05T00:00:00Zdummy.comcb71703c-9447-421f-b53a-6a1e3508eadc51

spycloud-email-data-get#


Get Breach Data by Email.

Base Command#

spycloud-email-data-get

Input#

Argument NameDescriptionRequired
sinceThis parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.Optional
untilThis parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.Optional
since_modification_dateThis parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date).Optional
until_modification_dateThis parameter allows you to define the ending point for a date range
query on the when an already published record was modified (record_modification_date).
Optional
severityThis parameter allows you to filter based on the numeric severity code.
Possible values are:
2 -> Email only severity. This record is part of an email-only list.
5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all.
20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password.
25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: .
Optional
source_idThis parameter allows you to filter based on a particular breach source.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50.Optional
emailEmail address to search for.Required
all_resultsFetch all results. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
SpyCloud.EmailAddress.usernameStringUsername.
SpyCloud.EmailAddress.passwordStringAccount password.
SpyCloud.EmailAddress.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.EmailAddress.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.EmailAddress.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.EmailAddress.user_browserStringBrowser name.
SpyCloud.EmailAddress.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.EmailAddress.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.EmailAddress.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.EmailAddress.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.EmailAddress.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.EmailAddress.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.EmailAddress.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.EmailAddress.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.EmailAddress.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.EmailAddress.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.EmailAddress.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.EmailAddress.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.EmailAddress.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.EmailAddress.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.EmailAddress.emailStringEmail address.
SpyCloud.EmailAddress.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.EmailAddress.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.EmailAddress.domainStringDomain name.

Command example#

!spycloud-email-data-get email=Dummmy Email limit=2

Context Example#

{
"SpyCloud": {
"EmailAddress": {
"company_name": "dummy",
"document_id": "0046c7e3-fcf4-4d24-9c45-255116054640",
"domain": "dummy.com",
"email": "Dummy Email",
"email_domain": "dummy.com",
"email_username": "smoolagiri",
"first_name": "Shyam",
"full_name": "Shyam Moolagiri",
"job_title": "Senior Team Lead Qa",
"last_name": "Moolagiri",
"phone": "7039567410",
"severity": 5,
"source_id": 41180,
"spycloud_publish_date": "2023-03-28T00:00:00Z"
}
}
}

Human Readable Output#

Breach List for Email address Dummy Email#

Source IDEmailFull NameEmail DomainEmail UsernameSpyCloud Publish DateDomainDocument IDSeverity
41180Dummy EmailShyam Moolagiridummy.comsmoolagiri2023-03-28T00:00:00Zdummy.com0046c7e3-fcf4-4d24-9c45-2551160546405

spycloud-password-data-get#


Get Breach Data by Password.

Base Command#

spycloud-password-data-get

Input#

Argument NameDescriptionRequired
sinceThis parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.Optional
untilThis parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.Optional
since_modification_dateThis parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date).Optional
until_modification_dateThis parameter allows you to define the ending point for a date range
query on the when an already published record was modified (record_modification_date).
Optional
severityThis parameter allows you to filter based on the numeric severity code.
Possible values are:
2 -> Email only severity. This record is part of an email-only list.
5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all.
20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password.
25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: .
Optional
source_idThis parameter allows you to filter based on a particular breach source.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50.Optional
passwordPassword you wish to search for.Required
all_resultsFetch all results. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
SpyCloud.Password.usernameStringUsername.
SpyCloud.Password.passwordStringAccount password.
SpyCloud.Password.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.Password.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.Password.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.Password.user_browserStringBrowser name.
SpyCloud.Password.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.Password.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.Password.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.Password.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.Password.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.Password.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.Password.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.Password.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.Password.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.Password.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.Password.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.Password.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.Password.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.Password.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.Password.emailStringEmail address.
SpyCloud.Password.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.Password.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.Password.domainStringDomain name.

Command example#

!spycloud-password-data-get password=welcome@123 limit=2

Context Example#

{
"SpyCloud": {
"Password": {
"country": "INDIA",
"country_code": "IN",
"document_id": "bc436d97-395c-4b03-819b-9b8fad7711bd",
"domain": "dummy.com",
"email": "Dummy Email",
"email_domain": "dummy.com",
"email_username": "kummadisetti",
"infected_machine_id": "51aa3c3d-090e-417a-8e8c-3a94726e5fed",
"ip_addresses": [
"4.4.4.4"
],
"password": "welcome@123",
"password_plaintext": "welcome@123",
"password_type": "plaintext",
"record_modification_date": "2022-05-13T00:00:00Z",
"severity": 25,
"sighting": 1,
"source_id": 37732,
"spycloud_publish_date": "2021-06-24T00:00:00Z",
"target_domain": "slack.com",
"target_subdomain": "dummy.slack.com",
"target_url": "dummy.slack.com",
"user_sys_registered_owner": "saket"
}
}
}

Human Readable Output#

Breach List for Password welcome@123#

Source IDEmailEmail DomainEmail UsernameTarget DomainTarget SubdomainPasswordPassword PlaintextPassword TypeTarget URLIP AddressesInfected Machine IDUser SYS Registered OwnerSpyCloud Publish DateDomainDocument IDSeveritySighting
37732Dummy Emaildummy.comkummadisettislack.comdummy.slack.comwelcome@123welcome@123plaintextdummy.slack.com4.4.4.451aa3c3d-090e-417a-8e8c-3a94726e5fedsaket2021-06-24T00:00:00Zdummy.combc436d97-395c-4b03-819b-9b8fad7711bd251

spycloud-watchlist-data-list#


List Breach Data. By default, this lists all breach data for the customer's configured watchlist. With the arguments, it's possible to scope the results.

Base Command#

spycloud-watchlist-data-list

Input#

Argument NameDescriptionRequired
sinceThis parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.Optional
untilThis parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.Optional
since_modification_dateThis parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date).Optional
until_modification_dateThis parameter allows you to define the ending point for a date range
query on the when an already published record was modified (record_modification_date).
Optional
severityThis parameter allows you to filter based on the numeric severity code.
Possible values are:
2 -> Email only severity. This record is part of an email-only list.
5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all.
20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password.
25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: .
Optional
source_idThis parameter allows you to filter based on a particular breach source.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
limitThe maximum number of records to return from the collection. Limit default value is 50.Optional
typeThis parameter lets you filter results by type. The allowed values are 'corporate' for corporate records, and 'infected' for infected user records (from botnet data). If no value has been provided the API function will, by default, return all record types. Possible values are: corporate, infected.Optional
watchlist_typeThis parameters lets you filter results for only emails or only domains on your watchlist. If no value has been provided, the API will return all watchlist types. Possible values are: email, domain, subdomain, ip.Optional
all_resultsFetch all results. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
SpyCloud.Watchlist.usernameStringUsername.
SpyCloud.Watchlist.passwordStringAccount password.
SpyCloud.Watchlist.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.Watchlist.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.Watchlist.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.Watchlist.user_browserStringBrowser name.
SpyCloud.Watchlist.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.Watchlist.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.Watchlist.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.Watchlist.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.Watchlist.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.Watchlist.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.Watchlist.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.Watchlist.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.Watchlist.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.Watchlist.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.Watchlist.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.Watchlist.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.Watchlist.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.Watchlist.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.Watchlist.emailStringEmail address.
SpyCloud.Watchlist.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.Watchlist.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.Watchlist.domainStringDomain name.

Command example#

!spycloud-watchlist-data-list limit=2

Context Example#

{
"SpyCloud": {
"Watchlist": [
{
"company_name": "dummy",
"document_id": "0046c7e3-fcf4-4d24-9c45-255116054640",
"domain": "dummy.com",
"email": "Dummy Email",
"email_domain": "dummy.com",
"email_username": "smoolagiri",
"first_name": "Shyam",
"full_name": "Shyam Moolagiri",
"job_title": "Senior Team Lead Qa",
"last_name": "Moolagiri",
"phone": "7039567410",
"severity": 5,
"source_id": 41180,
"spycloud_publish_date": "2023-03-28T00:00:00Z"
},
{
"city": "Chantilly",
"company_name": "dummy",
"document_id": "0fa88054-5d74-412a-bc40-0935a6d6e2d5",
"domain": "dummy.com",
"email": "Dummy Email",
"email_domain": "dummy.com",
"email_username": "srobert",
"first_name": "Sam",
"full_name": "Sam Robert",
"job_title": "Lead Recruiting Specialist",
"last_name": "Robert",
"phone": "7039567410",
"severity": 5,
"social_linkedin": [
"sam-robert-37746b35"
],
"source_id": 41180,
"spycloud_publish_date": "2023-03-28T00:00:00Z",
"state": "VA"
}
]
}
}

Human Readable Output#

Watchlist Data#

Source IDEmailFull NameEmail DomainEmail UsernameSpyCloud Publish DateDomainDocument IDSeverity
41180Dummy EmailShyam Moolagiridummy.comsmoolagiri2023-03-28T00:00:00Zdummy.com0046c7e3-fcf4-4d24-9c45-2551160546405
41180Dummy EmailSam Robertdummy.comsrobert2023-03-28T00:00:00Zdummy.com0fa88054-5d74-412a-bc40-0935a6d6e2d55

spycloud-compass-device-data-get#


Get Compass device data by infected_machine_id.

Base Command#

spycloud-compass-device-data-get

Input#

Argument NameDescriptionRequired
infected_machine_idOne or more comma delimited Infected Machine ID to search for compass breach records.Required
limitThe maximum number of records to return from the collection. Limit default value is 50.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional

Context Output#

PathTypeDescription
SpyCloud.CompassDeviceData.usernameStringUsername.
SpyCloud.CompassDeviceData.passwordStringAccount password.
SpyCloud.CompassDeviceData.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.CompassDeviceData.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.CompassDeviceData.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.CompassDeviceData.user_browserStringBrowser name.
SpyCloud.CompassDeviceData.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.CompassDeviceData.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.CompassDeviceData.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.CompassDeviceData.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.CompassDeviceData.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.CompassDeviceData.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.CompassDeviceData.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.CompassDeviceData.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.CompassDeviceData.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.CompassDeviceData.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.CompassDeviceData.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.CompassDeviceData.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.CompassDeviceData.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.CompassDeviceData.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.CompassDeviceData.emailStringEmail address.
SpyCloud.CompassDeviceData.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.CompassDeviceData.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.CompassDeviceData.domainStringDomain name.

Command example#

!spycloud-compass-device-data-get infected_machine_id=72aaaec1-afa1-4d9e-838f-abfcbbf3ff82 limit=2

Context Example#

{
"SpyCloud": {
"CompassDeviceData": {
"display_resolution": "1280x720",
"document_id": "c8a11837-808a-4b1e-b9d8-cfba0739c7f5",
"infected_machine_id": "72aaaec1-afa1-4d9e-838f-abfcbbf3ff82",
"ip_addresses": [
"4.4.4.4"
],
"password": "Tron99***018",
"password_plaintext": "Tron99***018",
"password_type": "plaintext",
"severity": 25,
"source_id": 41985,
"spycloud_publish_date": "2023-03-02T00:00:00Z",
"target_domain": "greythr.com",
"target_subdomain": "dummy.greythr.com",
"target_url": "dummy.greythr.com",
"user_browser": "Chrome (v109.0.5414.120-64, Profile: Profile 1)",
"user_os": "Windows 10 Pro",
"username": "345"
}
}
}

Human Readable Output#

Compass Devices - Data#

Source IDUser NameTarget DomainTarget SubdomainPasswordPassword PlaintextPassword TypeTarget URLUser BrowserIP AddressesInfected Machine IDUser OSSpyCloud Publish DateDocument IDSeverity
41985345greythr.comdummy.greythr.comTron99***018Tron99***018plaintextdummy.greythr.comChrome (v109.0.5414.120-64, Profile: Profile 1)4.4.4.472aaaec1-afa1-4d9e-838f-abfcbbf3ff82Windows 10 Pro2023-03-02T00:00:00Zc8a11837-808a-4b1e-b9d8-cfba0739c7f525

spycloud-compass-data-list#


List Compass data. By default, this lists all Compass data. With the arguments, it's possible to scope the results.

Base Command#

spycloud-compass-data-list

Input#

Argument NameDescriptionRequired
sinceThis parameter allows you to define the starting point for a date
range query on the spycloud_publish_date field.
Optional
untilThis parameter allows you to define the ending point for a date
range query on the spycloud_publish_date field.
Optional
since_infectedThis parameter allows you to define the starting point for a date range query on the infected_time field.Optional
until_infectedThis parameter allows you to define the ending point for a date range query on the infected_time field.Optional
source_idThis parameter allows you to filter based on a particular breach source.Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional
limitThe maximum number of records to return from the collection. Limit
default value is 50.
Optional
typeThis parameter will return records that are verified or unverified, meaning those that matched the watchlist or not. By default if type is not used, both types will be returned. Possible values are: verified, unverified.Optional
all_resultsFetch all results. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
SpyCloud.CompassDataList.usernameStringUsername.
SpyCloud.CompassDataList.passwordStringAccount password.
SpyCloud.CompassDataList.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.CompassDataList.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.CompassDataList.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.CompassDataList.user_browserStringBrowser name.
SpyCloud.CompassDataList.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.CompassDataList.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.CompassDataList.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.CompassDataList.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.CompassDataList.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.CompassDataList.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.CompassDataList.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.CompassDataList.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.CompassDataList.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.CompassDataList.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.CompassDataList.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.CompassDataList.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.CompassDataList.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.CompassDataList.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.CompassDataList.emailStringEmail address.
SpyCloud.CompassDataList.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.CompassDataList.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.CompassDataList.domainStringDomain name.

Command example#

!spycloud-compass-data-list limit=2

Context Example#

{
"SpyCloud": {
"CompassDataList": [
{
"display_resolution": "1280x720",
"document_id": "c8a11837-808a-4b1e-b9d8-cfba0739c7f5",
"infected_machine_id": "72aaaec1-afa1-4d9e-838f-abfcbbf3ff82",
"ip_addresses": [
"4.4.4.4"
],
"password": "Tron99***018",
"password_plaintext": "Tron99***018",
"password_type": "plaintext",
"severity": 25,
"source_id": 41985,
"spycloud_publish_date": "2023-03-02T00:00:00Z",
"target_domain": "greythr.com",
"target_subdomain": "dummy.greythr.com",
"target_url": "dummy.greythr.com",
"user_browser": "Chrome (v109.0.5414.120-64, Profile: Profile 1)",
"user_os": "Windows 10 Pro",
"username": "345"
},
{
"document_id": "89ed3bb4-b523-4037-9f1b-be49e99ce59f",
"domain": "gmail.com",
"email": "Dummy Email",
"email_domain": "gmail.com",
"email_username": "var*****2",
"infected_machine_id": "eb36d8f4-b802-416a-9e94-cdb419782b10",
"infected_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe",
"infected_time": "2022-12-29T11:01:47Z",
"ip_addresses": [
"4.4.4.4"
],
"keyboard_languages": "english (india) / english (united states)",
"password": "********",
"password_plaintext": "********",
"password_type": "plaintext",
"severity": 25,
"source_id": 40883,
"spycloud_publish_date": "2023-01-06T00:00:00Z",
"target_domain": "amazon.com",
"target_subdomain": "signin.aws.amazon.com",
"target_url": "signin.aws.amazon.com",
"user_browser": "Mozilla Firefox",
"user_hostname": "LAPPY",
"user_os": "Windows 10 Pro [x64]",
"user_sys_registered_owner": "Home"
}
]
}
}

Human Readable Output#

Compass Data List#

Source IDEmailUser NameEmail DomainEmail UsernameTarget DomainTarget SubdomainPasswordPassword PlaintextPassword TypeTarget URLUser BrowserIP AddressesInfected Machine IDInfected PathInfected TimeUser HostnameUser OSUser SYS Registered OwnerSpyCloud Publish DateDomainDocument IDSeverity
41985345greythr.comdummy.greythr.comTron99***018Tron99***018plaintextdummy.greythr.comChrome (v109.0.5414.120-64, Profile: Profile 1)4.4.4.472aaaec1-afa1-4d9e-838f-abfcbbf3ff82Windows 10 Pro2023-03-02T00:00:00Zc8a11837-808a-4b1e-b9d8-cfba0739c7f525
40883Dummy Emailgmail.comvar*2amazon.comsignin.


aws.

amazon.com
********plaintextsignin.aws.amazon.comMozilla Firefox4.4.4.4eb36d8f4-b802-416a-9e94-cdb419782b10C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2022-12-29T11:01:47ZLAPPYWindows 10 Pro [x64]Home2023-01-06T00:00:00Zgmail.com89ed3bb4-b523-4037-9f1b-be49e99ce59f25

spycloud-compass-device-list#


List Compass device data. By default, this lists all devices. With the arguments, it's possible to scope the results.

Base Command#

spycloud-compass-device-list

Input#

Argument NameDescriptionRequired
source_idThis parameter allows you to filter based on a particular breach source.Optional
sinceThis parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.Optional
untilThis parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.Optional
since_infectedThis parameter allows you to define the starting point for a date range query on the infected_time.Optional
until_infectedThis parameter allows you to define the ending point for a date range query on the infected_time field.Optional
limitThe maximum number of records to return from the collection. Limit
default value is 50.
Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional

Context Output#

PathTypeDescription
SpyCloud.CompassDeviceList.usernameStringUsername.
SpyCloud.CompassDeviceList.passwordStringAccount password.
SpyCloud.CompassDeviceList.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.CompassDeviceList.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.CompassDeviceList.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.CompassDeviceList.user_browserStringBrowser name.
SpyCloud.CompassDeviceList.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.CompassDeviceList.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.CompassDeviceList.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.CompassDeviceList.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.CompassDeviceList.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.CompassDeviceList.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.CompassDeviceList.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.CompassDeviceList.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.CompassDeviceList.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.CompassDeviceList.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.CompassDeviceList.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.CompassDeviceList.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.CompassDeviceList.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.CompassDeviceList.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.CompassDeviceList.emailStringEmail address.
SpyCloud.CompassDeviceList.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.CompassDeviceList.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.CompassDeviceList.domainStringDomain name.

Command example#

!spycloud-compass-device-list limit=2

Context Example#

{
"SpyCloud": {
"CompassDeviceList": [
{
"application_count": 1,
"infected_machine_id": "72aaaec1-afa1-4d9e-838f-abfcbbf3ff82",
"ip_addresses": [
"4.4.4.4"
],
"source_id": 41985,
"spycloud_publish_date": "2023-03-02T00:00:00Z",
"user_os": "Windows 10 Pro"
},
{
"application_count": 29,
"infected_machine_id": "eb36d8f4-b802-416a-9e94-cdb419782b10",
"infected_time": "2022-12-29T11:01:47Z",
"ip_addresses": [
"4.4.4.4"
],
"source_id": 40883,
"spycloud_publish_date": "2023-01-06T00:00:00Z",
"user_hostname": "LAPPY",
"user_os": "Windows 10 Pro [x64]"
}
]
}
}

Human Readable Output#

Compass Device List#

Source IDIP AddressesInfected Machine IDInfected TimeUser HostnameUser OSSpyCloud Publish Date
419854.4.4.472aaaec1-afa1-4d9e-838f-abfcbbf3ff82Windows 10 Pro2023-03-02T00:00:00Z
408834.4.4.4eb36d8f4-b802-416a-9e94-cdb419782b102022-12-29T11:01:47ZLAPPYWindows 10 Pro [x64]2023-01-06T00:00:00Z

spycloud-compass-application-data-get#


Get Compass application data for a specific application.

Base Command#

spycloud-compass-application-data-get

Input#

Argument NameDescriptionRequired
target_applicationOne or more comma delimited Compass target application (subdomain or domain) to search for.Required
sinceThis parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.Optional
untilThis parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.Optional
source_idThis parameter allows you to filter based on a particular breach source.Optional
limitThe maximum number of records to return from the collection. Limit
default value is 50.
Optional
pageThe page number. Default is 1.Optional
page_sizeThe number of requested results per page. Default is 50.Optional

Context Output#

PathTypeDescription
SpyCloud.CompassApplicationData.usernameStringUsername.
SpyCloud.CompassApplicationData.passwordStringAccount password.
SpyCloud.CompassApplicationData.password_plaintextStringThe cracked, plaintext version of the password (where the password is crackable).
SpyCloud.CompassApplicationData.password_typeStringPassword type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).
SpyCloud.CompassApplicationData.target_urlStringURL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.
SpyCloud.CompassApplicationData.user_browserStringBrowser name.
SpyCloud.CompassApplicationData.ip_addressesStringList of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.
SpyCloud.CompassApplicationData.infected_machine_idStringA unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud.
SpyCloud.CompassApplicationData.infected_pathStringThe local path to the malicious software installed on the infected user's system.
SpyCloud.CompassApplicationData.infected_timeDateThe time at which the user's system was infected with malicious software.
SpyCloud.CompassApplicationData.user_sys_domainStringSystem domain. This usually comes from Botnet data.
SpyCloud.CompassApplicationData.user_hostnameStringSystem hostname. This usually comes from Botnet data.
SpyCloud.CompassApplicationData.user_osStringSystem OS name. This usually comes from Botnet data.
SpyCloud.CompassApplicationData.user_sys_registered_ownerStringSystem registered owner name. This usually comes from Botnet data.
SpyCloud.CompassApplicationData.source_idNumberNumerical breach ID. This correlates directly with the id field in Breach Catalog objects.
SpyCloud.CompassApplicationData.spycloud_publish_dateDateThe date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.
SpyCloud.CompassApplicationData.target_domainStringSLD extracted from 'target_url' field.
SpyCloud.CompassApplicationData.target_subdomainStringSubdomain and SLD extracted from 'target_url' field.
SpyCloud.CompassApplicationData.severityNumberSeverity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address.
SpyCloud.CompassApplicationData.document_idStringUUID v4 string which uniquely identifies this breach record in our data set.
SpyCloud.CompassApplicationData.emailStringEmail address.
SpyCloud.CompassApplicationData.email_domainStringDomain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.
SpyCloud.CompassApplicationData.email_usernameStringUsername extracted from 'email' field. This is everything before the '@' symbol.
SpyCloud.CompassApplicationData.domainStringDomain name.

Command example#

!spycloud-compass-application-data-get target_application=dummy.greythr.com limit=2

Context Example#

{
"SpyCloud": {
"CompassDeviceData": [
{
"display_resolution": "1280x720",
"document_id": "c8a11837-808a-4b1e-b9d8-cfba0739c7f5",
"infected_machine_id": "72aaaec1-afa1-4d9e-838f-abfcbbf3ff82",
"ip_addresses": [
"4.4.4.4"
],
"password": "Tron99***018",
"password_plaintext": "Tron99***018",
"password_type": "plaintext",
"severity": 25,
"source_id": 41985,
"spycloud_publish_date": "2023-03-02T00:00:00Z",
"target_domain": "greythr.com",
"target_subdomain": "dummy.greythr.com",
"target_url": "dummy.greythr.com",
"user_browser": "Chrome (v109.0.5414.120-64, Profile: Profile 1)",
"user_os": "Windows 10 Pro",
"username": "345"
},
{
"document_id": "f746b0ba-c765-4a04-b09e-1c42d35ee426",
"infected_machine_id": "eb36d8f4-b802-416a-9e94-cdb419782b10",
"infected_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe",
"infected_time": "2022-12-29T11:01:47Z",
"ip_addresses": [
"4.4.4.4"
],
"keyboard_languages": "english (india) / english (united states)",
"password": "welcome@123",
"password_plaintext": "welcome@123",
"password_type": "plaintext",
"severity": 25,
"source_id": 40883,
"spycloud_publish_date": "2023-01-06T00:00:00Z",
"target_domain": "greythr.com",
"target_subdomain": "dummy.greythr.com",
"target_url": "dummy.greythr.com",
"user_browser": "Mozilla Firefox",
"user_hostname": "LAPPY",
"user_os": "Windows 10 Pro [x64]",
"user_sys_registered_owner": "Home",
"username": "369"
}
]
}
}

Human Readable Output#

Compass Applications - Data#

Source IDUser NameTarget DomainTarget SubdomainPasswordPassword PlaintextPassword TypeTarget URLUser BrowserIP AddressesInfected Machine IDInfected PathInfected TimeUser HostnameUser OSUser SYS Registered OwnerSpyCloud Publish DateDocument IDSeverity
41985345greythr.comdummy.greythr.comTron99***018Tron99***018plaintextdummy.greythr.comChrome (v109.0.5414.120-64, Profile: Profile 1)4.4.4.472aaaec1-afa1-4d9e-838f-abfcbbf3ff82Windows 10 Pro2023-03-02T00:00:00Zc8a11837-808a-4b1e-b9d8-cfba0739c7f525
40883369greythr.comdummy.greythr.comwelcome@123welcome@123plaintextdummy.greythr.comMozilla Firefox4.4.4.4eb36d8f4-b802-416a-9e94-cdb419782b10C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2022-12-29T11:01:47ZLAPPYWindows 10 Pro [x64]Home2023-01-06T00:00:00Zf746b0ba-c765-4a04-b09e-1c42d35ee42625