SpyCloud Enterprise Protection Enrichment
SpyCloud Enterprise Protection Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
#
SpyCloud Enterprise Protection EnrichmentProvide enrichment for domains, IPs, emails, usernames, and passwords using the SpyCloud Enterprise Protection API.
#
Configure SpyCloud Enterprise Protection Enrichment in CortexParameter | Required |
---|---|
API URL | True |
API Key | True |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
spycloud-breach-catalog-listList the Breach Catalog. By default, this lists all breaches in SpyCloud. With the arguments, it's possible to scope the results.
#
Base Commandspycloud-breach-catalog-list
#
InputArgument Name | Description | Required |
---|---|---|
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. Example:- YYYY-MM-DD. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. Example:- YYYY-MM-DD. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
query | Query value to search the breach catalog for. | Optional |
all_results | Fetch all results. Possible values are: True, False. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.BreachList.site | String | Website of breached organization, when available. |
SpyCloud.BreachList.confidence | Number | Numerical score representing the confidence in the source of the breach. |
SpyCloud.BreachList.id | Number | Numerical breach ID. This number correlates to source_id data point found in breach records. |
SpyCloud.BreachList.acquisition_date | Date | The date on which our security research team first acquired the breached data. |
SpyCloud.BreachList.uuid | String | UUID v4 encoded version of breach ID. This is relevant for users of Firehose, where each deliverable (records file) is named using the breach UUID. |
SpyCloud.BreachList.num_records | Number | Number of records we parsed and ingested from this particular breach. This is after parsing, normalization and deduplication take place. |
SpyCloud.BreachList.type | String | Denotes if a breach is considered public or private. A public breach is one that is easily found on the internet, while a private breach is often exclusive to SpyCloud. |
SpyCloud.BreachList.title | String | Breach title. For each ingested breach our security research team documents a breach title. This is only available when we can disclose the breach details, otherwise it will have a generic title. |
SpyCloud.BreachList.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.BreachList.description | String | Breach description. For each ingested breach our security research team documents a breach description. This is only available when we can disclose the breach details, otherwise it will have a generic description. |
SpyCloud.BreachList.site_description | String | Description of the breached organization, when available. |
SpyCloud.BreachList.assets.phone | Number | Phone number. |
SpyCloud.BreachList.assets.gender | Number | Gender specifier. Typically set to 'M', 'F', 'Male', or 'Female'. |
SpyCloud.BreachList.assets.company_name | Number | Company name. |
SpyCloud.BreachList.assets.user_agent | Number | Browser agent string. |
SpyCloud.BreachList.assets.country | Number | Country name. |
SpyCloud.BreachList.assets.social_telegram | Number | Telegram username. |
SpyCloud.BreachList.assets.social_skype | Number | Skype username. |
SpyCloud.BreachList.assets.state | Number | State name. |
SpyCloud.BreachList.assets.account_login_time | Number | Last account login time. In ISO 8601 datetime format. |
SpyCloud.BreachList.assets.ip_addresses | Number | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.BreachList.assets.postal_code | Number | Postal code, usually zip code in USA. |
SpyCloud.BreachList.assets.dob | Number | Date of birth. In ISO 8601 datetime format. |
SpyCloud.BreachList.assets.account_signup_time | Number | Account signup date. In ISO 8601 datetime format. |
SpyCloud.BreachList.assets.homepage | Number | User's homepage URL. |
SpyCloud.BreachList.assets.first_name | Number | First name. |
SpyCloud.BreachList.assets.country_code | Number | Country code; derived from country. |
SpyCloud.BreachList.assets.account_modification_time | Number | Account modification date. In ISO 8601 datetime format. |
SpyCloud.BreachList.assets.full_name | Number | Full name. |
SpyCloud.BreachList.assets.address_1 | Number | Address line 1. |
SpyCloud.BreachList.assets.last_name | Number | Last name. |
SpyCloud.BreachList.assets.email | Number | Email address. |
SpyCloud.BreachList.assets.city | Number | City name. |
SpyCloud.BreachList.assets.password | Number | Account password. |
SpyCloud.BreachList.assets.username | Number | Username. |
#
Command example!spycloud-breach-catalog-list limit=2
#
Context Example#
Human Readable Output#
Breach List
Title SpyCloud Publish Date Description Confidence ID Acquisition Date UUID Type Sensitive Source 2023-05-05T00:00:00Z This source has been marked as sensitive due to one of the following reasons: Revealing the source may compromise an on-going investigation. The affected site is of a controversial nature but does not validate email addresses and could therefore be used to tarnish an employee's reputation. 3 43120 2023-04-14T00:00:00Z 0f9cfacd-f583-4b16-9eb6-e2b54bc51e43 PUBLIC stealc Stealer 2023-05-05T00:00:00Z stealc Stealer is a Windows-targeted stealer designed to grab form data such as IP addresses, browsing history, saved passwords, cryptocurrency, private messages and/or screenshots from affected users. 3 43491 2023-05-02T00:00:00Z 16689989-fe33-49ec-b02f-0442963ef0b7 PRIVATE
#
spycloud-breach-catalog-getGet Breach Catalog Information by ID.
#
Base Commandspycloud-breach-catalog-get
#
InputArgument Name | Description | Required |
---|---|---|
id | Numerical ID of the breach. Both integer and UUIDv4 ID formats are supported. You may also use a comma delimiter to request more than one breach at a time. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.BreachData.site | String | Website of breached organization, when available. |
SpyCloud.BreachData.confidence | Number | Numerical score representing the confidence in the source of the breach. |
SpyCloud.BreachData.id | Number | Numerical breach ID. This number correlates to source_id data point found in breach records. |
SpyCloud.BreachData.acquisition_date | Date | The date on which our security research team first acquired the breached data. |
SpyCloud.BreachData.uuid | String | UUID v4 encoded version of breach ID. This is relevant for users of Firehose, where each deliverable (records file) is named using the breach UUID. |
SpyCloud.BreachData.num_records | Number | Number of records we parsed and ingested from this particular breach. This is after parsing, normalization and deduplication take place. |
SpyCloud.BreachData.type | String | Denotes if a breach is considered public or private. A public breach is one that is easily found on the internet, while a private breach is often exclusive to SpyCloud. |
SpyCloud.BreachData.title | String | Breach title. For each ingested breach our security research team documents a breach title. This is only available when we can disclose the breach details, otherwise it will have a generic title. |
SpyCloud.BreachData.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.BreachData.description | String | Breach description. For each ingested breach our security research team documents a breach description. This is only available when we can disclose the breach details, otherwise it will have a generic description. |
SpyCloud.BreachData.site_description | String | Description of the breached organization, when available. |
SpyCloud.BreachData.assets.phone | Number | Phone number. |
SpyCloud.BreachData.assets.gender | Number | Gender specifier. Typically set to 'M', 'F', 'Male', or 'Female'. |
SpyCloud.BreachData.assets.company_name | Number | Company name. |
SpyCloud.BreachData.assets.user_agent | Number | Browser agent string. |
SpyCloud.BreachData.assets.country | Number | Country name. |
SpyCloud.BreachData.assets.social_telegram | Number | Telegram username. |
SpyCloud.BreachData.assets.social_skype | Number | Skype username. |
SpyCloud.BreachData.assets.state | Number | State name. |
SpyCloud.BreachData.assets.account_login_time | Number | Last account login time. In ISO 8601 datetime format. |
SpyCloud.BreachData.assets.ip_addresses | Number | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.BreachData.assets.postal_code | Number | Postal code, usually zip code in USA. |
SpyCloud.BreachData.assets.dob | Number | Date of birth. In ISO 8601 datetime format. |
SpyCloud.BreachData.assets.account_signup_time | Number | Account signup date. In ISO 8601 datetime format. |
SpyCloud.BreachData.assets.homepage | Number | User's homepage URL. |
SpyCloud.BreachData.assets.first_name | Number | First name. |
SpyCloud.BreachData.assets.country_code | Number | Country code; derived from country. |
SpyCloud.BreachData.assets.account_modification_time | Number | Account modification date. In ISO 8601 datetime format. |
SpyCloud.BreachData.assets.full_name | Number | Full name. |
SpyCloud.BreachData.assets.address_1 | Number | Address line 1. |
SpyCloud.BreachData.assets.last_name | Number | Last name. |
SpyCloud.BreachData.assets.email | Number | Email address. |
SpyCloud.BreachData.assets.city | Number | City name. |
SpyCloud.BreachData.assets.password | Number | Account password. |
SpyCloud.BreachData.assets.username | Number | Username. |
#
Command example!spycloud-breach-catalog-get id=39897 limit=2
#
Context Example#
Human Readable Output#
Breach data for id 39897
Title SpyCloud Publish Date Description Confidence ID Acquisition Date UUID Type Mansfield Independent School District 2023-04-18T00:00:00Z On an unknown date, data allegedly belonging to Mansfield Independent School District, a U.S-based educational district, was leaked online. The data contains names, email addresses, phone numbers, addresses and additional personal information. This leak is being publicly shared on online forums. 3 39897 2022-10-04T00:00:00Z c504f30a-6fe7-48df-becf-4e14f16e6c0d PUBLIC
#
spycloud-domain-data-getGet Breach Data by Domain.
#
Base Commandspycloud-domain-data-get
#
InputArgument Name | Description | Required |
---|---|---|
domain | Domain or Subdomain name to search for. | Required |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
type | This parameter lets you filter results by several types. The allowed values are 'corporate' for corporate records, and 'infected' for infected user records, email_domain to just match against email domains, and target_domain to just match against target domains or subdomains. If no value has been provided the API function will, by default, return all record types. Possible values are: corporate, infected, , email_domain, target_domain. | Optional |
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. Example:- YYYY-MM-DD. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. Example:- YYYY-MM-DD. | Optional |
severity | This parameter allows you to filter based on the numeric severity code. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: . | Optional |
source_id | This parameter allows you to filter based on a particular breach source. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
all_results | Fetch all results. Possible values are: True, False. | Optional |
since_modification_date | This parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date). | Optional |
until_modification_date | This parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date). | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.Domain.username | String | Username. |
SpyCloud.Domain.password | String | Account password. |
SpyCloud.Domain.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.Domain.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.Domain.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.Domain.user_browser | String | Browser name. |
SpyCloud.Domain.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.Domain.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.Domain.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.Domain.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.Domain.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.Domain.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.Domain.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.Domain.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.Domain.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.Domain.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.Domain.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.Domain.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.Domain.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.Domain.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.Domain.email | String | Email address. |
SpyCloud.Domain.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.Domain.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.Domain.domain | String | Domain name. |
#
Command example!spycloud-domain-data-get domain=dummy.com limit=2
#
Context Example#
Human Readable Output#
Breach List for domain dummy.com
Source ID Full Name Email Domain Email Username SpyCloud Publish Date Domain Document ID Severity 41180 Dummy Email Shyam Moolagiri dummy.com smoolagiri
2023-03-28T00:00:00Zdummy.com 0046c7e3-fcf4-4d24-9c45-255116054640 5 41180 Dummy Email Sam Robert dummy.com srobert
2023-03-28T00:00:00Z
dummy.com0fa88054-5d74-412a-bc40-0935a6d6e2d5 5
#
spycloud-username-data-getGet Breach Data by Username.
#
Base Commandspycloud-username-data-get
#
InputArgument Name | Description | Required |
---|---|---|
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. | Optional |
since_modification_date | This parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date). | Optional |
until_modification_date | This parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date). | Optional |
severity | This parameter allows you to filter based on the numeric severity code. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: . | Optional |
source_id | This parameter allows you to filter based on a particular breach source. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
username | Username you wish to search for. | Required |
all_results | Fetch all results. Possible values are: True, False. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.Username.username | String | Username. |
SpyCloud.Username.password | String | Account password. |
SpyCloud.Username.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.Username.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.Username.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.Username.user_browser | String | Browser name. |
SpyCloud.Username.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.Username.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.Username.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.Username.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.Username.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.Username.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.Username.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.Username.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.Username.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.Username.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.Username.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.Username.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.Username.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.Username.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.Username.email | String | Email address. |
SpyCloud.Username.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.Username.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.Username.domain | String | Domain name. |
#
Command example!spycloud-username-data-get username=abc limit=2
#
Human Readable OutputNo data to present.
#
spycloud-ip-address-data-getGet Breach Data by IP Address.
#
Base Commandspycloud-ip-address-data-get
#
InputArgument Name | Description | Required |
---|---|---|
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. | Optional |
since_modification_date | This parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date). | Optional |
until_modification_date | This parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date). | Optional |
severity | This parameter allows you to filter based on the numeric severity code. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: . | Optional |
source_id | This parameter allows you to filter based on a particular breach source. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
ip | IP address or network CIDR notation to search for. For CIDR notation, use an underscore instead of a slash. | Required |
all_results | Fecth all results. Possible values are: True, False. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.IPAddress.username | String | Username. |
SpyCloud.IPAddress.password | String | Account password. |
SpyCloud.IPAddress.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.IPAddress.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.IPAddress.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.IPAddress.user_browser | String | Browser name. |
SpyCloud.IPAddress.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.IPAddress.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.IPAddress.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.IPAddress.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.IPAddress.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.IPAddress.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.IPAddress.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.IPAddress.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.IPAddress.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.IPAddress.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.IPAddress.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.IPAddress.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.IPAddress.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.IPAddress.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.IPAddress.email | String | Email address. |
SpyCloud.IPAddress.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.IPAddress.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.IPAddress.domain | String | Domain name. |
#
Command example!spycloud-ip-address-data-get ip=4.4.4.4 limit=2
#
Context Example#
Human Readable Output#
Breach List for IP address
Source ID Full Name User Name Email Domain Email Username Password Password Type IP Addresses SpyCloud Publish Date Domain Document ID Severity Sighting 38326 Dummy Email bossssomesh gmail.com bossmsrao 4.4.4.4 2021-12-02T00:00:00Z gmail.com 44a59857-49dd-445b-8d19-c9ddc12ecde5 5 16670 Dummy Email Ghouse ghouse260 dummy.com sghouse **** bcrypt 4.4.4.4 2021-05-05T00:00:00Z dummy.com cb71703c-9447-421f-b53a-6a1e3508eadc 5 1
#
spycloud-email-data-getGet Breach Data by Email.
#
Base Commandspycloud-email-data-get
#
InputArgument Name | Description | Required |
---|---|---|
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. | Optional |
since_modification_date | This parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date). | Optional |
until_modification_date | This parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date). | Optional |
severity | This parameter allows you to filter based on the numeric severity code. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: . | Optional |
source_id | This parameter allows you to filter based on a particular breach source. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
Email address to search for. | Required | |
all_results | Fetch all results. Possible values are: True, False. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.EmailAddress.username | String | Username. |
SpyCloud.EmailAddress.password | String | Account password. |
SpyCloud.EmailAddress.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.EmailAddress.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.EmailAddress.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.EmailAddress.user_browser | String | Browser name. |
SpyCloud.EmailAddress.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.EmailAddress.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.EmailAddress.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.EmailAddress.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.EmailAddress.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.EmailAddress.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.EmailAddress.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.EmailAddress.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.EmailAddress.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.EmailAddress.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.EmailAddress.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.EmailAddress.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.EmailAddress.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.EmailAddress.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.EmailAddress.email | String | Email address. |
SpyCloud.EmailAddress.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.EmailAddress.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.EmailAddress.domain | String | Domain name. |
#
Command example!spycloud-email-data-get email=Dummmy Email limit=2
#
Context Example#
Human Readable Output#
Breach List for Email address Dummy Email
Source ID Full Name Email Domain Email Username SpyCloud Publish Date Domain Document ID Severity 41180 Dummy Email Shyam Moolagiri dummy.com smoolagiri 2023-03-28T00:00:00Z dummy.com 0046c7e3-fcf4-4d24-9c45-255116054640 5
#
spycloud-password-data-getGet Breach Data by Password.
#
Base Commandspycloud-password-data-get
#
InputArgument Name | Description | Required |
---|---|---|
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. | Optional |
since_modification_date | This parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date). | Optional |
until_modification_date | This parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date). | Optional |
severity | This parameter allows you to filter based on the numeric severity code. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: . | Optional |
source_id | This parameter allows you to filter based on a particular breach source. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
password | Password you wish to search for. | Required |
all_results | Fetch all results. Possible values are: True, False. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.Password.username | String | Username. |
SpyCloud.Password.password | String | Account password. |
SpyCloud.Password.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.Password.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.Password.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.Password.user_browser | String | Browser name. |
SpyCloud.Password.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.Password.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.Password.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.Password.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.Password.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.Password.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.Password.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.Password.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.Password.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.Password.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.Password.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.Password.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.Password.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.Password.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.Password.email | String | Email address. |
SpyCloud.Password.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.Password.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.Password.domain | String | Domain name. |
#
Command example!spycloud-password-data-get password=welcome@123 limit=2
#
Context Example#
Human Readable Output#
Breach List for Password welcome@123
Source ID Email Domain Email Username Target Domain Target Subdomain Password Password Plaintext Password Type Target URL IP Addresses Infected Machine ID User SYS Registered Owner SpyCloud Publish Date Domain Document ID Severity Sighting 37732 Dummy Email dummy.com kummadisetti slack.com dummy.slack.com welcome@123 welcome@123 plaintext dummy.slack.com 4.4.4.4 51aa3c3d-090e-417a-8e8c-3a94726e5fed saket 2021-06-24T00:00:00Z dummy.com bc436d97-395c-4b03-819b-9b8fad7711bd 25 1
#
spycloud-watchlist-data-listList Breach Data. By default, this lists all breach data for the customer's configured watchlist. With the arguments, it's possible to scope the results.
#
Base Commandspycloud-watchlist-data-list
#
InputArgument Name | Description | Required |
---|---|---|
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. | Optional |
since_modification_date | This parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date). | Optional |
until_modification_date | This parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date). | Optional |
severity | This parameter allows you to filter based on the numeric severity code. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 ->High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. Possible values are: . | Optional |
source_id | This parameter allows you to filter based on a particular breach source. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
type | This parameter lets you filter results by type. The allowed values are 'corporate' for corporate records, and 'infected' for infected user records (from botnet data). If no value has been provided the API function will, by default, return all record types. Possible values are: corporate, infected. | Optional |
watchlist_type | This parameters lets you filter results for only emails or only domains on your watchlist. If no value has been provided, the API will return all watchlist types. Possible values are: email, domain, subdomain, ip. | Optional |
all_results | Fetch all results. Possible values are: True, False. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.Watchlist.username | String | Username. |
SpyCloud.Watchlist.password | String | Account password. |
SpyCloud.Watchlist.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.Watchlist.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.Watchlist.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.Watchlist.user_browser | String | Browser name. |
SpyCloud.Watchlist.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.Watchlist.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.Watchlist.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.Watchlist.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.Watchlist.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.Watchlist.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.Watchlist.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.Watchlist.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.Watchlist.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.Watchlist.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.Watchlist.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.Watchlist.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.Watchlist.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.Watchlist.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.Watchlist.email | String | Email address. |
SpyCloud.Watchlist.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.Watchlist.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.Watchlist.domain | String | Domain name. |
#
Command example!spycloud-watchlist-data-list limit=2
#
Context Example#
Human Readable Output#
Watchlist Data
Source ID Full Name Email Domain Email Username SpyCloud Publish Date Domain Document ID Severity 41180 Dummy Email Shyam Moolagiri dummy.com smoolagiri 2023-03-28T00:00:00Z dummy.com 0046c7e3-fcf4-4d24-9c45-255116054640 5 41180 Dummy Email Sam Robert dummy.com srobert 2023-03-28T00:00:00Z dummy.com 0fa88054-5d74-412a-bc40-0935a6d6e2d5 5
#
spycloud-compass-device-data-getGet Compass device data by infected_machine_id.
#
Base Commandspycloud-compass-device-data-get
#
InputArgument Name | Description | Required |
---|---|---|
infected_machine_id | One or more comma delimited Infected Machine ID to search for compass breach records. | Required |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.CompassDeviceData.username | String | Username. |
SpyCloud.CompassDeviceData.password | String | Account password. |
SpyCloud.CompassDeviceData.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.CompassDeviceData.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.CompassDeviceData.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.CompassDeviceData.user_browser | String | Browser name. |
SpyCloud.CompassDeviceData.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.CompassDeviceData.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.CompassDeviceData.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.CompassDeviceData.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.CompassDeviceData.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.CompassDeviceData.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.CompassDeviceData.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.CompassDeviceData.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.CompassDeviceData.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.CompassDeviceData.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.CompassDeviceData.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.CompassDeviceData.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.CompassDeviceData.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.CompassDeviceData.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.CompassDeviceData.email | String | Email address. |
SpyCloud.CompassDeviceData.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.CompassDeviceData.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.CompassDeviceData.domain | String | Domain name. |
#
Command example!spycloud-compass-device-data-get infected_machine_id=72aaaec1-afa1-4d9e-838f-abfcbbf3ff82 limit=2
#
Context Example#
Human Readable Output#
Compass Devices - Data
Source ID User Name Target Domain Target Subdomain Password Password Plaintext Password Type Target URL User Browser IP Addresses Infected Machine ID User OS SpyCloud Publish Date Document ID Severity 41985 345 greythr.com dummy.greythr.com Tron99***018 Tron99***018 plaintext dummy.greythr.com Chrome (v109.0.5414.120-64, Profile: Profile 1) 4.4.4.4 72aaaec1-afa1-4d9e-838f-abfcbbf3ff82 Windows 10 Pro 2023-03-02T00:00:00Z c8a11837-808a-4b1e-b9d8-cfba0739c7f5 25
#
spycloud-compass-data-listList Compass data. By default, this lists all Compass data. With the arguments, it's possible to scope the results.
#
Base Commandspycloud-compass-data-list
#
InputArgument Name | Description | Required |
---|---|---|
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. | Optional |
since_infected | This parameter allows you to define the starting point for a date range query on the infected_time field. | Optional |
until_infected | This parameter allows you to define the ending point for a date range query on the infected_time field. | Optional |
source_id | This parameter allows you to filter based on a particular breach source. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
type | This parameter will return records that are verified or unverified, meaning those that matched the watchlist or not. By default if type is not used, both types will be returned. Possible values are: verified, unverified. | Optional |
all_results | Fetch all results. Possible values are: True, False. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.CompassDataList.username | String | Username. |
SpyCloud.CompassDataList.password | String | Account password. |
SpyCloud.CompassDataList.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.CompassDataList.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.CompassDataList.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.CompassDataList.user_browser | String | Browser name. |
SpyCloud.CompassDataList.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.CompassDataList.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.CompassDataList.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.CompassDataList.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.CompassDataList.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.CompassDataList.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.CompassDataList.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.CompassDataList.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.CompassDataList.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.CompassDataList.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.CompassDataList.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.CompassDataList.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.CompassDataList.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.CompassDataList.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.CompassDataList.email | String | Email address. |
SpyCloud.CompassDataList.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.CompassDataList.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.CompassDataList.domain | String | Domain name. |
#
Command example!spycloud-compass-data-list limit=2
#
Context Example#
Human Readable Output#
Compass Data List
Source ID User Name Email Domain Email Username Target Domain Target Subdomain Password Password Plaintext Password Type Target URL User Browser IP Addresses Infected Machine ID Infected Path Infected Time User Hostname User OS User SYS Registered Owner SpyCloud Publish Date Domain Document ID Severity 41985 345 greythr.com dummy.greythr.com Tron99***018 Tron99***018 plaintext dummy.greythr.com Chrome (v109.0.5414.120-64, Profile: Profile 1) 4.4.4.4 72aaaec1-afa1-4d9e-838f-abfcbbf3ff82 Windows 10 Pro 2023-03-02T00:00:00Z c8a11837-808a-4b1e-b9d8-cfba0739c7f5 25 40883 Dummy Email gmail.com var*2 amazon.com signin.
aws.
amazon.com**** **** plaintext signin.aws.amazon.com Mozilla Firefox 4.4.4.4 eb36d8f4-b802-416a-9e94-cdb419782b10 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 2022-12-29T11:01:47Z LAPPY Windows 10 Pro [x64] Home 2023-01-06T00:00:00Z gmail.com 89ed3bb4-b523-4037-9f1b-be49e99ce59f 25
#
spycloud-compass-device-listList Compass device data. By default, this lists all devices. With the arguments, it's possible to scope the results.
#
Base Commandspycloud-compass-device-list
#
InputArgument Name | Description | Required |
---|---|---|
source_id | This parameter allows you to filter based on a particular breach source. | Optional |
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. | Optional |
since_infected | This parameter allows you to define the starting point for a date range query on the infected_time. | Optional |
until_infected | This parameter allows you to define the ending point for a date range query on the infected_time field. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.CompassDeviceList.username | String | Username. |
SpyCloud.CompassDeviceList.password | String | Account password. |
SpyCloud.CompassDeviceList.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.CompassDeviceList.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.CompassDeviceList.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.CompassDeviceList.user_browser | String | Browser name. |
SpyCloud.CompassDeviceList.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.CompassDeviceList.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.CompassDeviceList.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.CompassDeviceList.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.CompassDeviceList.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.CompassDeviceList.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.CompassDeviceList.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.CompassDeviceList.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.CompassDeviceList.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.CompassDeviceList.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.CompassDeviceList.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.CompassDeviceList.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.CompassDeviceList.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.CompassDeviceList.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.CompassDeviceList.email | String | Email address. |
SpyCloud.CompassDeviceList.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.CompassDeviceList.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.CompassDeviceList.domain | String | Domain name. |
#
Command example!spycloud-compass-device-list limit=2
#
Context Example#
Human Readable Output#
Compass Device List
Source ID IP Addresses Infected Machine ID Infected Time User Hostname User OS SpyCloud Publish Date 41985 4.4.4.4 72aaaec1-afa1-4d9e-838f-abfcbbf3ff82 Windows 10 Pro 2023-03-02T00:00:00Z 40883 4.4.4.4 eb36d8f4-b802-416a-9e94-cdb419782b10 2022-12-29T11:01:47Z LAPPY Windows 10 Pro [x64] 2023-01-06T00:00:00Z
#
spycloud-compass-application-data-getGet Compass application data for a specific application.
#
Base Commandspycloud-compass-application-data-get
#
InputArgument Name | Description | Required |
---|---|---|
target_application | One or more comma delimited Compass target application (subdomain or domain) to search for. | Required |
since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. | Optional |
until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. | Optional |
source_id | This parameter allows you to filter based on a particular breach source. | Optional |
limit | The maximum number of records to return from the collection. Limit default value is 50. | Optional |
page | The page number. Default is 1. | Optional |
page_size | The number of requested results per page. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SpyCloud.CompassApplicationData.username | String | Username. |
SpyCloud.CompassApplicationData.password | String | Account password. |
SpyCloud.CompassApplicationData.password_plaintext | String | The cracked, plaintext version of the password (where the password is crackable). |
SpyCloud.CompassApplicationData.password_type | String | Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc). |
SpyCloud.CompassApplicationData.target_url | String | URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system. |
SpyCloud.CompassApplicationData.user_browser | String | Browser name. |
SpyCloud.CompassApplicationData.ip_addresses | String | List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported. |
SpyCloud.CompassApplicationData.infected_machine_id | String | A unique identifier either extracted from an infostealer log, when present, or an RFC 4122-compliant universally unique identifier (UUID) generated by SpyCloud, when no identifier is present in an infected record. The method of generation of these identifiers varies by malware family and may or may not conform to a UUID format. For the ID's in the aforementioned UUID format, there is not currently any way to determine whether an infected_machine_id was extracted from a malware log or generated by SpyCloud. |
SpyCloud.CompassApplicationData.infected_path | String | The local path to the malicious software installed on the infected user's system. |
SpyCloud.CompassApplicationData.infected_time | Date | The time at which the user's system was infected with malicious software. |
SpyCloud.CompassApplicationData.user_sys_domain | String | System domain. This usually comes from Botnet data. |
SpyCloud.CompassApplicationData.user_hostname | String | System hostname. This usually comes from Botnet data. |
SpyCloud.CompassApplicationData.user_os | String | System OS name. This usually comes from Botnet data. |
SpyCloud.CompassApplicationData.user_sys_registered_owner | String | System registered owner name. This usually comes from Botnet data. |
SpyCloud.CompassApplicationData.source_id | Number | Numerical breach ID. This correlates directly with the id field in Breach Catalog objects. |
SpyCloud.CompassApplicationData.spycloud_publish_date | Date | The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers. |
SpyCloud.CompassApplicationData.target_domain | String | SLD extracted from 'target_url' field. |
SpyCloud.CompassApplicationData.target_subdomain | String | Subdomain and SLD extracted from 'target_url' field. |
SpyCloud.CompassApplicationData.severity | Number | Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned. Possible values are: 2 -> Email only severity. This record is part of an email-only list. 5 -> Informational severity. This severity value is given to breach records where we have a non-crackable password hash, or no password at all. 20 -> High severity. This severity value is given to breach records where we have an email address and a plaintext password. 25 -> Critical severity. This severity value is given to breach records recovered from an infected machine (botnet data). These records will always have a plaintext password and most will have an email address. |
SpyCloud.CompassApplicationData.document_id | String | UUID v4 string which uniquely identifies this breach record in our data set. |
SpyCloud.CompassApplicationData.email | String | Email address. |
SpyCloud.CompassApplicationData.email_domain | String | Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol. |
SpyCloud.CompassApplicationData.email_username | String | Username extracted from 'email' field. This is everything before the '@' symbol. |
SpyCloud.CompassApplicationData.domain | String | Domain name. |
#
Command example!spycloud-compass-application-data-get target_application=dummy.greythr.com limit=2
#
Context Example#
Human Readable Output#
Compass Applications - Data
Source ID User Name Target Domain Target Subdomain Password Password Plaintext Password Type Target URL User Browser IP Addresses Infected Machine ID Infected Path Infected Time User Hostname User OS User SYS Registered Owner SpyCloud Publish Date Document ID Severity 41985 345 greythr.com dummy.greythr.com Tron99***018 Tron99***018 plaintext dummy.greythr.com Chrome (v109.0.5414.120-64, Profile: Profile 1) 4.4.4.4 72aaaec1-afa1-4d9e-838f-abfcbbf3ff82 Windows 10 Pro 2023-03-02T00:00:00Z c8a11837-808a-4b1e-b9d8-cfba0739c7f5 25 40883 369 greythr.com dummy.greythr.com welcome@123 welcome@123 plaintext dummy.greythr.com Mozilla Firefox 4.4.4.4 eb36d8f4-b802-416a-9e94-cdb419782b10 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 2022-12-29T11:01:47Z LAPPY Windows 10 Pro [x64] Home 2023-01-06T00:00:00Z f746b0ba-c765-4a04-b09e-1c42d35ee426 25