SpyCloud Enterprise Protection Feed
This Integration is part of the SpyCloud Enterprise Protection Pack.

Supported versions
Supported Cortex XSOAR versions: 6.10.0 and later.

Create breach and malware incidents in Cortex® XSOAR™ using the SpyCloud Enterprise Protection API. This integration was integrated and tested with version 3.5 of the SpyCloud Enterprise Protection API.

Configure SpyCloud Enterprise Protection Feed on Cortex XSOAR
Navigate to Settings > Integrations > Servers & Services.
Search for SpyCloud Enterprise Protection Feed.
Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| API URL | SpyCloud Enterprise Protection API Base URL | True |
| API Key | SpyCloud Enterprise Protection API Key | True |
| Fetch incidents | Required by XSOAR to fetch new watchlist events from the SpyCloud watchlist API. | True |
| Since | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. Example: -1days, now, YYYY-MM-DD. | False |
| Until | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. Example: -1days, now, YYYY-MM-DD. | False |
| Since Modification Date | This parameter allows you to define the starting point for a date range query on when an already published record was modified (record_modification_date). Example: -1days, now, YYYY-MM-DD. | False |
| Until Modification Date | This parameter allows you to define the ending point for a date range query on when an already published record was modified (record_modification_date). Example: -1days, now, YYYY-MM-DD. | False |
| Severity | This parameter allows you to filter based on the numeric severity code. | False |
| Source ID | This parameter allows you to filter based on a particular breach source. | False |
| Salt | If hashing is enabled for your API key, you have the option to provide a 10 to 24 character, high entropy salt; otherwise, the pre-configured salt will be used. | False |
| Type | This parameter lets you filter results by type. The allowed values are 'corporate' for corporate records, and 'infected' for infected user records (from botnet data). If no value has been provided, the API function will, by default, return all record types. | False |
| Watchlist Type | This parameter lets you filter results for only emails or only domains on your watchlist. The allowed values are: ['email', 'domain', 'subdomain', 'ip']. If no value has been provided, the API will return all watchlist types. | False |
| Trust any certificate (not secure) | Trust any certificate (not secure) | False |
| Use system proxy settings | Use system proxy settings | False |
| Incidents Fetch Interval | Incidents Fetch Interval | False |
| Incident type | Incident type | False |

Click Test to validate the URLs, token, and connection.