Skip to main content

SpyCloud - Breach Investigation

This Playbook is part of the SpyCloud Enterprise Protection Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

SpyCloud - Breach Investigation#

This playbook enables the investigation of SpyCloud Breach incidents. This playbook can be used to perform the below actions. Please note that the playbook provides a basic skeleton for the following actions users need to implement the logic according to their needs.

  • Check if the breached password length is >= the minimum required by the organization. If not, exit the playbook.
  • Check if the user is currently an active employee. If not, exit the playbook.
  • Check if the exposed password is in use on the network (check AD, check Okta, check Ping, check G-Suite, etc).
  • If the password is in use in one of the checked systems, perform a password reset, raise an incident, etc.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


SpyCloud Enterprise Protection.


  • StringLength


  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
Minimum Password LengthMinimum Password Length8Required.

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

SpyCloud Breach