# SpyCloud
SpyCloud recaptures data from the criminal underground to illuminate risk you didn’t even know you had across your enterprise, vendors, and customers — so your team can take immediate action.
## Connect SpyCloud with Devo SOAR
1. Navigate to Automations > Integrations.
2. Search for SpyCloud.
3. Click Details, then the + icon, and enter the required information in the following fields:
   - Label: Connection name.
   - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
   - Verify SSL: Whether to verify the SpyCloud server's TLS certificate (default: verify). Leave this enabled; with verification off, the API token is sent to whichever host answers for the SpyCloud endpoint.
   - API Token: The SpyCloud API token used to authenticate this connection. It is a secret, so keep it in this field rather than in Reference Values or playbook variables.
4. After you've entered all the details, click Connect.
## Actions for SpyCloud
The breach-data actions return recaptured credentials, including the password_plaintext field where SpyCloud holds the cleartext. Treat their output as sensitive and redact it before writing it to case notes or tickets.
## List or Query the Breach Catalog
Lists the SpyCloud breach catalog, or searches it for a keyword such as an actor name or a breached domain.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Since | [Jinja-templated](doc:jinja-template) text containing the start time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Until | [Jinja-templated](doc:jinja-template) text containing the end time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Cursor | [Jinja-templated](doc:jinja-template) text containing the token used to iterate through multiple pages of results. By default the API returns up to 1,000 items per page; when more items match, a cursor token is included in the returned payload. Pass that value here to fetch the next page. | Optional |
| Query | [Jinja-templated](doc:jinja-template) text containing the value to search the breach catalog for, such as the name of a malicious actor or the domain name of a breached website. Any contextual data in the breach catalog is searchable. Example: hacked | Optional |
### Output
JSON containing the following items:
```json
{
  "result": [
    {
      "title": "VPN Credentials for Test Appliances",
      "spycloud_publish_date": "2022-04-14T00:00:00Z",
      "description": "description 123",
      "site_description": "site description 123",
      "site": "n/a",
      "confidence": 3,
      "id": 2345,
      "acquisition_date": "2022-02-28T00:00:00Z",
      "uuid": "477ae6bd-a79c-asdf-asdf-d9504d8f4c3a",
      "type": "PRIVATE",
      "num_records": 5634,
      "assets": {
        "ip_addresses": 34634,
        "username": 534,
        "email": 34634,
        "password": 34634
      }
    },
    {
      "title": "PCGame ABC",
      "spycloud_publish_date": "2022-04-14T00:00:00Z",
      "description": "description 321.",
      "site_description": "site description 321",
      "site": "example.com",
      "confidence": 3,
      "id": 1234,
      "acquisition_date": "2020-01-01T00:00:00Z",
      "combo_list_flag": "YES",
      "uuid": "53c744be-asdf-4cfa-asdf-40d020c7edbd",
      "type": "PRIVATE",
      "num_records": 3435,
      "assets": {
        "ip_addresses": 123,
        "username": 542,
        "email": 956,
        "password": 956,
        "salt": 956
      }
    }
  ],
  "error": null,
  "has_error": false
}
```
## Get Catalog
Retrieves a single breach catalog entry by its ID.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :--------------------------------------------------------------- | :------- |
| Catalog Id | [Jinja-templated](doc:jinja-template) text containing catalog id | Required |
### Output
JSON containing the following items:
```json
{
"cursor": "",
"has_error": false,
"results": [
{
"title": "VPN Credentials for Test",
"spycloud_publish_date": "2022-04-14T00:00:00Z",
"description": "desc123.",
"site_description": "desc1234.",
"site": "n/a",
"confidence": 3,
"id": 1234,
"acquisition_date": "2022-02-28T00:00:00Z",
"uuid": "477ae6bd-a79c-asdf-5345-dasdf4d8f4c3a",
"type": "PRIVATE",
"num_records": 705,
"assets": {
"ip_addresses": 536,
"username": 615,
"email": 13,
"password": 20
}
}
],
"error": null,
"hits": 3
}
```
## Get Breach Data by Domain Search
Returns recaptured breach records for a domain.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Domain | [Jinja-templated](doc:jinja-template) text containing the domain name to search for. Example: example.org | Required |
| Type | [Jinja-templated](doc:jinja-template) text containing the record type. Allowed values are 'corporate' for corporate breach records and 'infected' for infected-user records (from botnet data). If no value is provided, the API returns all record types. | Optional |
| Cursor | [Jinja-templated](doc:jinja-template) text containing the token used to iterate through multiple pages of results. By default the API returns up to 1,000 items per page; when more items match, a cursor token is included in the returned payload. Pass that value here to fetch the next page. | Optional |
| Since | [Jinja-templated](doc:jinja-template) text containing the start time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Until | [Jinja-templated](doc:jinja-template) text containing the end time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Severity | [Jinja-templated](doc:jinja-template) text containing a numeric severity code; filters results to records with that severity. Example: 20 | Optional |
| Source ID | [Jinja-templated](doc:jinja-template) text containing a source ID; filters results to a single breach source. Example: 123 | Optional |
| Salt | [Jinja-templated](doc:jinja-template) text containing a salt. If hashing is enabled for your API key, you can supply a high-entropy salt of 10 to 24 characters; otherwise the pre-configured salt is used. Example: HFdxEbZylZ | Optional |
### Output
JSON containing the following items:
```json
{
  "cursor": "b9de32a4-4cdc-474d-1344-asdfasdf8c6d8",
  "has_error": false,
  "error": null,
  "hits": 28877,
  "results": [
    {
      "email": "test@gmail.com",
      "password": "2352qa43",
      "account_signup_time": "2013-09-14T10:42:19Z",
      "account_login_time": "2013-09-14T10:42:19Z",
      "ip_addresses": [
        "23.56.66.27"
      ],
      "source_id": 3315,
      "password_plaintext": "5367",
      "spycloud_publish_date": "2022-04-07T00:00:00Z",
      "email_domain": "test@gmail.com",
      "email_username": "test",
      "domain": "test",
      "password_type": "2432",
      "severity": 34,
      "document_id": "24r2525-6514-4cb1-ba21-dasdfasdfbb5c",
      "sighting": 1
    },
    {
      "user_browser": "Firefox",
      "password": "45234se",
      "source_id": 38324,
      "ip_addresses": [
        "65.23.2.3"
      ],
      "user_hostname": "LAPTOP-1D2348K5",
      "user_sys_registered_owner": "test",
      "user_os": "Windows 10 Home",
      "display_resolution": "1920x1080",
      "infected_machine_id": "23452-3a01-4ccd-4332-asdfadsf3c",
      "target_url": "test",
      "username": "2352aw",
      "infected_time": "2020-10-06T03:02:50Z",
      "spycloud_publish_date": "2022-03-31T00:00:00Z",
      "target_domain": "devo.com",
      "password_type": "plaintext",
      "password_plaintext": "2342qat434",
      "severity": 25,
      "document_id": "235-80b8-465a-345r3q24-d20asdfdsf229"
    }
  ]
}
```
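The Since, Until and Cursor inputs above describe a contract that every breach-data action on this page shares: time bounds are epoch milliseconds, a page holds at most 1,000 items, and a non-empty cursor in the payload means another page is waiting. The following is an added example, not code from the Devo SOAR or SpyCloud integration, showing how a playbook step or external script would compute a time window and walk the cursor to completion. fake_domain_search is a constructed stand-in for one run of Get Breach Data by Domain Search that returns payloads shaped like the output above; its offset-encoded cursor, the 2,345-record total and the page cap are assumptions, not SpyCloud behaviour.

```python
"""Walk every page of a SpyCloud breach-data action via the documented cursor.

Added example, not code from the Devo SOAR or SpyCloud integration. Only the
documented contract is relied on: 'since'/'until' are epoch milliseconds, pages hold
up to 1,000 items, a non-empty 'cursor' means another page exists and an empty one
means the last page. fake_domain_search() is a constructed stand-in for the action;
the offset it hides in the cursor and the page cap are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional

Payload = Dict[str, object]


def epoch_ms(moment: datetime) -> int:
    """Epoch milliseconds in the form the Since/Until inputs expect (e.g. 1587448800000)."""
    if moment.tzinfo is None:
        # A naive datetime would be read in the host's local zone and silently shift the window.
        raise ValueError("use a timezone-aware datetime")
    return int(moment.timestamp() * 1000)


def trailing_window(hours: int, now: Optional[datetime] = None) -> Dict[str, int]:
    """Since/Until pair covering the last `hours` hours, ready to template into the action."""
    now = now or datetime.now(timezone.utc)
    return {"since": epoch_ms(now - timedelta(hours=hours)), "until": epoch_ms(now)}


def iter_pages(fetch: Callable[..., Payload], max_pages: int = 50, **params) -> Iterator[Payload]:
    """Call `fetch` repeatedly, feeding each returned cursor back in, until it comes back empty.

    Raises on has_error so a failed page is not mistaken for the end of the data, and caps
    the page count so a cursor that never empties cannot loop forever against the API.
    """
    cursor = ""
    for _ in range(max_pages):
        page = fetch(cursor=cursor, **params)
        if page.get("has_error"):
            raise RuntimeError(f"SpyCloud action failed: {page.get('error')}")
        yield page
        cursor = str(page.get("cursor") or "")
        if not cursor:
            return
    raise RuntimeError(f"gave up after {max_pages} pages with the cursor still set")


def collect_records(fetch: Callable[..., Payload], **params) -> List[Payload]:
    """Flatten all pages into one list of records."""
    return [rec for page in iter_pages(fetch, **params) for rec in page["results"]]


# --- constructed stand-in for 'Get Breach Data by Domain Search'; NOT the real API ---
PAGE_SIZE = 1000   # documented default page size
FAKE_HITS = 2345   # constructed total, chosen so the walk needs three pages
_FAKE_RECORDS = [
    {"document_id": f"doc-{i:05d}", "email_domain": "example.org", "severity": 20 + i % 5}
    for i in range(FAKE_HITS)
]


def fake_domain_search(cursor: str = "", **params) -> Payload:
    """Returns payloads shaped like the documented output; here the cursor is just a page offset."""
    offset = int(cursor) if cursor else 0
    nxt = offset + PAGE_SIZE
    return {
        "cursor": str(nxt) if nxt < FAKE_HITS else "",   # empty cursor on the final page
        "has_error": False,
        "error": None,
        "hits": FAKE_HITS,
        "results": _FAKE_RECORDS[offset:nxt],
    }


if __name__ == "__main__":
    window = trailing_window(24)
    records = collect_records(fake_domain_search, domain="example.org", **window)
    print(f"since={window['since']} until={window['until']} collected={len(records)}")
```

Stopping on an empty cursor rather than on a short page matters: the hits field tells you how many records match in total, but only the cursor tells you whether the server has more to give, and a page cap keeps a misbehaving cursor from turning a playbook into a rate-limit incident.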
## Get Breach Data by Email Search
Returns recaptured breach records for an email address.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Email | [Jinja-templated](doc:jinja-template) text containing the email address to search for. Example: [test@example.org](mailto:test@example.org) | Required |
| Type | [Jinja-templated](doc:jinja-template) text containing the record type. Allowed values are 'corporate' for corporate breach records and 'infected' for infected-user records (from botnet data). If no value is provided, the API returns all record types. | Optional |
| Cursor | [Jinja-templated](doc:jinja-template) text containing the token used to iterate through multiple pages of results. By default the API returns up to 1,000 items per page; when more items match, a cursor token is included in the returned payload. Pass that value here to fetch the next page. | Optional |
| Since | [Jinja-templated](doc:jinja-template) text containing the start time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Until | [Jinja-templated](doc:jinja-template) text containing the end time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Severity | [Jinja-templated](doc:jinja-template) text containing a numeric severity code; filters results to records with that severity. Example: 20 | Optional |
| Source ID | [Jinja-templated](doc:jinja-template) text containing a source ID; filters results to a single breach source. Example: 123 | Optional |
| Salt | [Jinja-templated](doc:jinja-template) text containing a salt. If hashing is enabled for your API key, you can supply a high-entropy salt of 10 to 24 characters; otherwise the pre-configured salt is used. Example: HFdxEbZylZ | Optional |
### Output
JSON containing the following items:
```json
{
"cursor": "f2345w-4cdc-474d-ba3f-q34t3ttfq",
"has_error": false,
"error": null,
"hits": 28877,
"results": [
{
"email": "test@devo.com",
"password": "ar3q4f4f.awd",
"account_signup_time": "2013-09-14T10:42:19Z",
"account_login_time": "2013-09-14T10:42:19Z",
"ip_addresses": [
"45.43.77.2"
],
"source_id": 315,
"password_plaintext": "567",
"spycloud_publish_date": "2022-04-07T00:00:00Z",
"email_domain": "test",
"email_username": "test",
"domain": "test",
"password_type": "3245a",
"severity": 34,
"document_id": "t34t345-6514-4cb1-ba21-dasdfasdfbb5c",
"sighting": 1
},
{
"user_browser": "Firefox",
"password": "q34t3f",
"source_id": 38324,
"ip_addresses": [
"54.34.2.3"
],
"user_hostname": "LAPTOP-1D6988K5",
"user_sys_registered_owner": "r324",
"user_os": "Windows 10 Home",
"display_resolution": "1920x1080",
"infected_machine_id": "45-3a01-4ccd-9c36-asdfadsf3c",
"target_url": "test.com",
"username": "4f34t34g",
"infected_time": "2020-10-06T03:02:50Z",
"spycloud_publish_date": "2022-03-31T00:00:00Z",
"target_domain": "test",
"password_type": "plaintext",
"password_plaintext": "1qf4q3r",
"severity": 25,
"document_id": "q34tq3f4-80b8-465a-ba61-d20asdfdsf229"
}
]
}
```
## Get Breach Data by IP Address
Returns recaptured breach records for an IP address.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| IP address | [Jinja-templated](doc:jinja-template) text containing the IP address to search for. | Required |
| Type | [Jinja-templated](doc:jinja-template) text containing the record type. Allowed values are 'corporate' for corporate breach records and 'infected' for infected-user records (from botnet data). If no value is provided, the API returns all record types. | Optional |
| Cursor | [Jinja-templated](doc:jinja-template) text containing the token used to iterate through multiple pages of results. By default the API returns up to 1,000 items per page; when more items match, a cursor token is included in the returned payload. Pass that value here to fetch the next page. | Optional |
| Since | [Jinja-templated](doc:jinja-template) text containing the start time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Until | [Jinja-templated](doc:jinja-template) text containing the end time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Severity | [Jinja-templated](doc:jinja-template) text containing a numeric severity code; filters results to records with that severity. Example: 20 | Optional |
| Source ID | [Jinja-templated](doc:jinja-template) text containing a source ID; filters results to a single breach source. Example: 123 | Optional |
| Salt | [Jinja-templated](doc:jinja-template) text containing a salt. If hashing is enabled for your API key, you can supply a high-entropy salt of 10 to 24 characters; otherwise the pre-configured salt is used. Example: HFdxEbZylZ | Optional |
### Output
JSON containing the following items:
```json
{
  "cursor": "144rd-4cdc-474d-ba3f-asdfasdf8c6d8",
  "has_error": false,
  "error": null,
  "hits": 28877,
  "results": [
    {
      "email": "test@devo.com",
      "password": "2352qt345fawf.",
      "account_signup_time": "2013-09-14T10:42:19Z",
      "account_login_time": "2013-09-14T10:42:19Z",
      "ip_addresses": [
        "27.31.43.21"
      ],
      "source_id": 315,
      "password_plaintext": "567",
      "spycloud_publish_date": "2022-04-07T00:00:00Z",
      "email_domain": "test",
      "email_username": "test",
      "domain": "tests",
      "password_type": "awef",
      "severity": 34,
      "document_id": "af43f4asd-6514-4cb1-ba21-dasdfasdfbb5c",
      "sighting": 1
    },
    {
      "user_browser": "Firefox",
      "password": "fa4afsdf",
      "source_id": 38324,
      "ip_addresses": [
        "54.44.66.3"
      ],
      "user_hostname": "LAPTOP-1D6988K5",
      "user_sys_registered_owner": "324r",
      "user_os": "Windows 10 Home",
      "display_resolution": "1920x1080",
      "infected_machine_id": "f43qf-3a01-4ccd-9c36-asdfadsf3c",
      "target_url": "devo.com",
      "username": "ac0dff3",
      "infected_time": "2020-10-06T03:02:50Z",
      "spycloud_publish_date": "2022-03-31T00:00:00Z",
      "target_domain": "test",
      "password_type": "plaintext",
      "password_plaintext": "asdfsadfl168",
      "severity": 25,
      "document_id": "bdb41fc6-eaf43-465a-ba61-d20asdfdsf229"
    }
  ]
}
```
## Get Breach Data by Password Search
Returns recaptured breach records that contain the given password.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Password | [Jinja-templated](doc:jinja-template) text containing the password to search for. Example: Examplepassword | Required |
| Type | [Jinja-templated](doc:jinja-template) text containing the record type. Allowed values are 'corporate' for corporate breach records and 'infected' for infected-user records (from botnet data). If no value is provided, the API returns all record types. | Optional |
| Cursor | [Jinja-templated](doc:jinja-template) text containing the token used to iterate through multiple pages of results. By default the API returns up to 1,000 items per page; when more items match, a cursor token is included in the returned payload. Pass that value here to fetch the next page. | Optional |
| Since | [Jinja-templated](doc:jinja-template) text containing the start time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Until | [Jinja-templated](doc:jinja-template) text containing the end time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Severity | [Jinja-templated](doc:jinja-template) text containing a numeric severity code; filters results to records with that severity. Example: 20 | Optional |
| Source ID | [Jinja-templated](doc:jinja-template) text containing a source ID; filters results to a single breach source. Example: 123 | Optional |
| Salt | [Jinja-templated](doc:jinja-template) text containing a salt. If hashing is enabled for your API key, you can supply a high-entropy salt of 10 to 24 characters; otherwise the pre-configured salt is used. Example: HFdxEbZylZ | Optional |
### Output
JSON containing the following items:
```json
{
"cursor": "2r4f3-4cdc-474d-ba3f-asdfasdf8c6d8",
"has_error": false,
"error": null,
"hits": 28877,
"results": [
{
"email": "test@devo.com",
"password": "caecacgasd.",
"account_signup_time": "2013-09-14T10:42:19Z",
"account_login_time": "2013-09-14T10:42:19Z",
"ip_addresses": [
"23.52.43.2"
],
"source_id": 315,
"password_plaintext": "567",
"spycloud_publish_date": "2022-04-07T00:00:00Z",
"email_domain": "devo.com",
"email_username": "test",
"domain": "test",
"password_type": "2352",
"severity": 34,
"document_id": "234523t4-6514-4cb1-ba21-dasdfasdfbb5c",
"sighting": 1
},
{
"user_browser": "Firefox",
"password": "23454tqwe",
"source_id": 38324,
"ip_addresses": [
"70.80.2.3"
],
"user_hostname": "LAPTOP-1D6988K5",
"user_sys_registered_owner": "maho",
"user_os": "Windows 10 Home",
"display_resolution": "1920x1080",
"infected_machine_id": "11e57699-3a01-4ccd-9c36-asdfadsf3c",
"target_url": "test",
"username": "aswe34",
"infected_time": "2020-10-06T03:02:50Z",
"spycloud_publish_date": "2022-03-31T00:00:00Z",
"target_domain": "test",
"password_type": "plaintext",
"password_plaintext": "23rfqff4",
"severity": 25,
"document_id": "23edr4e-80b8-465a-ba61-d20asdfdsf229"
}
]
}
```
## Get Breach Data by Username Search
Returns recaptured breach records for a username.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Username | [Jinja-templated](doc:jinja-template) text containing the username to search for. Example: shortpatrick | Required |
| Type | [Jinja-templated](doc:jinja-template) text containing the record type. Allowed values are 'corporate' for corporate breach records and 'infected' for infected-user records (from botnet data). If no value is provided, the API returns all record types. | Optional |
| Cursor | [Jinja-templated](doc:jinja-template) text containing the token used to iterate through multiple pages of results. By default the API returns up to 1,000 items per page; when more items match, a cursor token is included in the returned payload. Pass that value here to fetch the next page. | Optional |
| Since | [Jinja-templated](doc:jinja-template) text containing the start time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Until | [Jinja-templated](doc:jinja-template) text containing the end time as an epoch timestamp in milliseconds, used to filter results (default is empty). Example: 1587448800000 | Optional |
| Severity | [Jinja-templated](doc:jinja-template) text containing a numeric severity code; filters results to records with that severity. Example: 20 | Optional |
| Source ID | [Jinja-templated](doc:jinja-template) text containing a source ID; filters results to a single breach source. Example: 123 | Optional |
| Salt | [Jinja-templated](doc:jinja-template) text containing a salt. If hashing is enabled for your API key, you can supply a high-entropy salt of 10 to 24 characters; otherwise the pre-configured salt is used. Example: HFdxEbZylZ | Optional |
### Output
JSON containing the following items:
```json
{
  "cursor": "23452t-4cdc-474d-ba3f-asdfasdf8c6d8",
  "has_error": false,
  "error": null,
  "hits": 28877,
  "results": [
    {
      "email": "test@devo.com",
      "password": "va4vq3fq34.",
      "account_signup_time": "2013-09-14T10:42:19Z",
      "account_login_time": "2013-09-14T10:42:19Z",
      "ip_addresses": [
        "27.32.63.2"
      ],
      "source_id": 315,
      "password_plaintext": "567",
      "spycloud_publish_date": "2022-04-07T00:00:00Z",
      "email_domain": "devo.com",
      "email_username": "test",
      "domain": "test",
      "password_type": "g4q4",
      "severity": 34,
      "document_id": "vaeva443-6514-4cb1-ba21-dasdfasdfbb5c",
      "sighting": 1
    },
    {
      "user_browser": "Firefox",
      "password": "vq4fq",
      "source_id": 38324,
      "ip_addresses": [
        "54.34.2.3"
      ],
      "user_hostname": "LAPTOP-1D6988K5",
      "user_sys_registered_owner": "feqe",
      "user_os": "Windows 10 Home",
      "display_resolution": "1920x1080",
      "infected_machine_id": "fq34q34-3a01-4ccd-9c36-asdfadsf3c",
      "target_url": "devo.com",
      "username": "ac0dff3",
      "infected_time": "2020-10-06T03:02:50Z",
      "spycloud_publish_date": "2022-03-31T00:00:00Z",
      "target_domain": "test",
      "password_type": "plaintext",
      "password_plaintext": "asdfsadfl168",
      "severity": 25,
      "document_id": "bdb41fc6-80b8-465a-ba61-d20asdfdsf229"
    }
  ]
}
```
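All five Get Breach Data actions (domain, email, IP address, password and username) return the same two record shapes shown in their outputs: a corporate breach record (email, email_domain, sighting) and an infected-user record from stealer logs (infected_machine_id, target_domain, user_hostname). Both can carry password and password_plaintext. The following is an added example, not code from the Devo SOAR or SpyCloud integration, of the triage a playbook would perform on those records: sort them into response actions, flag credentials that are already plaintext, and redact the secrets before anything is written to a case. The severity threshold, the four response buckets and SAMPLE_RECORDS are constructed assumptions; the field names and the corporate/infected split come from this page.

```python
"""Triage records from the Get Breach Data actions and redact them for case notes.

Added example, not code from the Devo SOAR or SpyCloud integration. The record
shapes and field names come from the documented outputs; the severity threshold,
the response buckets and SAMPLE_RECORDS are constructed assumptions.
"""
from typing import Dict, List

Record = Dict[str, object]

SEVERITY_THRESHOLD = 20            # assumption: ignore anything below the Severity example value
SECRET_FIELDS = ("password", "password_plaintext")


def record_type(rec: Record) -> str:
    """Infected-user records come from botnet logs and carry machine details;
    records with an email and no machine details are corporate breach records."""
    if "infected_machine_id" in rec or "infected_time" in rec:
        return "infected"
    if "email" in rec:
        return "corporate"
    return "unknown"


def has_plaintext_password(rec: Record) -> bool:
    """True when the recaptured credential is directly reusable by an attacker."""
    return rec.get("password_type") == "plaintext" or bool(rec.get("password_plaintext"))


def redact(rec: Record) -> Record:
    """Copy that is safe to write into a SOAR case or ticket; the original is left untouched."""
    safe = dict(rec)
    for field in SECRET_FIELDS:
        if field in safe:
            safe[field] = "[REDACTED]"
    return safe


def plaintext_exposures(records: List[Record]) -> List[str]:
    """document_ids whose credential is already plaintext; these need the fastest response."""
    return [str(r["document_id"]) for r in records if has_plaintext_password(r)]


def triage(records: List[Record], monitored_domain: str) -> Dict[str, List[Record]]:
    """Bucket each record by the response it warrants, returning redacted copies only.

    corporate record for the monitored domain -> force a password reset for that account
    infected record targeting that domain     -> a stealer is on the user's host; isolate it
    anything else above the threshold         -> analyst review (other domain, unknown shape)
    below the threshold                       -> ignore
    """
    buckets: Dict[str, List[Record]] = {
        "force_password_reset": [], "isolate_host": [], "review": [], "ignore": []
    }
    for rec in records:
        if int(rec.get("severity", 0)) < SEVERITY_THRESHOLD:
            buckets["ignore"].append(redact(rec))
            continue
        kind = record_type(rec)
        if kind == "corporate" and rec.get("email_domain") == monitored_domain:
            buckets["force_password_reset"].append(redact(rec))
        elif kind == "infected" and rec.get("target_domain") == monitored_domain:
            buckets["isolate_host"].append(redact(rec))
        else:
            buckets["review"].append(redact(rec))
    return buckets


# --- constructed sample records mirroring the two documented shapes; not real data ---
SAMPLE_RECORDS: List[Record] = [
    {"email": "alice@example.org", "email_domain": "example.org", "email_username": "alice",
     "password": "Winter2024!", "password_type": "plaintext", "password_plaintext": "Winter2024!",
     "severity": 34, "source_id": 315, "sighting": 1, "document_id": "corp-001"},
    {"email": "bob@example.org", "email_domain": "example.org", "email_username": "bob",
     "password": "5f4dcc3b5aa765d61d8327deb882cf99", "password_type": "md5",
     "severity": 34, "source_id": 315, "sighting": 2, "document_id": "corp-002"},
    {"email": "carol@example.org", "email_domain": "example.org", "email_username": "carol",
     "password": "[hashed]", "password_type": "unknown", "severity": 5, "source_id": 315,
     "sighting": 1, "document_id": "corp-003"},
    {"email": "dave@other.test", "email_domain": "other.test", "email_username": "dave",
     "password": "hunter2", "password_type": "plaintext", "password_plaintext": "hunter2",
     "severity": 34, "source_id": 9, "sighting": 1, "document_id": "corp-004"},
    {"user_hostname": "LAPTOP-7Q2", "user_os": "Windows 10 Home", "user_browser": "Firefox",
     "infected_machine_id": "m-0001", "infected_time": "2020-10-06T03:02:50Z",
     "target_domain": "example.org", "target_url": "https://mail.example.org/login",
     "username": "bob", "password": "Sp3cial!", "password_type": "plaintext",
     "password_plaintext": "Sp3cial!", "severity": 25, "source_id": 38324, "document_id": "inf-001"},
    {"user_hostname": "DESKTOP-A1", "user_os": "Windows 10 Home", "user_browser": "Firefox",
     "infected_machine_id": "m-0002", "infected_time": "2020-10-06T03:02:50Z",
     "target_domain": "other.test", "target_url": "https://other.test/", "username": "erin",
     "password": "x", "password_type": "plaintext", "password_plaintext": "x",
     "severity": 25, "source_id": 38324, "document_id": "inf-002"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS, "example.org")
    for bucket, recs in result.items():
        print(bucket, [r["document_id"] for r in recs])
    print("plaintext:", plaintext_exposures(SAMPLE_RECORDS))
```

The two record types call for different responses because they mean different things: a corporate record says a credential for one of your accounts has been recaptured, so the account needs a reset; an infected record says a machine that logged into your domain is running a credential stealer, so resetting the password alone only hands the attacker the new one.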
## List Watchlist Identifiers
Lists the identifiers (email addresses, domains and IP addresses) on your SpyCloud watchlist, with record counts for each.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Watchlist Type | [Jinja-templated](doc:jinja-template) text containing the watchlist type; filters results to one identifier type on your watchlist. Allowed values are 'email', 'domain', and 'ip'. If no value is provided, the API returns all watchlist types. | Optional |
| Verified | [Jinja-templated](doc:jinja-template) text containing the verified status to filter by. Allowed values are 'yes' and 'no'. If no value is provided, the API returns both verified and unverified identifiers. | Optional |
### Output
JSON containing the following items:
```json
{
  "cursor": "",
  "has_error": false,
  "results": [
    {
      "identifier_name": "devo.com",
      "identifier_type": "domain",
      "last_discovered": "2022-04-14T06:36:25Z",
      "status": "ACTIVE",
      "verified": "YES",
      "corporate_record_count": 3412,
      "infected_user_record_count": 524,
      "infected_employee_record_count": 0,
      "infected_consumer_record_count": 464
    },
    {
      "identifier_name": "devo.com",
      "identifier_type": "domain",
      "last_discovered": "2022-04-07T01:25:12Z",
      "status": "ACTIVE",
      "verified": "YES",
      "corporate_record_count": 272349,
      "infected_user_record_count": 3451,
      "infected_employee_record_count": 45,
      "infected_consumer_record_count": 65
    }
  ],
  "error": null,
  "hits": 7
}
```
## Create Watchlist Identifier
Adds an identifier to your SpyCloud watchlist.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Identifier | [Jinja-templated](doc:jinja-template) text containing the identifier to add to your watchlist, for example a domain such as example.org. | Required |
| Watchlist Type | [Jinja-templated](doc:jinja-template) text containing the type of the identifier being added. Allowed values are 'email', 'domain', and 'ip'. | Required |
### Output
JSON containing the following items:
```json
{
  "has_error": false,
  "results": "Successfully created."
}
```
## Verify Watchlist Identifier
Verifies an identifier that is already on your SpyCloud watchlist.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Identifier | [Jinja-templated](doc:jinja-template) text containing the watchlist identifier to verify. Example: example.org | Required |
### Output
JSON containing the following items:
```json
{
  "has_error": false,
  "results": "Successfully verified."
}
```
## Release Notes
v2.0.0
- Updated architecture to support IO via filesystem

v1.0.1
- Added 13 new actions: List Catalog, Get Catalog, Get Breach Data by Domain Search, Get Breach Data by Email Search, Get Breach Data by IP Address Search, Get Breach Data by Password Search, Get Breach Data by Username Search, Get Breach Data by Entire Watchlist, List Watchlist Identifiers, Get Watchlist Identifier By Name, Create Watchlist Identifier, Delete Watchlist Identifier, and Verify Watchlist Identifier.