# SpyCloud

The SpyCloud connector provides access to a comprehensive database of breached credentials and personal information, enabling proactive threat mitigation and account protection.

SpyCloud is a leader in cybercrime analytics and identity protection, offering a comprehensive database of compromised assets. The SpyCloud Turbine connector enables users to automate the retrieval of compromised application and device data, breach details, and specific application or device breach information. By integrating with SpyCloud, Swimlane Turbine users can proactively protect against account takeovers, streamline breach analysis, and enhance their security posture with actionable intelligence on exposed credentials and potential threats.

## Prerequisites

To effectively utilize the SpyCloud connector with Swimlane Turbine, ensure you have the following:

- API key authentication with the necessary parameters:
  - URL: endpoint for SpyCloud API services
  - SpyCloud API key: unique identifier to authenticate requests

## Capabilities

This plugin provides the following capabilities:

- Get Compass Applications List
- Get Compass Breach Data by Application Search
- Get Compass Breach Data
- Get Compass Devices Data
- Get Compass Devices List

## API Documentation Link

For more information on SpyCloud, see https://spycloud-external.readme.io/sc-enterprise-api/reference/compass-data-get.

## Configurations

### SpyCloud API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| X-API-Key | SpyCloud API key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Get Compass Applications List

Retrieve a list of compromised applications from SpyCloud's Compass database.

**Endpoint URL:** `/enterprise-v2/compass/applications`
**Method:** GET

**Input**

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.since | string | optional | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field |
| parameters.until | string | optional | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field |
| parameters.cursor | string | optional | Token used for iterating through multiple pages of results |

Input example:

```json
{"parameters": {"since": "2018-02-15", "until": "2020-02-15", "cursor": ""}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| hits | number | Output field hits |
| results | array | Result of the operation |
| results.target_application | string | Result of the operation |
| results.latest_spycloud_publish_date | string | Result of the operation |
| results.first_spycloud_publish_date | string | Result of the operation |
| results.total_records | number | Result of the operation |
| results.compromised_device_count | number | Result of the operation |
| results.email_count | number | Result of the operation |
| results.username_count | number | Name of the resource |
| results.on_watchlist | string | Result of the operation |

Output example:

```json
{"status_code": 200, "response_headers": {"Cache-Control": "no-store, no-cache", "Pragma": "no-cache", "Content-Type": "application/json; charset=utf-8", "Expires": "-1", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Date": "Mon, 09 Sep 2024 10:38:54 GMT", "Content-Length": "1460"}, "reason": "OK", "json_body": {"cursor": "", "hits": 3, "results": [{}, {}, {}]}}
```

### Get Compass Breach Data

Retrieve breach data from SpyCloud Compass, providing insights into exposed credentials and potential threats.

**Endpoint URL:** `/enterprise-v2/compass/data`
**Method:** GET

**Input**

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.source_id | string | optional | This parameter allows you to filter based on a particular breach source. A comma-separated list of source IDs can also be used |
| parameters.since | string | optional | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field |
| parameters.until | string | optional | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field |
| parameters.since_infected | string | optional | This parameter allows you to define the starting point for a date range query on the infected_time field |
| parameters.until_infected | string | optional | This parameter allows you to define the ending point for a date range query on the infected_time field |
| parameters.type | string | optional | This parameter will return records that are verified or unverified, meaning those that matched the watchlist or not. By default, if type is not used, both types will be returned |
| parameters.cursor | string | optional | Token used for iterating through multiple pages of results |
| parameters.salt | string | optional | If hashing is enabled for your API key, you have the option to provide a 10 to 24 character, high-entropy salt. Otherwise the pre-configured salt will be used |

Input example:

```json
{"parameters": {"source_id": "93894", "since": "2018-02-15", "until": "2020-02-15", "since_infected": "2019-02-15", "until_infected": "2021-02-15", "type": "plaintext", "cursor": "", "salt": ""}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| hits | number | Output field hits |
| results | array | Result of the operation |
| results.user_browser | string | Result of the operation |
| results.password | string | Result of the operation |
| results.document_id | string | Unique identifier |
| results.source_id | number | Unique identifier |
| results.email | string | Result of the operation |
| results.ip_addresses | array | Result of the operation |
| results.country | string | Result of the operation |
| results.infected_machine_id | string | Unique identifier |
| results.infected_path | string | Result of the operation |
| results.user_os | string | Result of the operation |
| results.av_softwares | array | Result of the operation |
| results.log_id | string | Unique identifier |
| results.user_hostname | string | Name of the resource |
| results.user_sys_registered_owner | string | Result of the operation |
| results.keyboard_languages | string | Result of the operation |
| results.target_url | string | URL endpoint for the request |
| results.infected_time | string | Result of the operation |
| results.spycloud_publish_date | string | Result of the operation |
| results.email_domain | string | Result of the operation |
| results.email_username | string | Name of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"Cache-Control": "no-store, no-cache", "Pragma": "no-cache", "Content-Type": "application/json; charset=utf-8", "Expires": "-1", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Date": "Mon, 09 Sep 2024 10:38:54 GMT", "Content-Length": "1460"}, "reason": "OK", "json_body": {"cursor": "", "hits": 2, "results": [{}, {}]}}
```

### Get Compass Breach Data by Application Search

Retrieve breach data for a specified application from SpyCloud's Compass database using the target_application parameter.

**Endpoint URL:** `/enterprise-v2/compass/data/applications/{{target_application}}`
**Method:** GET

**Input**

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.source_id | number | optional | This parameter allows you to filter based on a particular breach source |
| parameters.since | string | optional | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field |
| parameters.until | string | optional | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field |
| parameters.salt | string | optional | If hashing is enabled for your API key, you have the option to provide a 10 to 24 character, high-entropy salt. Otherwise the pre-configured salt will be used |
| path_parameters.target_application | string | required | One or more comma-delimited Compass target applications (subdomain or domain) to search for |

Input example:

```json
{"parameters": {"source_id": 42436, "since": "2018-02-15", "until": "2020-02-15", "salt": ""}, "path_parameters": {"target_application": "19372"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| hits | number | Output field hits |
| results | array | Result of the operation |
| results.username | string | Name of the resource |
| results.password | string | Result of the operation |
| results.password_plaintext | string | Result of the operation |
| results.password_type | string | Type of the resource |
| results.target_url | string | URL endpoint for the request |
| results.user_browser | string | Result of the operation |
| results.ip_addresses | array | Result of the operation |
| results.av_softwares | array | Result of the operation |
| results.log_id | string | Unique identifier |
| results.infected_machine_id | string | Unique identifier |
| results.infected_path | string | Result of the operation |
| results.infected_time | string | Result of the operation |
| results.user_sys_domain | string | Result of the operation |
| results.user_hostname | string | Name of the resource |
| results.user_os | string | Result of the operation |
| results.user_sys_registered_owner | string | Result of the operation |
| results.source_id | number | Unique identifier |
| results.spycloud_publish_date | string | Result of the operation |
| results.target_domain | string | Result of the operation |
| results.target_subdomain | string | Result of the operation |

Output example:

```json
{"status_code": 200, "response_headers": {"Cache-Control": "no-store, no-cache", "Pragma": "no-cache", "Content-Type": "application/json; charset=utf-8", "Expires": "-1", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Date": "Mon, 09 Sep 2024 10:38:54 GMT", "Content-Length": "1460"}, "reason": "OK", "json_body": {"cursor": "", "hits": 2, "results": [{}, {}]}}
```

### Get Compass Devices Data

Retrieve breach data for a specific infected machine from SpyCloud using the machine's unique ID.

**Endpoint URL:** `/enterprise-v2/compass/data/devices/{{infected_machine_id}}`
**Method:** GET

**Input**

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.cursor | string | optional | Token used for iterating through multiple pages of results |
| parameters.salt | string | optional | If hashing is enabled for your API key, you have the option to provide a 10 to 24 character, high-entropy salt. Otherwise the pre-configured salt will be used |
| path_parameters.infected_machine_id | string | required | An infected machine ID to search for Compass breach records |

Input example:

```json
{"parameters": {"cursor": "", "salt": ""}, "path_parameters": {"infected_machine_id": "76c9a60b-1d06-4bc1-8e08-4f07f82c0bdd"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| hits | number | Output field hits |
| results | array | Result of the operation |
| results.user_browser | string | Result of the operation |
| results.password | string | Result of the operation |
| results.document_id | string | Unique identifier |
| results.source_id | number | Unique identifier |
| results.email | string | Result of the operation |
| results.ip_addresses | array | Result of the operation |
| results.country | string | Result of the operation |
| results.infected_machine_id | string | Unique identifier |
| results.infected_path | string | Result of the operation |
| results.user_os | string | Result of the operation |
| results.av_softwares | array | Result of the operation |
| results.log_id | string | Unique identifier |
| results.user_hostname | string | Name of the resource |
| results.user_sys_registered_owner | string | Result of the operation |
| results.keyboard_languages | string | Result of the operation |
| results.target_url | string | URL endpoint for the request |
| results.infected_time | string | Result of the operation |
| results.spycloud_publish_date | string | Result of the operation |
| results.email_domain | string | Result of the operation |
| results.email_username | string | Name of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"Cache-Control": "no-store, no-cache", "Pragma": "no-cache", "Content-Type": "application/json; charset=utf-8", "Expires": "-1", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Date": "Mon, 09 Sep 2024 10:38:54 GMT", "Content-Length": "1460"}, "reason": "OK", "json_body": {"cursor": "", "hits": 2, "results": [{}, {}]}}
```

### Get Compass Devices List

Retrieve a list of compromised devices from SpyCloud's Compass database for analysis or monitoring.

**Endpoint URL:** `/enterprise-v2/compass/devices`
**Method:** GET

**Input**

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.source_id | string | optional | This parameter allows you to filter based on a particular breach source. A comma-separated list of source IDs can also be used |
| parameters.since | string | optional | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field |
| parameters.until | string | optional | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field |
| parameters.since_infected | string | optional | This parameter allows you to define the starting point for a date range query on the infected_time field |
| parameters.until_infected | string | optional | This parameter allows you to define the ending point for a date range query on the infected_time field |
| parameters.salt | string | optional | If hashing is enabled for your API key, you have the option to provide a 10 to 24 character, high-entropy salt. Otherwise the pre-configured salt will be used |

Input example:

```json
{"parameters": {"source_id": "40347", "since": "2018-02-15", "until": "2020-02-15", "since_infected": "2019-02-15", "until_infected": "2021-02-15", "salt": ""}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| hits | number | Output field hits |
| results | array | Result of the operation |
| results.log_id | string | Unique identifier |
| results.user_hostname | string | Name of the resource |
| results.user_os | string | Result of the operation |
| results.ip_addresses | array | Result of the operation |
| results.source_id | number | Unique identifier |
| results.spycloud_publish_date | string | Result of the operation |
| results.infected_time | string | Result of the operation |
| results.application_count | number | Result of the operation |
| results.infected_device_id | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Cache-Control": "no-store, no-cache", "Pragma": "no-cache", "Content-Type": "application/json; charset=utf-8", "Expires": "-1", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Date": "Mon, 09 Sep 2024 10:38:54 GMT", "Content-Length": "1460"}, "reason": "OK", "json_body": {"hits": 3, "results": [{}, {}, {}]}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-store, no-cache |
| Content-Length | The length of the response body in bytes | 1460 |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Mon, 09 Sep 2024 10:38:54 GMT |
| Expires | The date/time after which the response is considered stale | -1 |
| Pragma | HTTP response header Pragma | no-cache |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains |
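The Get Compass Breach Data action above pages through results with the `cursor` token and returns recovered credential fields in each record. The following added example (not part of the Swimlane Turbine connector or SpyCloud's own client) shows how a playbook step would walk those pages with the X-API-Key header and redact `password` and `password_plaintext` before records reach case notes; the endpoint, parameter names and response shape are taken from the documentation above, and `SAMPLE_PAGES` and the base URL are constructed.

```python
"""Page through SpyCloud Compass breach data, redacting recovered credentials.
Added example, not connector code; assumes the endpoint, X-API-Key header and
cursor/hits/results shape documented above. SAMPLE_PAGES and BASE are constructed."""
import json
from typing import Callable, Dict, Iterator
from urllib.parse import urlencode
from urllib.request import Request, urlopen

COMPASS_DATA = "/enterprise-v2/compass/data"
SECRET_FIELDS = ("password", "password_plaintext")  # keep these out of case notes and logs


def build_url(base_url: str, endpoint: str, params: Dict[str, str]) -> str:
    """Compose the request URL, dropping empty optional parameters such as cursor=''."""
    query = {k: v for k, v in params.items() if v not in ("", None)}
    return base_url.rstrip("/") + endpoint + ("?" + urlencode(query) if query else "")


def http_fetch(api_key: str, url: str) -> dict:
    """Live fetcher: GET with the X-API-Key header the connector configuration uses."""
    req = Request(url, headers={"X-API-Key": api_key, "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def redact(record: dict) -> dict:
    """Replace non-empty credential values with a marker before the record is yielded."""
    return {k: ("<redacted>" if k in SECRET_FIELDS and v else v) for k, v in record.items()}


def iter_compass_records(fetch: Callable[[str], dict], base_url: str,
                         params: Dict[str, str], max_pages: int = 1000) -> Iterator[dict]:
    """Follow the cursor token until it comes back empty; a repeated cursor or max_pages
    also stops the loop, so a misbehaving endpoint cannot turn the step into an endless poll."""
    cursor, seen = "", set()
    for _ in range(max_pages):
        page = fetch(build_url(base_url, COMPASS_DATA, {**params, "cursor": cursor}))
        for rec in page.get("results", []):
            yield redact(rec)
        cursor = page.get("cursor", "")
        if not cursor or cursor in seen:
            return
        seen.add(cursor)


# Constructed two-page response for an offline run; not real SpyCloud data.
BASE = "https://spycloud.example.invalid"
SAMPLE_PAGES = {
    BASE + COMPASS_DATA + "?since=2018-02-15&until=2020-02-15": {"cursor": "p2", "hits": 3, "results": [
        {"email": "a@example.com", "password": "hunter2"}, {"email": "b@example.com", "password": ""}]},
    BASE + COMPASS_DATA + "?since=2018-02-15&until=2020-02-15&cursor=p2": {"cursor": "", "hits": 3,
        "results": [{"email": "c@example.com", "password_plaintext": "x"}]},
}
```

Against a live tenant, pass `functools.partial(http_fetch, api_key)` as the fetcher and the connector's configured URL as `base_url`.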