SpyCloud
The SpyCloud connector provides access to a comprehensive database of breached credentials and personal information, enabling proactive threat mitigation and account protection.

SpyCloud is a leader in cybercrime analytics and identity protection, offering a comprehensive database of compromised assets. The SpyCloud Turbine connector enables users to automate the retrieval of compromised application and device data, breach details, and specific application or device breach information. By integrating with SpyCloud, Swimlane Turbine users can proactively protect against account takeovers, streamline breach analysis, and enhance their security posture with actionable intelligence on exposed credentials and potential threats.

## Prerequisites

To effectively utilize the SpyCloud connector with Swimlane Turbine, ensure you have the following:

- API key authentication with the necessary parameters:
  - URL: endpoint for SpyCloud API services
  - SpyCloud API key: unique identifier to authenticate requests

## Capabilities

This plugin provides the following capabilities:

- Get Compass Applications List
- Get Compass Breach Data by Application Search
- Get Compass Breach Data
- Get Compass Devices Data
- Get Compass Devices List

## API Documentation Link

For more information on SpyCloud, see the [SpyCloud API documentation](https://spycloud-external.readme.io/sc-enterprise-api/reference/compass-data-get).

## Configurations

### SpyCloud API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| x-api-key | SpyCloud API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Get Compass Applications List

Retrieve a list of compromised applications from SpyCloud's Compass database.

Endpoint URL: `/enterprise-v2/compass/applications`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| since | string | Optional | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. |
| until | string | Optional | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. |
| cursor | string | Optional | Token used for iterating through multiple pages of results. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| hits | number | Output field hits |
| results | array | Result of the operation |
| target_application | string | Output field target_application |
| latest_spycloud_publish_date | string | Date value |
| first_spycloud_publish_date | string | Date value |
| total_records | number | Output field total_records |
| compromised_device_count | number | Count value |
| email_count | number | Count value |
| username_count | number | Name of the resource |
| on_watchlist | string | Output field on_watchlist |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "no-store, no-cache",
      "pragma": "no-cache",
      "content-type": "application/json; charset=utf-8",
      "expires": "-1",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "date": "Mon, 09 Sep 2024 10:38:54 GMT",
      "content-length": "1460"
    },
    "reason": "OK",
    "json_body": {
      "cursor": "",
      "hits": 3,
      "results": []
    }
  }
]
```

### Get Compass Breach Data

Retrieve breach data from SpyCloud Compass, providing insights into exposed credentials and potential threats.

Endpoint URL: `/enterprise-v2/compass/data`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| source_id | string | Optional | This parameter allows you to filter based on a particular breach source. A comma-separated list of source IDs can also be used. |
| since | string | Optional | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. |
| until | string | Optional | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. |
| since_infected | string | Optional | This parameter allows you to define the starting point for a date range query on the infected_time field. |
| until_infected | string | Optional | This parameter allows you to define the ending point for a date range query on the infected_time field. |
| type | string | Optional | This parameter will return records that are verified or unverified, meaning those that matched the watchlist or not. By default, if type is not used, both types will be returned. |
| cursor | string | Optional | Token used for iterating through multiple pages of results. |
| salt | string | Optional | If hashing is enabled for your API key, you have the option to provide a 10- to 24-character, high-entropy salt. Otherwise the pre-configured salt will be used. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| hits | number | Output field hits |
| results | array | Result of the operation |
| user_browser | string | Output field user_browser |
| password | string | Output field password |
| document_id | string | Unique identifier |
| source_id | number | Unique identifier |
| email | string | Output field email |
| ip_addresses | array | Output field ip_addresses |
| country | string | Output field country |
| infected_machine_id | string | Unique identifier |
| infected_path | string | Output field infected_path |
| user_os | string | Output field user_os |
| av_softwares | array | Output field av_softwares |
| log_id | string | Unique identifier |
| user_hostname | string | Name of the resource |
| user_sys_registered_owner | string | Output field user_sys_registered_owner |
| keyboard_languages | string | Output field keyboard_languages |
| target_url | string | URL endpoint for the request |
| infected_time | string | Time value |
| spycloud_publish_date | string | Date value |
| email_domain | string | Output field email_domain |
| email_username | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "no-store, no-cache",
      "pragma": "no-cache",
      "content-type": "application/json; charset=utf-8",
      "expires": "-1",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "date": "Mon, 09 Sep 2024 10:38:54 GMT",
      "content-length": "1460"
    },
    "reason": "OK",
    "json_body": {
      "cursor": "",
      "hits": 2,
      "results": []
    }
  }
]
```

### Get Compass Breach Data by Application Search

Retrieve breach data for a specified application from SpyCloud's Compass database using the target_application parameter.

Endpoint URL: `/enterprise-v2/compass/data/applications/{{target_application}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| source_id | number | Optional | This parameter allows you to filter based on a particular breach source. |
| since | string | Optional | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. |
| until | string | Optional | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. |
| salt | string | Optional | If hashing is enabled for your API key, you have the option to provide a 10- to 24-character, high-entropy salt. Otherwise the pre-configured salt will be used. |
| target_application | string | Required | One or more comma-delimited Compass target applications (subdomain or domain) to search for. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| hits | number | Output field hits |
| results | array | Result of the operation |
| username | string | Name of the resource |
| password | string | Output field password |
| password_plaintext | string | Output field password_plaintext |
| password_type | string | Type of the resource |
| target_url | string | URL endpoint for the request |
| user_browser | string | Output field user_browser |
| ip_addresses | array | Output field ip_addresses |
| av_softwares | array | Output field av_softwares |
| log_id | string | Unique identifier |
| infected_machine_id | string | Unique identifier |
| infected_path | string | Output field infected_path |
| infected_time | string | Time value |
| user_sys_domain | string | Output field user_sys_domain |
| user_hostname | string | Name of the resource |
| user_os | string | Output field user_os |
| user_sys_registered_owner | string | Output field user_sys_registered_owner |
| source_id | number | Unique identifier |
| spycloud_publish_date | string | Date value |
| target_domain | string | Output field target_domain |
| target_subdomain | string | Output field target_subdomain |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "no-store, no-cache",
      "pragma": "no-cache",
      "content-type": "application/json; charset=utf-8",
      "expires": "-1",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "date": "Mon, 09 Sep 2024 10:38:54 GMT",
      "content-length": "1460"
    },
    "reason": "OK",
    "json_body": {
      "cursor": "",
      "hits": 2,
      "results": []
    }
  }
]
```

### Get Compass Devices Data

Retrieve breach data for a specific infected machine from SpyCloud using the machine's unique ID.

Endpoint URL: `/enterprise-v2/compass/data/devices/{{infected_machine_id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| cursor | string | Optional | Token used for iterating through multiple pages of results. |
| salt | string | Optional | If hashing is enabled for your API key, you have the option to provide a 10- to 24-character, high-entropy salt. Otherwise the pre-configured salt will be used. |
| infected_machine_id | string | Required | An infected machine ID to search for Compass breach records. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| hits | number | Output field hits |
| results | array | Result of the operation |
| user_browser | string | Output field user_browser |
| password | string | Output field password |
| document_id | string | Unique identifier |
| source_id | number | Unique identifier |
| email | string | Output field email |
| ip_addresses | array | Output field ip_addresses |
| country | string | Output field country |
| infected_machine_id | string | Unique identifier |
| infected_path | string | Output field infected_path |
| user_os | string | Output field user_os |
| av_softwares | array | Output field av_softwares |
| log_id | string | Unique identifier |
| user_hostname | string | Name of the resource |
| user_sys_registered_owner | string | Output field user_sys_registered_owner |
| keyboard_languages | string | Output field keyboard_languages |
| target_url | string | URL endpoint for the request |
| infected_time | string | Time value |
| spycloud_publish_date | string | Date value |
| email_domain | string | Output field email_domain |
| email_username | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "no-store, no-cache",
      "pragma": "no-cache",
      "content-type": "application/json; charset=utf-8",
      "expires": "-1",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "date": "Mon, 09 Sep 2024 10:38:54 GMT",
      "content-length": "1460"
    },
    "reason": "OK",
    "json_body": {
      "cursor": "",
      "hits": 2,
      "results": []
    }
  }
]
```

### Get Compass Devices List

Retrieve a list of compromised devices from SpyCloud's Compass database for analysis or monitoring.

Endpoint URL: `/enterprise-v2/compass/devices`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| source_id | string | Optional | This parameter allows you to filter based on a particular breach source. A comma-separated list of source IDs can also be used. |
| since | string | Optional | This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field. |
| until | string | Optional | This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field. |
| since_infected | string | Optional | This parameter allows you to define the starting point for a date range query on the infected_time field. |
| until_infected | string | Optional | This parameter allows you to define the ending point for a date range query on the infected_time field. |
| salt | string | Optional | If hashing is enabled for your API key, you have the option to provide a 10- to 24-character, high-entropy salt. Otherwise the pre-configured salt will be used. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| hits | number | Output field hits |
| results | array | Result of the operation |
| log_id | string | Unique identifier |
| user_hostname | string | Name of the resource |
| user_os | string | Output field user_os |
| ip_addresses | array | Output field ip_addresses |
| source_id | number | Unique identifier |
| spycloud_publish_date | string | Date value |
| infected_time | string | Time value |
| application_count | number | Count value |
| infected_device_id | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "no-store, no-cache",
      "pragma": "no-cache",
      "content-type": "application/json; charset=utf-8",
      "expires": "-1",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "date": "Mon, 09 Sep 2024 10:38:54 GMT",
      "content-length": "1460"
    },
    "reason": "OK",
    "json_body": {
      "hits": 3,
      "results": []
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| cache-control | Directives for caching mechanisms | no-store, no-cache |
| content-length | The length of the response body in bytes | 1460 |
| content-type | The media type of the resource | application/json; charset=utf-8 |
| date | The date and time at which the message was originated | Mon, 09 Sep 2024 10:38:54 GMT |
| expires | The date/time after which the response is considered stale | -1 |
| pragma | HTTP response header pragma | no-cache |
| strict-transport-security | HTTP response header strict-transport-security | max-age=31536000; includeSubDomains |
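The actions above share one request shape: a GET against a `/enterprise-v2/compass/*` path, optional `since`/`until` and `since_infected`/`until_infected` date filters, an optional `salt` that must be 10 to 24 characters when hashing is enabled, and a `cursor` token that is empty on the last page. The following is an added example, not code from the Swimlane connector or from SpyCloud: a small Python client that builds those query strings, rejects an out-of-range salt before any request is sent, follows the cursor until it comes back empty, and then groups the returned breach records by `infected_machine_id` so an analyst can see which exposed accounts and target applications belong to each infected host. The header name `X-API-Key` is assumed from the connector's `x-api-key` configuration parameter, the base URL and date format are placeholders, and the two response pages are constructed fixtures shaped like the example bodies above; the transport is injectable so the block runs offline.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Transport signature: (full URL, request headers) -> decoded JSON body.
Fetcher = Callable[[str, Dict[str, str]], dict]

# Salt length range quoted in the connector docs ("10 to 24 character, high entropy salt").
SALT_MIN, SALT_MAX = 10, 24


def build_query(since: Optional[str] = None, until: Optional[str] = None,
                since_infected: Optional[str] = None, until_infected: Optional[str] = None,
                source_id: Optional[str] = None, salt: Optional[str] = None,
                cursor: Optional[str] = None) -> Dict[str, str]:
    """Assemble the query parameters for a Compass call, dropping unset ones.

    An out-of-range salt is rejected locally so a misconfigured playbook fails
    before the request is sent rather than silently using the pre-configured salt.
    """
    if salt is not None and not (SALT_MIN <= len(salt) <= SALT_MAX):
        raise ValueError(f"salt must be {SALT_MIN}-{SALT_MAX} characters, got {len(salt)}")
    candidates = {
        "since": since, "until": until,
        "since_infected": since_infected, "until_infected": until_infected,
        "source_id": source_id, "salt": salt, "cursor": cursor,
    }
    return {k: v for k, v in candidates.items() if v}


class CompassClient:
    """Thin client for the /enterprise-v2/compass/* endpoints.

    The X-API-Key header name is an assumption derived from the connector's
    "x-api-key" configuration parameter; adjust it if your tenant differs.
    """

    def __init__(self, base_url: str, api_key: str, fetcher: Optional[Fetcher] = None):
        self.base_url = base_url.rstrip("/")
        self.headers = {"X-API-Key": api_key, "Accept": "application/json"}
        self.fetch: Fetcher = fetcher or self._urllib_fetch

    @staticmethod
    def _urllib_fetch(url: str, headers: Dict[str, str]) -> dict:
        # Real transport, only used when no fetcher is injected.
        with urlopen(Request(url, headers=headers), timeout=30) as resp:
            return json.load(resp)

    def iterate(self, path: str, **filters) -> Iterator[dict]:
        """Yield every record under `path`, re-requesting with the returned
        `cursor` until the API hands back an empty one (as in the examples)."""
        cursor: Optional[str] = None
        while True:
            query = build_query(cursor=cursor, **filters)
            url = f"{self.base_url}{path}" + (f"?{urlencode(query)}" if query else "")
            body = self.fetch(url, self.headers)
            yield from body.get("results", [])
            cursor = body.get("cursor") or None
            if cursor is None:
                break

    def breach_data(self, **filters) -> List[dict]:
        return list(self.iterate("/enterprise-v2/compass/data", **filters))


def summarize_by_device(records: List[dict]) -> Dict[str, Dict[str, set]]:
    """Group breach records by infected_machine_id, collecting the exposed
    emails and the target applications each infected host held credentials for."""
    summary: Dict[str, Dict[str, set]] = {}
    for rec in records:
        entry = summary.setdefault(rec.get("infected_machine_id", "unknown"),
                                   {"emails": set(), "targets": set()})
        if rec.get("email"):
            entry["emails"].add(rec["email"])
        if rec.get("target_url"):
            entry["targets"].add(rec["target_url"])
    return summary


# Constructed offline fixture: two pages keyed by the cursor that requests them.
_PAGES = {
    None: {"cursor": "next-1", "hits": 3, "results": [
        {"infected_machine_id": "m-001", "email": "alice@example.com", "target_url": "https://vpn.example.com"},
        {"infected_machine_id": "m-001", "email": "alice@example.com", "target_url": "https://mail.example.com"},
    ]},
    "next-1": {"cursor": "", "hits": 3, "results": [
        {"infected_machine_id": "m-002", "email": "bob@example.com", "target_url": "https://vpn.example.com"},
    ]},
}


def fake_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Stand-in transport: serves the constructed pages by the cursor parameter."""
    assert headers.get("X-API-Key"), "API key header missing"
    qs = parse_qs(urlparse(url).query)
    return _PAGES[qs.get("cursor", [None])[0]]


def demo() -> Dict[str, Dict[str, set]]:
    # Placeholder base URL and key; in Turbine these come from the connector's url / x-api-key config.
    client = CompassClient("https://api.example.invalid", "PLACEHOLDER_API_KEY", fetcher=fake_fetch)
    records = client.breach_data(since="2024-09-01", until="2024-09-09", salt="a" * 16)
    return summarize_by_device(records)


if __name__ == "__main__":
    for machine, info in demo().items():
        print(machine, sorted(info["emails"]), sorted(info["targets"]))
```

Passing `fetcher=None` switches the client to a real `urllib` transport; the per-device summary is the kind of grouping that turns a flat Compass result list into one alert per infected host, which is usually the unit a responder wants to act on.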