SpyCloud
Integration version: 3.0
Use Cases
Perform enrichment of entities.
Configure SpyCloud integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API Root | String | https:/{{api root}} | Yes | API root of the SpyCloud instance. |
API Key | Password | N/A | Yes | API Key of the SpyCloud instance. |
Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the SpyCloud server is valid. |
Actions
Ping
Description
Test connectivity to SpyCloud with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: (none). The action should fail and stop a playbook execution: if not successful: "Failed to connect to the SpyCloud server! Error is {0}".format(exception.stacktrace) | General |
List Catalogs
Description
List available catalogs in SpyCloud.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Filter Logic | DDL | Equal. Possible values: Equal, Contains | No | Specify what filter logic should be applied. |
Filter Value | String | N/A | No | Specify what value should be used in the filter. If "Equal" is selected, the action tries to find an exact match among the results; if "Contains" is selected, the action tries to find results that contain that substring. "Equal" works with the "title" parameter, while "Contains" works with all values in the response. If nothing is provided in this parameter, the filter is not applied. |
Time Frame | DDL | Last Week. Possible values: Last Week, Last Month, Last Year, Custom | Yes | Specify a time frame for the search. If "Custom" is selected, you also need to provide "Start Time". |
Start Time | String | N/A | No | Specify the start time for the search. This parameter is mandatory if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601. |
End Time | String | N/A | No | Specify the end time for the search. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter, this parameter uses the current time. |
Max Catalogs To Return | Integer | 50 | No | Specify how many catalogs to return. Default: 50. |
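The Filter Logic, Filter Value, Time Frame, Start Time, End Time and Max Catalogs To Return parameters interact in a few documented ways ("Equal" only compares the title, "Contains" searches every value, "Custom" requires a Start Time and defaults End Time to now). The following Python is an added example that reproduces those rules over constructed catalog records; it is not the integration's own code. It assumes the time frame is applied to spycloud_publish_date, approximates "Last Month" and "Last Year" as 30 and 365 days, and treats "Contains" as a case-sensitive substring match, none of which the page specifies.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, modelled on the List Catalogs JSON result shown above.
# Only the fields needed for filtering are kept; the first record mirrors the page's example.
SAMPLE_CATALOGS = [
    {"id": 18679, "title": "unifort.com.br", "site": "unifort.com.br", "type": "PRIVATE",
     "num_records": 4226, "spycloud_publish_date": "2020-12-10T00:00:00Z",
     "description": "Breached sites originating from Cit0Day, a now-defunct subscription service."},
    {"id": 1, "title": "forum.example", "site": "forum.example", "type": "PUBLIC",
     "num_records": 100, "spycloud_publish_date": "2020-11-01T00:00:00Z",
     "description": "Constructed record that also mentions Cit0Day."},
    {"id": 2, "title": "shop.example", "site": "shop.example", "type": "PUBLIC",
     "num_records": 5, "spycloud_publish_date": "2020-06-01T00:00:00Z",
     "description": "Constructed record unrelated to the others."},
]

# Assumption: "Last Month" and "Last Year" are approximated as 30 and 365 days.
TIME_FRAME_DELTAS = {
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),
    "Last Year": timedelta(days=365),
}


def parse_iso8601(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' (as in the page's JSON) means UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def resolve_time_frame(time_frame, start_time=None, end_time=None, now=None):
    """Turn Time Frame / Start Time / End Time into a (start, end) window.

    Mirrors the documented rules: "Custom" requires Start Time and defaults End Time
    to the current time; the other values are measured back from now.
    """
    now = now or datetime.now(timezone.utc)
    if time_frame == "Custom":
        if not start_time:
            raise ValueError('"Start Time" should be provided, when "Custom" is selected '
                             'in "Time Frame" parameter.')
        start = parse_iso8601(start_time)
        end = parse_iso8601(end_time) if end_time else now
        return start, end
    if time_frame not in TIME_FRAME_DELTAS:
        raise ValueError(f"Unsupported Time Frame: {time_frame}")
    return now - TIME_FRAME_DELTAS[time_frame], now


def matches_filter(catalog, filter_logic, filter_value):
    """Apply Filter Logic: "Equal" compares the title, "Contains" searches every value."""
    if not filter_value:
        return True  # empty Filter Value: the filter is not applied
    if filter_logic == "Equal":
        return catalog.get("title") == filter_value
    if filter_logic == "Contains":
        return any(filter_value in str(value) for value in catalog.values())
    raise ValueError(f"Unsupported Filter Logic: {filter_logic}")


def list_catalogs(catalogs, filter_logic="Equal", filter_value=None, time_frame="Last Week",
                  start_time=None, end_time=None, max_catalogs=50, now=None):
    """Return the catalogs matching the action's parameters, capped at max_catalogs.

    Assumption: the time frame is applied to spycloud_publish_date.
    """
    start, end = resolve_time_frame(time_frame, start_time, end_time, now)
    selected = []
    for catalog in catalogs:
        published = parse_iso8601(catalog["spycloud_publish_date"])
        if not start <= published <= end:
            continue
        if matches_filter(catalog, filter_logic, filter_value):
            selected.append(catalog)
    return selected[:max_catalogs]


if __name__ == "__main__":
    frozen_now = datetime(2020, 12, 15, tzinfo=timezone.utc)
    for catalog in list_catalogs(SAMPLE_CATALOGS, "Contains", "Cit0Day", "Custom",
                                 "2020-10-01T00:00:00Z", now=frozen_now):
        print(catalog["id"], catalog["title"])
```

Passing a fixed `now` keeps the relative time frames reproducible; in a playbook the current time is taken at execution, exactly as the End Time description states.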
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"site_description": "unifort.com.br was allegedly breached along with over 23,000 other sites and shared as part of the Cit0Day leak in November, 2020. Cit0Day is a now-defunct criminal databroker that was shuttered in September 2020.",
"media_urls": [
"https://www.zdnet.com/article/23600-hacked-databases-have-leaked-from-a-defunct-data-breach-index-site/"
],
"confidence": 3,
"title": "unifort.com.br",
"description": "In November 2020, a collection of over 23,000 breached sites was leaked on several hacking forums and Telegram channels. These breached sites originated from Cit0Day, a now-defunct private subscription service marketed towards criminals. The leaked data primarily includes email addresses and passwords that Cit0Day offered for a daily or monthly subscription fee.",
"acquisition_date": "2020-11-05T00:00:00Z",
"site": "unifort.com.br",
"id": 18679,
"type": "PRIVATE",
"num_records": 4226,
"uuid": "0c87e8f6-d686-46c9-8ce4-5d9785917c0a",
"spycloud_publish_date": "2020-12-10T00:00:00Z",
"assets": {
"email": 4226,
"password": 4220
}
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If data is not available (is_success=false): "No catalogs were found for the provided criteria in SpyCloud". The action should fail and stop a playbook execution: If Start Time is empty, when "Time Frame" is "Custom": "Error executing action "List Catalogs". Reason: "Start Time" should be provided, when "Custom" is selected in "Time Frame" parameter." | General |
Case Wall Table | Name: Available Catalogs. Columns: Title, Type, Number of records, Site | General |
List Entity Breaches
Description
Return information about breaches related to entities. Supported entity types: IP Address, Username, Email Address (a Username entity that matches the email regex), Domain (for a URL entity, the action extracts the domain part and searches on it).
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Catalog Filter | String | N/A | No | Specify the name of the catalog in which you want to search for breaches. |
Time Frame | DDL | Last Week. Possible values: Last Week, Last Month, Last Year, Custom | Yes | Specify a time frame for the search. If "Custom" is selected, you also need to provide "Start Time". |
Start Time | String | N/A | No | Specify the start time for the search. This parameter is mandatory if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601. Note: the action only takes the datetime at action execution. |
End Time | String | N/A | No | Specify the end time for the search. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter, this parameter uses the current time. Note: the action only takes the datetime at action execution. |
Max Breaches To Return | Integer | 1 | No | Specify how many breaches to return per entity. Default: 1. Maximum: 1000. |
Run On
This action runs on the following entities:
- IP Address
- Username
- Email Address
- Domain
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"user_browser": "Google Chrome New",
"password": "password",
"ip_addresses": [
"118.71.221.126"
],
"infected_path": "C:\\Users\\TOAN\\AppData\\Local\\Temp\\7ZipSfx.000\\Nei.exe.com",
"user_os": "Windows 10 Enterprise LTSC 2019 64-bit(x64) build: 17763 release: 1809",
"infected_machine_id": "011c55b5-5951-42d8-aefa-dad3c206a032",
"source_id": 37592,
"target_url": "127.0.0.1",
"email": "zena19@example.com",
"user_sys_registered_owner": "TOAN",
"user_hostname": "DELL",
"infected_time": "2021-05-23T11:38:44Z",
"spycloud_publish_date": "2021-06-03T00:00:00Z",
"email_domain": "example.com",
"email_username": "zena19",
"domain": "example.com",
"password_type": "plaintext",
"password_plaintext": "password",
"severity": 25,
"document_id": "31f3bdff-564c-4c52-a0e5-3cd7f00b6655",
"sighting": 1
}
Enrichment Table
Enrichment Field Name | Logic - When to apply |
---|---|
was_breached | When available in JSON |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If data is not available for one entity (is_success=true): "Action wasn't able to find breaches for the following entities in SpyCloud: {entity.identifier}". If data is not available for all (is_success=false): "No information about breaches was found for the provided entities." The action should fail and stop a playbook execution: if Start Time is empty, when "Time Frame" is "Custom": "Error executing action "List Entity Breaches". Reason: "Start Time" should be provided, when "Custom" is selected in "Time Frame" parameter." If "Catalog Filter" is not found (fail): "Error executing action "List Entity Breaches". Reason: Catalog {catalog name} was not found in SpyCloud. Please check the spelling. ''.format(error.Stacktrace) | General |
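The entity handling described in this action (a Username that matches the email regex is looked up as an email address, a URL is reduced to its domain, each entity gets at most "Max Breaches To Return" records, and the was_breached enrichment and the two non-failing output messages are derived from what came back) is easy to get wrong in a playbook. The Python below is an added example that is not the integration's own code: it classifies a list of (identifier, entity type) pairs using the entity type names from this page, matches them against constructed breach records modelled on the JSON result above (credential fields omitted), and builds the enrichment and output message. The email regex, the choice of record field each lookup is compared against (email, ip_addresses, domain, email_username), the lowercasing of emails and domains, and the empty success message are all assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Loose e-mail shape check; an assumption, the page only says "matches email regex".
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed breach records, modelled on the List Entity Breaches JSON result above
# (credential fields left out; only the fields used for matching are kept).
SAMPLE_BREACHES = [
    {"document_id": "constructed-doc-1", "email": "zena19@example.com",
     "email_username": "zena19", "domain": "example.com",
     "ip_addresses": ["118.71.221.126"], "spycloud_publish_date": "2021-06-03T00:00:00Z"},
    {"document_id": "constructed-doc-2", "email": "alice@example.com",
     "email_username": "alice", "domain": "example.com",
     "ip_addresses": ["10.0.0.5"], "spycloud_publish_date": "2021-06-04T00:00:00Z"},
]


def classify_entity(identifier, entity_type):
    """Map a SOAR entity to the lookup the action performs, or None if unsupported.

    Returns (lookup_type, value): a Username that looks like an e-mail address becomes an
    Email Address lookup, and a URL is reduced to its domain part.
    """
    if entity_type == "IP Address":
        try:
            ipaddress.ip_address(identifier)
        except ValueError:
            return None  # not a parseable address, so nothing to look up
        return ("IP Address", identifier)
    if entity_type == "Username":
        if EMAIL_RE.match(identifier):
            return ("Email Address", identifier.lower())
        return ("Username", identifier)
    if entity_type == "Email Address":
        return ("Email Address", identifier.lower())
    if entity_type == "URL":
        # urlparse needs a scheme or leading "//" to recognise the host part.
        target = identifier if "//" in identifier else "//" + identifier
        host = urlparse(target).hostname
        return ("Domain", host.lower()) if host else None
    if entity_type == "Domain":
        return ("Domain", identifier.lower())
    return None


def breach_matches(breach, lookup_type, value):
    """Compare the lookup value against the record field it corresponds to (assumed mapping)."""
    if lookup_type == "Email Address":
        return breach.get("email", "").lower() == value
    if lookup_type == "IP Address":
        return value in breach.get("ip_addresses", [])
    if lookup_type == "Domain":
        return breach.get("domain", "").lower() == value
    return breach.get("email_username") == value


def list_entity_breaches(entities, breaches, max_breaches=1):
    """Collect up to max_breaches records per supported entity, keyed by identifier."""
    results = {}
    for identifier, entity_type in entities:
        lookup = classify_entity(identifier, entity_type)
        if lookup is None:
            continue  # unsupported entity: the action does not run on it
        matched = [b for b in breaches if breach_matches(b, *lookup)]
        results[identifier] = matched[:max_breaches]
    return results


def enrich(results):
    """Enrichment table: was_breached reflects whether any record came back for the entity."""
    return {identifier: {"was_breached": bool(found)} for identifier, found in results.items()}


def output_message(results):
    """Return (is_success, message) using the page's documented non-failing wording."""
    missing = [identifier for identifier, found in results.items() if not found]
    if results and len(missing) == len(results):
        return False, "No information about breaches was found for the provided entities."
    message = ""  # the page does not document the all-success wording
    if missing:
        message = ("Action wasn't able to find breaches for the following entities in "
                   "SpyCloud: " + ", ".join(missing))
    return True, message


if __name__ == "__main__":
    entities = [("zena19@example.com", "Username"), ("https://example.com/login", "URL"),
                ("nobody@example.org", "Email Address")]
    found = list_entity_breaches(entities, SAMPLE_BREACHES, max_breaches=2)
    print(enrich(found))
    print(output_message(found))
```

Because the action caps results per entity rather than overall, a Domain entity covering a large breached domain will hit "Max Breaches To Return" long before an individual email does; raising the cap for domain lookups is usually what a triage playbook wants.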