Enricher - SpyCloud Breach Data#


This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.


Enricher name

SpyCloud Breach Data


Domain, email, handle, IP addresses (ipv4 and ipv6).


Enriches supported observable types and incident entities with account takeover (ATO) and security breach details. Generates Cybox observables, related observables, and CIQ identity objects.

API endpoint



Enriches supported observable types, as well as incident entities, with information about account takeover and security breaches, such as a description of the incident, targeted organization(s), type(s) and number of stolen records — for example, leaked or stolen assets or user access credentials — as well as when the records were made public or put for sale on the Internet.

Each entry in a breach description — for example, an entry of a breached database containing login credentials (user name, password, and email address) — is a breach record.

The SpyCloud Breach Data enricher uses input data such as IP addresses, domain names, email addresses and user access credentials to return incident and security breach information that is processed as incident entities, related observables, and enrichment observables.


Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials to access the API endpoint exposing the service.

Configure the enricher parameters#

  1. Edit the enricher.

  2. From the Observable types drop-down, select one or more observable types you want to enrich with data retrieved through the enricher. Supported observable types:

  3. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://api.spycloud.io/sp-v1/breach.

  4. In the API key field, enter your API key.

  5. You can use the Enrich incidents starting from drop-down calendar to select an initial date and, where available, an initial time to fetch content from the intelligence provider/data source starting from a specific date in the past.
    Default value: 60 days/2 months in the past from the current time (now).

    • Format: dd.MM.yyyy hh:mm:ss.

    • Example: 07.02.2017 23:00:00.

  6. To store your changes, click Save; to discard them, click Cancel.

Additional information#

The SpyCloud Breach Data enricher augments existing incident entities.

If no matching incidents exist in the platform, it creates new incidents from the retrieved enrichment data.

When it retrieves personal data related to a victim, it checks if such information already exists in the platform.
Otherwise, it creates CIQ 3.0 identity type objects.

CIQ identity objects are ingested as Victim characteristics of an incident entity.

If the enrichment package includes relevant IP addresses, they are ingested as enrichment observables related to the incident.