Incoming feed - SpyCloud Watchlist Ingest
Note
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Specifications | |
---|---|
Transport type | SpyCloud Watchlist Ingest |
Content type | SpyCloud Breach Data JSON |
Ingested data | Incident and breach data, along with relevant context. |
Processed data | Incident entities focusing on security breaches and account takeovers, CIQ entities, CybOX observables, and related observables. When available, context metadata include targeted victim, affected assets, and geolocation details. |
Description | Retrieve and process information to prevent security breaches and account takeovers (ATO) from the SpyCloud Enterprise API. |
Requirements
Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials.
Configure the incoming feed
Create or edit an incoming feed.
From the Transport type drop-down menu, select SpyCloud Watchlist Ingest.
From the Content type drop-down menu, select SpyCloud Breach Data JSON.
The SpyCloud Watchlist Ingest transport type supports only the SpyCloud Breach Data JSON content type.
The organization providing the source data for the incoming feed is SpyCloud.
The API URL field is automatically filled in with the default domain for the endpoint.
You can add a proxy or set up ports according to your needs.
Default value: https://api.spycloud.io/enterprise-v1/
In the API key field, enter the SpyCloud Enterprise API key to access the intelligence provider API and to consume the available services through their API endpoints.
Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time to fetch content from the intelligence provider/data source starting from a specific date in the past. Default value: 60 days/2 months in the past from the current time (now).
Format: dd.MM.yyyy hh:mm:ss.
Example: 07.02.2017 23:00:00.
To store your changes, click Save; to discard them, click Cancel.
Additional information
Retrieved information on data breaches is saved to the platform as incidents, indicators, and TTPs.
Retrieved personal data related to a victim is saved to the platform as CIQ 3.0-compliant identity type objects.
CIQ identity objects are ingested as Victim characteristics of an incident entity.
Ingested data | Resulting entities |
---|---|
Data breach information: | |