Incoming feed - SpyCloud Breach API
This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.
Specifications

| Transport type | SpyCloud Breach API |
| Content type | SpyCloud JSON |
| Ingested data | Incident and breach data, along with relevant context. |
| Processed data | Incident entities focusing on security breaches and account takeovers, CIQ entities, CybOX observables, related observables. |
| Description | Retrieve and process information on incidents, security breaches, and account takeovers (ATO). |
Requirements
Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials.
Configure the incoming feed
Create or edit an incoming feed.
From the Transport type drop-down menu, select SpyCloud Breach API.
From the Content type drop-down menu, select SpyCloud JSON.
The SpyCloud Breach API transport type supports only the SpyCloud JSON content type.
The organization providing the source data for the incoming feed is SpyCloud.
The API URL field is automatically filled in with the default domain for the endpoint.
You can add a proxy or set up ports according to your needs.
Default value: https://api.spycloud.io/sp-v1/breach/
In the API key field, enter the API key to access the intelligence provider API and to consume the available services through their API endpoints.
Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time. Content is fetched from the intelligence provider/data source starting from this date in the past.
Default value: 60 days/2 months in the past from the current time (now).
Format: dd.MM.yyyy hh:mm:ss.
Example: 07.02.2017 23:00:00.
To store your changes, click Save; to discard them, click Cancel.
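The following pre-flight check for the values entered in the steps above is an added example, not code from the platform or from SpyCloud. The dictionary keys (`api_url`, `api_key`, `start`) are hypothetical, the host check assumes the feed uses the default endpoint, and the time is parsed as 24-hour because the page's example uses 23:00:00.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

DEFAULT_API_URL = "https://api.spycloud.io/sp-v1/breach/"  # default value from this page
START_FORMAT = "%d.%m.%Y %H:%M:%S"  # dd.MM.yyyy hh:mm:ss, 24-hour as in the page's example
DEFAULT_LOOKBACK = timedelta(days=60)


def parse_start(value, now):
    """Return the 'Start ingesting from' datetime; empty means 60 days before now."""
    if not value or not value.strip():
        return now - DEFAULT_LOOKBACK
    start = datetime.strptime(value.strip(), START_FORMAT)  # ValueError on wrong format
    if start > now:
        raise ValueError("start date is in the future")
    return start


def check_feed(config, now):
    """Return a list of problems found in a feed configuration dict (hypothetical keys)."""
    problems = []
    url = urlsplit(config.get("api_url", ""))
    expected = urlsplit(DEFAULT_API_URL)
    if url.scheme != "https":
        problems.append("API URL must use https: the API key is sent to it")
    if url.hostname != expected.hostname:
        problems.append(f"API URL host {url.hostname!r} is not {expected.hostname!r}")
    if url.username or url.password:
        problems.append("API URL must not embed credentials")
    key = config.get("api_key", "")
    if not key or key != key.strip():
        problems.append("API key is empty or has surrounding whitespace")
    try:
        parse_start(config.get("start", ""), now)
    except ValueError as exc:
        problems.append(f"Start ingesting from: {exc}")
    return problems


# Constructed sample configurations; the key is a placeholder, not a real credential.
NOW = datetime(2017, 4, 8, 12, 0, 0)
GOOD = {"api_url": DEFAULT_API_URL, "api_key": "EXAMPLE-KEY", "start": "07.02.2017 23:00:00"}
BAD = {"api_url": "http://api.spycloud.io.example/sp-v1/breach/", "api_key": " ",
       "start": "2017-02-07 23:00"}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_feed(cfg, NOW) or "ok")
```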
Additional information
Retrieved information on data breaches is saved to the platform as incidents, indicators, and TTPs.
Retrieved personal data related to a victim is saved to the platform as CIQ 3.0-compliant identity type objects.
CIQ identity objects are ingested as Victim characteristics of an incident entity.
Ingested data |
Resulting entities |
Data breach information:
|
|