Incoming feed - SpyCloud Watchlist Ingest

This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.


Transport type

SpyCloud Watchlist Ingest

Content type

SpyCloud Breach Data JSON

Ingested data

Incident and breach data, along with relevant context.

Processed data

Incident entities focusing on security breaches and account takeovers, CIQ entities, CybOX observables, and related observables.

When available, context metadata include targeted victim, affected assets, and geolocation details.


Retrieve and process information to prevent security breaches and account takeovers (ATO) from the SpyCloud Enterprise API.


Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select SpyCloud Watchlist Ingest.

  3. From the Content type drop-down menu, select SpyCloud Breach Data JSON.
    The SpyCloud Watchlist Ingest transport type supports only the SpyCloud Breach Data JSON content type.
    The organization providing the source data for the incoming feed is SpyCloud.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value:

  5. In the API key field, enter the SpyCloud Enterprise Enter the API key to access the intelligence provider API and to consume the available services through their API endpoints.

  6. Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time to fetch content from the intelligence provider/data source starting from a specific date in the past.
    Default value: 60 days/2 months in the past from the current time (now).

    • Format: dd.MM.yyyy hh:mm:ss.

    • Example: 07.02.2017 23:00:00.

  7. To store your changes, click Save; to discard them, click Cancel.

Additional information

Retrieved information on data breaches is saved to the platform as incidents, indicators, and TTPs.

Retrieved personal data related to a victim is saved to the platform as CIQ 3.0-compliant identity type objects.
CIQ identity objects are ingested as Victim characteristics of an incident entity.

Ingested data

Resulting entities

Data breach information:

  • IP addresses

  • Target domains

  • Target email addresses

  • Compromised passwords

  • Compromised user names/handles

  • Compromised user system domains

  • Phone numbers

  • Addresses

  • ZIP codes

  • Cities

  • Incidents

    • Security compromise defaults to Yes

    • Characteristic: Victim

    • Characteristic: Affected asset

    • Characteristic: Impact

  • Related observables

  • Indicators

  • Related observables: email, user name

  • Domain TTPs: domains, IP addresses

  • Targeted victim TTPs: email, user name, or full name of the victim

  • Related observables
    (Relationship type: Targeted victim)

  • Relationships from indicators to incidents

  • Relationships from domain TTPs to targeted victim TTPs

  • Default TLP color code: RED

See also