Flashpoint | Marketplace

Details
Content
Dependencies
Version History

Use the Flashpoint integration to reduce business risk.

Use the Flashpoint integration to reduce business risk. Flashpoint allows users to ingest alerts and compromised credentials as incident alerts and executes commands such as search intelligence report, ip, url, get events, and more.

What does this pack do?

The actions in this pack helps you to determine risks and help to remediate tasks using playbook:

Get alerts, compromised credentials, forum details, event details, report and reputation information.
Investigate compromised credentials incident.

Playbook

Compromised Credentials Match - Flashpoint: It authenticates and expires the credentials and sends an email alert.

For more information, visit our Flashpoint Developer Documentation

What does this pack do?

The actions in this pack helps you to determine risks and help to remediate tasks using playbook:

Get alerts, compromised credentials, forum details, event details, report and reputation information.
Investigate compromised credentials incident.

Playbook

Compromised Credentials Match - Flashpoint: It authenticates and expires the credentials and sends an email alert.

For more information, visit our Flashpoint Developer Documentation

Classifiers

Name	Description
Flashpoint Alerts - Incoming Mapper	Incoming Mapper for Flashpoint Alerts
Flashpoint Compromised Credentials - Incoming Mapper	Incoming Mapper for Flashpoint Compromised Credentials
Ignite Alert - Incoming Mapper	The incoming mapper for the Ignite Alert.

Incident Fields

Name	Description
Flashpoint Affected Domain	Affected domain of the IoC.
Flashpoint Media Storage URI	Storage URI of Flashpoint alert resource's media.
Flashpoint Image Safe Search
Flashpoint Source Basetypes	The type of the alert.
Flashpoint Title	The title of the alert.
Flashpoint Native ID	The ID used by the original site for the resource.
Flashpoint Alert Text	The body of the alert.
Flashpoint Ports	Ports of the FLahpoint alert asset
Flashpoint Last Observed Date	If exists, time object for when the credential was previously observed. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint ID	The Flashpoint ID of the alert.
Flashpoint Source Owner	Author of the repo.
Flashpoint Shodan Host	Information about Shodan Host
Flashpoint Status	status of flashpoint alert.
Flashpoint Container	Container of Flashpoint alert resource
Flashpoint Victim	Victim of the breach.
Flashpoint Data Type
Flashpoint Source URL	Link to the alerted source.
Flashpoint Site Title	The original site or platform where the resource was published.
Flashpoint Header Indexed At Date	Timestamp for when this document was indexed into the Flashpoint database.
Flashpoint Sort Date	Sort date of the alert.
Flashpoint Site Actor Name	Actor name of Flashpoint alert's resource's site.
Flashpoint Password Information	The information about password complexity of the credential.
Flashpoint Is Fresh	This will be "true" if the credential has not been seen before, and it hasn't been marked "not fresh" by an analyst.
Flashpoint Generated Date	Generated Timestamp of Flashpoint alert
Flashpoint Site Native ID	Native ID of Site actor of flashpoint alert's resource.
Flashpoint Source ID	ID of flashpoint Source.
Flashpoint Site Actor Names	The handle of the user who created the message, authored the blog post, or posted a product for sale.
Flashpoint First Observed Date	The first observed date of the alert. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Reason Name
Flashpoint Source Snippet	Snippet of flashppoint alert
Flashpoint Reason Type
Flashpoint Phash	Phash of Flashpoint alert's resource's media.
Flashpoint Source Name	Name of flashpoint alert resource
Flashpoint Read Status
Flashpoint Entity Type
Flashpoint Parent Data Type
Flashpoint Compromised Password	The password for the credential (in plain text, if possible).
Flashpoint Source	Code repository platform.
Flashpoint Reason Sources
Flashpoint Source Repo	Repository name.
Flashpoint Reason ID	ID of Flashpoint reason
Flashpoint Entity Name
Flashpoint Link to Alert	The link of the alert.
Flashpoint Services	Services of the FLahpoint alert asset
Flashpoint Compromised Email	The email address for the compromised credential.
Flashpoint Entity ID
Flashpoint Password Probable Hash Algorithms	The probable hash algorithm information of the password.
Flashpoint Breach Source	Data source of breach (i.e. Analyst Research, CredentialStealer, etc.).
Flashpoint Source Sort Date	Sort Date of Flashpoint alert's resource.
Flashpoint Parent Basetypes	Basetypes of Flashpoint alert's parent
Flashpoint Breach Source Type	Type of source of the breach.
Flashpoint Keyword Text	The value of the keyword.
Flashpoint Source File	File name for the matched alert.
Flashpoint Resource URL	URL of Flashpoint Alert.
Flashpoint Alert ID	The ID of the alert.
Flashpoint Reason Text	Reason Text of Flashpoint Alert reason.
Flashpoint Media Type	Media Type of Flashpoint alert's resource's media.
Flashpoint Site Name	Name of Site of Flashpoint Alert's resource.
Flashpoint Created Date	The created date of the alert. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Mime Type	Mime Type of Flashpoint alert's resource's media.
Flashpoint Basetypes
Flashpoint Reason Origin
Flashpoint Source Domain	This is the domain object extracted off of the email address.

Incident Types

Name	Description
Flashpoint Compromised Credentials
Ignite Alert
Flashpoint Alerts

Integrations

Name	Description
Flashpoint (Deprecated) (Partner Contribution)	Deprecated. Use Flashpoint Ignite instead.
Flashpoint Ignite (Partner Contribution)	Use the Ignite integration to reduce business risk. Ignite allows users to ingest alerts and compromised credentials as incident alerts and executes commands such as search intelligence report, ip, url, get events, and more.

Layouts

Name	Description
Flashpoint Compromised Credentials	Flashpoint Compromised Credentials Layout.
Ignite Alert	Ignite Alerts Layout.
Flashpoint Alerts	Flashpoint Alerts Layout.

Playbooks

Name	Description
Compromised Credentials Match - Flashpoint	The Compromised Credentials Match playbook uses the details of the compromised credentials ingested from Flashpoint Ignite and authenticates using the Active Directory integration by providing the compromised credentials of the user. It then expires the credentials if it matches, and sends an email alert about the breach. Supported integrations: Flashpoint OpenLDAP Active Directory Query v2

Classifiers

Name	Description
Flashpoint Alerts - Incoming Mapper	Incoming Mapper for Flashpoint Alerts
Ignite Alert - Incoming Mapper	The incoming mapper for the Ignite Alert.
Flashpoint Compromised Credentials - Incoming Mapper	Incoming Mapper for Flashpoint Compromised Credentials

Incident Fields

Name	Description
Flashpoint ID	The Flashpoint ID of the alert.
Flashpoint Container	Container of Flashpoint alert resource
Flashpoint Source	Code repository platform.
Flashpoint Image Safe Search
Flashpoint Source Sort Date	Sort Date of Flashpoint alert's resource.
Flashpoint Entity ID
Flashpoint Reason Type
Flashpoint Services	Services of the FLahpoint alert asset
Flashpoint Ports	Ports of the FLahpoint alert asset
Flashpoint Site Title	The original site or platform where the resource was published.
Flashpoint Alert ID	The ID of the alert.
Flashpoint First Observed Date	The first observed date of the alert. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Compromised Password	The password for the credential (in plain text, if possible).
Flashpoint Entity Type
Flashpoint Password Probable Hash Algorithms	The probable hash algorithm information of the password.
Flashpoint Source Basetypes	The type of the alert.
Flashpoint Compromised Email	The email address for the compromised credential.
Flashpoint Affected Domain	Affected domain of the IoC.
Flashpoint Breach Source	Data source of breach (i.e. Analyst Research, CredentialStealer, etc.).
Flashpoint Source URL	Link to the alerted source.
Flashpoint Generated Date	Generated Timestamp of Flashpoint alert
Flashpoint Site Name	Name of Site of Flashpoint Alert's resource.
Flashpoint Data Type
Flashpoint Breach Source Type	Type of source of the breach.
Flashpoint Source Domain	This is the domain object extracted off of the email address.
Flashpoint Media Type	Media Type of Flashpoint alert's resource's media.
Flashpoint Source Owner	Author of the repo.
Flashpoint Reason ID	ID of Flashpoint reason
Flashpoint Victim	Victim of the breach.
Flashpoint Source Name	Name of flashpoint alert resource
Flashpoint Read Status
Flashpoint Reason Text	Reason Text of Flashpoint Alert reason.
Flashpoint Resource URL	URL of Flashpoint Alert.
Flashpoint Reason Sources
Flashpoint Mime Type	Mime Type of Flashpoint alert's resource's media.
Flashpoint Source Repo	Repository name.
Flashpoint Phash	Phash of Flashpoint alert's resource's media.
Flashpoint Link to Alert	The link of the alert.
Flashpoint Shodan Host	Information about Shodan Host
Flashpoint Reason Name
Flashpoint Site Actor Name	Actor name of Flashpoint alert's resource's site.
Flashpoint Created Date	The created date of the alert. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Site Native ID	Native ID of Site actor of flashpoint alert's resource.
Flashpoint Entity Name
Flashpoint Basetypes
Flashpoint Parent Data Type
Flashpoint Alert Text	The body of the alert.
Flashpoint Site Actor Names	The handle of the user who created the message, authored the blog post, or posted a product for sale.
Flashpoint Source ID	ID of flashpoint Source.
Flashpoint Password Information	The information about password complexity of the credential.
Flashpoint Media Storage URI	Storage URI of Flashpoint alert resource's media.
Flashpoint Status	status of flashpoint alert.
Flashpoint Title	The title of the alert.
Flashpoint Source Snippet	Snippet of flashppoint alert
Flashpoint Is Fresh	This will be "true" if the credential has not been seen before, and it hasn't been marked "not fresh" by an analyst.
Flashpoint Last Observed Date	If exists, time object for when the credential was previously observed. Datetime object formatted as YYYY-mm-ddTHH:MM:SSZ.
Flashpoint Reason Origin
Flashpoint Header Indexed At Date	Timestamp for when this document was indexed into the Flashpoint database.
Flashpoint Keyword Text	The value of the keyword.
Flashpoint Parent Basetypes	Basetypes of Flashpoint alert's parent
Flashpoint Native ID	The ID used by the original site for the resource.
Flashpoint Sort Date	Sort date of the alert.
Flashpoint Source File	File name for the matched alert.

Incident Types

Name	Description
Ignite Alert
Flashpoint Alerts
Flashpoint Compromised Credentials

Integrations

Name	Description
Flashpoint Ignite (Partner Contribution)	Use the Ignite integration to reduce business risk. Ignite allows users to ingest alerts and compromised credentials as incident alerts and executes commands such as search intelligence report, ip, url, get events, and more.
Flashpoint (Deprecated) (Partner Contribution)	Deprecated. Use Flashpoint Ignite instead.

Playbooks

Name	Description
Compromised Credentials Match - Flashpoint	The Compromised Credentials Match playbook uses the details of the compromised credentials ingested from Flashpoint Ignite and authenticates using the Active Directory integration by providing the compromised credentials of the user. It then expires the credentials if it matches, and sends an email alert about the breach. Supported integrations: Flashpoint OpenLDAP Active Directory Query v2

Required Content Packs (4)

Pack Name	Pack By
Active Directory Query	By: Cortex XSOAR
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
LDAP Authentication	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
LDAP Authentication	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Active Directory Query	By: Cortex XSOAR

2.2.1 - 9932353 (June 7, 2026)

Integrations

Flashpoint Ignite

Added support for the Enable Exact Match for IOC Enrichment parameter. Whether to use exact matching for indicator values by default in enrichment commands (ip, domain, file, and url). This behavior can still be overridden for individual commands using the exact_match argument.
Updated the Docker image to: demisto/python3:3.12.13.9059085.

Related pull requests:
- 44545

Download

2.2.0 - 8515806 (April 27, 2026)

Integrations

Flashpoint Ignite

Added support for the flashpoint-ignite-vulnerability-get command that retrieves detailed information about a specific vulnerability by its Flashpoint ID.
Added support for the cve command that retrieves detailed information about a specific CVE by its CVE ID.
Added support for the flashpoint-ignite-vulnerability-list command that lists vulnerabilities using provided filters.
Added support for the flashpoint-ignite-product-list command that lists products using provided filters.
Added support for the flashpoint-ignite-vulnerability-package-list command that retrieves a list of packages that are affected by a particular vulnerability.
Added support for the flashpoint-ignite-vendor-list command that lists vendors using provided filters.
Added support for the flashpoint-ignite-vulnerability-library-list command that retrieves a list of libraries that are affected by a particular vulnerability.
Updated the Docker image to: demisto/python3:3.12.13.7444307.

Related pull requests:
- 44043
- 43613

Download

2.1.7 - 8315166 (April 16, 2026)

Integrations

Flashpoint Ignite

Added the Reputation commands context limit parameter to control the maximum number of entries stored per reputation command result for both relationships (e.g. related IPs) and enrichments (e.g. domains, emails, CVEs).

Related pull requests:
- 43855
- 43786
- 43725
- 43472
- 43845
- 43808
- 43805
- 43813
- 43713
- 43811
- 43830
- 43826
- 43685

Download

2.1.6 - 7827247 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43566

Download

2.1.5 - 7289906 (February 23, 2026)

Integrations

Flashpoint Ignite

Added support for exact_match argument in the domain, ip, url, file commands.
Updated the Docker image to: demisto/python3:3.12.12.6947692.

Related pull requests:
- 43249

Download

2.1.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.1.3 - R5469292 (October 20, 2025)

Integrations

Flashpoint Ignite

Rename the is_ip_internal function to is_ip_address_internal.

Related pull requests:
- 41055

Download

2.1.2 - 4647015 (August 25, 2025)

Integrations

Flashpoint Ignite

Updated the ip command to exclude internal IP addresses.
Updated the Docker image to: demisto/python3:3.12.11.4508456.

Related pull requests:
- 41013

Download

2.1.1 - 4148802 (July 13, 2025)

Integrations

Flashpoint Ignite

Code functionality improvements.

Related pull requests:
- 38886

Download

2.1.0 - R3980324 (June 26, 2025)

Integrations

Flashpoint Ignite

Added the flashpoint-ignite-indicator-get command to retrieve details for specific indicator of types "url", "domain", "file hash", and "ip" using the indicator ID.
Updated the following commands to use the new IOC v2 API:
- ip, domain, url, file and flashpoint-ignite-common-lookup.
- Note: The context paths of the commands have been updated as per the IOC v2 API response.
Added support for the following parameters to filter incoming compromised credentials alerts based on password characteristics:
- Fetch compromised credentials alerts having numbers in password
- Fetch compromised credentials alerts having minimum length of password
- Fetch compromised credentials alerts having uppercase in password
- Fetch compromised credentials alerts having lowercase in password
- Fetch compromised credentials alerts having symbol in password
Fixed an issue where the ip command could return a "NoneType" error.
Deprecated the filename and email command.

Related pull requests:
- 39968
- 40206

Download

2.2.1 - 9932353 (June 7, 2026)

Integrations

Flashpoint Ignite

Added support for the Enable Exact Match for IOC Enrichment parameter. Whether to use exact matching for indicator values by default in enrichment commands (ip, domain, file, and url). This behavior can still be overridden for individual commands using the exact_match argument.
Updated the Docker image to: demisto/python3:3.12.13.9059085.

Related pull requests:
- 44545

Download

2.2.0 - 8542515 (April 28, 2026)

Integrations

Flashpoint Ignite

Added support for the flashpoint-ignite-vulnerability-get command that retrieves detailed information about a specific vulnerability by its Flashpoint ID.
Added support for the cve command that retrieves detailed information about a specific CVE by its CVE ID.
Added support for the flashpoint-ignite-vulnerability-list command that lists vulnerabilities using provided filters.
Added support for the flashpoint-ignite-product-list command that lists products using provided filters.
Added support for the flashpoint-ignite-vulnerability-package-list command that retrieves a list of packages that are affected by a particular vulnerability.
Added support for the flashpoint-ignite-vendor-list command that lists vendors using provided filters.
Added support for the flashpoint-ignite-vulnerability-library-list command that retrieves a list of libraries that are affected by a particular vulnerability.
Updated the Docker image to: demisto/python3:3.12.13.7444307.

Related pull requests:
- 44043
- 43613

Download

2.1.7 - 8315166 (April 16, 2026)

Integrations

Flashpoint Ignite

Added the Reputation commands context limit parameter to control the maximum number of entries stored per reputation command result for both relationships (e.g. related IPs) and enrichments (e.g. domains, emails, CVEs).

Related pull requests:
- 43855
- 43786
- 43725
- 43472
- 43845
- 43808
- 43805
- 43813
- 43713
- 43811
- 43830
- 43826
- 43685

Download

2.1.6 - 7827247 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43566

Download

2.1.5 - 7289906 (February 23, 2026)

Integrations

Flashpoint Ignite

Added support for exact_match argument in the domain, ip, url, file commands.
Updated the Docker image to: demisto/python3:3.12.12.6947692.

Related pull requests:
- 43249

Download

2.1.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.1.3 - R5469292 (October 20, 2025)

Integrations

Flashpoint Ignite

Rename the is_ip_internal function to is_ip_address_internal.

Related pull requests:
- 41055

Download

2.1.2 - 4647015 (August 25, 2025)

Integrations

Flashpoint Ignite

Updated the ip command to exclude internal IP addresses.
Updated the Docker image to: demisto/python3:3.12.11.4508456.

Related pull requests:
- 41013

Download

2.1.1 - 4148802 (July 13, 2025)

Integrations

Flashpoint Ignite

Code functionality improvements.

Related pull requests:
- 38886

Download

2.1.0 - R3980324 (June 26, 2025)

Integrations

Flashpoint Ignite

Added the flashpoint-ignite-indicator-get command to retrieve details for specific indicator of types "url", "domain", "file hash", and "ip" using the indicator ID.
Updated the following commands to use the new IOC v2 API:
- ip, domain, url, file and flashpoint-ignite-common-lookup.
- Note: The context paths of the commands have been updated as per the IOC v2 API response.
Added support for the following parameters to filter incoming compromised credentials alerts based on password characteristics:
- Fetch compromised credentials alerts having numbers in password
- Fetch compromised credentials alerts having minimum length of password
- Fetch compromised credentials alerts having uppercase in password
- Fetch compromised credentials alerts having lowercase in password
- Fetch compromised credentials alerts having symbol in password
Fixed an issue where the ip command could return a "NoneType" error.
Deprecated the filename and email command.

Related pull requests:
- 39968
- 40206

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	November 25, 2020
Last Release	June 7, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.