SpyCloud Enterprise Protection

Details
Content
Dependencies
Version History

Create breach and malware incidents in Cortex® XSOAR™ using the SpyCloud Enterprise Protection API. Provide enrichment for domains, IPs, emails, usernames, and passwords.

What does this pack do?

SpyCloud’s data includes stolen assets from third-party breaches, malware victim logs, and other sources on the darknet. With the SpyCloud Enterprise API you can automate your exposed assets to be pulled in as incidents in Cortex® XSOAR™. These incidents can trigger two different sample playbooks to be used to triage SpyCloud breach record and malware alerts.

Additionally, the integration includes enrichment commands (along with sample Enrichment Playbooks) that can be used to look up specific details using the standard enterprise endpoints, including:

Watchlist
Domain
Email
IP Addresses
Username
Password

SpyCloud Compass users can also perform enrichment from additional endpoints, including:

Malware-infected devices
Exposed corporate applications (e.g., SSO, collaboration tools, CRM, etc.)

What does this pack do?

Additionally, the integration includes enrichment commands (along with sample Enrichment Playbooks) that can be used to look up specific details using the standard enterprise endpoints, including:

Watchlist
Domain
Email
IP Addresses
Username
Password

SpyCloud Compass users can also perform enrichment from additional endpoints, including:

Malware-infected devices
Exposed corporate applications (e.g., SSO, collaboration tools, CRM, etc.)

Classifiers

Name	Description
SpyCloud - Classifier
SpyCloud - Incoming Mapper

Incident Fields

Name	Description
SpyCloud Email Domain
SpyCloud User Browser
SpyCloud Publish Date
SpyCloud User SYS Registered Owner
SpyCloud Target Domain
SpyCloud Infected Machine ID
SpyCloud Password
SpyCloud Confidence
SpyCloud Target Subdomain
SpyCloud User System Domain
SpyCloud Email Username
SpyCloud Document ID
SpyCloud Password Plaintext
SpyCloud Compass Device-Data
SpyCloud Password Type
SpyCloud Record Modification Date

Incident Types

Name	Description
SpyCloud Informative Data
SpyCloud Malware Data
SpyCloud Breach Data

Integrations

Name	Description
SpyCloud Enterprise Protection Enrichment (Partner Contribution)	Integrate the SpyCloud Enterprise Protection API to use enrichment commands (along with sample Enrichment Playbooks) to look up your watchlists, domains, emails, IP addresses, usernames, and passwords. Data for malware-infected devices and exposed corporate applications are available for SpyCloud Compass users.
SpyCloud Enterprise Protection Feed (Partner Contribution)	Fetch SpyCloud watchlist data (breach and malware records) for daily monitoring, incident response, and mitigation.

Layouts

Name	Description
SpyCloud Malware Layout
SpyCloud Breach Layout
SpyCloud Informative Layout

Playbooks

Name	Description
SpyCloud - Breach Investigation	SpyCloud Breach playbook gets executed on the occurrence of the incident SpyCloud Breach Data type.
SpyCloud - Malware Incident Enrichment	SpyCloud Malware Playbook executes the spycloud-compass-device-data command when any incident of the SpyCloud Malware Data type is created, and sets the corresponding incident field.

Classifiers

Name	Description
SpyCloud - Classifier
SpyCloud - Incoming Mapper

Incident Fields

Name	Description
SpyCloud Email Username
SpyCloud User Browser
SpyCloud User System Domain
SpyCloud Confidence
SpyCloud Record Modification Date
SpyCloud Password Plaintext
SpyCloud User SYS Registered Owner
SpyCloud Document ID
SpyCloud Target Domain
SpyCloud Password
SpyCloud Password Type
SpyCloud Publish Date
SpyCloud Email Domain
SpyCloud Target Subdomain
SpyCloud Compass Device-Data
SpyCloud Infected Machine ID

Incident Types

Name	Description
SpyCloud Malware Data
SpyCloud Breach Data
SpyCloud Informative Data

Integrations

Name	Description
SpyCloud Enterprise Protection Feed (Partner Contribution)	Fetch SpyCloud watchlist data (breach and malware records) for daily monitoring, incident response, and mitigation.
SpyCloud Enterprise Protection Enrichment (Partner Contribution)	Integrate the SpyCloud Enterprise Protection API to use enrichment commands (along with sample Enrichment Playbooks) to look up your watchlists, domains, emails, IP addresses, usernames, and passwords. Data for malware-infected devices and exposed corporate applications are available for SpyCloud Compass users.

Playbooks

Name	Description
SpyCloud - Malware Alert Enrichment	SpyCloud Malware Playbook executes the spycloud-compass-device-data command when any alert of the SpyCloud Malware Data type is created, and sets the corresponding alert field.
SpyCloud - Breach Investigation	SpyCloud Breach playbook gets executed on the occurrence of the alert SpyCloud Breach Data type.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

All level dependencies (4)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.0.10 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

1.0.9 - 6886819 (January 26, 2026)

Integrations

SpyCloud Enterprise Protection Feed

Updates to support new since and until date formats
Bug fixes to "since_modification" and "until_modification"
User agent updated.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42230
- 42815

Download

1.0.8 - 5794368 (November 9, 2025)

Integrations

SpyCloud Enterprise Protection Feed

Documentation and metadata improvements..

Related pull requests:
- 41745
- 41851

Download

1.0.7 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.0.6 - 5145026 (September 28, 2025)

Integrations

SpyCloud Enterprise Protection Enrichment

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SpyCloud Enterprise Protection Feed

Added support for Fetch Limit parameter that allows the number of incidents captured at a single time. by default this is set to 200.
Added support for Domain Search parameter that allows to filter watchlist on domains basis, if left empty, your full watchlist will be pulled.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Related pull requests:
- 41379
- 41143

Download

1.0.5 - 4770511 (September 4, 2025)

Integrations

SpyCloud Enterprise Protection Feed

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SpyCloud Enterprise Protection Enrichment

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

1.0.4 - R3414854 (May 15, 2025)

Integrations

SpyCloud Enterprise Protection Enrichment

Metadata and documentation improvements.

SpyCloud Enterprise Protection Feed

Metadata and documentation improvements.

Related pull requests:
- 39225

Download

1.0.3 - R2989425 (March 26, 2025)

Integrations

SpyCloud Enterprise Protection Enrichment

Updated the Docker image to: demisto/python3:3.11.10.115186.

SpyCloud Enterprise Protection Feed

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

1.0.10 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

1.0.9 - 6886819 (January 26, 2026)

Integrations

SpyCloud Enterprise Protection Feed

Updates to support new since and until date formats
Bug fixes to "since_modification" and "until_modification"
User agent updated.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42230
- 42815

Download

1.0.8 - 5794368 (November 9, 2025)

Integrations

SpyCloud Enterprise Protection Feed

Documentation and metadata improvements..

Related pull requests:
- 41745
- 41851

Download

1.0.7 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.0.6 - 5158591 (September 28, 2025)

Integrations

SpyCloud Enterprise Protection Enrichment

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SpyCloud Enterprise Protection Feed

Added support for Fetch Limit parameter that allows the number of incidents captured at a single time. by default this is set to 200.
Added support for Domain Search parameter that allows to filter watchlist on domains basis, if left empty, your full watchlist will be pulled.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Related pull requests:
- 41379
- 41143

Download

1.0.5 - 4761438 (September 4, 2025)

Integrations

SpyCloud Enterprise Protection Feed

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SpyCloud Enterprise Protection Enrichment

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

1.0.4 - R3414854 (May 15, 2025)

Integrations

SpyCloud Enterprise Protection Enrichment

Metadata and documentation improvements.

SpyCloud Enterprise Protection Feed

Metadata and documentation improvements.

Related pull requests:
- 39225

Download

1.0.3 - R2989425 (March 26, 2025)

Integrations

SpyCloud Enterprise Protection Enrichment

Updated the Docker image to: demisto/python3:3.11.10.115186.

SpyCloud Enterprise Protection Feed

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	February 12, 2024
Last Release	March 22, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

SpyCloud Enterprise Protection Enrichment

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.