SpyCloud Enterprise Protection

Details
Content
Dependencies
Version History

Create breach and malware incidents in Cortex® XSOAR™ using the SpyCloud Enterprise Protection API. Provide enrichment for domains, IPs, emails, usernames, and passwords.

What does this pack do?

SpyCloud’s data includes stolen assets from third-party breaches, malware victim logs, and other sources on the darknet. With the SpyCloud Enterprise API you can automate your exposed assets to be pulled in as incidents in Cortex® XSOAR™. These incidents can trigger two different sample playbooks to be used to triage SpyCloud breach record and malware alerts.

Additionally, the integration includes enrichment commands (along with sample Enrichment Playbooks) that can be used to look up specific details using the standard enterprise endpoints, including:

Watchlist
Domain
Email
IP Addresses
Username
Password

SpyCloud Compass users can also perform enrichment from additional endpoints, including:

Malware-infected devices
Exposed corporate applications (e.g., SSO, collaboration tools, CRM, etc.)

What does this pack do?

Additionally, the integration includes enrichment commands (along with sample Enrichment Playbooks) that can be used to look up specific details using the standard enterprise endpoints, including:

Watchlist
Domain
Email
IP Addresses
Username
Password

SpyCloud Compass users can also perform enrichment from additional endpoints, including:

Malware-infected devices
Exposed corporate applications (e.g., SSO, collaboration tools, CRM, etc.)

Classifiers

Name	Description
SpyCloud - Classifier
SpyCloud - Incoming Mapper

Incident Fields

Name	Description
SpyCloud Document ID
SpyCloud Target Domain
SpyCloud Confidence
SpyCloud Password Type
SpyCloud User Browser
SpyCloud Compass Device-Data
SpyCloud Publish Date
SpyCloud Target Subdomain
SpyCloud User SYS Registered Owner
SpyCloud User System Domain
SpyCloud Email Domain
SpyCloud Password Plaintext
SpyCloud Email Username
SpyCloud Infected Machine ID
SpyCloud Password
SpyCloud Record Modification Date

Incident Types

Name	Description
SpyCloud Breach Data
SpyCloud Informative Data
SpyCloud Malware Data

Integrations

Name	Description
SpyCloud Enterprise Protection Enrichment (Partner Contribution)	Integrate the SpyCloud Enterprise Protection API to use enrichment commands (along with sample Enrichment Playbooks) to look up your watchlists, domains, emails, IP addresses, usernames, and passwords. Data for malware-infected devices and exposed corporate applications are available for SpyCloud Compass users.
SpyCloud Enterprise Protection Feed (Partner Contribution)	Fetch SpyCloud watchlist data (breach and malware records) for daily monitoring, incident response, and mitigation.

Layouts

Name	Description
SpyCloud Malware Layout
SpyCloud Breach Layout
SpyCloud Informative Layout

Playbooks

Name	Description
SpyCloud - Malware Incident Enrichment	SpyCloud Malware Playbook executes the spycloud-compass-device-data command when any incident of the SpyCloud Malware Data type is created, and sets the corresponding incident field.
SpyCloud - Breach Investigation	SpyCloud Breach playbook gets executed on the occurrence of the incident SpyCloud Breach Data type.

Classifiers

Name	Description
SpyCloud - Classifier
SpyCloud - Incoming Mapper

Incident Fields

Name	Description
SpyCloud Email Username
SpyCloud Email Domain
SpyCloud Password Type
SpyCloud Publish Date
SpyCloud Document ID
SpyCloud Password Plaintext
SpyCloud User SYS Registered Owner
SpyCloud User System Domain
SpyCloud User Browser
SpyCloud Target Subdomain
SpyCloud Compass Device-Data
SpyCloud Target Domain
SpyCloud Infected Machine ID
SpyCloud Password
SpyCloud Record Modification Date
SpyCloud Confidence

Incident Types

Name	Description
SpyCloud Malware Data
SpyCloud Informative Data
SpyCloud Breach Data

Integrations

Name	Description
SpyCloud Enterprise Protection Feed (Partner Contribution)	Fetch SpyCloud watchlist data (breach and malware records) for daily monitoring, incident response, and mitigation.
SpyCloud Enterprise Protection Enrichment (Partner Contribution)	Integrate the SpyCloud Enterprise Protection API to use enrichment commands (along with sample Enrichment Playbooks) to look up your watchlists, domains, emails, IP addresses, usernames, and passwords. Data for malware-infected devices and exposed corporate applications are available for SpyCloud Compass users.

Playbooks

Name	Description
SpyCloud - Breach Investigation	SpyCloud Breach playbook gets executed on the occurrence of the alert SpyCloud Breach Data type.
SpyCloud - Malware Alert Enrichment	SpyCloud Malware Playbook executes the spycloud-compass-device-data command when any alert of the SpyCloud Malware Data type is created, and sets the corresponding alert field.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

All level dependencies (3)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

PUBLISHER

SpyCloud

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	February 12, 2024
Last Release	April 7, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

SpyCloud Enterprise Protection Enrichment

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

SpyCloud Enterprise Protection

What does this pack do?

What does this pack do?

Integrations

SpyCloud Enterprise Protection Enrichment

Integrations

SpyCloud Enterprise Protection Enrichment

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER