SpyCloud Dark Web Monitoring Events and Alarms

Overview
USM Anywhere Architecture
USM Anywhere Data Security
USM Anywhere Log Data Enhancement
USM Anywhere Quick Start Guides
USM Anywhere Deployment Guide
USM Anywhere User Guides
USM Anywhere Agents Guide
USM Anywhere BlueApps Guide
- Overview
- BlueApps UI
- Advanced BlueApps Best Practices
- BlueApps and Data Sources
- Assign Assets to BlueApps
- Events Created When BlueApps Stop Receiving Data
- BlueApps Parser Syntax
- Advanced BlueApps
  - Overview
  - BlueApp for Akamai Enterprise Application Access
  - BlueApp for Akamai Enterprise Threat Protector
  - BlueApp for LevelBlue Forensics and Response
  - BlueApp for LevelBlue Secure Remote Gateway
  - BlueApp for Box
  - BlueApp for VMWare Carbon Black Cloud
  - BlueApp for Carbon Black EDR
  - BlueApp for Check Point
  - BlueApp for Cisco Duo
  - BlueApp for Cisco Firepower Management
  - BlueApp for Cisco Meraki
  - BlueApp for Cisco Secure Endpoint
  - BlueApp for Cisco Secure Firewall ASA
  - BlueApp for Cisco Umbrella
  - BlueApp for Cloudflare
  - BlueApp for ConnectWise
  - BlueApp for CrowdStrike Falcon
  - BlueApp for DDI Frontline VM
  - BlueApp for Fortinet FortiGate
  - BlueApp for Fortinet FortiManager
  - BlueApp for G Suite
  - BlueApp for Jira
  - BlueApp for Lookout
  - BlueApp for McAfee ePO
  - BlueApp for Microsoft Defender ATP
  - BlueApp for Mimecast Events Collection
  - BlueApp for MobileIron Threat Defense
  - BlueApp for Office 365
  - BlueApp for Okta
  - BlueApp for Oracle Database
  - BlueApp for Palo Alto Networks PAN-OS
  - BlueApp for Palo Alto Networks Panorama
  - BlueApp for Palo Alto Networks Prisma Access
  - BlueApp for Qualys
  - BlueApp for Salesforce
  - BlueApp for SentinelOne
  - BlueApp for ServiceNow
  - BlueApp for Sophos Central
  - BlueApp for SpyCloud Dark Web Monitoring
    - Overview
    - Configuring the BlueApp for SpyCloud Dark Web Monitoring
    - Collecting Your Historical Breach Events
    - SpyCloud Dark Web Monitoring Events and Alarms
  - BlueApp for Tenable.io
  - BlueApp for Zscaler
- BlueApps List
- Custom BlueApps and Log Parsers
- Request for a New BlueApp or Update to an Existing BlueApp

Role Availability | ✔️ Read-Only ✔️ Investigator ✔️ Analyst ✔️ Manager The BlueApp for SpyCloud Dark Web Monitoring monitors reports that breach records of compromised emails from that domain or assetsassociated with it. You can use this information to identify employees and consumers that have malware infections and protect yourself from potential fraud. Malware often captures user credential information, such as usernames and passwords, along with other information and stores the stolen information on command and control (C2) servers. In cases where SpyCloud has recovered C2 data, it will analyze the records and classify them as either infected employee records or infected customer records. For example, if one of the monitored domains is “example.com,” then emails addressed from “[name]@example.com” that indicate a breach would be classified as an “employee” record. If the malware came from an unmonitored external domain, it is then classified as a “customer” record. See the guide on infected users for more information. The following table lists the fields available for SpyCloud events. Examples of SpyCloud Events

Field	Description
Source DNS Domain	Domain name associated with the breach record.
Event Ref Date	The date on which the record entered the SpyCloud systems, in ISO 8601 date-time format.
Source Username	Username associated with the breach record.
Source User Email	The email address associated with the breach record.
Public Breach	A true/false flag that indicates if the breach has been disclosed to the public.
Infected User	A true/false flag that indicates if the credentials were obtained by a keylogger.
Source ID	SpyCloud-generated numerical identifier for the breach in which the credentials were found.
Password Type	The password type identified in the breach record.
IP Addresses	List of one or more IP addresses in alphanumeric format (both IPV4 and IPv6 addresses are supported).
Sighting	(SpyCloud subscriptions only) An integer that indicates the occurrence of a breached credential across the entire SpyCloud breach catalog A value of “3” would indicate that this breach record is the third occurrence of the credential in the catalog.

The BlueApp for SpyCloud Dark Web Monitoring leverages the SpyCloud APIs to retrieve breach records. See the SpyCloud API documentation for more information about the attributes (data fields) it stores in these breach records.

USM Anywhere generates an alarm from one or more of these events using built-in correlation rules, which analyze the events for patterns that indicate a new breach that requires attention and investigation. It generates the alarm as a Security Critical Event with the following assessed breach method:

Credentials Stolen — Public Breach
Credentials Stolen — Private Breach
Credentials Stolen — Infected User

Additional parameters of a generated alarm are determined by the information in the associated events. For example, an alarm will provide different guidance if an event indicates that the compromised credential is from an infected user, because a simple password reset would be an ineffective response in that situation.

To view Dark Web Monitoring events

To view Dark Web Monitoring alarms

Collecting Your Historical Breach Events Overview

USM Anywhere™

USM Central™

Automated Policy Manager

SpyCloud Dark Web Monitoring Events and Alarms