SpyCloud

About
SpyCloud combines the world’s largest database of breach assets with automated remediation of exposed passwords to scale account takeover prevention for global enterprises.
Product Details
Vendor URL: SpyCloud | Prevent Account Takeover
Product Type: TBD
Product Tier: Tier II
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details
Log Format: JSON
Expected Normalization Rate: Near 100%
Data Label: SPYCLOUD
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| “GENERIC_EVENT” | metadata.event_type |
| “SPYCLOUD” | metadata.product_name |
| “SpyCloud” | metadata.vendor_name |
| Channel | metadata.product_name |
| Data | principal.user.userid, security_result.action, metadata.event_type, security_result.category |
| EventID | security_result.rule_id |
| EventType | security_result.description |
| ExecutionProcessID | security_result.about.labels, key=ExecutionProcessID |
| ExecutionThreadID | security_result.about.labels, key=ExecutionThreadID |
| Hostname | principal.hostname |
| Keywords | additional.fields, key=Keywords |
| Message | security_result.summary |
| Opcode | metadata.description |
| RecordNumber | metadata.product_log_id |
| Severity | security_result.severity |
| SeverityValue | security_result.severity_details |
| SourceModuleName | security_result.about.labels, key=SourceModuleName |
| SourceModuleType | security_result.about.labels, key=SourceModuleType |
| SourceName | metadata.product_event_type |
| TaskValue | security_result.about.labels, key=TaskValue |
Product Event Types
| Product Event | Description | UDM Event |
|---|---|---|
| All | All events | GENERIC_EVENT |
Log Sample

```json
{"EventTime":"2021-11-01T19:44:29.689082-07:00","Hostname":"hostname","Keywords":"key","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":0,"SourceName":"Password Verification Service","TaskValue":0,"RecordNumber":15848,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"SpyCloud","Message":"A password for a user (redacted) has violated a SpyCloud Password Scanner rule (Repeating Character Scanner). The password will be blocked.","Opcode":"Info","Data":"A password for a user (redacted) has violated a SpyCloud Password Scanner rule (Repeating Character Scanner). The password will be blocked.","EventReceivedTime":"2021-11-01T19:44:30.689084-07:00","SourceModuleName":"spyCloud_Directory","SourceModuleType":"im_msvistalog"}
```
Sample Parsing

```
metadata.product_log_id = "11674"
metadata.event_timestamp = "2021-11-04T04:50:52.763Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "SPYCLOUD"
metadata.product_name = "SpyCloud"
metadata.product_event_type = "Password Verification Service"
metadata.description = "Info"
metadata.ingested_timestamp = "2021-11-04T04:52:13.342005Z"
additional.Keywords = "key"
additional.ExecutionThreadID = "0"
additional.ExecutionProcessID = "0"
principal.hostname = "hostname"
principal.user.userid = "redacted"
principal.asset.hostname = "redacted"
security_result.about.labels.key = "SourceModuleName"
security_result.about.labels.value = "spyCloud_Directory"
security_result.about.labels.key = "SourceModuleType"
security_result.about.labels.value = "im_msvistalog"
security_result.about.labels.key = "TaskValue"
security_result.about.labels.value = "0"
security_result.category = "POLICY_VIOLATION"
security_result.summary = "A password for a user (redacted) has violated a SpyCloud Password Scanner rule (Sequential Character Scanner). The password will be blocked."
security_result.description = "INFO"
security_result.action = "BLOCK"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "2"
security_result.rule_id = "0"
```
Parser Alerting
This product currently does not have any Parser-based Alerting.