AlienVault® USM Anywhere™

Configuring the AlienApp for Dark Web Monitoring

  Role Availability   Read-Only   Analyst   Manager

To enable AlienApp for Dark Web Monitoring functionality within USM Anywhere, you must configure the AlienApp by setting up your watchlist or connecting your SpyCloud-managed watchlist. After this configuration is complete, the AlienApp for Dark Web Monitoring queries the SpyCloud API every 24 hours for information regarding all watchlist items. It parses all collected data and displays it as events and alarms in the USM Anywhere interface.

Required Connectivity on the USM Anywhere Sensor

An AlienApp operates through a deployed USM Anywhere Sensor. To use the AlienApp for Dark Web Monitoring, you must open some additional ports on the sensor to support these functions.

Port               Endpoint(s)                          Function
UDP, TCP port 53   8.8.8.8, 209.244.0.3, 64.6.64.6      DNS lookup to verify domain
80, 443            Domain configured in the watchlist   Validate the verification marker of the domain
443                api.spycloud.io                      Check the SpyCloud breach database
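
A preflight check for the connectivity table above, as an added example that is not part of the AlienVault documentation or product. It assumes you run it from a host that shares the sensor's egress path; the function names are hypothetical and example.com stands in for your watchlist domain.

```python
"""Egress preflight for the connectivity table (added example, not vendor code)."""
import socket
import struct
import sys

DNS_RESOLVERS = ["8.8.8.8", "209.244.0.3", "64.6.64.6"]  # endpoints from the table
SPYCLOUD_API = "api.spycloud.io"                          # endpoint from the table

def required_targets(watchlist_domain):
    """Return (proto, host, port, purpose) tuples, one per required flow."""
    targets = []
    for ip in DNS_RESOLVERS:
        targets += [("udp", ip, 53, "DNS lookup"), ("tcp", ip, 53, "DNS lookup")]
    for port in (80, 443):
        targets.append(("tcp", watchlist_domain, port, "verification marker"))
    targets.append(("tcp", SPYCLOUD_API, 443, "SpyCloud breach database"))
    return targets

def build_dns_query(name, txid=0x1234):
    """Minimal A-record query; UDP 53 is only proven open if a reply comes back."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe(proto, host, port, domain, timeout=3.0):
    """True if a TCP connect succeeds, or a DNS reply echoing our txid arrives."""
    try:
        if proto == "tcp":
            with socket.create_connection((host, port), timeout=timeout):
                return True
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            query = build_dns_query(domain)
            s.sendto(query, (host, port))
            reply, _ = s.recvfrom(512)
            return reply[:2] == query[:2]
    except OSError:  # covers timeouts, refused connections and resolution failures
        return False

if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    failed = 0
    for proto, host, port, purpose in required_targets(domain):
        ok = probe(proto, host, port, domain)
        failed += not ok
        print(f"{'OK  ' if ok else 'FAIL'} {proto}/{port:<3} {host:<20} {purpose}")
    sys.exit(1 if failed else 0)
```

A successful TCP connect shows only that the port is reachable; it does not confirm that a TLS-inspecting proxy on the path will pass the AlienApp's requests unchanged.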

Configuration for Dark Web Monitoring

The AlienApp for Dark Web Monitoring supports two configuration types that USM Anywhere can use to query the SpyCloud database.

  • Domain and email watchlist defined for the AlienApp in USM Anywhere

    Note: This type of watchlist is limited to one domain and/or a list of up to 10 email addresses. An option is available to monitor additional domains and emails through the AlienVault partnership with SpyCloud. You can learn more by completing the form at this page:
    https://docs.alienvault.com/product/usm-anywhere/landing/dark-web-monitoring

  • A valid SpyCloud customer API key used to retrieve breach data from a watchlist managed in SpyCloud

You can use one of these configuration types to query the SpyCloud database and collect data for breach events for your users' credentials using a default collection job.