AlienVault® USM Anywhere™

Configuring the AlienApp for SpyCloud Dark Web Monitoring

Role Availability Read-Only Analyst Manager

To enable AlienApp for SpyCloud Dark Web Monitoring functionality within USM Anywhere, you must configure the AlienApp by setting up your watchlist or connecting your SpyCloud-managed watchlist. After this configuration is complete, the AlienApp for SpyCloud Dark Web Monitoring queries the SpyCloud API every 24 hours for information regarding all watchlist items. It parses all collected data and displays it as events (any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall) and alarms (notifications of an event or sequence of events that require attention or investigation) in the USM Anywhere interface.

Required Connectivity on the USM Anywhere Sensor

An AlienApp operates through a deployed USM Anywhere Sensor. To use the AlienApp for SpyCloud Dark Web Monitoring, you must open the following additional ports on the sensor.

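| Port             | Endpoint(s)                      | Function                                       |
|------------------|----------------------------------|------------------------------------------------|
| UDP, TCP port 53 | 8.8.8.8, 209.244.0.3, 64.6.64.6  | DNS lookup to verify domain                    |
| 80, 443          | Domain configured in the watchlist | Validate the verification marker of the domain |
| 443              | api.spycloud.io                  | Check the SpyCloud breach database             |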
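
The following is an added example, not part of the AlienVault documentation or product: it audits a set of egress allow rules against the connectivity table above and lists the required flows that no rule permits. The rule format, the function names, and the sample rules are hypothetical; it assumes ports 80 and 443 are TCP and that all three listed DNS servers must be reachable.

```python
import ipaddress

# DNS endpoints from the connectivity table (UDP and TCP port 53).
DNS_SERVERS = ["8.8.8.8", "209.244.0.3", "64.6.64.6"]

def required_flows(watchlist_domain):
    """Return (proto, destination, port) tuples the sensor needs outbound."""
    flows = []
    for ip in DNS_SERVERS:
        flows += [("udp", ip, 53), ("tcp", ip, 53)]
    # Assumption: 80 and 443 are TCP (HTTP/HTTPS) to the watchlist domain.
    flows += [("tcp", watchlist_domain, 80), ("tcp", watchlist_domain, 443)]
    flows.append(("tcp", "api.spycloud.io", 443))
    return flows

def _dest_matches(rule_dest, dest):
    """Match 'any', an IP inside a rule's IP/CIDR, or an exact hostname."""
    if rule_dest == "any":
        return True
    try:
        return ipaddress.ip_address(dest) in ipaddress.ip_network(rule_dest, strict=False)
    except ValueError:
        # At least one side is a hostname: require an exact match.
        return rule_dest.lower() == dest.lower()

def missing_flows(allow_rules, watchlist_domain):
    """List required flows that no allow rule covers, in table order."""
    missing = []
    for proto, dest, port in required_flows(watchlist_domain):
        covered = any(
            rule["proto"] in (proto, "any")
            and _dest_matches(rule["dest"], dest)
            and rule["ports"][0] <= port <= rule["ports"][1]
            for rule in allow_rules
        )
        if not covered:
            missing.append((proto, dest, port))
    return missing

# Constructed sample rule set (hypothetical format): proto, dest, port range.
SAMPLE_RULES = [
    {"proto": "udp", "dest": "8.8.8.8", "ports": (53, 53)},
    {"proto": "tcp", "dest": "8.8.8.8", "ports": (53, 53)},
    {"proto": "any", "dest": "209.244.0.0/24", "ports": (53, 53)},
    {"proto": "tcp", "dest": "example.com", "ports": (443, 443)},
    {"proto": "tcp", "dest": "api.spycloud.io", "ports": (443, 443)},
]

if __name__ == "__main__":
    for flow in missing_flows(SAMPLE_RULES, "example.com"):
        print("not allowed:", flow)
```

Keeping the allow rules scoped to these destinations and ports, rather than opening 53, 80 and 443 to any address, limits what the sensor can reach if it is compromised.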

Configuration for SpyCloud Dark Web Monitoring

The AlienApp for SpyCloud Dark Web Monitoring supports two configuration types that USM Anywhere can use to query the SpyCloud database:

  • Domain and email watchlist defined for the AlienApp in USM Anywhere.

    This type of watchlist is limited to one domain and up to 10 email addresses. You do not need a SpyCloud account to use this feature. To monitor additional domains and emails through the AT&T Cybersecurity partnership with SpyCloud, complete the form on this page: https://www.alienvault.com/app/dark-web-monitoring/signup.

  • A valid SpyCloud customer API key used to retrieve breach data from a watchlist managed in SpyCloud.

    When you use the SpyCloud API key method, you do not need to manually add domain or email addresses in USM Anywhere. The AlienApp for SpyCloud Dark Web Monitoring retrieves all domains and email addresses from your existing SpyCloud watchlists.

You can use one of these configuration types to query the SpyCloud database and collect data for breach events for your users' credentials using a default collection job.