AlienVault® USM Anywhere™

Dark Web Monitoring Events and Alarms

Role Availability: Read-Only, Analyst, Manager

USM Anywhere includes a SpyCloud plugin, which translates the data retrieved by the AlienApp for Dark Web Monitoring into normalized events for analysis. (Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of event types and sub-types.) This plugin is automatically enabled, and the events are displayed in USM Anywhere, where you can view information about the reported email or domain breach.

Field: Description
Source DNS Domain: Domain name associated with the breach record
Event Ref Date: The date on which the record entered the SpyCloud systems, in ISO 8601 date-time format
Source Username: Username associated with the breach record
Source User Email: The email address associated with the breach record
Public Breach: A true/false flag that indicates whether the breach has been disclosed to the public
Infected User: A true/false flag that indicates whether the credentials were obtained by a keylogger
Source ID: SpyCloud-generated numerical identifier for the breach in which the credentials were found
Password Type: The password type identified in the breach record
IP Addresses: List of one or more IP addresses in alphanumeric format. Both IPv4 and IPv6 addresses are supported.
sighting: (SpyCloud subscriptions only) An integer that indicates the occurrence of a breached credential across the entire SpyCloud breach catalog. A value of 3 indicates that this breach record is the third occurrence of the credential in the catalog.

Note: The AlienApp for Dark Web Monitoring leverages the SpyCloud APIs to retrieve breach records. For more information about the attributes (data fields) it stores in these breach records, refer to the SpyCloud API documentation.

USM Anywhere generates an alarm from one or more of these events using built-in correlation rules, which analyze the events for patterns that indicate a new breach that requires attention and investigation. It generates the alarm as a Security Critical Event with one of the following assessed breach methods:

  • Credentials Stolen — Public Breach
  • Credentials Stolen — Private Breach
  • Credentials Stolen — Infected User

Additional parameters of a generated alarm are determined by the information in the associated event(s). For example, an alarm will provide different guidance if an event indicates that the compromised credential is from an infected user, because a simple password reset would be an ineffective response in that situation.
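The following is an added example, not USM Anywhere or SpyCloud code, showing how events carrying the fields in the table above can be validated and correlated into the three alarm types. The sample events are constructed, the event keys reuse the table's field names rather than real SpyCloud API attribute names, the precedence of the Infected User flag over the public/private flag is an assumption about the correlation rules, and the guidance strings are illustrative.

```python
import ipaddress
from datetime import datetime

# Constructed sample events keyed by the field names from the table above
# (all values are invented; not real SpyCloud breach data).
SAMPLE_EVENTS = [
    {"Source DNS Domain": "example.com", "Event Ref Date": "2023-05-02T10:15:00Z",
     "Source Username": "alice", "Source User Email": "alice@example.com",
     "Public Breach": True, "Infected User": False, "Source ID": 41001,
     "Password Type": "plaintext", "IP Addresses": ["203.0.113.7"], "sighting": 1},
    {"Source DNS Domain": "example.com", "Event Ref Date": "2023-05-03T08:00:00Z",
     "Source Username": "bob", "Source User Email": "bob@example.com",
     "Public Breach": False, "Infected User": True, "Source ID": 41002,
     "Password Type": "plaintext", "IP Addresses": ["2001:db8::1", "bad-ip"], "sighting": 3},
    {"Source DNS Domain": "example.com", "Event Ref Date": "2023-05-04T09:30:00Z",
     "Source Username": "carol", "Source User Email": "carol@example.com",
     "Public Breach": False, "Infected User": False, "Source ID": 41003,
     "Password Type": "hash", "IP Addresses": [], "sighting": 2},
]

# Illustrative response guidance per breach method (assumed, not from the product).
GUIDANCE = {
    "Infected User": "Endpoint is likely running a keylogger: isolate and clean the host "
                     "before rotating credentials; a password reset alone is ineffective.",
    "Public Breach": "Force a password reset and check for reuse of the credential elsewhere.",
    "Private Breach": "Force a password reset; treat the credential as exposed although the "
                      "breach has not been disclosed publicly.",
}

def is_ip(value):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def validate_event(event):
    """Type-check the fields the correlation depends on; returns a cleaned copy."""
    clean = dict(event)
    # fromisoformat() before Python 3.11 rejects a trailing 'Z', so map it to +00:00.
    clean["Event Ref Date"] = datetime.fromisoformat(event["Event Ref Date"].replace("Z", "+00:00"))
    clean["IP Addresses"] = [ip for ip in event["IP Addresses"] if is_ip(ip)]
    clean["sighting"] = int(event["sighting"])
    return clean

def breach_method(event):
    # Assumed precedence: an infected user means the credential was captured on the
    # endpoint, so that condition outranks the Public Breach flag.
    if event["Infected User"]:
        return "Infected User"
    return "Public Breach" if event["Public Breach"] else "Private Breach"

def correlate(events):
    """One alarm per (Source ID, Source User Email) pair, labelled by breach method."""
    alarms = {}
    for raw in events:
        ev = validate_event(raw)
        method = breach_method(ev)
        alarms[(ev["Source ID"], ev["Source User Email"])] = {
            "alarm": f"Credentials Stolen - {method}", "email": ev["Source User Email"],
            "sighting": ev["sighting"], "ips": ev["IP Addresses"], "guidance": GUIDANCE[method]}
    return list(alarms.values())
```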