Best Practices & Optimization
SpyCloud Compass becomes even more powerful when your alerts, teams, and workflows are optimized to reduce noise and increase speed to action.
This page shares filtering strategies, team-specific tips, and scalable automation guidance to help you get the most from SpyCloud Compass.
🧼 Filter Smarter, Act Faster
Use these filters and strategies to zero in on the most relevant alerts:
| Filter or Strategy | Why It Helps | 
|---|---|
| severity ≥ 20 | Prioritizes cracked, recent, high-confidence alerts | 
| domain_owner_match = true | Limits view to your managed domains only | 
| source_type = malware | Focuses on actionable malware-derived data | 
| password_type = cracked | Highlights reuse and credential abuse potential | 
| malware_family filter | Investigate campaign-level risk by grouping alerts by malware family |
Combine filters to create your own “High Risk View” in SpyCloud Compass.
⚙️ Recommended Tagging System
SpyCloud Compass tags help track alert status across teams.
| Tag | Use Case | 
|---|---|
| triaged | Reviewed, no action required | 
| remediated | Action taken, alert resolved | 
| escalated | Forwarded to SecOps, IAM, or Fraud team | 
| vip_exposure | Exposure tied to executive or privileged user | 
| password_reuse | Flag for repeat password issues | 
🧠 Optimization by Team
🔒 SOC / IR Teams
- Triage alerts by severity + cracked password
- Automate playbook via SOAR
- Suppress low-risk, external alerts
🧠 CTI / Threat Teams
- Use IDLink for selector pivoting
- Track malware families and campaigns
- Correlate targets by log ID and exposure pattern
💰 Fraud & Risk Teams
- Watch for consumer credential exposure
- Flag reused credentials before fraud occurs
- Alert on trusted domain matches
🔐 SecOps / IAM
- Enforce password rotation for cracked users
- Use tags to trigger password reset flows
- Pair Compass alerts with SSO and IdP telemetry
📋 GRC / Compliance
- Use alert exports to document response
- Track metrics on MTTR and remediation rate
- Align exposures to incident response reporting
📈 Metrics That Matter
Consider tracking the following to measure SpyCloud Compass success:
| Metric | Description | 
|---|---|
| Average time to remediate | Time from alert → action | 
| Alert volume over time | Helps identify trends & noise | 
| Top malware families | Track campaigns impacting your org | 
| Reused passwords across alerts | Indicates hygiene gaps or fraud patterns | 
| Tags applied per alert | Workflow health indicator | 
🤖 Scale with Automation
If you're seeing hundreds (or thousands) of alerts per week, automation becomes essential.
Top Automation Hooks:
- Send high-severity alerts to SOAR or EDR
- Auto-generate tickets for domain_owner_match = true
- Flag cracked passwords in IAM systems
- Suppress known benign domains (e.g., SaaS login reuse)
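As an added example (not SpyCloud's own code or API), the "High Risk View" filters from the first section and the automation hooks above applied in Python to a constructed batch of alerts. The dict keys mirror the filter names on this page; the `target_domain` key, the benign-domain list and the action names are assumptions standing in for whatever your SOAR, ticketing and IAM integrations expect.

```python
from typing import Iterable

HIGH_SEVERITY = 20  # the page's "severity >= 20" threshold
# Constructed suppression list: domains where login reuse is expected (SaaS/IdP)
BENIGN_DOMAINS = {"sso.example-saas.test", "login.example-idp.test"}


def is_high_risk(alert: dict) -> bool:
    """The page's combined "High Risk View": high severity, on a managed
    domain, malware-derived, and a cracked password."""
    return (
        alert.get("severity", 0) >= HIGH_SEVERITY
        and alert.get("domain_owner_match") is True
        and alert.get("source_type") == "malware"
        and alert.get("password_type") == "cracked"
    )


def route(alert: dict) -> list[str]:
    """Map one alert to the automation hooks on this page; the action names
    are placeholders for your SOAR/ticketing/IAM integration."""
    # Suppress benign domains first so they never create tickets or IAM work
    if alert.get("target_domain") in BENIGN_DOMAINS:
        return ["suppress"]
    actions: list[str] = []
    if alert.get("severity", 0) >= HIGH_SEVERITY:
        actions.append("send_to_soar")
    if alert.get("domain_owner_match") is True:
        actions.append("create_ticket")
    if alert.get("password_type") == "cracked":
        actions.append("flag_in_iam")
    if is_high_risk(alert):
        actions.append("tag:escalated")
    return actions or ["tag:triaged"]  # nothing to do: record that it was reviewed


def triage(alerts: Iterable[dict]) -> dict[str, list[str]]:
    """Route a batch; keyed by alert id so the decisions can be audited."""
    return {a["id"]: route(a) for a in alerts}


# Constructed sample batch (not real exposure data)
SAMPLE_ALERTS = [
    {"id": "a1", "severity": 25, "domain_owner_match": True, "source_type": "malware",
     "password_type": "cracked", "target_domain": "corp.example.test"},
    {"id": "a2", "severity": 25, "domain_owner_match": True, "source_type": "malware",
     "password_type": "cracked", "target_domain": "sso.example-saas.test"},
    {"id": "a3", "severity": 5, "domain_owner_match": False, "source_type": "breach",
     "password_type": "hashed", "target_domain": "third-party.example.test"},
]
```

Running `triage(SAMPLE_ALERTS)` routes the cracked, owned-domain alert to every hook plus the `escalated` tag, suppresses the SaaS-login copy, and only tags the low-severity external one as triaged.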
🧩 Schema References
🎯 Final Thought
SpyCloud Compass works best when it becomes a signal amplifier, not a noisy alert feed. By tuning filters, using tags, and automating repeatable actions, your team can move faster, stay focused, and prevent credential-based compromise before it starts.