CrowdStrike Falcon Next-Gen SIEM

For SpyCloud Workforce Threat Protection/Employee ATO Prevention

Your SIEM is only as good as the data it receives. Falcon Next-Gen SIEM is exceptional at correlating signals across your environment, but credentials stolen in third-party breaches, malware infections, and successful phishes never touch your network. The SpyCloud Workforce Threat Protection/Employee ATO Prevention Data Connector puts pre-attack identity intelligence where your team already works.

It continuously delivers recaptured exposure data from the criminal underground - breaches, infostealer malware logs, phishing kits, and combolists - directly into Advanced Event Search, parsed and host-enriched alongside every other Falcon signal. Your analysts can see compromised employee credentials weeks before they're weaponized, without changing a single thing about how they investigate.


🚀 What you get

  • Breach Watchlist Events: Alerts when monitored users or domains appear in SpyCloud's recaptured breach, malware log, or phishing data, which is the earliest available signal of credential compromise before it is used in an attack.
  • Breach Catalog Events: Threat intelligence on newly discovered breaches, enriched with malware family, infected device details, severity scoring, and plaintext password data for proactive hunting and investigation enrichment without leaving the Falcon console.

📋 Requirements

CrowdStrike

RequirementDetails
SubscriptionFalcon Next-Gen SIEM or Falcon Next-Gen SIEM 10GB
Supported CloudsUS-1, US-2, EU-1, US-GOV-1, US-GOV-2
Console AccessAdministrator or Connector Manager role for the respective CID

SpyCloud

RequirementDetails
SubscriptionWorkforce Threat Protection with API access
WatchlistPopulated and verified at portal.spycloud.com/watchlist
Breach CatalogBreach Catalog API access enabled on your subscription
NetworkConnectivity to SpyCloud API endpoints
Data FormatJSON — required for the default parser

🔧 Setup

Step 1: Retrieve your SpyCloud API key

  1. In the SpyCloud portal, navigate to API at portal.spycloud.com/api.
  2. Copy your API Key.
  3. Confirm your Watchlist is populated at portal.spycloud.com/watchlist.
📝

Note

Data ingestion depends on an active, verified Watchlist.

Step 2: Configure and activate the SpyCloud Workforce Threat Protection/Employee ATO Prevention Data Connector in Falcon

  1. In the Falcon console, go to Next-Gen SIEM › Log management › Data onboarding.
  2. Click + Add connection.
  3. On the Data Connectors page, search for and select SpyCloud Workforce Threat Protection/Employee ATO Prevention Data Connector.
  4. In the New connection dialog, review the connector metadata, version, and description. Click Configure to open the New Connection details page.
📝

Note

If the connector is in pre-production state, a warning dialogue appears. Click Accept to continue.

  1. Enter a name and optional description for this connection.
  2. In Source Configuration, select the sources to ingest:
    • Breach Catalog: Threat intelligence on newly discovered breaches
    • Breach Watchlist: Credential exposure events for monitored domains and users
📝

Note

Each source can be managed and monitored independently on the Connection Details page.

  1. To add a new data source configuration, click Manage.
  2. Click to accept the terms and conditions, then click Add configuration and enter the following:
    • Configuration name: SpyCloud-Workforce-Threat-Protection
    • Base URL: api.spycloud.com
    • Access Key: [YOUR SPYCLOUD API KEY]
  3. Click Save configuration and close the configuration windows.
  4. From the Data source configuration dropdown, select the configuration you just created.
  5. In Parsing and enrichment, the default parser and host enrichment are pre-selected and enabled by default.
    • To use a custom parser, check Enable parser selection and accept the terms.
    • To disable host enrichment, uncheck Enable host enrichment.
  6. Review the terms and conditions and select the checkbox to agree.
  7. Click Create Connection.

Step 3: Verify data ingestion

⚠️

Important

Wait at least 15 minutes before verifying. Results are not generated until an applicable event occurs. If an event timestamp is greater than the retention period, the data is not visible in search. If you do not see the raw data after 15 minutes, the product may need more time.

To verify that data is being ingested and appears in the Next-Gen SIEM search results, follow these steps:

  1. In the Falcon console, go to Data connectors › Data connectors › Data connections.
  2. Confirm the Status column shows Active.
  3. In the Actions column, click Open menu › Show events to see all events related to this data connection in Advanced Event Search. Confirm at least one match is generated.

To verify manually, run this query and confirm at least one match is generated:

#Vendor = "spycloud" | #event.module = "workforce-threat-protection"

🔎 Parser

The default parser recommended to parse incoming data for this connection is spycloud-workforcethreatprotection. This parser requires logs in JSON format.

Parser PropertyValue
Parser IDspycloud-workforcethreatprotection
Version0.1.0
ECS Version9.2.0
CPS Version1.1.0
Required FormatJSON
Timestamp FormatISO 8601 with timezone — e.g., 2026-01-15T10:30:45Z
Risk ScoringSpyCloud severity mapped to ECS risk.score.base
Malware FieldsPreserved in both malware.name and threat.software.name
IP Mappingsource.ip or host.ip depending on context
Detection LogicField pattern matching distinguishes breach catalog from watchlist events
Breach Catalog Volume~few hundred events/day

Breach Watchlist event schema

{
  "document_id": "bw_12345678",
  "spycloud_publish_date": "2026-01-15T10:30:45.123Z",
  "email": "[email protected]",
  "email_username": "user",
  "email_domain": "company.com",
  "severity": 25,
  "target_url": "https://compromised-site.com",
  "target_domain": "compromised-site.com",
  "ip_addresses": ["192.168.1.100"],
  "user_hostname": "DESKTOP-ABC123",
  "user_os": "Windows 10",
  "country_code": "US",
  "infected_time": "2026-01-10T08:15:30.000Z",
  "infected_path": "C:\\Users\\User\\AppData\\Local\\malware.exe",
  "malware_family": "InfoStealer",
  "password_type": "plaintext",
  "sighting": 3
}
FieldDescription
document_idUnique record identifier
spycloud_publish_dateWhen SpyCloud ingested and published this record
email / email_domainExposed user's email address and parsed domain
severitySpyCloud severity score — mapped to ECS risk.score.base
target_url / target_domainSite or service where credentials were stolen
user_hostname / user_osDevice details from infostealer infections
infected_timeTimestamp of the malware infection
infected_pathWindows file path of the malware executable
malware_familyInfostealer family — e.g., RedLine, Raccoon, Vidar
password_typeplaintext = cracked and match-ready
sightingTimes this credential has appeared across SpyCloud's dataset

Breach Catalog event schema

{
  "id": "bc_87654321",
  "spycloud_publish_date": "2026-01-15T12:00:00.000Z",
  "breach_category": "data_breach",
  "breach_main_category": "breach",
  "title": "Major E-commerce Site Breach",
  "description": "Large-scale breach affecting millions of user accounts",
  "site": "compromised-ecommerce.com",
  "num_records": 5000000,
  "confidence": 90,
  "tlp": "WHITE",
  "malware_family": "Stealer"
}
FieldDescription
idUnique breach catalog record identifier
breach_categoryGranular category: data_breach, combo, malware, etc.
breach_main_categoryTop-level category: breach, malware
siteSource domain of the breach
num_recordsTotal records exposed
confidenceSpyCloud confidence score (0–100) for breach authenticity
tlpTraffic Light Protocol classification
malware_familyAssociated malware family where applicable

🛠️ Troubleshooting

IssueResolution
API Rate LimitingSpyCloud's API has rate limits that may cause ingestion delays during high-volume periods. If you see authentication or throttling errors, verify your API quota and consider adjusting polling intervals. Contact [email protected] to increase limits.
Missing Breach Catalog dataVerify your subscription includes Breach Catalog API access and that Breach Catalog was selected as a source in the connector configuration.
Timestamp parsing errorsEnsure SpyCloud timestamp fields are in ISO 8601 format with timezone — e.g., 2026-01-15T10:30:45Z.
No data after 15 minutesConfirm your Watchlist is populated at portal.spycloud.com/watchlist. A newly configured Watchlist may take up to 24 hours to produce initial results.
Connection status not ActiveVerify the Access Key was entered correctly. If the key is valid but the connection is inactive, contact [email protected].

📚 Resources

SpyCloud

CrowdStrike