CrowdStrike Falcon Next-Gen SIEM
For SpyCloud Workforce Threat Protection/Employee ATO Prevention
Your SIEM is only as good as the data it receives. Falcon Next-Gen SIEM is exceptional at correlating signals across your environment, but credentials stolen in third-party breaches, malware infections, and successful phishes never touch your network. The SpyCloud Workforce Threat Protection/Employee ATO Prevention Data Connector puts pre-attack identity intelligence where your team already works.
It continuously delivers recaptured exposure data from the criminal underground - breaches, infostealer malware logs, phishing kits, and combolists - directly into Advanced Event Search, parsed and host-enriched alongside every other Falcon signal. Your analysts can see compromised employee credentials weeks before they're weaponized, without changing a single thing about how they investigate.
🚀 What you get
- Breach Watchlist Events: Alerts when monitored users or domains appear in SpyCloud's recaptured breach, malware log, or phishing data, which is the earliest available signal of credential compromise before it is used in an attack.
- Breach Catalog Events: Threat intelligence on newly discovered breaches, enriched with malware family, infected device details, severity scoring, and plaintext password data for proactive hunting and investigation enrichment without leaving the Falcon console.
📋 Requirements
CrowdStrike
| Requirement | Details |
|---|---|
| Subscription | Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10GB |
| Supported Clouds | US-1, US-2, EU-1, US-GOV-1, US-GOV-2 |
| Console Access | Administrator or Connector Manager role for the respective CID |
SpyCloud
| Requirement | Details |
|---|---|
| Subscription | Workforce Threat Protection with API access |
| Watchlist | Populated and verified at portal.spycloud.com/watchlist |
| Breach Catalog | Breach Catalog API access enabled on your subscription |
| Network | Connectivity to SpyCloud API endpoints |
| Data Format | JSON — required for the default parser |
🔧 Setup
Step 1: Retrieve your SpyCloud API key
- In the SpyCloud portal, navigate to API at portal.spycloud.com/api.
- Copy your API Key.
- Confirm your Watchlist is populated at portal.spycloud.com/watchlist.
Step 2: Configure and activate the SpyCloud Workforce Threat Protection/Employee ATO Prevention Data Connector in Falcon
- In the Falcon console, go to Next-Gen SIEM › Log management › Data onboarding.
- Click + Add connection.
- On the Data Connectors page, search for and select SpyCloud Workforce Threat Protection/Employee ATO Prevention Data Connector.
- In the New connection dialog, review the connector metadata, version, and description. Click Configure to open the New Connection details page.
NoteIf the connector is in pre-production state, a warning dialogue appears. Click Accept to continue.
- Enter a name and optional description for this connection.
- In Source Configuration, select the sources to ingest:
- Breach Catalog: Threat intelligence on newly discovered breaches
- Breach Watchlist: Credential exposure events for monitored domains and users
- To add a new data source configuration, click Manage.
- Click to accept the terms and conditions, then click Add configuration and enter the following:
- Configuration name:
SpyCloud-Workforce-Threat-Protection - Base URL:
api.spycloud.com - Access Key:
[YOUR SPYCLOUD API KEY]
- Configuration name:
- Click Save configuration and close the configuration windows.
- From the Data source configuration dropdown, select the configuration you just created.
- In Parsing and enrichment, the default parser and host enrichment are pre-selected and enabled by default.
- To use a custom parser, check Enable parser selection and accept the terms.
- To disable host enrichment, uncheck Enable host enrichment.
- Review the terms and conditions and select the checkbox to agree.
- Click Create Connection.
Step 3: Verify data ingestion
ImportantWait at least 15 minutes before verifying. Results are not generated until an applicable event occurs. If an event timestamp is greater than the retention period, the data is not visible in search. If you do not see the raw data after 15 minutes, the product may need more time.
To verify that data is being ingested and appears in the Next-Gen SIEM search results, follow these steps:
- In the Falcon console, go to Data connectors › Data connectors › Data connections.
- Confirm the Status column shows Active.
- In the Actions column, click Open menu › Show events to see all events related to this data connection in Advanced Event Search. Confirm at least one match is generated.
To verify manually, run this query and confirm at least one match is generated:
#Vendor = "spycloud" | #event.module = "workforce-threat-protection"
🔎 Parser
The default parser recommended to parse incoming data for this connection is spycloud-workforcethreatprotection. This parser requires logs in JSON format.
| Parser Property | Value |
|---|---|
| Parser ID | spycloud-workforcethreatprotection |
| Version | 0.1.0 |
| ECS Version | 9.2.0 |
| CPS Version | 1.1.0 |
| Required Format | JSON |
| Timestamp Format | ISO 8601 with timezone — e.g., 2026-01-15T10:30:45Z |
| Risk Scoring | SpyCloud severity mapped to ECS risk.score.base |
| Malware Fields | Preserved in both malware.name and threat.software.name |
| IP Mapping | source.ip or host.ip depending on context |
| Detection Logic | Field pattern matching distinguishes breach catalog from watchlist events |
| Breach Catalog Volume | ~few hundred events/day |
Breach Watchlist event schema
{
"document_id": "bw_12345678",
"spycloud_publish_date": "2026-01-15T10:30:45.123Z",
"email": "[email protected]",
"email_username": "user",
"email_domain": "company.com",
"severity": 25,
"target_url": "https://compromised-site.com",
"target_domain": "compromised-site.com",
"ip_addresses": ["192.168.1.100"],
"user_hostname": "DESKTOP-ABC123",
"user_os": "Windows 10",
"country_code": "US",
"infected_time": "2026-01-10T08:15:30.000Z",
"infected_path": "C:\\Users\\User\\AppData\\Local\\malware.exe",
"malware_family": "InfoStealer",
"password_type": "plaintext",
"sighting": 3
}| Field | Description |
|---|---|
| document_id | Unique record identifier |
| spycloud_publish_date | When SpyCloud ingested and published this record |
| email / email_domain | Exposed user's email address and parsed domain |
| severity | SpyCloud severity score — mapped to ECS risk.score.base |
| target_url / target_domain | Site or service where credentials were stolen |
| user_hostname / user_os | Device details from infostealer infections |
| infected_time | Timestamp of the malware infection |
| infected_path | Windows file path of the malware executable |
| malware_family | Infostealer family — e.g., RedLine, Raccoon, Vidar |
| password_type | plaintext = cracked and match-ready |
| sighting | Times this credential has appeared across SpyCloud's dataset |
Breach Catalog event schema
{
"id": "bc_87654321",
"spycloud_publish_date": "2026-01-15T12:00:00.000Z",
"breach_category": "data_breach",
"breach_main_category": "breach",
"title": "Major E-commerce Site Breach",
"description": "Large-scale breach affecting millions of user accounts",
"site": "compromised-ecommerce.com",
"num_records": 5000000,
"confidence": 90,
"tlp": "WHITE",
"malware_family": "Stealer"
}| Field | Description |
|---|---|
| id | Unique breach catalog record identifier |
| breach_category | Granular category: data_breach, combo, malware, etc. |
| breach_main_category | Top-level category: breach, malware |
| site | Source domain of the breach |
| num_records | Total records exposed |
| confidence | SpyCloud confidence score (0–100) for breach authenticity |
| tlp | Traffic Light Protocol classification |
| malware_family | Associated malware family where applicable |
🛠️ Troubleshooting
| Issue | Resolution |
|---|---|
| API Rate Limiting | SpyCloud's API has rate limits that may cause ingestion delays during high-volume periods. If you see authentication or throttling errors, verify your API quota and consider adjusting polling intervals. Contact [email protected] to increase limits. |
| Missing Breach Catalog data | Verify your subscription includes Breach Catalog API access and that Breach Catalog was selected as a source in the connector configuration. |
| Timestamp parsing errors | Ensure SpyCloud timestamp fields are in ISO 8601 format with timezone — e.g., 2026-01-15T10:30:45Z. |
| No data after 15 minutes | Confirm your Watchlist is populated at portal.spycloud.com/watchlist. A newly configured Watchlist may take up to 24 hours to produce initial results. |
| Connection status not Active | Verify the Access Key was entered correctly. If the key is valid but the connection is inactive, contact [email protected]. |
📚 Resources
SpyCloud
- SpyCloud API Documentation
- SpyCloud Customer Portal — API Key & Watchlist Management
- Workforce Threat Protection — Product Page
CrowdStrike