SpyCloud Investigations offers powerful tools to uncover identity-related threats through recaptured breach, malware, and underground data. Whether you’re pivoting across datasets or deep-diving into credential exposure, this FAQ answers common questions from analysts, engineers, and security teams using SpyCloud Investigations.
SpyCloud Investigations FAQ
❓ What does Severity stand for?
Severity is an internal risk scoring metric that reflects the likelihood and potential impact of abuse tied to a record or identity. It factors in breach source, credential type, password reuse, and links to high-risk actors.
📤 How do I export data?
In the Investigations module, the entire result set of an investigation can be downloaded from the detailed results page or the graph page. To download a customized subset, use the "Export" button in the detailed results view: you can export selected results or entire query sets as CSV or JSON, depending on your needs.
📦 Is there a way to run a batch search?
Yes. The API offers several ways to run a batch search.
🦠 How can I identify who is sending the malware?
While SpyCloud does not offer real-time attribution of malware operators, you can analyze:
- Infostealer logs for clues like operator infrastructure (hostnames, IPs, file hashes). This requires analyst credits to access.
- Repeated patterns in campaign metadata. Use ID Link and third-party tools (e.g., VirusTotal, IPQualityScore) to further enrich your findings.
📉 How do I keep my query count down?
Use CSV uploads for bulk searches, and filter your selectors beforehand to reduce noise. You are charged according to your plan and selected features, so targeted selectors give better value for each query. The API also supports batching certain selector types, such as email, into a single request.
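To illustrate the advice above, here is an added Python example (not SpyCloud's code) that normalizes and dedupes email selectors from a CSV, then submits them in batches while keeping an ordered log of queries and result counts. `query_fn` is a hypothetical caller-supplied function standing in for whatever batch call your integration uses, and the CSV content is constructed.

```python
import csv
import io
import re
from typing import Callable, List, Tuple

# Hypothetical: a caller-supplied function that submits one batch of email
# selectors and returns the number of records found. Not SpyCloud's real API.
QueryFn = Callable[[List[str]], int]

# Minimal sanity check: one "@" with non-empty local part and a dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def load_email_selectors(csv_text: str, column: str = "email") -> List[str]:
    """Read a CSV, lowercase/trim the email column, drop malformed and duplicate values.
    Order of first appearance is preserved so the query log stays reproducible."""
    seen, selectors = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip().lower()
        if EMAIL_RE.match(value) and value not in seen:
            seen.add(value)
            selectors.append(value)
    return selectors


def chunk(items: List[str], size: int) -> List[List[str]]:
    """Split a list into consecutive batches of at most `size` items."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def run_batched(selectors: List[str], query_fn: QueryFn, batch_size: int = 100) -> List[Tuple[int, int, int]]:
    """Submit selectors in batches and return an ordered log of
    (batch number, selectors submitted, records returned) per query."""
    log = []
    for n, batch in enumerate(chunk(selectors, batch_size), start=1):
        log.append((n, len(batch), query_fn(batch)))
    return log


# Constructed sample export: mixed case, stray whitespace, a duplicate, and junk rows.
SAMPLE_CSV = """email,source
Alice@Example.com,list-a
alice@example.com ,list-b
bob@example.com,list-a
not-an-email,list-c
,list-d
carol@example.org,list-b
"""


def fake_query(batch: List[str]) -> int:
    # Constructed stand-in for the real batch call: pretend each selector has 2 records.
    return 2 * len(batch)
```

With `batch_size=2`, the six CSV rows collapse to three selectors and two API calls instead of six.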
🍪 Will cookie data appear in Investigations or notebooks?
No. Cookie data is served through a separate API and is not included in standard queries run from the Investigations module or a notebook. If you need session-level or cookie-based data, contact your customer success manager for access. Cookie session data can also be queried through analyst credits.
🔍 Can I query a license plate, name, or address?
Not directly through the Investigations module or API. However, Analyst Credits can be used to support complex lookups involving real-world identity markers, including license plates, names, and addresses, where possible.
📑 Can I get a report from the Investigations module?
Yes. You can generate a custom AI Insight Report, offering a narrative summary of findings.
📊 Can I see an ordered list of queries and counts like in Jupyter Notebooks?
Not in the Investigations module. For more detailed query logging and history, use the API or Jupyter Notebook environment, where full tracking of executed queries and response counts is available.
🌐 Can I query OSINT tools like IPQualityScore from within the graph?
Not directly within the Investigations module. However, you can copy selectors (e.g., IP addresses, domains) and enrich them externally. For automated enrichment, integrate OSINT tools through API or notebook workflows.
💾 Can I create saved investigations in the Investigations module?
No. The Investigations module does not currently support saved investigations.
🔗 Can I share investigations with other users?
While full collaborative workflows are not supported in the Investigations module, exported reports and datasets (CSV, JSON) can be shared manually with other analysts. Collaboration is best handled through shared tools like notebooks, case management platforms, or secured internal systems.
📁 Can I bulk search asset types in the Investigations module?
Not in the Investigations module. Bulk searches by asset type are supported through the API, using a capable integration, or through the Jupyter Notebook environment.