Selector Best Practices

SpyCloud Investigations is a flexible, analyst-driven solution. This guide outlines how to effectively use selectors to accelerate workflows, uncover hidden links, and avoid false assumptions when querying SpyCloud’s breach, infostealer, phishing, and combolist datasets.

🔒 Privacy-Protected Selectors

These selectors are SHA-1 hashed before ingestion. You may submit them in plaintext — SpyCloud will hash them automatically.

  • Bank account number
  • Credit card number
  • Social Security Number (SSN)
  • Passport number
  • National ID
  • Driver’s license number

👤 Identity Selector Best Practices

Email

Use full email addresses (e.g., [email protected]) for targeted identity investigations.

Email Username

Search just the portion before @ (e.g., jane.doe) to find reuse across domains.

Username

Run usernames across multiple selectors to detect reuse.

Common usernames may return a large, noisy set.

Social Handle

Uncover cross-platform reuse of handles (e.g., Telegram, Instagram, LinkedIn).

Phone Number

Try multiple formats — with/without country codes. Also test as a password or username.

Name

Use naming patterns (e.g., jdoe, john.doe) to build likely selectors.
For ambiguous identities, request an analyst investigation.
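
The identity tips above (email username, naming patterns, phone formats) can be turned into a query plan before you start searching. The following is an added example, not SpyCloud code: it calls no SpyCloud API, the selector labels mirror this page's headings rather than real field names, and the pattern set beyond jdoe and john.doe is an assumption.

```python
import re

# Selector labels follow this page's headings; they are not API field names.
MONIKER_TYPES = ("email_username", "username", "social_handle")

def email_username(email):
    """Return the portion before '@' (the Email Username selector)."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {email!r}")
    return local

def name_patterns(first, last):
    """Build likely usernames from a name; the pattern set is an assumption."""
    f = re.sub(r"[^a-z0-9]", "", first.lower())
    l = re.sub(r"[^a-z0-9]", "", last.lower())
    if not f or not l:
        return []
    return [f[0] + l, f"{f}.{l}", f + l, f"{f}_{l}", l + f[0]]

def phone_formats(raw, country_code):
    """Return the number without and with its country code (digits and '+' form)."""
    digits = re.sub(r"\D", "", raw)
    cc = re.sub(r"\D", "", country_code)
    if raw.strip().startswith("+") and digits.startswith(cc):
        digits = digits[len(cc):]  # reduce to the national number
    if not digits:
        return []
    return [digits, cc + digits, f"+{cc}{digits}"]

def build_plan(first, last, email, phone, country_code):
    """Return ordered, de-duplicated (selector_type, value) pairs to query."""
    plan = [("email", email.strip().lower())]
    monikers = [email_username(email)] + name_patterns(first, last)
    for moniker in dict.fromkeys(monikers):  # de-duplicate, keep order
        plan += [(t, moniker) for t in MONIKER_TYPES]
    for number in phone_formats(phone, country_code):
        # The page also suggests testing a phone number as a username or password.
        plan += [("phone", number), ("username", number), ("password", number)]
    return plan

if __name__ == "__main__":
    # Constructed sample identity: example.com and 555-01xx numbers are reserved.
    for selector_type, value in build_plan(
            "John", "Doe", "john.doe@example.com", "+1 (202) 555-0143", "1"):
        print(f"{selector_type:15} {value}")
```

A phone number supplied without a leading + is treated as already national, so pass the country code separately in that case.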

🧠 Investigative Techniques – Moniker Reuse Strategy

Reused monikers (e.g., cyberwolf88) often appear across:

  • Email usernames
  • Forum usernames
  • Social handles

This strategy helps link personas across breach, malware, and surface-level activity.

🌐 Domain Selector Types

Domain

Query a root domain to see all related activity (users, infections, infrastructure).

Email Domain

Returns only email addresses ending in the domain.

Target Domain

Returns logs showing users or infected devices interacting with the domain.

🖥️ Infrastructure Selector Types

IP Address

Submit individual IPs or CIDR blocks to explore campaign infrastructure.

Infected Machine ID

Pivot to accounts, passwords, and logs tied to a single infected system.

Log ID

SpyCloud-generated log identifier — track recurrence or clusters.

📅 Date Filter Best Practices

Date Behavior

All timestamps reflect SpyCloud’s publish date, not the original compromise date.

Best Practice:
Use date filters to:

  • Focus on new intelligence
  • Correlate with threat reporting or breach timelines


Summary

SpyCloud Investigations gives analysts powerful, flexible tools — and selectors are at the heart of it.

To get the most value:

  • Understand which selectors are hashed
  • Think like your adversary: humans reuse data across platforms
  • Use pivots across selector types to uncover connections

Need help refining a strategy or resolving ambiguous data?
Use Analyst Credits for expert-guided investigations.