Introduction
SpyCloud's Session Identity Protection API is a programmatic interface into our vast collection of botnet-sourced cookie data.
See API Guidelines for authentication, configuration, and error-handling details. Most API resources support pagination; see Pagination.
API Reference
Configuration
SpyCloud will need to allowlist the cookie domains and subdomains that are returned to you. For example, if you are interested in cookie data for the domain mycompany.com, allowlisting mycompany.com also covers all of its subdomains (*.mycompany.com). For a specific subdomain, we match exactly the allowlisted subdomain, such as mycompany.domain.com.
Cookie Data Assets
Cookie records are sourced from our ingest of botnet malware logs and are typically published around the same time as breach records. All of the cookie files in our botnet data follow the Mozilla cookiejar format.
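The following is an added example, not SpyCloud's own code, showing how a defender can read a file in that Mozilla (Netscape) cookiejar format into records shaped like the cookie_* fields of the schema and then apply the allowlisting rule from the Configuration section. The sample cookiejar content is constructed; the "last two labels" registrable-domain heuristic is a simplification (a real implementation would use the public suffix list), and the allowlist semantics (a registrable domain covers all subdomains, a specific subdomain matches exactly) are this example's interpretation of the text above.

```python
from datetime import datetime, timezone

# Constructed sample in Mozilla/Netscape cookiejar format (not real data).
# Columns are tab-separated: domain, include-subdomains flag, path, secure flag,
# expiry as a Unix timestamp (0 = session cookie), name, value.
SAMPLE_COOKIEJAR = """# Netscape HTTP Cookie File
# This is a generated file! Do not edit.

.mycompany.com\tTRUE\t/\tTRUE\t1767225600\tSESSIONID\tabc123def456
#HttpOnly_portal.mycompany.com\tFALSE\t/\tTRUE\t1767225600\tcsrftoken\tzzz999
.other.example\tTRUE\t/\tFALSE\t0\tprefs\tdark
"""


def registrable_domain(host):
    """Return the registrable domain of a host.

    Simplification (assumption): the last two labels. A production version
    would consult the public suffix list so that e.g. 'example.co.uk' works.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def parse_cookiejar(text):
    """Parse cookiejar lines into records using the schema's cookie_* field names."""
    records = []
    for line in text.splitlines():
        raw = line.rstrip("\r\n")
        if not raw.strip():
            continue
        # Some dumps mark HttpOnly cookies with a '#HttpOnly_' prefix; any
        # other line starting with '#' is a comment.
        if raw.startswith("#HttpOnly_"):
            raw = raw[len("#HttpOnly_"):]
        elif raw.startswith("#"):
            continue
        parts = raw.split("\t")
        if len(parts) != 7:
            raise ValueError("malformed cookiejar line: %r" % line)
        domain, _include_sub, _path, _secure, expires, name, value = parts
        host = domain.lstrip(".").lower()   # leading dot marks a domain cookie
        base = registrable_domain(host)
        expiry_epoch = int(expires)
        records.append({
            "cookie_domain": base,
            "cookie_subdomain": host if host != base else None,
            "cookie_name": name,             # case-sensitive, kept as-is
            "cookie_value": value,
            # 0 means a session cookie with no expiry; the field is then absent
            "cookie_expiration": (
                datetime.fromtimestamp(expiry_epoch, tz=timezone.utc).isoformat()
                if expiry_epoch > 0 else None
            ),
        })
    return records


def matches_allowlist(record, allowlist):
    """Apply the allowlisting rule: an allowlisted registrable domain covers
    itself and every subdomain; an allowlisted specific subdomain must match
    exactly (this example's interpretation of the Configuration text)."""
    host = record["cookie_subdomain"] or record["cookie_domain"]
    for entry in allowlist:
        entry = entry.lower().lstrip(".")
        if entry == registrable_domain(entry):
            if host == entry or host.endswith("." + entry):
                return True
        elif host == entry:
            return True
    return False


def filter_allowlisted(records, allowlist):
    return [r for r in records if matches_allowlist(r, allowlist)]


if __name__ == "__main__":
    for rec in filter_allowlisted(parse_cookiejar(SAMPLE_COOKIEJAR), ["mycompany.com"]):
        print(rec["cookie_subdomain"] or rec["cookie_domain"],
              rec["cookie_name"], rec["cookie_expiration"])
```

Session cookies (expiry 0 in the file) come back with `cookie_expiration` set to `None`, which mirrors the API behaviour of only showing that field when data exists; treat such cookies as live until the server-side session is revoked.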
The following are the assets that have been added to the data schema:
| Field | Type | Description | 
|---|---|---|
| cookie_domain | string | Domain of the cookie | 
| cookie_name | string | Case-sensitive name of the cookie | 
| cookie_value | string | Value of the cookie | 
| cookie_subdomain | string | Exact subdomain of the cookie, if it exists | 
| cookie_expiration | datetime | Expiration date of the cookie, in ISO 8601 datetime format | 
| infected_path | string | File path on the infected machine where malware was detected | 
| av_softwares | array | List of antivirus software present on the infected machine | 
| country_code | string | Two-letter country code of the infected machine (ISO 3166-1 alpha-2) | 
| display_resolution | string | Display resolution of the infected device (e.g., 1920x1080) | 
| keyboard_languages | array | Languages configured for the keyboard on the infected system | 
| timezone | string | Timezone setting of the infected machine (e.g., UTC-5) | 
| user_os | string | Operating system of the infected machine | 
| log_id | string | Unique identifier for the malware log entry | 
| infected_time | datetime | Timestamp when infection was recorded (ISO 8601 format) | 
| document_id | string | Unique identifier for the associated breach/malware document | 
| infected_machine_id | string | Unique identifier assigned to the infected machine | 
| ip_addresses | array | List of IP addresses associated with the infected machine | 
| severity | string | Severity rating of the infection or record | 
| source_id | string | Identifier for the data source | 
| spycloud_publish_date | datetime | Date when SpyCloud published the record (ISO 8601 format) | 
| user_hostname | string | Hostname of the infected machine | 
| user_sys_registered_owner | string | Registered owner of the infected system | 
The following fields will always be displayed:
- document_id
- source_id
- spycloud_publish_date
- cookie_domain
- cookie_name
- cookie_value
The following fields will be displayed if data exists:
- cookie_expiration
- cookie_subdomain
- infected_path
- av_softwares
- country_code
- display_resolution
- keyboard_languages
- timezone
- user_os
- severity
From the infected host machine:
- infected_machine_id
- log_id
- infected_time
- ip_addresses
- user_hostname
- user_sys_registered_owner
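As an added example (not SpyCloud's code), the following triage helper shows how a response consumer can rely on the always-present fields, tolerate the optional ones, and separate cookies that are still valid (a live session-takeover risk to revoke) from expired ones, rolling the host-level fields up per infected machine for remediation. The records are constructed to match the schema above; the API's actual response envelope and pagination are not shown, and the clock is fixed so the result is reproducible.

```python
from datetime import datetime, timezone

# Fields the API always returns, and the host-level fields that are present
# only when the infected machine is known.
REQUIRED_FIELDS = ("document_id", "source_id", "spycloud_publish_date",
                   "cookie_domain", "cookie_name", "cookie_value")
HOST_FIELDS = ("infected_machine_id", "log_id", "infected_time",
               "ip_addresses", "user_hostname", "user_sys_registered_owner")

# Constructed sample records shaped like the schema; all values are invented
# and the IP address is from the RFC 5737 documentation range.
SAMPLE_RECORDS = [
    {
        "document_id": "doc-0001", "source_id": "src-01",
        "spycloud_publish_date": "2025-01-10T12:00:00Z",
        "cookie_domain": "mycompany.com", "cookie_subdomain": "portal.mycompany.com",
        "cookie_name": "SESSIONID", "cookie_value": "abc123def456",
        "cookie_expiration": "2026-06-01T00:00:00Z",
        "infected_machine_id": "machine-A", "log_id": "log-7",
        "infected_time": "2025-01-09T08:30:00Z", "ip_addresses": ["198.51.100.7"],
        "user_hostname": "LAPTOP-01", "user_sys_registered_owner": "jdoe",
    },
    {
        "document_id": "doc-0002", "source_id": "src-01",
        "spycloud_publish_date": "2025-01-10T12:00:00Z",
        "cookie_domain": "mycompany.com",
        "cookie_name": "oldsession", "cookie_value": "expired111",
        "cookie_expiration": "2024-01-01T00:00:00Z",
        "infected_machine_id": "machine-A", "log_id": "log-7",
        "infected_time": "2025-01-09T08:30:00Z", "ip_addresses": ["198.51.100.7"],
        "user_hostname": "LAPTOP-01", "user_sys_registered_owner": "jdoe",
    },
    {
        # Session cookie: no cookie_expiration, and no host-level fields at all.
        "document_id": "doc-0003", "source_id": "src-02",
        "spycloud_publish_date": "2025-01-11T09:00:00Z",
        "cookie_domain": "mycompany.com",
        "cookie_name": "prefs", "cookie_value": "dark",
    },
]

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock for reproducibility


def parse_iso8601(value):
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_record(record):
    """Reject records missing any field the API documents as always present."""
    missing = [f for f in REQUIRED_FIELDS if record.get(f) is None]
    if missing:
        raise ValueError("record %s missing required fields: %s"
                         % (record.get("document_id"), missing))
    return record


def is_still_valid(record, now):
    """A cookie is a live risk if it has no expiry (session cookie) or its
    expiry lies in the future relative to `now`."""
    expiration = record.get("cookie_expiration")
    if expiration is None:
        return True
    return parse_iso8601(expiration) > now


def triage(records, now):
    """Split records into live/expired cookies and roll up per infected host."""
    summary = {"live": [], "expired": [], "hosts": {}}
    for record in records:
        validate_record(record)
        live = is_still_valid(record, now)
        summary["live" if live else "expired"].append(record)
        machine_id = record.get("infected_machine_id")
        if machine_id:
            host = summary["hosts"].setdefault(machine_id, {
                "user_hostname": record.get("user_hostname"),
                "ip_addresses": [],
                "live_cookies": 0,
            })
            for ip in record.get("ip_addresses", []):
                if ip not in host["ip_addresses"]:
                    host["ip_addresses"].append(ip)
            host["live_cookies"] += int(live)
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS, NOW)
    print("revoke:", [r["cookie_name"] for r in result["live"]])
    print("hosts to remediate:", result["hosts"])
```

Live cookies are the ones to act on first (invalidate the session server-side, force re-authentication); expired ones still indicate an infected machine, which is why the host roll-up counts every record, not only the live ones.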