Back

Cortex XSOAR

SOAR
Read Docs
Read Datasheet
OVERVIEW

SpyCloud’s integration with Cortex XSOAR empowers security teams to detect and respond to identity-based threats faster, turning recaptured darknet data into high-fidelity incidents and automated remediation workflows. SpyCloud’s curated breach and malware records are ingested into Cortex XSOAR as structured incidents, enabling your SOC to respond to credential exposures and infostealer infections with speed and confidence.

With pre-built playbooks and enrichment commands, security teams can use SpyCloud data to automate decision-making, enforce password resets, or investigate malware-linked devices and users across all business applications. The result: reduced dwell time, lower MTTR, and fewer blind spots in your identity threat response.

BENEFITS
  • Accelerate Incident Response
    Shorten the exposure window by generating and triaging high-priority incidents as soon as SpyCloud detects compromised credentials or authentication data tied to your environment.
  • Automate Remediation
    Use built-in or custom playbooks to trigger remediation actions for exposed users, such as password resets, account disablement, or step-up authentication.
  • Enhance Visibility Across Applications
    Expand malware exposure visibility beyond your primary domain watchlist, uncovering risks to unmanaged devices and third-party apps.
  • Reduce Analyst Workload
    Streamline manual investigations with enrichment commands that query SpyCloud’s vast database to provide actionable context for every incident.
  • Support Malware Infection Remediation
    Search by domain, user, IP, or exposed application to uncover stolen session data and credentials from malware-compromised systems.
SEE IT IN ACTION
SCREENSHOTS
Malware investigation for SpyCloud threat detection and cybersecurity analysis.
Password breach investigation workflow for cybersecurity analysis and threat detection.
SpyCloud threat intelligence platform for breach data and cybersecurity protection.
HOW IT WORKS

SpyCloud Okta Workforce Guardian leverages the SpyCloud Enterprise Protection API and Okta Workflows to continuously validate your organization’s Okta Directory for credential exposures. When a compromised credential is identified, Okta Workforce Guardian executes automated, policy-driven responses that can include:

  • Data Ingest
    Cortex XSOAR fetches curated, normalized SpyCloud data with support for high-quality enrichment, deduplication, and real-time ingestion.
  • Incident Generation
    SpyCloud automatically generates high-priority incidents when credentials are exposed in a breach (e.g., plaintext passwords) or when malware infections expose data linked to your users or applications.
  • Remediation Playbooks
    Use built-in XSOAR playbooks or create custom workflows to:
    • Validate password length and reuse
    • Check active user status and credential match
    • Enforce resets or additional access controls
  • Malware Exposure Grouping
    Malware-related records are grouped into comprehensive incidents, allowing analysts to understand the full scope of an infection
  • Advanced Enrichment
    Use XSOAR’s DBot to call SpyCloud’s API for deep incident enrichment. Query by email, IP, domain, username, or password to bring in user exposure history or targeted infection data for threat hunting and post-infection remediation.