ASM - attack surface management, listing both assets and potential phishing domains
Combo - focuses on combo lists that contain plaintext credentials
Creds - focuses on third-party breaches that contain credentials
Darkweb - focuses on company data being leaked or sold on the darkweb
Monitor - manages monitored assets
Radar - focuses on domains that threat actors are chatting about, either as a target or selling their data
Secrets - focuses on secret keys leaked in publicly available code repositories
Sessions - focuses on session tokens extracted from malware-infected devices
Stealer - focuses on credentials extracted from malware-infected devices

Endpoint

| Domain Name | Path |
|---|---|
| api.breachsense.com | /asm |

Supported Parameters

| Parameter | Description |
|---|---|
| assets | filter results to only display assets |
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example:<br>`curl "https://api.breachsense.com/asm?lic=[LicenseKey]&search=[DomainName]"`<br>`curl -H "lic: LicenseKey" "https://api.breachsense.com/asm?search=[DomainName]"` |
| pphish | filter results to only display potential phishing domains |
| r | return the number of remaining monthly queries allowed |
| search | accepts a domain name or email address |
| update | return the Unix timestamp the combo database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |

Output**

| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| cname* | The CNAME of the domain name identified |
| dom | The domain name found |
| found | The date (in YYYYMMDD or unixtime format) the domain was found |
| ip* | The IP address of the domain name identified |
| type | The type of asset identified:<br>ns represents a nameserver<br>mx represents a mail server<br>ast represents a domain name asset<br>pphish represents a potential phishing domain found |

\* Optional JSON object keys

\*\* Output based on domain names configured in the monitor API endpoint

Endpoint

| Domain Name | Path |
|---|---|
| api.breachsense.com | /combo |

Supported Parameters

| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example:<br>`curl "https://api.breachsense.com/combo?lic=[LicenseKey]&search=[DomainName]"`<br>`curl -H "lic: LicenseKey" "https://api.breachsense.com/combo?search=[DomainName]"` |
| p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. |
| r | return the number of remaining monthly queries allowed |
| search | accepts a domain name or email address |
| update | return the Unix timestamp the combo database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |

Output

| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| cnt* | The number of results available for the searched target |
| fle | The file name the credential was found in |
| fnd | The date (in YYYYMMDD or unixtime format) the credentials were found |
| pwd | The password used to authenticate |
| src* | The target URL or IP that the victim authenticated to |
| usr | The username used to authenticate |

\* Optional JSON object keys

Test Data:

| Parameter | String |
|---|---|
| search | ignore@example.com |

Endpoint

| Domain Name | Path |
|---|---|
| api.breachsense.com | /creds |

Supported Parameters

| Parameter | Description |
|---|---|
| attr | display a short description of the breach |
| count | display the number of results available for a given target |
| csv | display results in CSV format (default is JSON) |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| hash | return a 0 if the password is in hashed format and a 1 if the password has been decrypted |
| lic | license key can be sent via a GET parameter or request header, for example:<br>`curl "https://api.breachsense.com/creds?lic=[LicenseKey]&search=[DomainName]"`<br>`curl -H "lic: LicenseKey" "https://api.breachsense.com/creds?search=[DomainName]"` |
| list | list the breaches and dates they were imported |
| limit | increase / decrease the number of records returned in the response |
| p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. results are limited to 500 credentials per request (by default). |
| r | return the number of remaining monthly queries allowed |
| search | accepts a domain name or email address |
| update | return the Unix timestamp the creds database was last updated |
| uniq | return a list of all unique email addresses and plaintext passwords |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |

Output

| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| atr* | The attribution data associated with the breach |
| cnt* | The number of results available for the searched target |
| eml | The email address used to authenticate |
| fnd | The date (in YYYYMMDD format) the breach was found |
| pwd | The password used to authenticate |
| src | The name of the breached website or collection |

\* Optional JSON object keys

Test Data:

| Parameter | String |
|---|---|
| search | ignore@example.com |

Endpoint

| Domain Name | Path |
|---|---|
| api.breachsense.com | /darkweb |

Supported Parameters

| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| desc | display a short description of the victim |
| lic | license key can be sent via a GET parameter or request header, for example:<br>`curl "https://api.breachsense.com/darkweb?lic=[LicenseKey]&search=[DomainName]"`<br>`curl -H "lic: LicenseKey" "https://api.breachsense.com/darkweb?search=[DomainName]"` |
| r | return the number of remaining monthly queries allowed |
| range | range - accepts a date range in YYYYMMDD-YYYYMMDD format (30 day limit) |
| search | search term - accepts a domain name |
| tadesc | display a short description of the threat actor |
| update | return the Unix timestamp the darkweb database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |

Output

| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| data | The domain name associated with the victim |
| desc* | A short description of the victim |
| found | The date the data was indexed (in YYYYMMDD format) |
| img* | A signed URL linking to a screenshot of the relevant data. The URL is valid for 20 minutes. This output is only available in the Business and Enterprise tiers. |
| name | The company name of the victim |
| site | The name of the threat actor |
| src | A URL containing data associated with the target |
| tadesc* | A short description of the threat actor |

\* Optional JSON object keys

Test Data:

| Parameter | String |
|---|---|
| search | example.com |

Endpoint

| Domain Name | Path |
|---|---|
| api.breachsense.com | /monitor |

Supported Parameters

| Parameter | Description |
|---|---|
| action | manage monitored assets; must be set to add, del, list or test |
| ast | add/delete the asset you wish to monitor.<br>per-asset notifications can be set using the :: separator, e.g.: `example.com::soc@example.com` or `example.com::https://user:pass@www.example.com/Path/To/Webhook`<br>monitored session tokens are set similarly: `example.com::JSESSIONID`, `example.com::JSESSIONID::soc@example.com`<br>must be used in conjunction with the action parameter |
| lic | license key can be sent via a GET parameter or request header, for example:<br>`curl "https://api.breachsense.com/monitor?lic=[LicenseKey]&action=add&ast=[DomainName]"`<br>`curl -H "lic: LicenseKey" "https://api.breachsense.com/monitor?action=add&ast=[DomainName]"` |
| notify | add/delete the default email address or webhook you wish to receive alerts at.<br>this is used when a per-asset notification is not set.<br>must be used in conjunction with the action parameter |
| creds | add/delete the basic auth credentials you wish to use when sending an alert to a webhook.<br>must be used in conjunction with the action parameter |

Output

| JSON Key | Value |
|---|---|
| ast* | asset that will be monitored |
| notify* | email or webhook that will be notified |

\* Optional JSON object keys

Endpoint

| Domain Name | Path |
|---|---|
| api.breachsense.com | /radar |

Supported Parameters

| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example:<br>`curl "https://api.breachsense.com/radar?lic=[LicenseKey]&search=[DomainName]"`<br>`curl -H "lic: LicenseKey" "https://api.breachsense.com/radar?search=[DomainName]"` |
| r | return the number of remaining monthly queries allowed |
| search | search term - accepts a domain name |
| update | return the Unix timestamp the radar database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |

Output

| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| data | The domain name associated with the victim |
| found | The date the data was indexed (in YYYYMMDD format) |
| img* | A signed URL linking to a screenshot of the relevant data. The URL is valid for 20 minutes. This output is only available in the Business and Enterprise tiers. |
| src | A URL containing data associated with the target |

\* Optional JSON object keys

Test Data:

| Parameter | String |
|---|---|
| search | example.com |

Endpoint

| Domain Name | Path |
|---|---|
| api.breachsense.com | /secrets |

Supported Parameters

| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example:<br>`curl "https://api.breachsense.com/secrets?lic=[LicenseKey]&search=[DomainName]"`<br>`curl -H "lic: LicenseKey" "https://api.breachsense.com/secrets?search=[DomainName]"` |
| r | return the number of remaining monthly queries allowed |
| search | accepts a domain name or email address |
| update | return the Unix timestamp the combo database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |

Output

| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| id | The type of secret disclosed |
| dte | The date (in YYYYMMDD or unixtime format) the secret was found |
| src | The source URL where the secret was disclosed |
| eml | The email account associated with the code repository |

\* Optional JSON object keys

Test Data:

| Parameter | String |
|---|---|
| search | ignore@example.com |

Endpoint

| Domain Name | Path |
|---|---|
| api.breachsense.com | /sessions |

Supported Parameters

| Parameter | Description |
|---|---|
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example:<br>`curl "https://api.breachsense.com/sessions?lic=[LicenseKey]&search=[DomainName]"`<br>`curl -H "lic: LicenseKey" "https://api.breachsense.com/sessions?search=[DomainName]"` |
| r | return the number of remaining monthly queries allowed |
| search | search term - accepts a domain name, email address or IP address |
| update | return the Unix timestamp the sessions database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |

Output

| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| bid* | The build ID of the malware |
| dom | The domain name associated with the victim |
| expires | The date (in unixtime) that the cookie is set to expire |
| fle* | The file name the cookie was found in |
| fnd | The date the data was found (in YYYYMMDD format) |
| iip* | The IP address of the infected device |
| inf* | The date the machine was infected on |
| mal* | The type of malware infected on the device |
| name | The name of the cookie |
| nme | The name of the cookie |
| path | The cookie path |
| pth | The cookie path |
| val | The value of the cookie |

\* Optional JSON object keys

Test Data:

| Parameter | String |
|---|---|
| search | example.com |

Endpoint

| Domain Name | Path |
|---|---|
| api.breachsense.com | /stealer |

Supported Parameters

| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example:<br>`curl "https://api.breachsense.com/stealer?lic=[LicenseKey]&search=[DomainName]"`<br>`curl -H "lic: LicenseKey" "https://api.breachsense.com/stealer?search=[DomainName]"` |
| p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. |
| r | return the number of remaining monthly queries allowed |
| search | search term - accepts a domain name, email address, IP address, crypto wallet address, or a truncated credit card number (e.g. 123456-1234) |
| update | return the Unix timestamp the stealer database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |

Output

| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| ccn* | The disclosed credit card number |
| ccx* | The exposed credit card number's expiration date |
| cnt* | The number of results available for the searched target |
| cwa* | The exposed crypto wallet address |
| bid* | The build ID of the malware |
| fle | The file name the credential was found in |
| fnd | The date the credential was found |
| hid* | The hardware ID of the infected device |
| iip* | The IP address of the infected device |
| inf* | The date the machine was infected on |
| mac* | The name assigned to the infected device |
| mal* | The type of malware infected on the device |
| nme* | The user logged in on the infected device |
| os* | The operating system installed on the infected device |
| pth* | The filesystem path for the malware executable |
| pwd | The password used to authenticate |
| src | The target URL or IP that the victim authenticated to |
| usr | The username used to authenticate to the target |

\* Optional JSON object keys

Test Data:

| Parameter | String |
|---|---|
| search | ignore@example.com<br>411111-1111 |
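
Added example, not Breachsense's own code: a Python client for the `p` pagination described for /combo, /creds and /stealer, with the license key sent in the `lic` request header. It assumes the last page answers HTTP 200 and that each page body is a JSON array; `fetch_all`, `http_fetch` and `make_fake_fetch` are names made up here, and the sample records are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.breachsense.com"

def http_fetch(url, headers):
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def fetch_all(endpoint, search, lic, fetch=http_fetch, max_pages=1000, **params):
    """Request p=1, 2, 3, ... in order until the API stops answering HTTP 206."""
    records = []
    for page in range(1, max_pages + 1):
        query = urllib.parse.urlencode({**params, "search": search, "p": page})
        # The license key travels in the lic header, so it never appears in the
        # URL (and therefore not in proxy logs or shell history).
        status, body = fetch(f"{API_BASE}/{endpoint}?{query}", {"lic": lic})
        if status not in (200, 206):
            raise RuntimeError(f"/{endpoint} page {page}: unexpected HTTP {status}")
        data = json.loads(body) if body.strip() else []  # assumed: JSON array
        records.extend(data if isinstance(data, list) else [data])
        if status != 206:  # assumed: a 200 response marks the last page
            return records
    raise RuntimeError(f"/{endpoint}: still HTTP 206 after {max_pages} pages")

def make_fake_fetch(pages):
    """Constructed stand-in for the API: serves `pages` and records each call."""
    calls = []
    def fake(url, headers):
        calls.append((url, dict(headers)))
        p = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["p"][0])
        return (206 if p < len(pages) else 200), json.dumps(pages[p - 1])
    return fake, calls

if __name__ == "__main__":
    # Constructed sample records using the /stealer keys usr, src and fnd.
    sample = [[{"usr": "a@example.com", "src": "https://vpn.example.com", "fnd": "20240101"}],
              [{"usr": "b@example.com", "src": "https://mail.example.com", "fnd": "20240102"}]]
    fake, calls = make_fake_fetch(sample)
    rows = fetch_all("stealer", "example.com", "LICENSE-KEY-PLACEHOLDER", fetch=fake, date="20240101")
    print(len(rows), "records in", len(calls), "requests")
```

Records returned by these endpoints carry plaintext `pwd` values, so the collected list should go to storage with the same access controls as any other credential store.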