Breachsense CTI API Documentation

ASM - attack surface management, listing both assets and potential phishing domains
Combo - focuses on combo lists that contain plaintext credentials
Creds - focuses on third-party breaches that contain credentials
Darkweb - focuses on company data being leaked or sold on the darkweb
Monitor - manages monitored assets
Radar - focuses on domains that threat actors have announced as targets
Sessions - focuses on session tokens extracted from malware-infected devices
Stealer - focuses on credentials extracted from malware-infected devices

Endpoint :

Domain Name - api.breachsense.com
Path - /asm

Supported Parameters :

Parameter - Description
assets - filter results to only display assets
date - only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic - license key
  can be sent via a GET parameter or request header
pphish - filter results to only display potential phishing domains
r - return the number of remaining monthly queries allowed
search - accepts a domain name or email address
update - return the Unix timestamp the combo database was last updated
unixtime - display the import date in unixtime (aliases: unix, epoch)

Output* :

JSON Key - Value
cname - The CNAME of the domain name identified
dom - The domain name found
found - The date (in YYYYMMDD or unixtime format) the domain was found
ip - The IP address of the domain name identified
type - The type of asset identified
  ns represents a nameserver
  mx represents a mail server
  ast represents a domain name asset
  pphish represents a potential phishing domain found
* Output based on domain names configured in the monitor API endpoint.

Endpoint :

Domain Name - api.breachsense.com
Path - /combo

Supported Parameters :

Parameter - Description
count - display the number of results available for a given target
date - only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic - license key
  can be sent via a GET parameter or request header
p - to reduce latency for targets with many results, enable pagination via p=1 in the initial request.
  when an HTTP 206 response status is returned, increase the page number to view the next page.
  p is a numeric page value and must be accessed sequentially.
r - return the number of remaining monthly queries allowed
search - accepts a domain name or email address
update - return the Unix timestamp the combo database was last updated
unixtime - display the import date in unixtime (aliases: unix, epoch)

Output* :

JSON Key - Value
cnt - The number of results available for the searched target
fle - The file name the credential was found in
fnd - The date (in YYYYMMDD or unixtime format) the credentials were found
pwd - The password used to authenticate
src - The target URL or IP that the victim authenticated to
usr - The username used to authenticate
* Output dependent on which values were present in the original leak.

Test Data :

Parameter - String
search - [email protected]

Endpoint :

Domain Name - api.breachsense.com
Path - /creds

Supported Parameters :

Parameter - Description
attr - display a short description of the breach
count - display the number of results available for a given target
csv - display results in CSV format (default is JSON)
date - only display results newer than this value. Value set in YYYYMMDD or unixtime formats
hash - return a 0 if the password is in hashed format and a 1 if the password has been decrypted
import - display the date the breach was imported into the database
lic - license key
  can be sent via a GET parameter or request header
list - list the breaches and dates they were imported
limit - increase / decrease the number of records returned in the response
p - to reduce latency for targets with many results, enable pagination via p=1 in the initial request.
  when an HTTP 206 response status is returned, increase the page number to view the next page.
  p is a numeric page value and must be accessed sequentially.
  results are limited to 500 credentials per request (by default).
r - return the number of remaining monthly queries allowed
search - accepts a domain name or email address
update - return the Unix timestamp the creds database was last updated
uniq - return a list of all unique email addresses and plaintext passwords
unixtime - display the import date in unixtime (aliases: unix, epoch)

Output :

JSON Key - Value
atr - The attribution data associated with the breach
cnt - The number of results available for the searched target
eml - The email address used to authenticate
imp - The date (in YYYYMMDD format) the breach was found
pwd - The password used to authenticate
src - The name of the breached website or collection

Test Data :

Parameter - String
search - [email protected]

Endpoint :

Domain Name - api.breachsense.com
Path - /darkweb

Supported Parameters :

Parameter - Description
date - only display results newer than this value. Value set in YYYYMMDD or unixtime formats
desc - display a short description of the victim
lic - license key
  can be sent via a GET parameter or request header
r - return the number of remaining monthly queries allowed
range - accepts a date range in YYYYMMDD-YYYYMMDD format (30 day limit)
search - search term; accepts a domain name
tadesc - display a short description of the threat actor
update - return the Unix timestamp the darkweb database was last updated
unixtime - display the import date in unixtime (aliases: unix, epoch)

Output :

JSON Key - Value
data - The domain name associated with the victim
desc - A short description of the victim
found - The date the data was indexed (in YYYYMMDD format)
name - The company name of the victim
site - The name of the threat actor
src - A URL containing data associated with the target
tadesc - A short description of the threat actor

Test Data :

Parameter - String
search - example.com

Endpoint :

Domain Name - api.breachsense.com
Path - /monitor

Supported Parameters :

Parameter - Description
action - manage monitored assets
  must be set to add, del or list
ast - add/delete the asset you wish to monitor
  must be used in conjunction with the action parameter
lic - license key
  can be sent via a GET parameter or request header
notify - add/delete the email address or webhook you wish to receive alerts at
  must be used in conjunction with the action parameter
creds - add/delete the basic auth credentials you wish to use when sending an alert to a webhook
  must be used in conjunction with the action parameter

Output :

JSON Key - Value
ast - asset that will be monitored
notify - email or webhook that will be notified

Endpoint :

Domain Name - api.breachsense.com
Path - /radar

Supported Parameters :

Parameter - Description
date - only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic - license key
  can be sent via a GET parameter or request header
r - return the number of remaining monthly queries allowed
search - search term; accepts a domain name
update - return the Unix timestamp the radar database was last updated
unixtime - display the import date in unixtime (aliases: unix, epoch)

Output :

JSON Key - Value
data - The domain name associated with the victim
found - The date the data was indexed (in YYYYMMDD format)
src - A URL containing data associated with the target

Test Data :

Parameter - String
search - example.com

Endpoint :

Domain Name - api.breachsense.com
Path - /sessions

Supported Parameters :

Parameter - Description
date - only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic - license key
  can be sent via a GET parameter or request header
r - return the number of remaining monthly queries allowed
search - search term; accepts a domain name, email address or IP address
update - return the Unix timestamp the sessions database was last updated
unixtime - display the import date in unixtime (aliases: unix, epoch)

Output :

JSON Key - Value
dom - The domain name associated with the victim
expires - The date (in unixtime) that the cookie is set to expire
fnd - The date the data was found (in YYYYMMDD format)
name - The name of the cookie
path - The cookie path
val - The value of the cookie

Test Data :

Parameter - String
search - example.com
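
Added example (not part of the Breachsense documentation): triaging /sessions output so that cookies which are still valid are revoked first, and the token value is carried forward only as a SHA-256 fingerprint. It assumes the response is a list of objects with the keys listed above and that expires is in seconds; the function name and sample records are constructed for illustration.

```python
import hashlib
import time

# Constructed records using the /sessions output keys; not real data.
SAMPLE = [
    {"dom": "example.com", "expires": 1800000000, "fnd": "20231101", "name": "sid", "path": "/", "val": "CONSTRUCTED-TOKEN-1"},
    {"dom": "example.com", "expires": 1800000000, "fnd": "20231101", "name": "sid", "path": "/", "val": "CONSTRUCTED-TOKEN-1"},
    {"dom": "example.com", "expires": 1600000000, "fnd": "20231101", "name": "old", "path": "/", "val": "CONSTRUCTED-TOKEN-2"},
    {"dom": "app.example.com", "fnd": "20231102", "name": "auth", "path": "/", "val": "CONSTRUCTED-TOKEN-3"},
    {"dom": "example.com", "expires": "1750000000", "fnd": "20231102", "name": "jwt", "path": "/api", "val": "CONSTRUCTED-TOKEN-4"},
]

def triage_sessions(records, now=None):
    """Split records into (live, expired) cookies, one entry per distinct cookie."""
    now = int(time.time()) if now is None else now
    live, expired, seen = [], [], set()
    for rec in records:
        key = (rec.get("dom"), rec.get("path"), rec.get("name"), rec.get("val"))
        if key in seen:  # the same cookie can be reported more than once
            continue
        seen.add(key)
        try:
            expires = int(rec.get("expires") or 0)
        except (TypeError, ValueError):
            expires = 0
        entry = {
            "dom": rec.get("dom"), "name": rec.get("name"),
            "path": rec.get("path"), "fnd": rec.get("fnd"), "expires": expires,
            # The fingerprint lets a session store be searched without copying the token.
            "val_sha256": hashlib.sha256(str(rec.get("val", "")).encode()).hexdigest(),
        }
        # Assumption: a missing or unparsable expiry is treated as still live.
        (live if expires == 0 or expires > now else expired).append(entry)
    # Unknown expiry first, then the longest-lived cookies.
    live.sort(key=lambda e: (e["expires"] != 0, -e["expires"]))
    return live, expired
```
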

Endpoint :

Domain Name - api.breachsense.com
Path - /stealer

Supported Parameters :

Parameter - Description
count - display the number of results available for a given target
date - only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic - license key
  can be sent via a GET parameter or request header
p - to reduce latency for targets with many results, enable pagination via p=1 in the initial request.
  when an HTTP 206 response status is returned, increase the page number to view the next page.
  p is a numeric page value and must be accessed sequentially.
r - return the number of remaining monthly queries allowed
search - search term; accepts a domain name, email address, IP address, crypto wallet address, or a truncated credit card number (e.g. 123456-1234)
update - return the Unix timestamp the stealer database was last updated
unixtime - display the import date in unixtime (aliases: unix, epoch)

Output* :

JSON Key - Value
ccn - The disclosed credit card number
ccx - The exposed credit card number’s expiration date
cnt - The number of results available for the searched target
cwa - The exposed crypto wallet address
bid - The build ID of the malware
fle - The file name the credential was found in
fnd - The date the credential was found
hid - The hardware ID of the infected device
iip - The IP address of the infected device
inf - The date the machine was infected on
mac - The name assigned to the infected device
mal - The type of malware infected on the device
nme - The user logged in on the infected device
os - The operating system installed on the infected device
pth - The filesystem path for the malware executable
pwd - The password used to authenticate
src - The target URL or IP that the victim authenticated to
usr - The username used to authenticate to the target
* Output dependent on which values were present in the original leak.

Test Data :

Parameter - String
search - [email protected]
  411111-1111
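
Added example (not part of the Breachsense documentation): the p pagination described for the combo, creds and stealer endpoints, walked sequentially from p=1 while the API answers HTTP 206, with passwords redacted before anything is logged. Assumptions: HTTPS, a JSON array per page, and HTTP 200 on the last page; the function names are illustrative, and the lic GET parameter is used because the page does not name the request header.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://api.breachsense.com"  # scheme assumed; the page lists host and path only

def http_get(url):
    """Default transport: return (status, body_text) for one GET."""
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def fetch_all(path, search, lic, get=http_get, max_pages=1000):
    """Request p=1, 2, 3, ... in order while the API answers HTTP 206."""
    records = []
    for page in range(1, max_pages + 1):
        query = urllib.parse.urlencode({"lic": lic, "search": search, "p": page})
        status, body = get(f"{BASE}/{path}?{query}")
        if status not in (200, 206):
            # The URL carries the license key, so it is kept out of the message.
            raise RuntimeError(f"{path} page {page}: unexpected HTTP {status}")
        data = json.loads(body)  # assumed: each page is a JSON array of objects
        if not isinstance(data, list):
            raise ValueError(f"{path} page {page}: expected a JSON array")
        records.extend(data)
        if status == 200:  # assumed: anything other than 206 means no further pages
            return records
    raise RuntimeError(f"{path}: still HTTP 206 after {max_pages} pages")

def redact(record):
    """Copy of a record that is safe to log: pwd is replaced by its length."""
    safe = dict(record)
    if "pwd" in safe:
        safe["pwd"] = f"<redacted:{len(str(safe['pwd']))} chars>"
    return safe
```

Because the key travels in the query string here, it will appear in proxy and access logs along the path; the transport is injectable so it can be swapped for one that sends the key in a header once the header name is known.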