Breachsense CTI API Documentation

ASM - attack surface management listing both assets and potential phishing domains
Combo - focuses on combo lists that contain plaintext credentials
Creds - focuses on 3rd party breaches that contain credentials
Darkweb - focuses on company data being leaked or sold on the darkweb
Monitor - manages monitored assets
Radar - focuses on domains that threat actors have announced as targets
Sessions - focuses on session tokens extracted from malware infected devices
Stealer - focuses on credentials extracted from malware infected devices

    Endpoint :

    Domain NamePath
    api.breachsense.com/asm

    Supported Parameters :

    ParameterDescription
    assetsfilter results to only display assets
    dateonly display results newer that this value. Value set in YYYYMMDD or unixtime formats
    liclicense key
    can be sent via a GET parameter or request header
    pphishfilter results to only display potential phishing domains
    rreturn the number of remaining monthly queries allowed
    searchaccepts a domain name or email address
    updatereturn the Unix timestamp the combo database was last updated
    unixtimedisplay the import date in unixtime (aliases: unix,epoch)

    Output* :

    JSON KeyValue
    cnameThe CNAME of the domain name identified
    domThe domain name found
    foundThe date (in YYYYMMDD or unixtime format) the domain was found
    ipThe IP address of the domain name identified
    typeThe type of asset identified
    ns represents a nameserver
    mx represents a mail server
    ast represents a domain name asset.
    pphish represents a potential phishing domain found.
    * Output based on domain names configured in the monitor API endpoint.

    Endpoint :

    Domain NamePath
    api.breachsense.com/combo

    Supported Parameters :

    ParameterDescription
    dateonly display results newer that this value. Value set in YYYYMMDD or unixtime formats
    liclicense key
    can be sent via a GET parameter or request header
    rreturn the number of remaining monthly queries allowed
    searchaccepts a domain name or email address
    updatereturn the Unix timestamp the combo database was last updated
    unixtimedisplay the import date in unixtime (aliases: unix,epoch)

    Output* :

    JSON KeyValue
    fndThe date (in YYYYMMDD or unixtime format) the credentials were found
    fleThe file name the credential was found in
    pwdThe password used to authenticate
    srcThe target URL or IP that the victim authenticated to
    usrThe username used to authenticate
    * Output dependant on which values were present in the original leak.

    Test Data :

    ParameterString
    search[email protected]

    Endpoint :

    Domain NamePath
    api.breachsense.com/creds

    Supported Parameters :

    ParameterDescription
    attrdisplay a short description of the breach
    csvdisplay results in CSV format (default is JSON)
    dateonly display results newer that this value. Value set in YYYYMMDD or unixtime formats
    hashreturn a 0 if the password is in hashed format and a 1 if the password has been decrypted
    importdisplay the date the breach was imported into the database
    liclicense key
    can be sent via a GET parameter or request header
    listlist the breaches and dates they were imported
    limitincrease / decrease the number of records returned in the response
    presults are limited to 500 credentials per request (by default)
    when an HTTP 206 response status is returned, pagination is required to view the remaining results.
    p is a numeric page value
    rreturn the number of remaining monthly queries allowed
    searchaccepts a domain name or email address
    updatereturn the Unix timestamp the creds database was last updated
    uniqreturn a list of all unique email addresses and plaintext passwords
    unixtimedisplay the import date in unixtime (aliases: unix,epoch

    Output :

    JSON KeyValue
    emlThe email address used to authenticate
    pwdThe password used to authenticate
    srcThe name of the breached website or collection
    atrThe attribution data associated with the breach
    impThe date (in YYYYMMDD format) the breach was found

    Test Data :

    ParameterString
    search[email protected]

    Endpoint :

    Domain NamePath
    api.breachsense.com/darkweb

    Supported Parameters :

    ParameterDescription
    dateonly display results newer that this value. Value set in YYYYMMDD or unixtime formats
    descdisplay a short description of the victim
    liclicense key
    can be sent via a GET parameter or request header
    rreturn the number of remaining monthly queries allowed
    rangerange - accepts a date range in YYYYMMDD-YYYYMMDD format (30 day limit)
    searchsearch term - accepts a domain name
    tadescdisplay a short description of the threat actor
    updatereturn the Unix timestamp the darkweb database was last updated
    unixtimedisplay the import date in unixtime (aliases: unix,epoch)

    Output :

    JSON KeyValue
    dataThe domain name associated with the victim
    descA short description of the victim
    foundThe date the data was indexed (in YYYYMMDD format)
    nameThe company name of the victim
    siteThe name of the threat actor
    srcA URL containing data associated with the target
    tadescA short description of the threat actor

    Test Data :

    ParameterString
    searchexample.com

    Endpoint :

    Domain NamePath
    api.breachsense.com/monitor

    Supported Parameters :

    ParameterDescription
    actionmanage monitored assets
    must be set to add, del or list
    astadd/delete the asset you wish to monitor
    must be used in conjunction with the action parameter
    liclicense key
    can be sent via a GET parameter or request header
    notifyadd/delete the email address or webhook you wish to receive alerts at
    must be used in conjunction with the action parameter
    credsadd/delete the basic auth credentials you wish to use when sending an alert to a webhook
    must be used in conjunction with the action parameter

    Output :

    JSON KeyValue
    notifyemail or webhook that will be notified
    astasset that will be monitored

    Endpoint :

    Domain NamePath
    api.breachsense.com/radar

    Supported Parameters :

    ParameterDescription
    dateonly display results newer that this value. Value set in YYYYMMDD or unixtime formats
    liclicense key
    can be sent via a GET parameter or request header
    rreturn the number of remaining monthly queries allowed
    searchsearch term - accepts a domain name
    updatereturn the Unix timestamp the radar database was last updated
    unixtimedisplay the import date in unixtime (aliases: unix,epoch

    Output :

    JSON KeyValue
    dataThe domain name associated with the victim
    foundThe date the data was indexed (in YYYYMMDD format)
    srcA URL containing data associated with the target

    Test Data :

    ParameterString
    searchexample.com

    Endpoint :

    Domain NamePath
    api.breachsense.com/sessions

    Supported Parameters :

    ParameterDescription
    dateonly display results newer that this value. Value set in YYYYMMDD or unixtime formats
    liclicense key
    can be sent via a GET parameter or request header
    rreturn the number of remaining monthly queries allowed
    searchsearch term - accepts a domain name, email address or IP address
    updatereturn the Unix timestamp the sessions database was last updated
    unixtimedisplay the import date in unixtime (aliases: unix,epoch

    Output :

    JSON KeyValue
    domThe domain name associated with the victim
    expiresThe date (in unixtime) that the cookie is set to expire
    fndThe date the data was found (in YYYYMMDD format)
    nameThe name of the cookie
    pathThe cookie path
    valThe value of the cookie

    Test Data :

    ParameterString
    searchexample.com

    Endpoint :

    Domain NamePath
    api.breachsense.com/stealer

    Supported Parameters :

    ParameterDescription
    dateonly display results newer that this value. Value set in YYYYMMDD or unixtime formats
    liclicense key
    can be sent via a GET parameter or request header
    rreturn the number of remaining monthly queries allowed
    searchsearch term - accepts a domain name, email address, IP address, crypto wallet address, or a truncated credit card number (e.g. 123456-1234)
    updatereturn the Unix timestamp the stealer database was last updated
    unixtimedisplay the import date in unixtime (aliases: unix,epoch

    Output* :

    JSON KeyValue
    ccnThe disclosed credit card number
    ccxThe exposed credit card number’s expiration date
    cwaThe exposed crypto wallet address
    bidThe build ID of the malware
    fleThe file name the credential was found in
    fndThe date the credential was found
    hidThe hardware ID of the infected device
    iipThe IP address of the infected device
    infThe date the machine was infected on
    macThe name assigned to the infected device
    malThe type of malware infected on the device
    nmeThe user logged in on the infected device
    osThe operating system installed on the infected device
    pthThe filesystem path for the malware executable
    pwdThe password used to authenticate
    srcThe target URL or IP that the victim authenticated to
    usrThe username used to authenticate to the target
    * Output dependant on which values were present in the original leak.

    Test Data :

    ParameterString
    search[email protected]
    411111-1111

    ©2024 Breachsense - All Rights Reserved