ASM - attack surface management listing both assets and potential phishing domains
Combo - focuses on combo lists that contain plaintext credentials
Creds - focuses on 3rd party breaches that contain credentials
Darkweb - focuses on company data being leaked or sold on the darkweb
Monitor - manages monitored assets
Radar - focuses on domains that threat actors have announced as targets
Sessions - focuses on session tokens extracted from malware infected devices
Stealer - focuses on credentials extracted from malware infected devices
Endpoint :
Domain Name | Path | | |
---|
api.breachsense.com | /asm | | |
Supported Parameters :
Parameter | Description | |
---|
assets | filter results to only display assets | |
date | only display results newer that this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header | |
pphish | filter results to only display potential phishing domains | |
r | return the number of remaining monthly queries allowed | |
search | accepts a domain name or email address | |
update | return the Unix timestamp the combo database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch) | |
Output* :
JSON Key | Value | | |
---|
cname | The CNAME of the domain name identified | | |
dom | The domain name found | | |
found | The date (in YYYYMMDD or unixtime format) the domain was found | | |
ip | The IP address of the domain name identified | | |
type | The type of asset identified ns represents a nameserver mx represents a mail server ast represents a domain name asset. pphish represents a potential phishing domain found. | | |
* Output based on domain names configured in the monitor API endpoint. | | | |
Endpoint :
Domain Name | Path | | |
---|
api.breachsense.com | /combo | | |
Supported Parameters :
Parameter | Description | |
---|
count | display the number of results available for a given target | |
date | only display results newer that this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header | |
p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. | |
r | return the number of remaining monthly queries allowed | |
search | accepts a domain name or email address | |
update | return the Unix timestamp the combo database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch) | |
Output* :
JSON Key | Value | | |
---|
cnt | The number of results available for the searched target | | |
fle | The file name the credential was found in | | |
fnd | The date (in YYYYMMDD or unixtime format) the credentials were found | | |
pwd | The password used to authenticate | | |
src | The target URL or IP that the victim authenticated to | | |
usr | The username used to authenticate | | |
* Output dependant on which values were present in the original leak. | | | |
Test Data :
Endpoint :
Domain Name | Path | | |
---|
api.breachsense.com | /creds | | |
Supported Parameters :
Parameter | Description | |
---|
attr | display a short description of the breach | |
count | display the number of results available for a given target | |
csv | display results in CSV format (default is JSON) | |
date | only display results newer that this value. Value set in YYYYMMDD or unixtime formats | |
hash | return a 0 if the password is in hashed format and a 1 if the password has been decrypted | |
import | display the date the breach was imported into the database | |
lic | license key can be sent via a GET parameter or request header | |
list | list the breaches and dates they were imported | |
limit | increase / decrease the number of records returned in the response | |
p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. results are limited to 500 credentials per request (by default). | |
r | return the number of remaining monthly queries allowed | |
search | accepts a domain name or email address | |
update | return the Unix timestamp the creds database was last updated | |
uniq | return a list of all unique email addresses and plaintext passwords | |
unixtime | display the import date in unixtime (aliases: unix,epoch | |
Output :
JSON Key | Value | | |
---|
atr | The attribution data associated with the breach | | |
cnt | The number of results available for the searched target | | |
eml | The email address used to authenticate | | |
imp | The date (in YYYYMMDD format) the breach was found | | |
pwd | The password used to authenticate | | |
src | The name of the breached website or collection | | |
Test Data :
Endpoint :
Domain Name | Path | | |
---|
api.breachsense.com | /darkweb | | |
Supported Parameters :
Parameter | Description | |
---|
date | only display results newer that this value. Value set in YYYYMMDD or unixtime formats | |
desc | display a short description of the victim | |
lic | license key can be sent via a GET parameter or request header | |
r | return the number of remaining monthly queries allowed | |
range | range - accepts a date range in YYYYMMDD-YYYYMMDD format (30 day limit) | |
search | search term - accepts a domain name | |
tadesc | display a short description of the threat actor | |
update | return the Unix timestamp the darkweb database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch) | |
Output :
JSON Key | Value | | |
---|
data | The domain name associated with the victim | | |
desc | A short description of the victim | | |
found | The date the data was indexed (in YYYYMMDD format) | | |
name | The company name of the victim | | |
site | The name of the threat actor | | |
src | A URL containing data associated with the target | | |
tadesc | A short description of the threat actor | | |
Test Data :
Parameter | String | | |
---|
search | example.com | | |
Endpoint :
Domain Name | Path | | |
---|
api.breachsense.com | /monitor | | |
Supported Parameters :
Parameter | Description | |
---|
action | manage monitored assets must be set to add, del or list | |
ast | add/delete the asset you wish to monitor must be used in conjunction with the action parameter | |
lic | license key can be sent via a GET parameter or request header | |
notify | add/delete the email address or webhook you wish to receive alerts at must be used in conjunction with the action parameter | |
creds | add/delete the basic auth credentials you wish to use when sending an alert to a webhook must be used in conjunction with the action parameter | |
Output :
JSON Key | Value | | |
---|
ast | asset that will be monitored | | |
notify | email or webhook that will be notified | | |
Endpoint :
Domain Name | Path | | |
---|
api.breachsense.com | /radar | | |
Supported Parameters :
Parameter | Description | |
---|
date | only display results newer that this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header | |
r | return the number of remaining monthly queries allowed | |
search | search term - accepts a domain name | |
update | return the Unix timestamp the radar database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch | |
Output :
JSON Key | Value | | |
---|
data | The domain name associated with the victim | | |
found | The date the data was indexed (in YYYYMMDD format) | | |
src | A URL containing data associated with the target | | |
Test Data :
Parameter | String | | |
---|
search | example.com | | |
Endpoint :
Domain Name | Path | | |
---|
api.breachsense.com | /sessions | | |
Supported Parameters :
Parameter | Description | |
---|
date | only display results newer that this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header | |
r | return the number of remaining monthly queries allowed | |
search | search term - accepts a domain name, email address or IP address | |
update | return the Unix timestamp the sessions database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch | |
Output :
JSON Key | Value | | |
---|
dom | The domain name associated with the victim | | |
expires | The date (in unixtime) that the cookie is set to expire | | |
fnd | The date the data was found (in YYYYMMDD format) | | |
name | The name of the cookie | | |
path | The cookie path | | |
val | The value of the cookie | | |
Test Data :
Parameter | String | | |
---|
search | example.com | | |
Endpoint :
Domain Name | Path | | |
---|
api.breachsense.com | /stealer | | |
Supported Parameters :
Parameter | Description | |
---|
count | display the number of results available for a given target | |
date | only display results newer that this value. Value set in YYYYMMDD or unixtime formats | |
lic | license key can be sent via a GET parameter or request header | |
p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. | |
r | return the number of remaining monthly queries allowed | |
search | search term - accepts a domain name, email address, IP address, crypto wallet address, or a truncated credit card number (e.g. 123456-1234) | |
update | return the Unix timestamp the stealer database was last updated | |
unixtime | display the import date in unixtime (aliases: unix,epoch | |
Output* :
JSON Key | Value | | |
---|
ccn | The disclosed credit card number | | |
ccx | The exposed credit card number’s expiration date | | |
cnt | The number of results available for the searched target | | |
cwa | The exposed crypto wallet address | | |
bid | The build ID of the malware | | |
fle | The file name the credential was found in | | |
fnd | The date the credential was found | | |
hid | The hardware ID of the infected device | | |
iip | The IP address of the infected device | | |
inf | The date the machine was infected on | | |
mac | The name assigned to the infected device | | |
mal | The type of malware infected on the device | | |
nme | The user logged in on the infected device | | |
os | The operating system installed on the infected device | | |
pth | The filesystem path for the malware executable | | |
pwd | The password used to authenticate | | |
src | The target URL or IP that the victim authenticated to | | |
usr | The username used to authenticate to the target | | |
* Output dependant on which values were present in the original leak. | | | |
Test Data :