Configuring the AlienApp for SpyCloud Dark Web Monitoring

Role Availability Read-Only Investigator Analyst Manager

To enable AlienApp for SpyCloud Dark Web Monitoring functionality within USM Anywhere, you must configure the AlienApp by setting up your watchlist or connecting your SpyCloud-managed watchlist. After this configuration is complete, the AlienApp for SpyCloud Dark Web Monitoring queries the SpyCloud API every 24 hours for information regarding all watchlist items. Then it parses all collected data and displays it as events Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall. and alarms Alarms provide notification of an event or sequence of events that require attention or investigation. in the USM Anywhere interface.

Required Connectivity on the USM Anywhere Sensor

An AlienApp operates through a deployed USM Anywhere Sensor. To use the AlienApp for SpyCloud Dark Web Monitoring, you must open the following ports on the sensor to support these functions.

Port Endpoint(s) Function
UDP, TCP port 53 8.8.8.8, 209.244.0.3, 64.6.64.6 Domain Name System (DNS) lookup to verify the domain
80, 443 Domain configured in the watchlist Validate the verification marker of the domain
443 api.spycloud.io Check the SpyCloud breach database

Configuration for SpyCloud Dark Web Monitoring

The AlienApp for SpyCloud Dark Web Monitoring supports two configuration types that USM Anywhere can use to query the SpyCloud database:

  • Domain and email watchlist defined for the AlienApp in USM Anywhere.

    This type of watchlist is limited to 1 domain and up to 10 email addresses. You do not need a SpyCloud account to use this feature. To monitor additional domains and emails through the AT&T Cybersecurity partnership with SpyCloud, complete the form on this page: https://cybersecurity.att.com/app/spycloud/signup.

  • A valid SpyCloud customer API key used to retrieve breach data from a watchlist managed in SpyCloud.

    When using the SpyCloud API key method, you do not need to manually add domain or email addresses in USM Anywhere. The AlienApp for SpyCloud Dark Web Monitoring retrieves all domains and email addresses from your existing SpyCloud watchlists.

You can use one of these configuration types to query the SpyCloud database and collect data for breach events for your users' credentials using a default collection job.

Define Your Watchlist in USM Anywhere

USM Anywhere supports a watchlist that includes 1 domain, a list of up to 10 email addresses, or both. When combining these watchlist item types, for example, you could add your company domain as well as a list of email addresses to expand the scope of monitoring to include personal accounts of top executives or other high-risk employees.

Note: USM Anywhere enforces this limitation across all of your deployed USM Anywhere Sensors. If you enable the AlienApp for SpyCloud Dark Web Monitoring on more than one sensor, the USM Anywhere user interface (UI) does not allow you to create new watchlist items if you have already reached the maximum across all sensors. If you add an email watchlist item that is already configured on another sensor, USM Anywhere removes the item from the other configuration to avoid duplication.

Monitoring a domain or email address using a watchlist managed by USM Anywhere requires verification:

  • Monitored domain: You can verify ownership by adding an automatically generated verification key to either the DNS record or a page on the domain website.

    Important: If you want to monitor a private domain, it must have DNS set (forward and reverse). Otherwise, USM Anywhere cannot locate the domain and validate the key.

  • Monitored email address: The address owner must click a link in a verification email sent by USM Anywhere.

When the SpyCloud collection job runs after validation of a new domain or email address, it collects all records related to the item from that point forward. Then USM Anywhere creates an event for each record and generates alarms for each breach event. If you want to generate events and alarms for all known records, you can use the AlienApp for SpyCloud Dark Web Monitoring app action to collect historical breach events.

To configure a watchlist for the AlienApp for SpyCloud Dark Web Monitoring

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. If you want to monitor a list of email addresses, click the Email Watchlist tab.

    The email watchlist supports up to 10 email addresses.

    1. For each address that you want to add, click Add Email.
    2. In the Add Email dialog box, enter the email address and click Add.

      Add an email address for the AlienApp for SpyCloud Dark Web Monitoring watchlist

      The email watchlist includes the new email address and the Verified status = No. USM Anywhere automatically sends a message to the email address to verify it. Upon verification, the AlienApp for SpyCloud Dark Web Monitoring includes the address in its event data queries.

      Review the initial query information for the email addresses you added

    3. If an email address remains unverified, click Resend Verification Email to send the message again.

    Note: The Add Email function is disabled when you enter a SpyCloud API key. The AlienApp for SpyCloud Dark Web Monitoring automatically retrieves the list of email addresses from your existing SpyCloud watchlists.

  5. If you want to monitor a domain, click the Domain Watchlist tab.

    The domain watchlist supports one domain.

    1. Click Add Domain.
    2. In the Add Domain dialog box, enter the domain and click Add.

      Add a domain for the AlienApp for SpyCloud Dark Web Monitoring watchlist

      This adds the domain to the watchlist, but it is not yet verified. Upon verification, the AlienApp for SpyCloud Dark Web Monitoring includes the domain in its event data queries.

      Review the initial query information for the domain you added

    3. Copy the value of the Verification Key and click Verify Domain.

      The Verify Domain dialog box provides instructions for adding the verification key to your domain.

      Choose a method to verify the domain in your AlienApp for SpyCloud Dark Web Monitoring watchlist

    4. When you have the information that you need, click Verify Domain to close the dialog box.

      This also executes a successful verification check if you have already completed the configuration, and an automated job that checks every six hours to verify the domain.

      Note: The monitored domain will be listed as Pending in the UI until the domain is verified. Once the domain has been verified and data collection is running, the domain status will be updated.
      After the domain has been verified but before any data has been collected, the domain status will be listed as No Records.

    Note: The Add Domain function is disabled when you enter a SpyCloud API key. The AlienApp for SpyCloud Dark Web Monitoring automatically retrieves the list of domains from your existing SpyCloud watchlists.

Use a Watchlist Managed in a SpyCloud Account

If your organization has a SpyCloud account and manages a watchlist in the SpyCloud portal, you can configure a connection in the AlienApp for SpyCloud Dark Web Monitoring so that USM Anywhere can retrieve the associated breach events. This provides a single view of security events and alarms in the USM Anywhere UI.

With a successful connection, the SpyCloud collection job includes all domains and email addresses in your SpyCloud watchlist to collect all records related to the item from that point forward. In addition, USM Anywhere creates an event for each record and generates alarms for each breach event. If you want to generate events and alarms for all known records, you can use the AlienApp for SpyCloud Dark Web Monitoring app action to collect historical breach events.

Important: If you previously enabled the AlienApp for SpyCloud Dark Web Monitoring using USM Anywhere-managed watchlist items and then you configure a connection to your SpyCloud account, USM Anywhere removes those watchlist items from its SpyCloud collection job. The collection job then only includes those items for your SpyCloud-managed watchlist.

To acquire your API key for SpyCloud

  1. Go to the SpyCloud portal and log in to your account.
  2. In the upper-right corner, click your username and select API Keys.

    Navigate to the API Keys page

  3. Copy the value for an existing key, or generate a new key for your USM Anywhere integration.

To connect the AlienApp for SpyCloud Dark Web Monitoring to your SpyCloud account

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  6. Click Change API key.
  7. Enter your key in the field.

    Select the Credentials tab and enter your SpyCloud API key

  8. Click Save.

    Note: By entering the API key, you allow the AlienApp for SpyCloud Dark Web Monitoring to retrieve all domains and email addresses from your existing SpyCloud watchlists. If you have manually added domain or email addresses to the AlienApp, they are removed. You will not be able to manually add domain or email addresses.

  9. Verify the connection.

    After USM Anywhere completes a successful connection to the SpyCloud APIs, a icon displays in the Health column.

    If the icon displays, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your SpyCloud connection.

AlienApp Log Collection

Once the AlienApp has been configured, you can choose to have USM Anywhere collect logs from the app on a regular basis.

To configure log collection for the AlienApp

  1. Go to Settings > Scheduler.
  2. In the Job Scheduler, search for the AlienApp on the sensor to which it was deployed.
  3. In the enabled column, click the icon for the inactive collection job.

    The icon turns green, and collection is enabled.

  4. (Optional.) Click the icon to customize the frequency of the event collection.