What Types of Events are Covered?
Leaked Credentials
These events involve compromised credentials such as email addresses, usernames, and passwords. They may originate from infostealer malware infections on personal devices, data breaches, public exposures, or combolists found on dark web forums.
Ransomware / Hacker Group
These events occur when your asset is referenced on websites operated by adversary groups, including ransomware gangs, APTs, or other hacker collectives. Such sites typically publish stolen databases and sensitive information about targeted organizations, making any mention of your asset highly critical.
Doxxing
These events involve doxxing attempts - the public exposure of personally identifiable information (PII) related to an individual or organization, often with malicious intent.
DDoS
These events signal references to your asset in the context of a distributed denial-of-service (DDoS) attack, which is an attempt to overwhelm and disrupt the normal traffic of a targeted web service. If your asset is mentioned, your infrastructure may be under threat or already experiencing downtime.
What Types of Sub-Events are Covered?
Leaked Credentials - Infostealer
Indicates that credentials were exposed from a device associated with your organization that was infected by infostealer malware. These events typically include device metadata (e.g., HWID, IP address) and compromised credentials (login URL, email, username, and password). This sub-event is considered highly critical.
Leaked Credentials - Data Breach
Represents credentials found in a data breach file detected on the dark web. These files usually contain information stolen during a confirmed breach of an organization, and your asset appears within that compromised dataset.
Leaked Credentials - Leaked Client Login Data
Indicates that credentials linked to a client device (not owned by your organization) were compromised by infostealer malware. The leaked data includes device metadata and login credentials. This sub-event typically has lower severity.
Data Breach for Sale
Your organization’s asset is mentioned in a dark web post advertising or offering a data breach for sale. This suggests that your organization may have suffered a breach, and the stolen data is now circulating or being sold.
Ransomware Blog Mention
Your asset is referenced on websites operated by adversarial groups such as ransomware gangs, APTs, or hacker collectives. These blogs typically publish sensitive data from their victims, and any mention is considered highly critical.
Personal Information Exposure
Refers to incidents involving the unauthorized disclosure of personal or sensitive information tied to your asset - often in the context of doxxing. This may include names, addresses, phone numbers, or other personally identifiable information, potentially linked to malicious targeting.
DDoS Attack Indication
Signals that your asset has been identified in connection with Distributed Denial-of-Service (DDoS) activity. This may mean your domain is being actively targeted or leveraged as part of a DDoS campaign.
What Types of Assets are Covered?
An asset refers to a specific digital identifier that our users choose to monitor for cyber threats. Currently, supported asset types include domains, email addresses, and IP addresses. These are the individual elements the system tracks for exposure, compromise, or mention in threat sources.
*The assets are defined and managed exclusively through the Lunar platform.
What is a Group Name?
A group name is a custom label defined by our users via the **Lunar platform**, used to logically group related assets (e.g., under an organization, department, or brand name). For example, all assets related to a company might be grouped under "acme_corp" for easier filtering and analysis.
How are events sorted in the response?
To ensure effective pagination, events are sorted by the created_date field in ascending order - from the oldest to the newest.
How long is historical event data retained?
Historical data is available for 1 year from the event’s creation date.
Are passwords and sensitive fields exposed in the API?
Passwords are masked or exposed based on the Admin's configuration in your Lunar account.
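The following is an added example, not code from the Lunar platform or its API, showing how a poller would consume this feed given the points above: the sub-event severities stated in this FAQ, the ascending created_date order used for pagination, and the possibility that passwords arrive unmasked. Field names, the ISO-8601 timestamp format and the sample events are assumptions constructed for the example.

```python
from datetime import datetime

# Severity for the sub-events this page rates; sub-events it does not rate are
# tagged "review" here, which is an assumption, not the platform's own rating.
SEVERITY = {
    "Leaked Credentials - Infostealer": "critical",
    "Ransomware Blog Mention": "critical",
    "Leaked Credentials - Leaked Client Login Data": "low",
}

def parse_ts(value):
    """created_date is assumed to be an ISO-8601 timestamp with a UTC offset."""
    return datetime.fromisoformat(value)

def triage(page, last_seen):
    """Process one page of events. Relies on the ascending created_date order the
    FAQ documents: events at or before the last_seen high-water mark were handled
    by an earlier poll and are skipped, and the last event accepted becomes the new
    mark. The password field is dropped before the record is forwarded, so the
    stored copy never depends on the account's masking setting."""
    records, mark, prev = [], last_seen, None
    for ev in page:
        ts = parse_ts(ev["created_date"])
        if prev is not None and ts < prev:
            # Resuming by high-water mark is only safe if the order really is ascending.
            raise ValueError("page is not sorted by created_date ascending")
        prev = ts
        if ts <= last_seen:
            continue
        record = {k: v for k, v in ev.items() if k != "password"}
        record["severity"] = SEVERITY.get(ev["sub_event"], "review")
        records.append(record)
        mark = ts
    return records, mark

# Constructed sample page; field names are assumptions, not the real API schema.
SAMPLE_PAGE = [
    {"created_date": "2024-05-01T08:00:00+00:00", "sub_event": "Leaked Credentials - Infostealer",
     "asset": "example.com", "username": "jdoe@example.com", "password": "********"},
    {"created_date": "2024-05-01T09:30:00+00:00",
     "sub_event": "Leaked Credentials - Leaked Client Login Data",
     "asset": "example.com", "username": "client@example.com", "password": "********"},
    {"created_date": "2024-05-02T10:00:00+00:00", "sub_event": "Ransomware Blog Mention",
     "asset": "example.com"},
]

def poll_demo():
    """Resume from the first sample event's timestamp, as a poller would after a restart."""
    return triage(SAMPLE_PAGE, parse_ts("2024-05-01T08:00:00+00:00"))

if __name__ == "__main__":
    for rec in poll_demo()[0]:
        print(rec["severity"], rec["sub_event"], rec["asset"])
```

If several events can share the same created_date, also record the identifiers already seen at the mark, since resuming strictly after the timestamp would skip the rest of that second.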