The Events API returns structured threat intelligence data related to monitored assets. Each response page includes up to 10 unique event items, representing individual cyber threat incidents.
Root Object
The Root Object is the top-level structure of the Events API response. It contains metadata about the query request and an array of matched event entries, each representing a distinct cyber event with its associated data.
Field Name | Type | Nullable | Description |
---|---|---|---|
source | string | No | Fixed value: lunar_threat_intel_feed |
events | array of objects | No | List of event objects |
totalEvents | integer | No | Total number of matching events |
moreEventsAvailable | integer | No | Number of additional events available |
next | string | Yes | URL for the next page (null if none) |
EventInfo Object
The EventInfo Object includes metadata about the event.
Field Name | Type | Nullable | Description |
---|---|---|---|
id | string | No | Unique event ID (UUID) |
link | string | No | URL to event detail |
crawled_date | ISO string | No | The date and time when the original threat was fetched by Webz |
created_date | ISO string | No | The date and time when the event was created |
type | string | No | Event type. e.g. leaked_credentials |
subtype | string | No | Event sub-types. e.g. leaked_credentials_infostealer |
severity | string | No | low, medium, high, critical |
status | string | No | open, fixed, closed |
description | string | No | A brief description of the detected threat and its context |
required_actions | string | Yes | Recommended actions to mitigate or remediate the identified threat |
AssetInfo Object
The AssetInfo Object describes the affected asset involved in the event.
Field Name | Type | Nullable | Description |
---|---|---|---|
id | integer | Yes | Unique asset ID |
type | string | No | Asset type. e.g. domain, email, ip |
value | string | No | Asset value |
group_name | string | No | Asset group name |
AccountInfo Object (Optional)
The AccountInfo Object provides details about a compromised account.
Field Name | Type | Nullable | Description |
---|---|---|---|
email | string | Yes | Compromised email address |
account_name | string | Yes | Compromised account username |
password | string | Yes | Compromised password |
password_type | string | Yes | *not available yet |
DeviceInfo Object (Optional)
The DeviceInfo Object includes details about the infected device, typically present in infostealer-related events.
Field Name | Type | Nullable | Description |
---|---|---|---|
exfiltration_date | ISO string | Yes | The date and time when the stealer log data was collected and exfiltrated from the infected device |
log_file_name | string | Yes | Stealer log file name |
hwid | string | Yes | Hardware ID of infected device |
ip_address | string | Yes | IP address of infected device |
location | object | Yes | Location details of the infected device |
country | string | Yes | Country code. e.g. CA |
city | string | Yes | City name |
zip_code | string | Yes | Zip code |
computer_username | string | Yes | Device username |
os | string | Yes | Operating system |
antivirus_software | array [list] | Yes | Installed AVs on the infected device |
malware_family | string | Yes | Malware family name. e.g. Redline |
malware_path | string | Yes | Path to malicious file on the infected device |
BreachInfo Object (Optional)
The BreachInfo Object contains contextual information about the data breach in which the credentials were found, including the breach name, type, and compromised assets.
Field Name | Type | Nullable | Description |
---|---|---|---|
type | string | Yes | Available breach types: infostealer, data_breach |
sub_type | string | Yes | *not available yet |
breach_date | ISO string | Yes | The date and time when the data breach occurred or was first publicly disclosed |
login_url | string | Yes | The URL linked to the compromised credentials |
login_domain | string | Yes | The domain extracted from the URL |
breach_name | string | Yes | The name of the breach |
compromised_assets | array | Yes | List of all affected asset types in the data breach |
PublicationSourceInfo Object (Optional)
The PublicationSourceInfo Object includes metadata about the original breach file, including its filename, publication date, and the source where Webz detected it.
Field Name | Type | Nullable | Description |
---|---|---|---|
published_date | ISO string | Yes | The date and time when the breach data was published online |
file_name | string | Yes | The name of original data breach file |
file_link | string | Yes | The download link of original data breach file |
post_url | string | Yes | The original post URL where the data breach file was detected |
site_domain | string | Yes | The site domain where the data breach file was detected |
site_name | string | Yes | The site name where the data breach file was detected |
site_type | string | Yes | The site type where the data breach file was detected. e.g. |
network | string | Yes | The network associated with the site where the data breach file was detected. e.g. |
categories | array | Yes | The categories associated with the site where the data breach file was detected. Categories include: For Telegram data only: For more details, please refer to this page. |
OriginalPostInfo Object (Optional)
The OriginalPostInfo Object provides metadata about the original dark web post in which the threat or compromised data was published.
Field Name | Type | Nullable | Description |
---|---|---|---|
title | string | Yes | The title of the post |
text | string | Yes | The body text of the post |
language | string | Yes | The primary language detected in the post text |
ord_in_thread | integer | Yes | The post’s position in the thread. 0 indicates the first post. |
categories | array | Yes | One or more cyber categories that the post content belongs to. Categories include: For more details, please refer to this page. |
risk_score | integer | Yes | The site name where the data breach file was detected |
AuthorExtendedInfo Object (Optional)
The AuthorExtendedInfo Object includes metadata about the author who published the original post or file where the threat was detected.
Field Name | Type | Nullable | Description |
---|---|---|---|
username | string | Yes | The author's username (publisher) of the post |
display_name | string | Yes | The author's visual name presented on the site |
id | string | Yes | The unique identifier of the user on the site |
link | integer | Yes | The unique hyperlink to the user information on the site |
adversary_group | array | Yes | *not available yet |
JSON Schema
{
  "source": "lunar_threat_intel_feed",
  "events": [
    {
      "event_info": {
        "id": "f7de9c73-30bc-328f-b226-58027512eb0f",
        "link": "https://lunar.api/events/XXXXXXXXX-XXXX-XXX-XXXX-XXXXXXXXX",
        "crawled_date": "2025-08-04T18:00:00.000+03:00",
        "created_date": "2025-08-04T18:12:00.000+03:00",
        "type": "leaked_credentials",
        "subtype": "leaked_credentials_infostealer",
        "severity": "critical",
        "status": "open",
        "description": "The email [email protected] was found in an infostealer leak. This stealer malware captures sensitive information, such as credentials from a device.",
        "required_actions": "1. Disconnect machine <HWID> from network. 2. Scan & Remove malware: start from the following path: <file path> 3. Scan the device for any additional malware; once clean - connect back to network. 4. Change Credentials: Update the password for the account linked to the leaked email. 5. Monitor accounts for suspicious activity. 6. Enforce MFA to prevent unauthorized access."
      },
      "asset_info": {
        "id": "94bd1d9fded1e40b8843f31df97b807eef35f6aa",
        "type": "domain",
        "value": "example.com",
        "group_name": "Example"
      },
      "account_info": {
        "email": "[email protected]",
        "account_name": null,
        "password": "admin123",
        "password_type": "plaintext"
      },
      "device_info": {
        "exfiltration_date": "2025-08-04T12:11:00.000+03:00",
        "log_file_name": "GR[7AFB0C*********EB27C90BA] [2025-08-04T12_11_52.1931867]",
        "hwid": "7AFB0C*********EB27C90BA",
        "ip_address": "102.38.248.0",
        "location": {
          "country": "GR",
          "city": "Portaria, Kentriki Makedonia",
          "zip_code": "63087"
        },
        "computer_username": "admin",
        "os": "Windows 10 Home x64",
        "antivirus_software": ["Windows Defender"],
        "malware_family": "Redline",
        "malware_path": "C:\\Users\\2024\\Pictures\\Minor Policy\\f1Lp2uk21C0jQ8KirMFAwKtq.exe"
      },
      "breach_info": {
        "type": "infostealer",
        "sub_type": null,
        "breach_date": null,
        "login_url": "https://abc.com/login/",
        "login_domain": "abc.com",
        "breach_name": null,
        "compromised_assets": ["email", "password"]
      },
      "publication_source_info": {
        "published_date": "2023-10-13T20:56:00.000+03:00",
        "file_name": null,
        "file_link": null,
        "post_url": null,
        "site_domain": "t.me",
        "site_name": null,
        "site_type": "chat",
        "network": "Telegram",
        "categories": ["group"]
      },
      "original_post_info": {
        "title": null,
        "text": null,
        "language": null,
        "ord_in_thread": null,
        "categories": null,
        "risk_score": null
      },
      "author_extended_info": {
        "username": "MoonLogsCloud",
        "display_name": "Moon Cloud | Free Logs",
        "id": "2475140777",
        "link": null,
        "adversary_group": null
      }
    }
  ],
  "totalEvents": 650,
  "moreEventsAvailable": 640,
  "next": "/LunarEventsFilter?token=XXXX-XXXX-XXXX-XXXX&since=0&to=1754226420000&from=10&severity=high"
}
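The following is an added example, not part of the original documentation or vendor code: one way a consumer might turn a response page into SIEM-ready alerts, tolerating the optional and nullable objects and never forwarding the leaked password itself. The names `to_alert`, `triage` and `SAMPLE_PAGE`, the `password_exposed` output field and the sample values are assumptions constructed for illustration.

```python
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample page (not real data), trimmed to the fields used below.
SAMPLE_PAGE = {
    "source": "lunar_threat_intel_feed",
    "events": [
        {"event_info": {"id": "evt-2", "severity": "high", "status": "open",
                        "subtype": "leaked_credentials_infostealer"},
         "asset_info": {"type": "email", "value": "ops@example.com"},
         "account_info": None},  # optional object present but null
        {"event_info": {"id": "evt-1", "severity": "critical", "status": "open",
                        "subtype": "leaked_credentials_infostealer"},
         "asset_info": {"type": "domain", "value": "example.com"},
         "account_info": {"email": "user@example.com", "password": "constructed-pw"},
         "device_info": {"hwid": "HWID-PLACEHOLDER", "malware_family": "Redline",
                         "location": {"country": "GR"}}},
        {"event_info": {"id": "evt-3", "severity": "critical", "status": "closed",
                        "subtype": "leaked_credentials_infostealer"},
         "asset_info": {"type": "domain", "value": "example.com"}},  # no optional objects
    ],
    "totalEvents": 3, "moreEventsAvailable": 0, "next": None,
}

def to_alert(event):
    """Flatten one event; optional objects may be absent or null."""
    info, asset = event["event_info"], event["asset_info"]
    account = event.get("account_info") or {}
    device = event.get("device_info") or {}
    location = device.get("location") or {}
    return {
        "event_id": info["id"],
        "severity": info["severity"],
        "subtype": info["subtype"],
        "asset": asset["value"],
        "account": account.get("email") or account.get("account_name"),
        # Record that a secret leaked, but keep the secret out of downstream logs.
        "password_exposed": bool(account.get("password")),
        "hwid": device.get("hwid"),
        "country": location.get("country"),
        "malware_family": device.get("malware_family"),
    }

def triage(page, min_severity="high"):
    """Return (open alerts at or above min_severity, most severe first; next-page URL)."""
    floor = SEVERITY_RANK[min_severity]
    alerts = [to_alert(e) for e in page["events"]
              if e["event_info"]["status"] == "open"
              and SEVERITY_RANK.get(e["event_info"]["severity"], 0) >= floor]
    alerts.sort(key=lambda a: SEVERITY_RANK[a["severity"]], reverse=True)
    return alerts, page.get("next")
```

A caller would keep requesting the URL returned in `next` until it is null, passing each page through `triage`.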