The Events API returns structured threat intelligence data related to monitored assets. Each response page includes up to 10 unique event items, representing individual cyber threat incidents.
Root Object
The Root Object is the top-level structure of the Events API response. It contains metadata about the query request and an array of matched event entries, each representing a distinct cyber event with its associated data.
| Field Name | Type | Nullable | Description |
|---|---|---|---|
| source | string | No | Fixed value: lunar_threat_intel_feed |
| events | array of objects | No | List of event objects |
| totalEvents | integer | No | Total number of matching events |
| moreEventsAvailable | integer | No | Number of additional events available |
| next | string | Yes | URL for the next page (null if none) |
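A paging loop over the Root Object fields, added here as an illustration and not taken from the vendor's documentation or client code: it follows `next` until it is null, checks the fixed `source` value, and refuses a `next` link that leaves the original origin so the API credential is never sent to another host. `collect_events`, `fetch_page` and the `api.example.invalid` URLs are assumptions, since the real endpoint and authentication are not shown on this page.

```python
from urllib.parse import urlsplit

EXPECTED_SOURCE = "lunar_threat_intel_feed"  # fixed value from the Root Object table


def collect_events(first_url, fetch_page, max_pages=1000):
    """Follow `next` until it is null; return events de-duplicated by uuid.

    fetch_page(url) -> dict is a hypothetical caller-supplied helper that does
    the authenticated GET and returns the decoded JSON body.
    """
    pinned = urlsplit(first_url)
    seen, events, url = set(), [], first_url
    for _ in range(max_pages):
        page = fetch_page(url)
        if page.get("source") != EXPECTED_SOURCE:
            raise ValueError(f"unexpected source: {page.get('source')!r}")
        for ev in page["events"]:
            if ev["uuid"] not in seen:
                seen.add(ev["uuid"])
                events.append(ev)
        url = page.get("next")
        if url is None:  # null means there is no further page
            return events
        nxt = urlsplit(url)
        # Only follow links on the scheme and host we started with.
        if (nxt.scheme, nxt.netloc) != (pinned.scheme, pinned.netloc):
            raise ValueError(f"next link leaves pinned origin: {url}")
    raise RuntimeError("page limit reached before next became null")


# Constructed two-page response (not real API output).
_PAGES = {
    "https://api.example.invalid/events?page=1": {
        "source": EXPECTED_SOURCE, "totalEvents": 3, "moreEventsAvailable": 1,
        "events": [{"uuid": "a"}, {"uuid": "b"}],
        "next": "https://api.example.invalid/events?page=2"},
    "https://api.example.invalid/events?page=2": {
        "source": EXPECTED_SOURCE, "totalEvents": 3, "moreEventsAvailable": 0,
        "events": [{"uuid": "b"}, {"uuid": "c"}], "next": None},
}


def demo():
    return collect_events("https://api.example.invalid/events?page=1",
                          _PAGES.__getitem__)


if __name__ == "__main__":
    print([e["uuid"] for e in demo()])
```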
Top-Level Fields
The following are the top-level fields of each event object.
| Field Name | Type | Nullable | Description |
|---|---|---|---|
| severity | string | No | low, medium, high, critical |
| type | string | No | Event type, e.g., leaked_credentials |
| title | string | No | The event general title, indicating whether it is an Infostealer or Data Breach event |
| status | string | No | open, fixed, closed |
| description | string | No | A brief description of the detected threat and its context |
| user_id | string | No | The unique identifier of the user owning the account |
| required_actions | string | Yes | Recommended actions to mitigate or remediate the identified threat |
| uuid | string | No | Unique event ID (UUID) |
| created | ISO string | No | The date and time when the event was created |
| updated | ISO string | No | The date when the document was last updated |
| source_date | ISO string | No | For Infostealer: exfiltration date; For Data Breach: breach date |
assets Object
The assets Object describes the affected asset involved in the event.
| Field Name | Type | Nullable | Description |
|---|---|---|---|
| id | integer | Yes | Unique asset ID |
| value | string | No | Asset value |
| group_name | string | No | The custom group name defined by the user to categorize the asset. |
| type | string | No | Asset type, e.g., domain, email, ip |
breach_doc Object
The breach_doc Object contains contextual information about the data breach in which the credentials were found, including the breach name, type, and compromised assets.
| Field Name | Type | Nullable | Description |
|---|---|---|---|
| uuid | string | No | Unique identifier for the breach document |
| type | string | Yes | Available breach types: infostealer / data_breach |
| sub_type | string | Yes | Where the compromised credentials were obtained from. Provides important context about the source of exposure. |
| login_url | string | Yes | The URL linked to the compromised credentials |
| login_domain | string | Yes | The domain extracted from the URL |
| account_info | object | Yes | The |
| device_info | object | Yes | The |
| breach_info | object | Yes | The |
account_info Object (Optional)
The account_info Object provides details about a compromised account.
| Field Name | Type | Nullable | Description |
|---|---|---|---|
| email | string | Yes | Compromised email address |
| account_name | string | Yes | Compromised account username |
| password | string | Yes | Compromised password |
| password_type | string | Yes | The password type |
device_info Object (Optional)
The device_info Object includes details about the infected device, typically present in infostealer-related events.
| Field Name | Type | Nullable | Description |
|---|---|---|---|
| exfiltration_date | ISO string | Yes | The date and time when the stealer log data was collected and exfiltrated from the infected device |
| log_file_name | string | Yes | Stealer log file name |
| hwid | string | Yes | Hardware ID of infected device |
| ip_address | string | Yes | IP address of infected device |
| location | object | Yes | Location details of the infected device |
| location.country | string | Yes | Country code, e.g. CA |
| location.city | string | Yes | City name |
| location.zip_code | string | Yes | Zip code |
| computer_username | string | Yes | Device username |
| os | string | Yes | Operating system |
| antivirus_software | array [list] | Yes | Installed AVs on the infected device |
| malware_family | string | Yes | Malware family name, e.g. Redline |
| malware_path | string | Yes | Path to malicious file on the infected device |
breach_info Object (Optional)
The breach_info Object contains contextual information about the data breach in which the credentials were found, including the breach name, type, and compromised assets.
| Field Name | Type | Nullable | Description |
|---|---|---|---|
| breach_date | ISO string | Yes | The date and time when the data breach occurred or was first publicly disclosed |
| breach_name | string | Yes | The name of the breach |
| breach_domain | string | Yes | The domain that was breached |
| compromised_assets | array | Yes | List of all affected asset types in the data breach |
publication_source_info Object (Optional)
The publication_source_info Object includes metadata about the original breach file, including its filename, publication date, and the source where Webz detected it.
| Field Name | Type | Nullable | Description |
|---|---|---|---|
| published_date | ISO string | Yes | The date and time when the breach data was published online |
| file_name | string | Yes | The name of the original data breach file |
| file_link | string | Yes | The download link of the original data breach file |
| post_url | string | Yes | The original post URL where the data breach file was detected |
| site_domain | string | Yes | The site domain where the data breach file was detected |
| is_premium | boolean | No | Indicates whether the leak originated from a premium source. TRUE = premium |
JSON for Infostealer type
```json
{
  "severity": "CRITICAL",
  "type": "Leaked Credentials",
  "title": "Leaked Credentials - Infostealer",
  "status": "Open",
  "description": "The email None was found in an infostealer leak. This stealer malware captures sensitive information, such as credentials from a device.",
  "action_required": [
    "Disconnect machine None from network.",
    "Scan & Remove malware : start from the following path: None",
    "Scan the device for any additional malware; once clean - connect back to network.",
    "Change Credentials: Update the password for the account linked to the leaked email.",
    "Monitor accounts for suspicious activity.",
    "Enforce MFA to prevent unauthorized access."
  ],
  "uuid": "6d589225-cb2a-3259-7d15-97fc8ee9066a",
  "created": "2025-12-03T13:55:47Z",
  "updated": "2025-12-03T13:55:47Z",
  "source_date": "2025-12-01T00:00:00Z",
  "assets": [
    {
      "id": "30423",
      "value": "example.com",
      "name": "example.com",
      "type": "Domain"
    }
  ],
  "breach_doc": {
    "uuid": "b0ebd0c2bbfe234834ba742fa0a89a8d95f2253c",
    "crawled_date": "2025-12-03T12:05:59Z",
    "type": "infostealer",
    "sub_type": "stealer_logs",
    "login_url": "http://gateway.example.com/loginpages/login.shtml",
    "login_domain": "gateway.example.com",
    "account_info": {
      "account_name": "914055",
      "password": "AAAAAAAAAAAAAAAAAAAAAGzmaD3bDchn49EDgr0szVE=",
      "password_type": null,
      "password_lowercase": "AAAAAAAAAAAAAAAAAAAAAHY8e3Ob7z+GScz1QaaTX6I="
    },
    "device_info": {
      "infection_uuid": "0f61de056bb637f7cf5d75834f3f18337de9012e",
      "exfiltration_date": "2025-12-01T00:00:00Z",
      "log_file_name": "NPIIK712O6UM65QCUPGSPAV7ZHN90GAXV_2025_12_01T15_05_18_419718",
      "ip_address": "27.34.111.240",
      "location": {
        "country": "NP",
        "city": null,
        "zip_code": null
      },
      "computer_username": "Dell",
      "antivirus_software": "Windows Defender",
      "malware_family": "Blank Grabber"
    },
    "breach_info": null,
    "publication_source_info": {
      "file_name": "Daisy Private Cloud - 03889 Pcs - 01 December - Bonus.7z",
      "file_link": null,
      "post_url": null,
      "site_domain": "t.me",
      "is_premium": true,
      "published_date": "2025-12-01T20:09:21Z"
    }
  }
}
```
JSON for Data Breach type
```json
{
  "severity": "HIGH",
  "type": "Leaked Credentials",
  "title": "Leaked Credentials - Data Breach",
  "status": "Open",
  "description": "The email [email protected] was found in a data breach that was leaked on the dark web.",
  "action_required": [
    "Change Credentials: update the password for the account linked to the leaked email.",
    "Notify users and warn about phishing risks.",
    "Monitor accounts for suspicious activity.",
    "Enforce MFA to prevent unauthorized access."
  ],
  "uuid": "9539f3a4-019a-1a90-ab8e-eae68ff710a5",
  "created": "2025-12-03T13:08:20Z",
  "updated": "2025-12-03T13:08:20Z",
  "source_date": "2025-02-15T00:00:00Z",
  "assets": [
    {
      "id": "30423",
      "value": "example.com",
      "name": "example.com",
      "type": "Domain"
    }
  ],
  "breach_doc": {
    "uuid": "9b38c6760c81a5430b992fcadb672669bfddad04",
    "type": "data_breach",
    "sub_type": "stealers_combo_list",
    "login_url": "android://yCm1qa3rW6t5uGLzuGB9eknXSazobdF8c-kN1v7fAsjIEWLpOdPesfoTEJbljvNthQtaU9ExQ2J8HxuREXBoIw==@com.example.loginandsignup/",
    "login_domain": "loginandsignup.example.com",
    "account_info": {
      "email": "[email protected]",
      "account_name": null,
      "password": "AAAAAAAAAAAAAAAAAAAAACliFV/n/uOuMLyO/kGx5jw=",
      "password_type": "plaintext",
      "password_lowercase": "AAAAAAAAAAAAAAAAAAAAACliFV/n/uOuMLyO/kGx5jw="
    },
    "breach_info": {
      "uuid": "57ad5e0d0860398131a836248f00f885eb044a3e",
      "breach_date": "2025-02-15T00:00:00",
      "breach_name": "ALIEN TXTBASE 23B",
      "breach_domain": null,
      "compromised_assets": [
        "url",
        "email",
        "password"
      ]
    },
    "publication_source_info": {
      "file_name": "ALIEN TXTBASE 23B.txt",
      "file_link": "magnet:?xt=urn:btih:169257f30c3fbee583cc3605e9653549a59a9523&dn=alien_txtbase&tr=udp://tracker.openbittorrent.com:80&tr=udp://tracker.opentrackr.org:1337/announce",
      "post_url": "https://leakbase.la/threads/alientxt-base-stealer-logs-all-23b.39613/#post-228084",
      "site_domain": "leakbase.la",
      "is_premium": false
    }
  }
}
```
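A consumer-side sketch for the two event shapes above, added here as an illustration and not part of the vendor's documentation or client code: `triage` flattens an event while tolerating null sub-objects and the places where the samples differ from the field tables (`action_required` vs `required_actions`, upper-case severity, `antivirus_software` as a bare string), and `redact` masks credential fields before an event is logged or forwarded. The function names, the `[REDACTED]` marker and the `needs_host_ir` flag are assumptions, and the sample event is constructed.

```python
REDACTED = "[REDACTED]"
SECRET_KEYS = {"password", "password_lowercase"}  # credential fields in the samples


def redact(obj):
    """Return a copy of obj with credential fields masked at any depth."""
    if isinstance(obj, dict):
        return {k: REDACTED if k in SECRET_KEYS and v is not None else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(x) for x in obj]
    return obj


def triage(event):
    """Flatten one event for a responder; every nested object may be null."""
    doc = event.get("breach_doc") or {}
    acct = doc.get("account_info") or {}
    dev = doc.get("device_info") or {}
    breach = doc.get("breach_info") or {}
    av = dev.get("antivirus_software") or []
    if isinstance(av, str):  # table says array, the sample shows a string
        av = [av]
    actions = event.get("required_actions") or event.get("action_required") or []
    if isinstance(actions, str):  # table says string, the samples show an array
        actions = [actions]
    return {
        "uuid": event["uuid"],
        "severity": event["severity"].lower(),
        "kind": doc.get("type"),
        "identity": acct.get("email") or acct.get("account_name"),
        "login_domain": doc.get("login_domain"),
        # Infostealer events carry device details, so a host needs cleaning too.
        "needs_host_ir": doc.get("type") == "infostealer" and bool(dev),
        "malware_family": dev.get("malware_family"),
        "antivirus": av,
        "breach_name": breach.get("breach_name"),
        "actions": actions,
    }


# Constructed sample, trimmed to the shape of the infostealer example above.
SAMPLE = {
    "severity": "CRITICAL", "uuid": "00000000-0000-0000-0000-000000000001",
    "action_required": ["Change Credentials"],
    "breach_doc": {
        "type": "infostealer", "login_domain": "gateway.example.com",
        "account_info": {"account_name": "914055", "password": "constructed-secret",
                         "password_lowercase": "constructed-secret"},
        "device_info": {"antivirus_software": "Windows Defender",
                        "malware_family": "Blank Grabber"},
        "breach_info": None}}
```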