The Events API returns structured threat intelligence data related to monitored assets. Each response page includes up to 10 unique event items, representing individual cyber threat incidents.

Root Object

The Root Object is the top-level structure of the Events API response. It contains metadata about the query request and an array of matched events entries, each representing a distinct cyber event with its associated data.

Field Name	Type	Nullable	Description
source	string	No	Fixed value: lunar_threat_intel_feed
events	array of objects	No	List of event objects
totalEvents	integer	No	Total number of matching events
moreEventsAvailable	integer	No	Number of additional events available
next	string	Yes	URL for the next page (null if none)

Top-Level Fields

The following are details about the Top-Level Fields

Field Name	Type	Nullable	Description
severity	string	No	low, medium, high, critical
type	string	No	Event type. e.g., leaked_credentials
title	string	No	The event general title, indicating whether it is an Infostealer or Data Breach event
status	string	No	open, fixed, closed
description	string	No	A brief description of the detected threat and its context
user_id	string	No	The unique identifier of the user owning the account
required_actions	string	Yes	Recommended actions to mitigate or remediate the identified threat
uuid	string	No	Unique event ID (UUID)
created	ISO string	No	The date and time when the event was created
updated	ISO string	No	The date when the document was last updated
source_date	ISO string	No	For Infostealer: exfiltration date; For Data Breach: breach date
user_type	string	Yes	The type of user associated with the event, e.g., Employee, Client

assets Object

The assets Object describes the affected asset involved in the event.

Field Name	Type	Nullable	Description
id	integer	Yes	Unique asset ID
value	string	No	Asset value
group_name	string	No	The custom group name defined by the user to categorize the asset.
type	string	No	Asset type, e.g., domain, email, ip

breach_doc Object

The breach_doc Object contains contextual information about the data breach in which the credentials were found, including the breach name, type, and compromised assets.

Field Name	Type	Nullable	Description
uuid	string	No	Unique identifier for the breach document
type	string	Yes	Available breach types: infostealer/ data_breach
sub_type	string	Yes	Where the compromised credentials were obtained from. Provides important context about the source of exposure. For more details.
login_url	string	Yes	The URL linked to the compromised credentials
login_domain	string	Yes	The domain extracted from the URL
account_info	object	Yes	The `account_info` Object provides details about a compromised account.
device_info	object	Yes	The `device_info` ****Object includes details about the infected device, typically present in infostealer-related events.
breach_info	object	Yes	The `device_info` ****Object includes details about the infected device, typically present in infostealer-related events.

account_info Object (Optional)

The account_info Object provides details about a compromised account.

Field Name	Type	Nullable	Description
email	string	Yes	Compromised email address
account_name	string	Yes	Compromised account username
password	string	Yes	Compromised password
password_type	string	Yes	The password type

device_info Object (Optional)

The device_info ****Object includes details about the infected device, typically present in infostealer-related events.

Field Name	Type	Nullable	Description
exfiltration_date	ISO string	Yes	The date and time when the stealer log data was collected and exfiltrated from the infected device
log_file_name	string	Yes	Stealer log file name
hwid	string	Yes	Hardware ID of infected device
ip_address	string	Yes	IP address of infected device
location	object	Yes	Location details of the infected device
location.country	string	Yes	Country code. e.g. CA
location.city	string	Yes	City name
location.zip_code	string	Yes	Zip code
computer_username	string	Yes	Device username
os	string	Yes	Operating system
antivirus_software	array [list]	Yes	Installed AVs on the infected device
malware_family	string	Yes	Malware family name. e.g. Redline
malware_path	string	Yes	Path to malicious file on the infected device

breach_info Object (Optional)

The breach_info Object contains contextual information about the data breach in which the credentials were found, including the breach name, type, and compromised assets.

Field Name	Type	Nullable	Description
breach_date	ISO string	Yes	The date and time when the data breach occurred or was first publicly disclosed
breach_name	string	Yes	The name of the breach
breach_domain	string	Yes	The domain that was breached
compromised_assets	array	Yes	List of all affected asset types in the data breach

publication_source_info Object (Optional)

The publication_source_info Object includes metadata about the original breach file, including its filename, publication date, and the source where Webz detected it.

Field Name	Type	Nullable	Description
published_date	ISO string	Yes	The date and time when the breach data was published online
site_domain	string	Yes	The site domain where the data breach file was detected
is_premium	Boolean	no	Indicates whether the leak originated from a premium source. TRUE = premium

JSON for Infostealer type

{
    "severity": "CRITICAL",
    "type": "Leaked Credentials",
    "title": "Leaked Credentials - Infostealer",
    "status": "Open",
    "description": "The email None was found in an infostealer leak. This stealer malware captures sensitive information, such as credentials from a device.",
    "action_required": [
      "Disconnect machine None from network.",
      "Scan & Remove malware : start from the following path: None",
      "Scan the device for any additional malware; once clean - connect back to network.",
      "Change Credentials: Update the password for the account linked to the leaked email.",
      "Monitor accounts for suspicious activity.",
      "Enforce MFA to prevent unauthorized access."
    ],
    "uuid": "6d589225-cb2a-3259-7d15-97fc8ee9066a",
    "created": "2025-12-03T13:55:47Z",
    "updated": "2025-12-03T13:55:47Z",
    "source_date": "2025-12-01T00:00:00Z",
    "user_type": "Employee",
    "serviceClassifications": [
      {
        "service_category": "ADFS (Active Directory)",
        "service_name": "Microsoft"
      }
    ],
    "assets": [
      {
        "id": "30423",
        "value": "example.com",
        "name": "example.com",
        "type": "Domain"
      }
    ],
    "breach_doc": {
      "uuid": "b0ebd0c2bbfe234834ba742fa0a89a8d95f2253c",
      "crawled_date": "2025-12-03T12:05:59Z",
      "type": "infostealer",
      "sub_type": "stealer_logs",
      "login_url": "http://gateway.example.com/loginpages/login.shtml",
      "login_domain": "gateway.example.com",
      "account_info": {
        "account_name": "914055",
        "password": "AAAAAAAAAAAAAAAAAAAAAGzmaD3bDchn49EDgr0szVE=",
        "password_type": null,
        "password_lowercase": "AAAAAAAAAAAAAAAAAAAAAHY8e3Ob7z+GScz1QaaTX6I="
      },
      "device_info": {
        "infection_uuid": "0f61de056bb637f7cf5d75834f3f18337de9012e",
        "exfiltration_date": "2025-12-01T00:00:00Z",
        "log_file_name": "NPIIK712O6UM65QCUPGSPAV7ZHN90GAXV_2025_12_01T15_05_18_419718",
        "ip_address": "27.34.111.240",
        "location": {
          "country": "NP",
          "city": null,
          "zip_code": null
        },
        "computer_username": "Dell",
        "antivirus_software": "Windows Defender",
        "malware_family": "Blank Grabber"
      },
      "breach_info": null,
      "publication_source_info": {
        "file_name": "Daisy Private Cloud - 03889 Pcs - 01 December - Bonus.7z",
        "site_domain": "t.me",
        "is_premium": true,
        "published_date": "2025-12-01T20:09:21Z"
      }
    }
  }

JSON for Data Breach type

{
    "severity": "HIGH",
    "type": "Leaked Credentials",
    "title": "Leaked Credentials - Data Breach",
    "status": "Open",
    "description": "The email mariellebasearamos18@gmail.com was found in a data breach that was leaked on the dark web.",
    "action_required": [
      "Change Credentials: update the password for the account linked to the leaked email.",
      "Notify users and warn about phishing risks.",
      "Monitor accounts for suspicious activity.",
      "Enforce MFA to prevent unauthorized access."
    ],
    "uuid": "9539f3a4-019a-1a90-ab8e-eae68ff710a5",
    "created": "2025-12-03T13:08:20Z",
    "updated": "2025-12-03T13:08:20Z",
    "source_date": "2025-02-15T00:00:00Z",
    "user_type": "Employee",
    "serviceClassifications": [
      {
        "service_category": "ADFS (Active Directory)",
        "service_name": "Microsoft"
      }
    ],
    "assets": [
      {
        "id": "30423",
        "value": "example.com",
        "name": "example.com",
        "type": "Domain"
      }
    ],
    "breach_doc": {
      "uuid": "9b38c6760c81a5430b992fcadb672669bfddad04",
      "type": "data_breach",
      "sub_type": "stealers_combo_list",
      "login_url": "android://yCm1qa3rW6t5uGLzuGB9eknXSazobdF8c-kN1v7fAsjIEWLpOdPesfoTEJbljvNthQtaU9ExQ2J8HxuREXBoIw==@com.example.loginandsignup/",
      "login_domain": "loginandsignup.example.com",
      "account_info": {
        "email": "mariellebasearamos18@gmail.com",
        "account_name": null,
        "password": "AAAAAAAAAAAAAAAAAAAAACliFV/n/uOuMLyO/kGx5jw=",
        "password_type": "plaintext",
        "password_lowercase": "AAAAAAAAAAAAAAAAAAAAACliFV/n/uOuMLyO/kGx5jw="
      },
      "breach_info": {
        "uuid": "57ad5e0d0860398131a836248f00f885eb044a3e",
        "breach_date": "2025-02-15T00:00:00",
        "breach_name": "ALIEN TXTBASE 23B",
        "breach_domain": null,
        "compromised_assets": [
          "url",
          "email",
          "password"
        ]
      },
      "publication_source_info": {
        "file_name": "ALIEN TXTBASE 23B.txt",
        "file_link": "magnet:?xt=urn:btih:169257f30c3fbee583cc3605e9653549a59a9523&dn=alien_txtbase&tr=udp://tracker.openbittorrent.com:80&tr=udp://tracker.opentrackr.org:1337/announce",
        "post_url": "https://leakbase.la/threads/alientxt-base-stealer-logs-all-23b.39613/#post-228084",
        "site_domain": "leakbase.la",
        "is_premium": false
      }
    }
  }