Output

The Events API returns structured threat intelligence data related to monitored assets. Each response page includes up to 10 unique event items, representing individual cyber threat incidents.

Root Object

The Root Object is the top-level structure of the Events API response. It contains metadata about the query request and an array of matched events entries, each representing a distinct cyber event with its associated data.

Field Name	Type	Nullable	Description
source	string	No	Fixed value: `lunar_threat_intel_feed`
events	array of objects	No	List of event objects
totalEvents	integer	No	Total number of matching events
moreEventsAvailable	integer	No	Number of additional events available
next	string	Yes	URL for the next page (null if none)

EventInfo Object

The EventInfo Object Includes metadata about the event.

Field Name	Type	Nullable	Description
id	string	No	Unique event ID (UUID)
link	string	No	URL to event detail
crawled_date	ISO string	No	The date and time when the original threat was fetched by Webz
created_date	ISO string	No	The date and time when the event was created
type	string	No	Event type. e.g. `leaked_credentials`
subtype	string	No	Event sub-types. e.g. `leaked_credentials_infostealer`
severity	string	No	`low,` `medium`, `high`, `critical`
status	string	No	`open` , `fixed`, `closed`
description	string	No	A brief description of the detected threat and its context
required_actions	string	Yes	Recommended actions to mitigate or remediate the identified threat

AssetInfo Object

The AssetInfo Object describes the affected asset involved in the event.

Field Name	Type	Nullable	Description
id	integer	Yes	Unique asset ID
type	string	No	Asset type. e.g. `domain,` `email`, `ip`
value	string	No	Asset value
group_name	string	No	Asset group name

AccountInfo Object (Optional)

The AssetInfo Object provides details about a compromised account.

Field Name	Type	Nullable	Description
email	string	Yes	Compromised email address
account_name	string	Yes	Compromised account username
password	string	Yes	Compromised password
password_type	string	Yes	*not available yet

DeviceInfo Object (Optional)

The DeviceInfo Object Includes details about the infected device, typically present in infostealer-related events.

Field Name	Type	Nullable	Description
exfiltration_date	ISO string	Yes	The date and time when the stealer log data was collected and exfiltrated from the infected device
log_file_name	string	Yes	Stealer log file name
hwid	string	Yes	Hardware ID of infected device
ip_address	string	Yes	IP address of infected device
location	object	Yes	Location details of the infected device
country	string	Yes	Country code. e.g. CA
city	string	Yes	City name
zip_code	string	Yes	Zip code
computer_username	string	Yes	Device username
os	string	Yes	Operating system
antivirus_software	array [list]	Yes	Installed AVs on the infected device
malware_family	string	Yes	Malware family name. e.g. Redline
malware_path	string	Yes	Path to malicious file on the infected device

BreachInfo Object (Optional)

The BreachInfo Object contains contextual information about the data breach in which the credentials were found, including the breach name, type, and compromised assets.

Field Name	Type	Nullable	Description
type	string	Yes	Available breach types: `infostealer`, `data_breach`
sub_type	string	Yes	*not available yet
breach_date	ISO string	Yes	The date and time when the data breach occurred or was first publicly disclosed
login_url	string	Yes	The URL linked to the compromised credentials
login_domain	string	Yes	The domain extracted from the URL
breach_name	string	Yes	The name of the breach
compromised_assets	array	Yes	List of all affected asset types in the data breach

PublicationSourceInfo Object (Optional)

The PublicationSourceInfo Object includes metadata about the original breach file, including its filename, publication date, and the source where Webz detected it.

Field Name	Type	Nullable	Description
published_date	ISO string	Yes	The date and time when the breach data was published online
file_name	string	Yes	The name of original data breach file
file_link	string	Yes	The download link of original data breach file
post_url	string	Yes	The original post URL where the data breach file was detected
site_domain	string	Yes	The site domain where the data breach file was detected
site_name	string	Yes	The site name where the data breach file was detected
site_type	string	Yes	The site type where the data breach file was detected. e.g. `chat`, `market`, `discussions`
network	string	Yes	The network associated with the site where the data breach file was detected. e.g. `tor`, `telegram`, `openweb`
categories	array	Yes	The categories associated with the site where the data breach file was detected. Categories include:`cyber_threat_intelligence`, `financial_crime`, `illicit_trafficking`, `extremism_misinformation`, `brand_monitoring` For Telegram data only: `group`, `channel` For more details , please refer to this page .

OriginalPostInfo Object (Optional)

The OriginalPostInfo Object provides metadata about the original dark web post in which the threat or compromised data was published.

Field Name	Type	Nullable	Description
title	string	Yes	The title of the post
text	string	Yes	The body text of the post
language	string	Yes	The primary language detected in the post text
org_in_thread	integer	Yes	The post’s position in the thread.0 indicates the first post.
categories	array	Yes	One or more cyber categories that the post content belong to. Categories include: `hacking`, `data_breach`, `carding`, `crypto`, `phishing`, `malware`, `ransomware`, `stealer_logs`, `counterfeit`, `gaming`, `extremism`, `drugs`, `weapons`, `sexual` For more details , please refer to this page.
risk_score	integer	Yes	The site name where the data breach file was detected

AuthorExtendedInfo Object (Optional)

The AuthorExtendedInfo Object Includes metadata about the author who published the original post or file where the threat was detected.

Field Name	Type	Nullable	Description
username	string	Yes	The author's username (publisher) of the post
display_name	string	Yes	The author's visual name presented on the site
id	string	Yes	The unique identifier of the user on the site
link	integer	Yes	The unique hyperlink to the user information on the site
adversary_group	array	Yes	*not available yet

JSON Schema

{
  "source": "lunar_threat_intel_feed",
  "events": [
    {
      "event_info": {
        "id": "f7de9c73-30bc-328f-b226-58027512eb0f",
        "link": "https://lunar.api/events/XXXXXXXXX-XXXX-XXX-XXXX-XXXXXXXXX",
        "crawled_date": "2025-08-04T18:00:00.000+03:00",
        "created_date": "2025-08-04T18:12:00.000+03:00",
        "type": "leaked_credentials",
        "subtype": "leaked_credentials_infostealer",
        "severity": "critical",
        "status": "open",
        "description": "The email [email protected] was found in an infostealer leak. This stealer malware captures sensitive information, such as credentials from a device.",
        "required_actions": "1. Disconnect machine <HWID> from network. 2. Scan & Remove malware: start from the following path: <file path> 3. Scan the device for any additional malware; once clean - connect back to network. 4. Change Credentials: Update the password for the account linked to the leaked email. 5. Monitor accounts for suspicious activity. 6. Enforce MFA to prevent unauthorized access."
      },
      "asset_info": {
        "id": "94bd1d9fded1e40b8843f31df97b807eef35f6aa",
        "type": "domain",
        "value": "example.com",
        "group_name": "Example"
      },
      "account_info": {
        "email": "[email protected]",
        "account_name": null,
        "password": "admin123",
        "password_type": "plaintext"
      },
      "device_info": {
        "exfiltration_date": "2025-08-04T12:11:00.000+03:00",
        "log_file_name": "GR[7AFB0C*********EB27C90BA] [2025-08-04T12_11_52.1931867]",
        "hwid": "7AFB0C*********EB27C90BA",
        "ip_address": "102.38.248.0",
        "location": {
          "country": "GR",
          "city": "Portaria, Kentriki Makedonia",
          "zip_code": "63087"
        },
        "computer_username": "admin",
        "os": "Windows 10 Home x64",
        "antivirus_software": ["Windows Defender"],
        "malware_family": "Redline",
        "malware_path": "C:\\Users\\2024\\Pictures\\Minor Policy\\f1Lp2uk21C0jQ8KirMFAwKtq.exe"
      },
      "breach_info": {
        "type": "infostealer",
        "sub_type": null,
        "breach_date": null,
        "login_url": "https://abc.com/login/",
        "login_domain": "abc.com",
        "breach_name": null,
        "compromised_assets": ["email", "password"]
      },
      "publication_source_info": {
        "published_date": "2023-10-13T20:56:00.000+03:00",
        "file_name": null,
        "file_link": null,
        "post_url": null,
        "site_domain": "t.me",
        "site_name": null,
        "site_type": "chat",
        "network": "Telegram",
        "categories": ["group"]
      },
      "original_post_info": {
        "title": null,
        "text": null,
        "language": null,
        "ord_in_thread": null,
        "categories": null,
        "risk_score": null
      },
      "author_extended_info": {
        "username": "MoonLogsCloud",
        "display_name": "Moon Cloud | Free Logs",
        "id": "2475140777",
        "link": null,
        "adversary_group": null
      }
    }
  ],
  "totalEvents": 650,
  "moreEventsAvailable": 640,
  "next": "/LunarEventsFilter?token=XXXX-XXXX-XXXX-XXXX&since=0&to=1754226420000&from=10&severity=high"
}