
Cybersixgill Connector

Cybersixgill is a threat intelligence platform that continuously monitors the clear, deep, and dark web to uncover indicators of compromise (IOCs), leaked credentials, and threat actor activity in real time. It enables security teams to proactively defend against emerging risks using contextual data and STIX-formatted enrichment.

Descope's Cybersixgill connector allows you to query threat intelligence, enrich indicators, and detect exposed credentials as part of your authentication flows.

Setting Up the Cybersixgill Connector

To integrate the Cybersixgill connector, follow the steps below:

  • Visit the Connectors page in the Descope Console.
  • Choose Cybersixgill from the list of connectors.

Connector Setup

Set up the necessary inputs:

  • Connector Name: Assign a custom name for your connector, especially useful when using multiple connectors from the same template.
  • (Optional) Connector Description: A brief description of your connector's purpose.

Proceed by providing your Cybersixgill API credentials, issued through the Cybersixgill Developer Portal.

  • Client ID: API client ID from Cybersixgill.
  • Client Secret: API client secret from Cybersixgill.

Test & Save

Validate your configuration using the built-in test:

  • Provide test values for any required parameters.
  • Click the Test button to verify connectivity.
  • Review the Test Results section for output.
  • Finalize setup by clicking Create.

Implementing the Cybersixgill Connector

Warning

The Cybersixgill connector is typically used after login or registration, often in conjunction with behavioral checks or risk assessments.

Select or Create a Flow

Go to Flows in your Descope dashboard and choose an existing flow or create a new one.

Integration

Click the blue plus sign inside the flow builder and choose Connector. You should now see the available Cybersixgill connector actions:

[Screenshot: Cybersixgill flow actions]

Available Actions

The Cybersixgill connector offers the following actions:

Cybersixgill / Enrich IOC

Returns items in STIX format related to a specified indicator of compromise.

Parameters:

  • IOC Type: The type of IOC to enrich ("domain", "ip", "url", "hash").
  • IOC Value: The actual IOC value (e.g., domain name or hash).
  • Sixgill Field: "actor" or "post_id".
  • Sixgill Field Value: The matching value for the selected Sixgill field.
  • From Date: Start of search range in YYYY-MM-DD.
  • To Date: End of search range in YYYY-MM-DD.
  • Limit: Maximum number of results to return.
  • Skip: Number of results to skip (for pagination).

Cybersixgill / Search Leaked Credentials

Search for leaked credentials linked to a domain or email address.

Parameters:

  • Domain: Domain associated with leaked credentials (e.g., example.com).
  • Email: User's email to query leaked data for (e.g., {{user.email}}).
  • Limit: Maximum number of results to return.
  • Offset: Number of results to skip.
  • Additional Query Parameters: Optional additional filters supported by the Cybersixgill API.
  • Sort By: Object representing sort key and direction (e.g., { "date": "desc" }).

Cybersixgill / Search Leaks Logins

Search for leaked logins to your company's applications.

Parameters:

  • Host Domain (required): The host domain for your application (e.g., app.example.com).
  • Publication Start Date (required): Start date in YYYY-MM-DD.
  • Publication End Date (required): End date in YYYY-MM-DD.

All parameters can use dynamic values such as:

  • {{user.email}}
  • {{user.emailDomain}}
  • Context keys from previous steps or scriptlets

Response Handling

The response from each action is stored in the connector context key, such as connectors.cybersixgill_enrichIOC.

Typical fields available include:

  • iocs: Array of returned indicators (enriched STIX objects)
  • leaks: List of leaked credential records
  • matchCount: Total matches found
  • correlationId: For tracking and audit use cases

Use these fields to drive conditional logic, such as requiring MFA for users with leaked credentials or blocking high-risk IOC matches.
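As an added example (not Descope's or Cybersixgill's own code), here is a scriptlet-style decision over the stored "Search Leaked Credentials" result that implements the conditional logic described above: it only counts records whose email matches the authenticating user, treats a recent leak as grounds for a credential update and an older one as grounds for MFA, and carries the correlationId through for audit. The per-record field names `email` and `date`, the 90-day window, and the sample data are assumptions.

```javascript
// Added example: decide a flow action from a Cybersixgill connector result.
// Assumed: each leak record carries `email` and `date`; 90 days counts as "recent".
const RECENT_DAYS = 90;

// Normalise an email for comparison; leaked records often vary in case and spacing.
function normalizeEmail(value) {
  return String(value || "").trim().toLowerCase();
}

// Returns { action, correlationId } where action is one of
// "allow", "require_mfa" or "require_credential_update".
function decideLeakAction(connectorResult, userEmail, now = new Date()) {
  const result = connectorResult || {};
  const leaks = Array.isArray(result.leaks) ? result.leaks : [];
  const correlationId = result.correlationId || null;
  const email = normalizeEmail(userEmail);
  const cutoff = new Date(now.getTime() - RECENT_DAYS * 24 * 60 * 60 * 1000);

  let matched = false;
  let recent = false;
  for (const leak of leaks) {
    // A domain-wide search also returns other users' records; only the
    // authenticating user's own email counts against them.
    if (normalizeEmail(leak.email) !== email) continue;
    matched = true;
    const seen = new Date(leak.date);
    if (!Number.isNaN(seen.getTime()) && seen >= cutoff) recent = true;
  }

  if (!matched) return { action: "allow", correlationId };
  if (recent) return { action: "require_credential_update", correlationId };
  return { action: "require_mfa", correlationId };
}

// Constructed sample in the shape the Response Handling section describes
// (not real Cybersixgill output).
const sampleResult = {
  matchCount: 2,
  leaks: [
    { email: "Alice@Example.com", date: "2024-05-01" },
    { email: "bob@example.com", date: "2024-06-15" },
  ],
  correlationId: "corr-constructed-001",
};

console.log(decideLeakAction(sampleResult, "alice@example.com", new Date("2024-06-01")));
```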

Example Usage

Here's an example flow using Cybersixgill's "Search Leaked Credentials" action:

[Screenshot: Cybersixgill flow example]

This flow checks whether the user's email is found in a recent leak, and forces the user to update their account with a new email.

Note

You can download the Cybersixgill API reference guide for details on query parameters and full response schemas.
