TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| UpGuard CyberRisk Active Risks Logs | ✅ | ✅ | ✅ | | upguard_cyberrisk_active_risks | NDJSON | S3 and API |
| UpGuard CyberRisk Breaches Logs | ✅ | ✅ | ✅ | | upguard_cyberrisk_breaches_logs | NDJSON | S3 and API |
Overview
UpGuard CyberRisk is a cyber risk posture management platform that helps organizations identify, assess, prioritize and remediate cyber risks across their digital ecosystem. It provides a unified view of risk across areas such as vendor risk management, breach risk, attack surface management, user risk, trust management, and risk automation. The platform combines continuous signal collection, risk scoring, impact analysis, AI-assisted workflows, and real-time ratings to help security teams understand their exposure, monitor third-party and internal risks, streamline compliance activities, and take faster action to reduce cyber risk across the organization.
Supported data types
UpGuard CyberRisk Active Risks Logs
Overview:
UpGuard CyberRisk Active Risks logs involve extracting and structuring data about current security risks and vulnerabilities identified across domains, assets, and vendors. Each record contains details such as risk type, severity, affected hostnames, first detection time, and remediation guidance. By parsing this data, security teams can convert raw risk information into a normalized, actionable format (e.g., for SIEM or OCSF), enabling efficient monitoring, prioritization, and automated response to active cyber risks.
Table name: upguard_cyberrisk_active_risks
Expected format
Logs are expected in JSON format:
{"id":"ssl_version","finding":"Insecure SSL/TLS versions available","risk":"All versions of SSL, and TLS versions below 1.2, are insecure. There are known vulnerabilities for these versions that can allow malicious actors to bypass encryption and access the data. Therefore, these versions of SSL and TLS are susceptible to man-in-the-middle (MITM) attacks, where a third party intercepts data between the client and server.","description":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. There are multiple versions of SSL and TLS that can be used. Although each version supersedes the last, many times the older protocols remain enabled for legacy support.","remediation":"Only TLS 1.2 or higher should be allowed. All older versions should be disabled on the server to prevent malicious actors from trying to connect to these vulnerable protocols.","severity":"medium","category":"encryption","firstDetected":"2023-07-07T02:17:49.481998Z","hostnames":["1.2.3.4"],"hostnameCount":1,"hostnameMeta":{"1.2.3.4":"TLSv1, TLSv1.1"},"sources":["service1.example.com:443"],"riskType":"ssl_version","riskSubtype":""}
UpGuard CyberRisk Breaches Logs
Overview:
UpGuard CyberRisk Breaches logs involve extracting and structuring data about identity breaches in which employee or organizational email accounts and credentials may have been exposed in third-party data breaches. Each record contains details such as the breached company name, breach details, severity, breach type, exposed data classes, date of breach, date published, total exposures and number of employees involved, VIP involvement, notification status, and breach status. By parsing this data, security teams can convert raw breach information into a normalized, actionable format (e.g., for SIEM or OCSF), enabling faster detection of exposed identities, prioritization of high-severity credential leaks, employee notification, password reset workflows, and identity-risk remediation.
Table name: upguard_cyberrisk_breaches_logs
Expected format
Logs are expected in JSON format:
{"breached_identity":{"id":111111,"name":"user.name","domain":"example.com","last_breach_date":"2020-01-01T00:00:00Z","num_breaches":1,"vip":false,"ignored":false,"severity":"Medium"},"breach_id":2222,"breach":{"id":2222,"name":"anon-breach-code","title":"anon-breach-title","domain":"anon breach domain","description":"anon description text","total_exposures":99999,"date_occurred":"2020-01-01T00:00:00Z","exposed_data_classes":["Email addresses","Job titles","Names","Phone numbers","Physical addresses"],"date_published":"2020-01-02T12:00:00Z","assignee_user_email":"","breach_type":"Company","date_notified":null,"breach_status":"active","employee_count":2,"severity":"Medium"}}
Send data to Hunters
Hunters supports the collection of logs from UpGuard CyberRisk via API or via S3.
To connect UpGuard logs via API:
Retrieve the API key from your UpGuard CyberRisk Account Settings.
Complete the process on the Hunters platform, following this guide.
To connect UpGuard logs via S3:
Use the S3-List to push your logs from UpGuard CyberRisk to an AWS S3 bucket.
Once the export is complete and the logs have been collected in S3, follow the steps in this section.
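As an added example that is not part of the UpGuard or Hunters documentation, the following Python normalizer reads NDJSON lines in the two Expected format shapes shown above (Active Risks and Breaches), flattens each into per-host or per-identity events on a common severity scale, and triages them. The sample lines are constructed, trimmed copies of the page's two records; the event field names and the severity ranking are assumptions for illustration.

```python
import json

# Constructed sample lines, abbreviated from the two "Expected format" records above.
ACTIVE_RISK_LINE = '{"id":"ssl_version","finding":"Insecure SSL/TLS versions available","severity":"medium","category":"encryption","firstDetected":"2023-07-07T02:17:49.481998Z","hostnames":["1.2.3.4"],"hostnameCount":1,"hostnameMeta":{"1.2.3.4":"TLSv1, TLSv1.1"},"sources":["service1.example.com:443"],"riskType":"ssl_version","riskSubtype":""}'
BREACH_LINE = '{"breached_identity":{"id":111111,"name":"user.name","domain":"example.com","last_breach_date":"2020-01-01T00:00:00Z","num_breaches":1,"vip":false,"ignored":false,"severity":"Medium"},"breach_id":2222,"breach":{"id":2222,"name":"anon-breach-code","title":"anon-breach-title","total_exposures":99999,"date_occurred":"2020-01-01T00:00:00Z","exposed_data_classes":["Email addresses","Names"],"date_published":"2020-01-02T12:00:00Z","breach_type":"Company","date_notified":null,"breach_status":"active","employee_count":2,"severity":"Medium"}}'

# Assumed common severity scale; UpGuard uses lowercase in Active Risks and capitalised in Breaches.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def classify(rec):
    """Pick the target table by record shape: Active Risks carries riskType, Breaches carries breached_identity."""
    if "riskType" in rec:
        return "upguard_cyberrisk_active_risks"
    if "breached_identity" in rec:
        return "upguard_cyberrisk_breaches_logs"
    raise ValueError("unknown UpGuard record shape")


def normalize(line):
    """Flatten one NDJSON line into one or more events sharing the same core fields."""
    rec = json.loads(line)
    table = classify(rec)
    if table == "upguard_cyberrisk_active_risks":
        # One event per affected host, carrying the per-host detail (e.g. the weak TLS versions offered).
        return [{
            "table": table, "risk_type": rec["riskType"], "host": host,
            "detail": rec.get("hostnameMeta", {}).get(host, ""),
            "severity": SEVERITY_RANK.get(rec["severity"].lower(), 0),
            "first_seen": rec["firstDetected"],
        } for host in rec["hostnames"]]
    ident, breach = rec["breached_identity"], rec["breach"]
    return [{
        "table": table, "identity": f"{ident['name']}@{ident['domain']}",
        "breach": breach["name"], "vip": ident["vip"],
        "exposed": breach["exposed_data_classes"],
        "severity": SEVERITY_RANK.get(breach["severity"].lower(), 0),
        # Active breach with no notification date yet: the identity still has to be told.
        "needs_notification": breach["date_notified"] is None and breach["breach_status"] == "active",
        "first_seen": breach["date_published"],
    }]


def triage(lines, min_severity=2):
    """Return events at or above min_severity, highest first; VIP identities get a one-step bump."""
    events = [e for line in lines for e in normalize(line)]
    for e in events:
        if e.get("vip"):
            e["severity"] = min(4, e["severity"] + 1)
    return sorted((e for e in events if e["severity"] >= min_severity), key=lambda e: -e["severity"])
```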