StealthMole Integration
StealthMole monitors the Deep and Dark Web (DDW) for compromised credentials, focusing on breaches that evade traditional security. Updated daily, it delivers near real-time insights to help businesses protect corporate assets and sensitive information.
Where do the credentials come from?
StealthMole sources data from breached databases, stealer malware logs, and combo lists, using specialized modules:
- Compromised Data Set (CDS) – Tracks credentials stolen via stealer malware (for example, RedLine, Vidar, Raccoon), enabling searches for compromised accounts.
- ULP Binder (UB) – Finds URL-Login-Password bundles leaked by stealer malware, aiding in the detection and protection of exposed credentials.
- Credential Lookout (CL) – Searches for leaked emails in hidden networks, detecting illicit database uploads and the breach history of email domains.
- Combo Binder (CB) – Identifies and analyzes “combo files” (combined leaked credentials) from multiple sources, offering fresh data for defending against credential stuffing attacks.
To add the StealthMole integration in Cisco XDR:
1. In the Cisco XDR navigation menu, choose Administration > Integrations.
2. On the Integrations page, click the Third-Party tab and navigate to the StealthMole integration.
3. Click the plus sign (+) in the lower-right corner of the card. The StealthMole integration page is displayed.
4. Expand the Integration Guide area and follow the instructions on how to add the StealthMole integration in Cisco XDR.
You can perform the following tasks after you integrate StealthMole with Cisco XDR:
- Investigations – Start a new investigation into any combination of domains and email addresses; the results will include any records of them found in your StealthMole data. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know StealthMole has recent information. For details, see Investigate.