Data Export

The Data Export feature allows you to export data from NordStellar into downloadable files for further analysis, integration with external systems such as SIEMs, or sharing with stakeholders for investigation and remediation.

Exports are processed asynchronously. Once generated, files are available for download for 30 days before being automatically deleted.

Export Types

NordStellar supports exporting data across multiple modules. Each export type produces a separate file.

Export Type	File Format	Available On	Description
Credentials	CSV	Leaked Data — Employees	Combined leaked credentials from data breaches, combo lists, and malware infections
Data Breaches	CSV	Leaked Data — Employees (Data Breaches tab)	Assets exposed in known data breaches
Combo Lists	CSV	Leaked Data — Employees (Combo Lists tab)	Credentials found in publicly circulating combo lists
Malware Infections	ZIP (2 CSVs)	Leaked Data — Employees (Malware Infections tab)	Malware infection summaries and associated stolen credentials
Domain Permutations	CSV	Domain Squatting	Detected domain squatting permutations
Client Credentials	CSV	Leaked Data — Consumers	Leaked credentials associated with monitored client assets
Attack Surface Vulnerabilities	CSV	Attack Surface Management	Vulnerabilities detected across your external attack surface

How It Works

Navigate to a page with an export button

Export buttons are available on the following pages:

Leaked Data — Employees: each tab (Malware Infections, Data Breaches, Combo Lists) has its own export button for the corresponding data type.
Leaked Data — Consumers: exports credentials associated with monitored consumer assets.
Domain Squatting: exports detected domain permutations.
Attack Surface Management: exports detected vulnerabilities across your external attack surface.

Initiate an export

Click the Export button on the page. On the Leaked Data — Employees page, the export type corresponds to the active tab.

Wait for processing

The export is processed asynchronously. The status will show as In Progress while the file is being generated. A toast notification will appear, indicating the current progress.

Download the file

Once processing is complete, the status changes to Completed. Click the Download icon in the table row or use the download button in the notification toast to save the file.

View historical exports

All previously generated exports are listed on the Settings → Data Export page. Each entry shows the report name, status, date generated, and days remaining until automatic deletion. Use this page to re-download past exports or delete ones no longer needed.

Export Statuses

Status	Description
In Progress	The export is being generated. Download and deletion are not available.
Completed	The file is ready for download.
Failed	The export could not be generated. The record can be deleted.

Exports that remain in In Progress beyond the maximum allowed duration are automatically marked as Failed by a background job.

Exported File Structure

Credentials

A single CSV file containing all leaked credentials across data breaches, combo lists, and malware infections.

Column	Description
`asset`	The monitored asset (e.g. email address or phone number)
`email`	Leaked email address
`username`	Associated username
`event_type`	Source type: `malware_infection`, `combo_list`, or `database`
`name`	For `combo_list` — the filename; for `database` — the breach source name; for `malware_infection` — the stealer ID
`url`	URL where the data was found
`password`	Plaintext password, if available
`date_added`	Date the record was added to NordStellar
`infected_at`	Date of infection (malware cases only)
`breached_at`	Date of the breach (data breaches and combo lists only)

Data Breaches

A single CSV file with assets exposed in known data breaches.

Column	Description
`asset`	The monitored asset
`breach_name`	Name of the data breach
`risk_level`	Risk level assigned to the breach
`breach_date`	Date the breach occurred
`date_added`	Date the record was added to NordStellar

Additional dynamic columns may be present depending on the breach.

Combo Lists

A single CSV file with credentials found in publicly circulating combo lists. Shares the same column structure as the Credentials export.

Malware Infections

A ZIP archive containing two CSV files:

malware_summary.csv — One row per infected device.

Column	Description
`asset`	The monitored asset
`malware_identifier`	Unique identifier of the malware/stealer
`malware_type`	Type of malware
`risk_level`	Assigned risk level
`corp_credentials_count`	Count of corporate credentials stolen
`corp_cookies_count`	Count of corporate cookies stolen
`credentials_count`	Total credentials stolen
`cookies_count`	Total cookies stolen
`autofills_count`	Count of autofill entries stolen
`files_count`	Count of files stolen
`credit_cards_count`	Count of credit cards stolen
`infection_date`	Date of infection
`date_added`	Date the record was added to NordStellar
`ip_address`	IP address of the infected device
`device_os`	Operating system of the infected device
`hardware_id`	Hardware identifier
`machine_id`	Machine identifier
`device_username`	Username on the infected device
`system_name`	System/computer name
`zip_code`	ZIP code of the device location
`country_code`	Country code of the device location
`location`	Location of the device
`language`	System language
`timezone`	System timezone

malware_credentials.csv — Credentials stolen by malware.

Column	Description
`malware_identifier`	Unique identifier of the malware/stealer
`email`	Stolen email address
`url`	URL associated with the credential
`application`	Application the credential was stolen from
`username`	Stolen username
`password`	Stolen password

Domain Permutations

A single CSV file with detected domain squatting permutations.

Column	Description
`original_domain`	The monitored domain
`detected_domain`	The squatting domain detected
`permutation_type`	Type of permutation technique used
`risk_level`	Assigned risk level
`detection_date`	Date the permutation was detected
`ip_addresses`	IP addresses resolving to the detected domain
`countries`	Countries associated with the IP addresses
`country_codes`	Country codes
`name_servers`	Name servers of the detected domain
`mail_servers`	Mail servers of the detected domain
`registrar`	Domain registrar
`whois_name`	WHOIS registrant name
`whois_organization`	WHOIS registrant organization
`registration_date`	Domain registration date
`expiration_date`	Domain expiration date
`http_banner`	HTTP response banner
`smtp_banner`	SMTP response banner
`content_similarity`	Content similarity score to the original domain
`visual_similarity`	Visual similarity score to the original domain

Client Credentials

A single CSV file with leaked credentials associated with monitored client assets. Shares the same column structure as the Credentials export.

Attack Surface Vulnerabilities

A single CSV file containing vulnerabilities detected across your external attack surface.

Column	Description
`title`	Vulnerability title
`vulnerability_type`	Type of vulnerability (e.g. CVE, SSL Certificate, DNS Spoofing, Misconfiguration, XSS)
`source_type`	Source where the vulnerability was found: `DNS`, `Network Service`, or `Web Application`
`risk_level`	Assigned risk level
`tags`	Tags associated with the vulnerability
`is_verified`	Whether the vulnerability has been verified
`asset_value`	The asset where the vulnerability was detected (e.g. domain or IP)
`description`	Detailed description of the vulnerability
`impact_description`	Description of the potential impact
`remediation_instructions`	Recommended steps to remediate the vulnerability
`references`	External reference links
`cve_id`	CVE identifier, if applicable
`cwe_ids`	Associated CWE identifiers
`cvss_v2_score`	CVSS v2 severity score
`cvss_v3_score`	CVSS v3 severity score
`cvss_vector`	CVSS vector string
`epss_score`	Exploit Prediction Scoring System (EPSS) score
`evidence_url`	URL where the vulnerability was observed
`evidence_data`	Raw evidence data
`evidence_curl_command`	cURL command to reproduce the finding
`evidence_http_request`	HTTP request used during detection
`evidence_network_data`	Network-level evidence data
`evidence_file_path`	File path related to the evidence
`evidence_target`	Target of the vulnerability scan
`evidence_host`	Host involved in the evidence
`evidence_port`	Port involved in the evidence
`evidence_scheme`	Protocol scheme (e.g. HTTP, HTTPS)
`evidence_extracted_data`	Data extracted during vulnerability detection
`port`	Network port associated with the vulnerability
`network_service_name`	Name of the network service running on the port
`protocol`	Network protocol (e.g. TCP, UDP)
`product`	Software product identified on the service
`version`	Version of the identified product
`is_active`	Whether the vulnerability is currently active
`status`	Current status of the vulnerability
`is_resolved`	Whether the vulnerability has been resolved
`date_detected`	Date the vulnerability was first detected
`assignee`	Name of the person assigned to the vulnerability
`assignee_email`	Email of the assigned person

FAQ

How long does an export take to generate?

Generation time depends on the total amount of data and can range from a few seconds to up to an hour.
How long are exported files available for download?

Exported files are retained for 30 days after generation. The Days Until Deletion column in the export table shows how many days remain before the file is automatically deleted.
Can I cancel an export in progress?

No, exports cannot be canceled once initiated. If an export gets stuck, it will be automatically marked as Failed after exceeding the maximum allowed processing time.
Can I start a new export while one is already in progress?

No, only one export of the same type can be in progress at a time. Starting a new export of the same type is only possible after the current one completes or fails.
Can I filter the exported data by date range or asset type?

No, exports currently include all available records for the project.
Can I delete an export?

Yes, completed and failed exports can be deleted from the Data Export settings page. In-progress exports cannot be deleted.

Brand Protection Alerts