What this capability area answers
“Has this specific person’s device been compromised?” Where Domain Intelligence searches by organization, End User Protection searches by individual identifiers — the building blocks for account-takeover prevention, credential-stuffing defense, and “your account may be at risk” user notifications.

| Endpoint | Use it to… |
|---|---|
| Search by Email | Check if an email address appears in any stolen-credential record |
| Search by Username | Same, by username / email local-part |
| Search by IP / CIDR | Find infections from a specific IP address or subnet |
| Search by Stealer ID | Look up full victim records by victim_id/log_victim_id |
| Search by PC Name | Find infections by computer hostname |

emails/usernames require search:login; ip-cidr requires search:ip; stealer-id/pc-name require search:stealer. All four scopes are available on every tier including free.

The “searched value is never masked” rule
This is the most important behavior in this capability area. If you search for john.doe@example.com, that exact email is returned unmasked in any matching row — even on the free tier — because you already supplied it. Other fields in the same row (the matched password, a discovered computer_name, etc.) are still masked per your tier.

The same applies to exact ips (but not addresses matched only via cidr), usernames, and pc_names. See Data Masking for the full explanation and the subtle “exact match only” caveat.
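
A small model of this rule, added here as an illustration and not part of the product's own code or API: given a search request and a matching record, it predicts which fields come back in clear and which matched only through a range. The request parameter names follow this page; the record field names other than computer_name, the exact string comparison, and the sample record are assumptions constructed for the example.

```python
import ipaddress

# Request parameter -> record field it is matched against. Parameter names
# follow the page; record field names other than computer_name are assumed.
EXACT_PARAMS = {
    "emails": "email",
    "usernames": "username",
    "ips": "ip",
    "pc_names": "computer_name",
}


def in_any_cidr(ip, cidrs):
    """True if ip falls inside at least one of the supplied CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def predict_masking(request, record):
    """Model the rule for one matching record.

    Returns (unmasked, cidr_only):
      unmasked  - fields whose exact value the caller supplied, so they are
                  returned in clear on every tier
      cidr_only - fields that matched only through a cidr range and so stay
                  subject to tier masking
    Every other field in the record is masked per tier.
    """
    unmasked = {
        field
        for param, field in EXACT_PARAMS.items()
        if record.get(field) is not None and record[field] in request.get(param, [])
    }
    cidr_only = set()
    ip = record.get("ip")
    if ip and "ip" not in unmasked and in_any_cidr(ip, request.get("cidr", [])):
        cidr_only.add("ip")
    return unmasked, cidr_only


# Constructed sample record (documentation-reserved address and domain).
RECORD = {
    "email": "john.doe@example.com",
    "ip": "203.0.113.7",
    "computer_name": "DESKTOP-EXAMPLE",
    "password": "constructed-secret",
}
```

Searching the sample record by cidr alone puts ip in the second set, while supplying the same address under ips moves it to the first.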