
Azure Sentinel Playbook Email-Check-HaveIBeenPwned

The Email-Check-HaveIBeenPwned playbook enriches Azure Sentinel threat detection alerts with context from the "Have I Been Pwned?" service. It targets alerts related to suspicious authentication activity, email phishing, and social engineering attacks; in general, it suits any alert that carries an email address or a login in email format.

The primary function of "Have I Been Pwned?" is to check whether specified private information has been leaked or compromised. Visitors to the website can enter an email address and see a list of all known data breaches with records tied to that address. The service also provides details about each breach, such as its backstory and the specific types of data it exposed. The playbook retrieves this information automatically over the API, using the email address from an alert, and adds the search results to the alert as context.

The most common password-security mistake is reusing the same password across on-prem, corporate, cloud, and internet resources. When an internet service is breached, the compromised email/password pair can be used for password-guessing attacks against other resources, including corporate or financial ones. Authentication failure, impossible travel, shared credential, and password brute-force alerts involving pwned emails should therefore be investigated and mitigated as most likely compromised accounts.
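As an added illustration (not the playbook's own Logic App definition), the Python below sketches the same flow: query the HIBP v3 breachedaccount endpoint with the alert's email, turn the returned breach records into alert context, and flag accounts whose breach exposed passwords so the alerts listed above can be prioritised. The sample breach records and the offline stub opener are constructed for the example; the `hibp-api-key` header, `truncateResponse` parameter and 404-means-no-breach behaviour are those of the real HIBP v3 API.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

HIBP_API = "https://haveibeenpwned.com/api/v3/breachedaccount/"

def fetch_breaches(email, api_key, opener=urllib.request.urlopen):
    """Return HIBP breach records for an email; [] when HIBP answers 404."""
    url = HIBP_API + urllib.parse.quote(email) + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,                      # key travels in a header, never the URL
        "user-agent": "sentinel-playbook-example"})   # HIBP rejects requests without a UA
    try:
        with opener(req) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        if err.code == 404:                           # HIBP's "not found in any breach"
            return []
        raise

def summarize_breaches(email, breaches):
    """Turn raw breach records into the context attached to the alert."""
    exposed = sorted({dc for b in breaches for dc in b.get("DataClasses", [])})
    password_leak = "Passwords" in exposed
    lines = [f"HIBP: {email} appears in {len(breaches)} known breach(es)."]
    for b in sorted(breaches, key=lambda b: b["BreachDate"], reverse=True):
        lines.append(f"- {b['Title']} ({b['Domain']}, {b['BreachDate']}): "
                     + ", ".join(b.get("DataClasses", [])))
    if password_leak:
        lines.append("Passwords exposed: treat brute-force/impossible-travel alerts as likely compromise.")
    return {"count": len(breaches), "password_exposed": password_leak,
            "data_classes": exposed, "comment": "\n".join(lines)}

# Constructed sample records in HIBP's breach shape (hypothetical, not real breaches)
SAMPLE_BREACHES = [
    {"Name": "ExampleForum", "Title": "Example Forum", "Domain": "forum.example",
     "BreachDate": "2019-03-04", "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleShop", "Title": "Example Shop", "Domain": "shop.example",
     "BreachDate": "2021-07-15", "DataClasses": ["Email addresses", "Names"]},
]

def offline_opener(req):
    """Stand-in for urlopen so the flow runs offline: sample data for one address, 404 otherwise."""
    if "pwned%40example.com" in req.full_url:
        return io.BytesIO(json.dumps(SAMPLE_BREACHES).encode())
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)
```

In the real playbook the `comment` string is what gets added to the Sentinel incident, and `password_exposed` is the signal that turns an authentication alert into a likely account compromise.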

Note: Playbooks leverage Azure Logic Apps; therefore, charges apply.

MITRE ATT&CK Mitigation:

  • M1027 Password Policies: set and enforce secure password policies for accounts. https://attack.mitre.org/mitigations/M1027/

Additional details: https://haveibeenpwned.com/