Data breaches don't announce themselves. Your organization's credentials could be sitting in dark web marketplaces right now, and most security teams won't find out until someone uses them.
We built a Microsoft Sentinel connector that pulls breach exposure data into your SIEM automatically. Free tier included. One-click deploy. No agents to install.
What XposedOrNot Is (Quick Context)
XposedOrNot is a free, open-source breach monitoring platform. We track 10.5 billion+ exposed records across 661 verified breaches, with 835 million+ compromised passwords checked against our database.
You can explore the full list of tracked breaches at our data repository.
The platform offers email breach checks, password exposure lookups (using k-anonymity so your password never leaves your device), risk scoring, and domain monitoring. Everything is API-first, and the core service is free.
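To make the k-anonymity claim concrete, here is an added Python sketch (not XposedOrNot's code): the client hashes the password, sends only a short hash prefix, and matches the suffix locally. The hash function, prefix length and the in-memory "server" bucket are assumptions and constructed data, not the real API contract.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Assumptions (not XposedOrNot's actual API contract): the client hashes the
# password, sends only the first PREFIX_LEN hex characters, and the server
# answers with every (suffix, count) pair that shares that prefix.
PREFIX_LEN = 10


def password_hash(password: str) -> str:
    """Hex digest of the password; the choice of SHA3-512 is an assumption."""
    return hashlib.sha3_512(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the breach database: a few leaked passwords with
# made-up exposure counts, indexed by hash prefix the way a server would.
_LEAKED = {"password123": 41_000, "qwerty": 1_200_000, "letmein": 93_000}
_BUCKETS: Dict[str, List[Tuple[str, int]]] = {}
for _pw, _count in _LEAKED.items():
    _h = password_hash(_pw)
    _BUCKETS.setdefault(_h[:PREFIX_LEN], []).append((_h[PREFIX_LEN:], _count))

# Everything the "server" ever receives, so we can show that neither the
# password nor its full hash crosses the wire.
SENT_PREFIXES: List[str] = []


def fake_server_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Server side: returns the whole bucket for a prefix, nothing more."""
    SENT_PREFIXES.append(prefix)
    return _BUCKETS.get(prefix, [])


def check_password(
    password: str,
    lookup: Callable[[str], List[Tuple[str, int]]] = fake_server_lookup,
) -> int:
    """Client side: exposure count for the password, or 0 if it is unknown.

    Only the hash prefix leaves the device; the suffix comparison happens
    locally and in constant time, so the match itself leaks nothing.
    """
    digest = password_hash(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate, count in lookup(prefix):
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0
```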
The Sentinel connector brings all of this into your existing security workflow.
What the Connector Does
The connector syncs breach exposure data into your Sentinel workspace on a schedule you choose (every 1, 6, 12, or 24 hours).
Once connected, you get:
- Breach exposure per domain you monitor
- Risk-scored credentials (plaintext vs. hashed vs. unknown)
- Pre-built workbook for executive reporting
- Analytics rules that fire when new exposures show up
You keep doing your normal Sentinel work, and breach intel shows up alongside your other security data. Passive early warning.
```
XposedOrNot API --> Logic App --> Data Collection Endpoint/Rule
                        |                       |
                        v                       v
                    Key Vault         Log Analytics Workspace
                    (API Key)                   |
                                                v
                                       Microsoft Sentinel
                                     (Workbook + Analytics)
```
Data flow: Logic App runs on schedule (default: every 12h), grabs the API key from Key Vault, calls XposedOrNot, and pushes results into Log Analytics via the Data Collection Rule. Sentinel picks it up for the workbook and analytics rules.
What Gets Deployed
Nine Azure resources, all managed via a single ARM template:
| Resource | What It Does |
|---|---|
| Key Vault | Stores your API key (RBAC, no access policies) |
| Data Collection Endpoint | Ingestion pipeline |
| Data Collection Rule | Defines the schema and routing |
| Logic App | Pulls data on schedule (Managed Identity, no manual auth) |
| Workbook | Breach intelligence dashboard |
| Analytics Rule | Detects new exposures (disabled by default, enable after 24h) |
The Logic App runs under a Managed Identity. Zero passwords, zero service principals to rotate. It talks to Key Vault, grabs your API key, hits the XposedOrNot API, and pushes results into your custom log table.
Prerequisites
You need two things:
1. A Sentinel-enabled Log Analytics workspace
Already have one? Skip ahead. If not:
```bash
# Create workspace
az monitor log-analytics workspace create \
  --resource-group your-rg \
  --workspace-name your-workspace \
  --location eastus

# Enable Sentinel
az sentinel onboarding-state create \
  --resource-group your-rg \
  --workspace-name your-workspace \
  --name default
```
2. An XposedOrNot API key
| Edition | Best For | Features | Where to Get It |
|---|---|---|---|
| Community (free) | Individual or small team monitoring | Basic breach checks, standard polling | xposedornot.com |
| xonEnterprise+ | Organization-wide workforce protection | Multi-domain monitoring, sub-minute alerting, executive dashboards | plus.xposedornot.com |
| xonThreatIntel+ | Vendor/supply chain monitoring | Real-time intelligence feeds, deep web monitoring, partner domain tracking | plus.xposedornot.com |
The free Community key gets you started. When you need to monitor your entire organization's domains, track vendor exposure, or get sub-minute alerting, the Plus tiers unlock everything. The connector works with all editions without any changes on the Sentinel side.
Deploy in 60 Seconds
Option 1: Click the Button
Head to the GitHub repo and hit Deploy to Azure.
The portal wizard asks for three things:
- Workspace name
- Workspace resource group
- Your XposedOrNot API key
Click Create. Done.
Option 2: CLI
```bash
az deployment group create \
  -g your-resource-group \
  -f mainTemplate.json \
  -p workspaceName=your-workspace \
     workspaceResourceGroup=your-workspace-rg \
     xonApiKey=your-api-key
```
Either way, here's what happens after deploy:
| Time | What Happens |
|---|---|
| 0 min | Deployment completes |
| ~2 min | First sync kicks off (Azure permissions need to propagate) |
| ~5 min | Data shows up in your workspace |
Verify It's Working
Heads up: After deployment, the Logic App needs a few minutes to pull and process the initial data from XposedOrNot. Give it about 5 minutes before running your first query. If you get zero results immediately after deploy, that's normal. Grab a coffee, come back, and try again.
Run this in Log Analytics:
```kql
XonBreachDetails_CL
| take 10
```
You should see records with fields like Email, BreachName, PasswordRisk, and ExposedDataTypes. If rows come back, you're live.
The Data You Get
Every record in XonBreachDetails_CL includes:
| Field | Type | What It Tells You |
|---|---|---|
| Email | string | The exposed email address |
| EmailDomain | string | Domain part of the email |
| BreachName | string | Which breach it came from |
| BreachedDate | datetime | When the breach happened |
| PasswordRisk | string | `plaintext`, `easytocrack`, `unknown`, or `stronghash` |
| ExposedDataTypes | string | What categories of data leaked |
| ExposedRecords | number | How big the breach was |
PasswordRisk is the field that should worry you the most. plaintext means the password was stored in clear text by the breached service. If your employee reused that password on your systems, you have an active problem.
Queries Worth Running
Find your highest-risk exposures:
```kql
XonBreachDetails_CL
| where PasswordRisk in ('plaintext', 'easytocrack')
| summarize Count=count() by Email, PasswordRisk
| order by Count desc
```
These are the accounts that need password resets yesterday.
Breach exposure by domain:
```kql
// Group on EmailDomain, the domain field the table actually carries
XonBreachDetails_CL
| summarize
    Exposures = count(),
    Breaches = dcount(BreachName)
    by EmailDomain
| order by Exposures desc
```
Useful when you monitor multiple domains. Shows which parts of your organization are most exposed.
Track new exposures over time:
```kql
XonBreachDetails_CL
| where TimeGenerated > ago(7d)
| summarize Count=count() by bin(TimeGenerated, 1h)
| render timechart
```
Plug this into a dashboard, and you'll see breach data flowing in on each sync cycle.
The Workbook
Once data starts flowing, head to Microsoft Sentinel > Workbooks > My workbooks > XposedOrNot Breach Intelligence.
The workbook gives you:
- Exposure analytics across all monitored domains
- Risk breakdown by password type
- Breach timeline showing when exposures were detected
- Drill down into individual breaches and affected accounts
No KQL required. Your CISO can open this and understand the exposure posture in minutes.
Enable the Analytics Rule
After 24 hours of data collection (so you have a baseline), go to:
Microsoft Sentinel > Analytics > find "XposedOrNot - New Breach Exposure Detected" > Enable
This creates incidents when new breach exposures are detected in your monitored domains. From there, you can build playbooks: automatically trigger password resets, notify affected users, or route to your existing incident response workflow.
What This Costs
The XposedOrNot Community API is free. The Azure costs are minimal:
- Logic App: Runs once every 12 hours by default. A few cents per month.
- Log Analytics ingestion: Depends on data volume. For most organizations, monitoring a handful of domains costs single-digit dollars per month.
- Key Vault: Negligible. One secret, occasional reads.
If you're already running Sentinel, this barely moves the needle on your Azure bill.
Security Notes
A few things we built intentionally:
- Key Vault uses RBAC, not access policies. The Logic App's Managed Identity gets a scoped role. No one else has access by default.
- No secrets in the ARM template. The API key goes straight into Key Vault during deployment.
- The Logic App doesn't store data. It reads from the API, transforms, and pushes to Log Analytics. Nothing persists in the Logic App itself.
- All communication over HTTPS. API calls to XposedOrNot, Key Vault reads, Log Analytics writes: all TLS.
Going Further
Some things worth exploring once you're up and running:
- Build a playbook that auto-resets passwords when `PasswordRisk = 'plaintext'` exposures show up
- Correlate with sign-in logs to check if exposed credentials were actually used to authenticate
- Monitor vendor domains with xonThreatIntel+ to catch supply chain breaches before they reach your perimeter
- Track executive exposure with xonEnterprise+ for C-suite credential monitoring
- Set up weekly reports to your CISO with exposure trends
- Connect to Teams/Slack via Sentinel playbooks for real-time notifications
Get Started
The repo, API, and community tier are all free and open source.
- GitHub repo: XposedOrNot/XposedOrNot-Sentinel
- Free API key: xposedornot.com
- Browse tracked breaches: xposedornot.com/our-repository
- Enterprise plans: plus.xposedornot.com
If you spot something we should improve, open an issue. PRs welcome.
Have you set up breach monitoring in your SIEM before? Curious what other integrations you'd want to see. Drop a comment, I read all of them.
Written by Devanand Premkumar, founder of XposedOrNot. Tracking breaches since 2017.