Your security team is drowning in alerts, dashboards, and threat feeds. But there’s one question that tends to slip through the cracks:
Are your employees’ credentials already floating around in breach dumps?
If attackers have those credentials, they don’t need to hack in. They just log in. And that’s how many breaches start. Not with sophisticated zero-days, but with a password someone reused from a breach three years ago.
That’s why we built the XposedOrNot integration for Microsoft Sentinel.
One-click deploy. Open source. Works with both the free Community edition and xonPlus commercial plans.
Here’s what it does and how to set it up.
What Is XposedOrNot?
If you’re new here, here’s the quick version.
XposedOrNot is a breach intelligence platform that’s been running since 2017. We track over 10.5 billion exposed records across 660+ verified data breaches, and make that data accessible so organizations can determine whether their credentials have been compromised.
The platform is open source and transparency-focused. You can check out our code on GitHub, see exactly how things work, and even contribute.
Hundreds of organizations use XposedOrNot to monitor their breach exposure, from small startups to large enterprises.
Some use our free Community edition. Others run on xonPlus for full organizational monitoring. Both work with this Sentinel integration.
What Is This Azure Sentinel Integration?
It’s a native Microsoft Sentinel data connector that pulls breach exposure data from XposedOrNot into your SIEM, automatically.
Once it’s running, Sentinel keeps an eye on your domains for compromised credentials. The moment an email from your org pops up in a breach, it shows up in your security dashboard. Not weeks later. Not after the attacker gets in. Right away.
Here’s what you get:
- Automated data sync: The connector checks XposedOrNot on a schedule (every 12 hours by default) and grabs any new exposures
- Pre-built workbook: A dashboard that’s ready to go, with breach analytics, risk breakdowns, and exposure timelines
- Analytics rule: Get alerted when new breach exposures hit your monitored domains
- Risk scoring: Password risk levels (plaintext, easy to crack, strong hash) help you prioritize what needs immediate action
No more manual CSV exports. No more spreadsheet mess. Your breach intelligence lives right next to your other security data.
Why Breach Intelligence in Your SIEM?
Credential-based attacks are everywhere. Verizon’s 2024 DBIR says stolen credentials are behind almost half of all breaches. And the scary part? Most organizations don’t know their credentials are out there until it’s too late.
Here’s the typical story:
- An employee’s email appears in a breach (LinkedIn, Dropbox, some random forum, doesn’t matter)
- That employee reused their password (or a variation of it) for work systems
- Attackers test the credentials against your VPN, email, or cloud apps
- They get in. Game over.
The gap between “credential exposed” and “credential exploited” is your window to act. This integration shrinks that window.
When breach data lives in Sentinel alongside your login logs, firewall events, and identity alerts, you can:
- Correlate exposed credentials with suspicious login attempts
- Kick off password resets for high-risk accounts automatically
- Focus your effort where it matters most (plaintext passwords first, then work your way down)
- Report to leadership with real numbers, not guesses
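The first item in that list, written as a query (an added example, not part of the integration's shipped content): it joins high-risk exposed addresses against Microsoft Entra ID sign-in events. It assumes the `SigninLogs` table is connected to the same workspace; the table `XonBreachDetails_CL` and its `Email` and `PasswordRisk` columns are taken from the sample query on this page, and the lookback and threshold values are constructed.

```kusto
// Added example: exposed accounts that are also seeing sign-in pressure.
// Assumes Entra ID sign-in logs (SigninLogs) are ingested into this workspace.
let lookback = 14d;          // constructed value, tune to your retention
let ipThreshold = 3;         // constructed value, tune to your environment
let exposed =
    XonBreachDetails_CL
    | where PasswordRisk in ('plaintext', 'easytocrack')
    | extend Account = tolower(Email)
    | summarize RiskSet = make_set(PasswordRisk) by Account
    | extend Risks = strcat_array(RiskSet, ", ")
    | project Account, Risks;
SigninLogs
| where TimeGenerated > ago(lookback)
| extend Account = tolower(UserPrincipalName)
| join kind=inner exposed on Account
| summarize
    FailedSignIns       = countif(ResultType != "0"),
    BadPasswordFailures = countif(ResultType == "50126"),  // invalid username or password
    SuccessfulSignIns   = countif(ResultType == "0"),
    DistinctIPs         = dcount(IPAddress),
    Locations           = make_set(Location, 10),
    LastSeen            = max(TimeGenerated)
    by Account, Risks
// Keep accounts with wrong-password failures or an unusually wide spread of source IPs
| where BadPasswordFailures > 0 or DistinctIPs > ipThreshold
| order by BadPasswordFailures desc, DistinctIPs desc
```

An account that shows wrong-password failures followed by a successful sign-in from a new location is the one to reset first.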
How Domain Monitoring Works
Different organizations have different needs. Here’s how monitoring works across our editions:
XposedOrNot Community Edition (Free)
Perfect for individuals and small teams getting started with breach monitoring.
You verify your own domains through DNS or HTML, and then use our free API for basic breach checking. It’s straightforward: prove you own the domain, and you get access to see which emails from that domain have been exposed.
Check out the Community FAQ for details on domain verification, how breach checking works, and other common questions.
Great for getting visibility. No cost, no commitment.
xonEnterprise+
For security teams that need full organizational monitoring.
This is where you get the complete picture: dashboards, automations, integrations, real-time alerts, VIP monitoring for executives, and investigation tools. You verify your domains once, and xonPlus continuously monitors them for new exposures.
When a breach hits and your CFO’s email shows up, you know about it in minutes, not weeks.
xonThreatIntel+
Built for MSSPs, security vendors, and partners who need to monitor their clients’ infrastructure.
You get API access to our full breach intelligence feed (10.5 billion+ records) so you can build breach detection into your own products and services. Query on demand, integrate with your existing tools, and provide breach monitoring to your customers without building the database yourself.
Have questions about Plus plans? Check the Plus FAQ for common questions about enterprise features, API access, and integrations.
Works With Community and xonPlus Commercial Plans
This isn’t a commercial-only feature. The integration works with whatever XposedOrNot plan you’re on:
| Edition | Best For | API Key Source |
|---|---|---|
| Community (Free) | Individual monitoring, small teams | |
| xonEnterprise+ | Monitor your organization’s domains | |
| xonThreatIntel+ | Monitor partners and customers | |
Already have an API key? Great, you can deploy right now.
Don’t have one yet? Grab a free key at xposedornot.com. Takes about 30 seconds.
For pricing details on xonPlus plans, visit plus.xposedornot.com.
How to Deploy (It’s One Click)
We tried to make this stupid simple.
Option 1: One-Click Deploy (Recommended)
Hit the Deploy to Azure button in the GitHub repo. The Azure Portal wizard handles the rest. Just provide:
- Your Log Analytics workspace name
- Your workspace resource group
- Your XposedOrNot API key
That’s it. Hit deploy, wait about 5 minutes, and data starts flowing.
Option 2: CLI Deploy
If you prefer the command line:
```bash
az deployment group create \
  -g <resource-group> \
  -f mainTemplate.json \
  -p workspaceName=<workspace> \
     workspaceResourceGroup=<workspace-rg> \
     xonApiKey=<your-api-key>
```
What Gets Deployed and What You'll See
The template creates everything you need:
- Key Vault: Securely stores your API key (no credentials in code)
- Logic App: Handles the scheduled data sync
- Data Collection Rule: Routes data to your Log Analytics workspace
- Workbook: Pre-built dashboard for breach intelligence
- Analytics Rule: Alerting for new exposures (disabled by default, enable it after 24 hours of data)
All resources use Managed Identity. No manual authorization or connection setup required.
Give it about 5-7 minutes for the data to start flowing, then open the workbook. Here’s what you’ll find:
Exposure Overview
- Total emails exposed across your monitored domains
- Breakdown by breach, by domain, by risk level
- Timeline showing when exposures occurred
Risk Prioritization
- Plaintext passwords (fix these immediately)
- Easy-to-crack hashes (high priority)
- Strong hashes (lower priority but still worth tracking)
Breach Details
- Which breaches affected your organization
- What data types were exposed (passwords, phone numbers, addresses, etc)
- When each breach occurred and how many records it contained
Sample Query: Find High-Risk Exposures
```kusto
XonBreachDetails_CL
| where PasswordRisk in ('plaintext', 'easytocrack')
| summarize Count=count() by Email, PasswordRisk
| order by Count desc
```
Paste that into Log Analytics, and you’ll see exactly which accounts need immediate attention.
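A second query in the same spirit, as an added example and not the analytics rule the template deploys: it reports only exposures that appeared in the latest sync window and were not already present in earlier data. It uses only `Email`, `PasswordRisk` and the standard `TimeGenerated` column; the 30-day baseline is a constructed value, and the priority labels follow the workbook's risk ordering described above.

```kusto
// Added example: exposures first seen in the most recent sync window.
let window   = 12h;   // the connector's default sync interval
let baseline = 30d;   // constructed value: how far back "already known" reaches
let known =
    XonBreachDetails_CL
    | where TimeGenerated between (ago(baseline) .. ago(window))
    | distinct Email, PasswordRisk;
XonBreachDetails_CL
| where TimeGenerated > ago(window)
| distinct Email, PasswordRisk
// Drop anything already recorded before this window
| join kind=leftanti known on Email, PasswordRisk
| extend Domain = tostring(split(Email, "@")[1])
| extend Rank = case(PasswordRisk == 'plaintext',   1,
                     PasswordRisk == 'easytocrack', 2,
                     3)
| extend Priority = case(Rank == 1, 'immediate',
                         Rank == 2, 'high',
                         'lower')
| summarize NewExposures = count(), Accounts = make_set(Email, 50)
    by Domain, Priority, Rank
| order by Rank asc, NewExposures desc
| project Domain, Priority, NewExposures, Accounts
```

On a fresh deployment the baseline is empty, so every record counts as new until some history has accumulated.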
Security and Compliance
A few things you should know about how we handle data:
GDPR Compliant: XposedOrNot is built with privacy in mind. We don’t store or resell passwords or email lists. We follow GDPR requirements for data handling and user privacy.
Data Hosted in the USA: Our infrastructure is hosted in the United States on Google Cloud, and security is handled by Cloudflare.
Open Source: The entire integration is open source. No black boxes, no hidden logic. Review the code yourself if you want to know exactly what’s happening.
A few more things we want to be clear about:
Your API key is protected. It lives in Azure Key Vault with RBAC-only access. The Logic App grabs it using Managed Identity. No secrets in code, no hardcoded credentials anywhere.
All traffic is encrypted. TLS 1.2+ for everything.
The code is open source. You can read every line of it on GitHub. No black boxes. No hidden logic.
We built XposedOrNot on transparency, and this integration is no different.
Getting Started Checklist
Here’s the quick version:
- ✅ Get an API key from xposedornot.com (free) or plus.xposedornot.com (commercial)
- ✅ Make sure you have a Sentinel-enabled Log Analytics workspace and appropriate permissions
- ✅ Click Deploy to Azure in the GitHub repo
- ✅ Fill in the wizard (workspace name, resource group, API key)
- ✅ Wait 5-7 minutes
- ✅ Open the workbook and see your breach data
Got questions? Check the Community FAQ for general platform questions, or the xonPlus FAQ if you’re using enterprise features.
Why We Built This
Microsoft Sentinel is where a lot of security teams live. It’s where they triage alerts, investigate incidents, and build their security posture. We wanted breach intelligence to be part of that workflow, not a separate tool you have to remember to check.
When we talk to security analysts, the same pattern comes up: they know breach monitoring matters, but it’s one more thing to manage. One more dashboard. One more login. One more thing that falls through the cracks when things get busy.
This integration fixes that. Breach data flows into Sentinel automatically. It just sits there, ready when you need it.
And since it’s open source, you can peek under the hood, tweak things if needed, or send us a PR if you’ve got ideas.
References & Resources
Deploy the Integration:
- GitHub Repository: Source code, documentation, one-click deploy
XposedOrNot Platform:
- xposedornot.com: Free Community edition
- plus.xposedornot.com: Commercial plans (xonPlus)
- Community FAQ: Common questions about breach checking and domain verification
- xonPlus FAQ: Questions about enterprise features and integrations
API Documentation:
- api.xposedornot.com/docs: Community API docs
- console.xposedornot.com/docs: xonPlus API docs
Show Some Love ⭐
Liking what you see? Drop us a star on the GitHub repo. It helps others find this project, and honestly, it makes our day.