Retrieve domain breach information from the Have I Been Pwned? database

Use the Have I been pwned? Breach intelligence threat source to retrieve all information automatically from the Have I Been Pwned? database to help identify compromised domains on a monthly basis, or you manually can perform the action using this procedure.

Before you begin

Role required: sn_ti.write

About this task

If the Security Operations Have I Been Pwned? Integration plugin is activated, you can submit Have I Been Pwned? lookup requests in the following ways:

Procedure

  1. Navigate to Threat Intelligence > Sources > Threat Sources.
  2. Click 'Have I been pwned?' - Breach intelligence.
    The threat source opens. For a complete description of the available fields and related lists in a threat source, see Define a threat source.
  3. To perform an on-demand retrieval from the Have I Been Pwned? database, click Execute Now at the top of the form.
  4. To view the results of the action, follow these steps.
    1. Click the Integration Run(s) tab and click the INTRUN record associated with the execution.
      The Integration Run form opens.
    2. Click the INTPRC number to view the results of the integration run.
      The integration Process form displays basic information about the integration process and includes an attachment with the results of the integration run.
    3. Open the attachment.
      The database retrieval returns the following information for each record:
      • title
      • name
      • domain name
      • breach date
      • added date
      • PwnCount
      • Description
      • DataClasses
      • Passwords
      • IsVerified (true/false)
      • IsSensitive (true/false)
      • IsActive (true/false)
      • IsRetired (true/false)
      • IsSpamList (true/false)
      • LogoType