How to Query HaveIBeenPwned Using an Azure Sentinel Playbook

I’ve known Troy Hunt for a number of years and his contributions to the security and privacy industry have been hugely valuable and much appreciated by the masses.

HaveIBeenPwned is a great resource developed and maintained by Troy. It lets you query its database to discover whether domains or user accounts have been caught up in any of the many publicly reported data breaches. Wouldn’t it be nice, then, to have this data available for your Azure Sentinel investigations?

Fortunately, Troy provides an API for his service.

There’s quite a bit more that I’ll be working on for this solution – particularly parsing out details to include in the Incident – but initially I’ve provided an Azure Sentinel Playbook that takes email addresses associated with an Incident and submits them through the API and returns a quick note to the Comments tab in the Incident as to whether or not the email address (or addresses) has been compromised.
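As an added example (not the playbook's own logic, which is a Logic App), here is the same flow in Python: look each address up against the HIBP v3 `breachedaccount` endpoint and build the Incident comment. The HTTP call is injected so constructed responses stand in for the live API and the code runs offline; the header names, the `truncateResponse=false` parameter and the 404-means-clean behaviour are HIBP v3's documented ones.

```python
import json
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}"


def hibp_fetch(account: str, api_key: str) -> Tuple[int, str]:
    """Live call. HIBP v3 requires the hibp-api-key and user-agent headers;
    truncateResponse=false returns the verbose breach model. Returns
    (status, body); HIBP answers 404 when the account is in no breach."""
    req = Request(HIBP_URL.format(quote(account)) + "?truncateResponse=false",
                  headers={"hibp-api-key": api_key,
                           "user-agent": "sentinel-hibp-playbook"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def check_account(account: str, fetch: Callable[[str], Tuple[int, str]]) -> Dict:
    """Interpret one lookup; fetch is hibp_fetch or an offline stand-in."""
    status, body = fetch(account)
    if status == 404:
        return {"account": account, "pwned": False, "breaches": []}
    if status == 200:
        return {"account": account, "pwned": True,
                "breaches": [b["Name"] for b in json.loads(body)]}
    # 401 (bad key) or 429 (rate limited) must not be reported as "clean"
    raise RuntimeError(f"HIBP returned {status} for {account}")


def incident_comment(results: List[Dict]) -> str:
    """One line per address, in the form the playbook posts to Comments."""
    return "\n".join(
        f"{r['account']}: COMPROMISED in {', '.join(r['breaches'])}" if r["pwned"]
        else f"{r['account']}: not found in any known breach"
        for r in results)


# Constructed sample responses (not real lookups) standing in for the API
SAMPLE = {
    "alice@example.com": (200, json.dumps([
        {"Name": "Adobe", "BreachDate": "2013-10-04"},
        {"Name": "LinkedIn", "BreachDate": "2012-05-05"}])),
    "bob@example.com": (404, ""),
}


def demo() -> str:
    return incident_comment(
        [check_account(a, lambda acct: SAMPLE[acct]) for a in SAMPLE])
```

To run it against the live service, pass `lambda acct: hibp_fetch(acct, api_key)` in place of the `SAMPLE` lookup.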

Whew! This account was not compromised…for now…

You can get the Playbook from GitHub here with full Deploy to Azure capability: https://github.com/rod-trent/SentinelPlaybooks/tree/master/HaveIBeenPwned-Email

NOTE: The HaveIBeenPwned API is not free. There’s a nominal $3.50 per month recurring fee to continue using it, but you can also just pay for a single month to determine if it’s valuable enough to continue using it. The single month usage is also a handy option if your organization has recently been breached and you need to determine which accounts are compromised. To get the API key, go here: https://haveibeenpwned.com/API/Key

Once you have your API key, you need to adjust the Playbook. The second step of the Playbook is where your API key is stored as a variable. Input your API key in the Value field.

Enter your own API key

Also, don’t forget to jump through each step to make sure you’ve made the proper connections. And, please…don’t forget to expand out the For each loop and locate each connection in there. I don’t know about you, but that one always gets me.

Make all the connections

So, I’ve provided the logic all packaged together. You simply deploy it, connect your accounts, obtain and input your API key and you’re off and running. But I hope you take the time to look through the logic. There are some good lessons here on how to use variables to build your dynamic content.

Have fun! I hope to begin building out a few others based on this API, but if you get to it before I do…let me know! You can find information about the verbose breach model here: https://haveibeenpwned.com/API/v3#BreachModel

[Want to discuss this further? Hit me up on Twitter or LinkedIn]
