I’ve known Troy Hunt for a number of years and his contributions to the security and privacy industry have been hugely valuable and much appreciated by the masses.
HaveIBeenPwned is a great resource developed and maintained by Troy. You can query its database for a domain or a user account to see whether it has turned up in any of the many publicly reported data breaches. Wouldn’t it be nice, then, to have this data available for your Microsoft Sentinel investigations?
Fortunately, Troy provides an API for his service.
I’ve provided a Microsoft Sentinel Playbook that takes the email addresses associated with an Incident, submits each one to the API, and writes a short note to the Comments tab of the Incident saying whether or not that address has appeared in a known breach. (Note the distinction: HaveIBeenPwned tells you an address was exposed in a breach, not that the account itself has been taken over.)
You can get the Playbook from GitHub here with full Deploy to Azure capability: https://github.com/rod-trent/SentinelPlaybooks/tree/master/HaveIBeenPwned-Email
NOTE: The HaveIBeenPwned API is not free. As of this writing there’s a nominal $3.50 per month recurring fee to keep using it, but you can also pay for just a single month to decide whether it’s valuable enough to continue with. A single month is also a handy option if your organization has recently been breached and you need to determine which accounts were exposed. To get the API key, go here: https://haveibeenpwned.com/API/Key
Make sure you obtain the API key before deploying the Playbook to your Microsoft Sentinel environment, since you can enter it during deployment.
Otherwise, enter a placeholder value and, once you have the real API key, edit the Playbook: the second step is where the key is stored as a variable, so put your key in its Value field. Keep in mind that the value of a Logic App variable is recorded in the run history, so anyone who can read the run history can read the key; for production use, consider retrieving it from Azure Key Vault with the Key Vault connector instead of keeping it in the Playbook definition.
Also, don’t forget to step through each action to make sure you’ve made the proper connections. And please…don’t forget to expand the For Each loop and fix up each connection inside it. I don’t know about you, but that one always gets me.
So, I’ve provided the logic all packaged together. You simply deploy it, connect your accounts, obtain and input your API key, and you’re off and running. But I hope you take the time to look through the logic. There are some good lessons here on how to use variables to build your dynamic content.
Have fun! I hope to begin building out a few others based on this API, but if you get to it before I do…let me know! You can find information about the verbose breach model here: https://haveibeenpwned.com/API/v3#BreachModel
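For anyone who wants to see what the Playbook is doing under the hood, or to reproduce the lookup outside a Logic App, here is an added example (my own illustration, not the Playbook’s code and not anything published by Troy) that calls the HIBP v3 breachedaccount endpoint the same way: the address is URL-encoded into the path, the key goes in the hibp-api-key header, and truncateResponse=false asks for the verbose breach model linked above. A 404 means the address was not found and is the normal “clean” result, not an error; 429 means you are being rate limited and should honour Retry-After. The sample response body and the breach names in it are constructed so the script runs offline; set HIBP_API_KEY in the environment to do a live lookup.

```python
"""Added example, not the playbook's own logic: HIBP v3 breachedaccount
lookup plus the one-line note the playbook writes to the Incident."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_BASE = "https://haveibeenpwned.com/api/v3/breachedaccount/"
USER_AGENT = "Sentinel-HIBP-Example"  # HIBP rejects requests with no user-agent

# Constructed sample of a 200 response (breach names are made up).
SAMPLE_BODY = json.dumps([
    {"Name": "ExampleBreachA", "Title": "Example Breach A", "Domain": "a.example",
     "BreachDate": "2019-04-01", "PwnCount": 1000000, "IsSensitive": False,
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleBreachB", "Title": "Example Breach B", "Domain": "b.example",
     "BreachDate": "2021-11-15", "PwnCount": 250000, "IsSensitive": True,
     "DataClasses": ["Email addresses", "Usernames"]},
])


def build_request(email: str, api_key: str) -> urllib.request.Request:
    """Build the GET: account URL-encoded into the path, key in the header,
    truncateResponse=false for the full breach model."""
    url = HIBP_BASE + urllib.parse.quote(email, safe="") + "?truncateResponse=false"
    return urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": USER_AGENT})


def interpret(status: int, body: str):
    """Map an HTTP result to a state string and a list of breaches.
    200 -> JSON array of breaches; 404 -> not in any breach (the good
    outcome); 429 -> rate limited; 401 -> key rejected."""
    if status == 200:
        return "breached", json.loads(body)
    if status == 404:
        return "clean", []
    if status == 429:
        return "rate_limited", []
    if status == 401:
        return "bad_key", []
    return "error", []


def format_comment(email: str, state: str, breaches: list) -> str:
    """Render the note for the Incident's Comments tab."""
    if state == "clean":
        return f"{email}: not found in any known breach"
    if state == "breached":
        names = ", ".join(f"{b['Name']} ({b['BreachDate']})" for b in breaches)
        sensitive = [b["Name"] for b in breaches if b.get("IsSensitive")]
        note = f"{email}: found in {len(breaches)} breach(es): {names}"
        if sensitive:
            note += f"; sensitive: {', '.join(sensitive)}"
        return note
    return f"{email}: lookup failed ({state})"


def check_email(email: str, api_key: str, max_retries: int = 3):
    """Live lookup. urllib raises HTTPError for 4xx, so 404 is handled
    in the except branch; on 429 sleep for Retry-After and try again."""
    for _ in range(max_retries):
        try:
            with urllib.request.urlopen(build_request(email, api_key)) as resp:
                return interpret(resp.status, resp.read().decode())
        except urllib.error.HTTPError as err:
            if err.code == 429:
                time.sleep(int(err.headers.get("Retry-After", "2")))
                continue
            return interpret(err.code, "")
    return "rate_limited", []


if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY")
    for addr in ["alice@example.com", "bob@example.com"]:
        if key:
            state, hits = check_email(addr, key)
        else:  # offline: pretend the first address is breached, the second clean
            state, hits = interpret(200, SAMPLE_BODY) if addr.startswith("alice") else interpret(404, "")
        print(format_comment(addr, state, hits))
```

The same four outcomes (200, 404, 429, 401) are what the Playbook’s HTTP action returns, so if you extend the Playbook this is the branching you want in the condition after the HTTP step rather than treating every non-200 as a failure.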
When you say "Playbook that takes email addresses associated with an Incident", which incident would that be? Do I need to create a separate analytics rule for it?