Forem: Devanand Premkumar

Free Breach Alerts in Microsoft Sentinel: One-Click Setup with XposedOrNot

Devanand Premkumar — Thu, 12 Feb 2026 13:50:23 +0000

Data breaches don't announce themselves. Your organization's credentials could be sitting in dark web marketplaces right now, and most security teams won't find out until someone uses them.

We built a Microsoft Sentinel connector that pulls breach exposure data into your SIEM automatically. Free tier included. One-click deploy. No agents to install.

What XposedOrNot Is (Quick Context)

XposedOrNot is a free, open-source breach monitoring platform. We track 10.5 billion+ exposed records across 661 verified breaches, with 835 million+ compromised passwords checked against our database.

You can explore the full list of tracked breaches at our data repository.

The platform offers email breach checks, password exposure lookups (using k-anonymity so your password never leaves your device), risk scoring, and domain monitoring. Everything is API-first, and the core service is free.

The Sentinel connector brings all of this into your existing security workflow.

What the Connector Does

The connector syncs breach exposure data into your Sentinel workspace on a schedule you choose (every 1, 6, 12, or 24 hours).

Once connected, you get:

Breach exposure per domain you monitor
Risk-scored credentials (plaintext vs. hashed vs. unknown)
Pre-built workbook for executive reporting
Analytics rules that fire when new exposures show up

You keep doing your normal Sentinel work, and breach intel shows up alongside your other security data. Passive early warning.

XposedOrNot API --> Logic App --> Data Collection Endpoint/Rule
                       |                      |
                       v                      v
                  Key Vault            Log Analytics Workspace
                 (API Key)                    |
                                              v
                                      Microsoft Sentinel
                                     (Workbook + Analytics)

Data flow: Logic App runs on schedule (default: every 12h), grabs the API key from Key Vault, calls XposedOrNot, and pushes results into Log Analytics via the Data Collection Rule. Sentinel picks it up for the workbook and analytics rules.

What Gets Deployed

Nine Azure resources, all managed via a single ARM template:

Resource	What It Does
Key Vault	Stores your API key (RBAC, no access policies)
Data Collection Endpoint	Ingestion pipeline
Data Collection Rule	Defines the schema and routing
Logic App	Pulls data on schedule (Managed Identity, no manual auth)
Workbook	Breach intelligence dashboard
Analytics Rule	Detects new exposures (disabled by default, enable after 24h)

The Logic App runs under a Managed Identity. Zero passwords, zero service principals to rotate. It talks to Key Vault, grabs your API key, hits the XposedOrNot API, and pushes results into your custom log table.

Prerequisites

You need two things:

1. A Sentinel-enabled Log Analytics workspace

Already have one? Skip ahead. If not:

# Create workspace
az monitor log-analytics workspace create \
  --resource-group your-rg \
  --workspace-name your-workspace \
  --location eastus

# Enable Sentinel
az sentinel onboarding-state create \
  --resource-group your-rg \
  --workspace-name your-workspace \
  --name default

2. An XposedOrNot API key

Edition	Best For	Features	Where to Get It
Community (free)	Individual or small team monitoring	Basic breach checks, standard polling	xposedornot.com
xonEnterprise+	Organization-wide workforce protection	Multi-domain monitoring, sub-minute alerting, executive dashboards	plus.xposedornot.com
xonThreatIntel+	Vendor/supply chain monitoring	Real-time intelligence feeds, deep web monitoring, partner domain tracking	plus.xposedornot.com

The free Community key gets you started. When you need to monitor your entire organization's domains, track vendor exposure, or get sub-minute alerting, the Plus tiers unlock everything. The connector works with all editions without any changes on the Sentinel side.

Deploy in 60 Seconds

Option 1: Click the Button

Head to the GitHub repo and hit Deploy to Azure.

The portal wizard asks for three things:

Workspace name
Workspace resource group
Your XposedOrNot API key

Click Create. Done.

Option 2: CLI

az deployment group create \
  -g your-resource-group \
  -f mainTemplate.json \
  -p workspaceName=your-workspace \
     workspaceResourceGroup=your-workspace-rg \
     xonApiKey=your-api-key

Either way, here's what happens after deploy:

Time	What Happens
0 min	Deployment completes
~2 min	First sync kicks off (Azure permissions need to propagate)
~5 min	Data shows up in your workspace

Verify It's Working

Heads up: After deployment, the Logic App needs a few minutes to pull and process the initial data from XposedOrNot. Give it about 5 minutes before running your first query. If you get zero results immediately after deploy, that's normal. Grab a coffee, come back, and try again.

Run this in Log Analytics:

XonBreachDetails_CL
| take 10

You should see records with fields like Email, BreachName, PasswordRisk, and ExposedDataTypes. If rows come back, you're live.

The Data You Get

Every record in XonBreachDetails_CL includes:

Field	Type	What It Tells You
`Email`	string	The exposed email address
`EmailDomain`	string	Domain part of the email
`BreachName`	string	Which breach it came from
`BreachedDate`	datetime	When the breach happened
`PasswordRisk`	string	`plaintext`, `easytocrack`, `unknown`, or `stronghash`
`ExposedDataTypes`	string	What categories of data leaked
`ExposedRecords`	number	How big the breach was

PasswordRisk is the field that should worry you the most. plaintext means the password was stored in clear text by the breached service. If your employee reused that password on your systems, you have an active problem.

Queries Worth Running

Find your highest-risk exposures:

XonBreachDetails_CL
| where PasswordRisk in ('plaintext', 'easytocrack')
| summarize Count=count() by Email, PasswordRisk
| order by Count desc

These are the accounts that need password resets yesterday.

Breach exposure by domain:

XonBreachDetails_CL
| summarize 
    Exposures = count(),
    Breaches = dcount(BreachName)
  by Domain
| order by Exposures desc

Useful when you monitor multiple domains. Shows which parts of your organization are most exposed.

Track new exposures over time:

XonBreachDetails_CL
| where TimeGenerated > ago(7d)
| summarize Count=count() by bin(TimeGenerated, 1h)
| render timechart

Plug this into a dashboard, and you'll see breach data flowing in on each sync cycle.

The Workbook

Once data starts flowing, head to Microsoft Sentinel > Workbooks > My workbooks > XposedOrNot Breach Intelligence.

The workbook gives you:

Exposure analytics across all monitored domains
Risk breakdown by password type
Breach timeline showing when exposures were detected
Drill down into individual breaches and affected accounts

No KQL required. Your CISO can open this and understand the exposure posture in minutes.

Enable the Analytics Rule

After 24 hours of data collection (so you have a baseline), go to:

Microsoft Sentinel > Analytics > find "XposedOrNot - New Breach Exposure Detected" > Enable

This creates incidents when new breach exposures are detected in your monitored domains. From there, you can build playbooks: automatically trigger password resets, notify affected users, or route to your existing incident response workflow.

What This Costs

The XposedOrNot Community API is free. The Azure costs are minimal:

Logic App: Runs once every 12 hours by default. A few cents per month.
Log Analytics ingestion: Depends on data volume. For most organizations, monitoring a handful of domains costs single-digit dollars per month.
Key Vault: Negligible. One secret, occasional reads.

If you're already running Sentinel, this barely moves the needle on your Azure bill.

Security Notes

A few things we built intentionally:

Key Vault uses RBAC, not access policies. The Logic App's Managed Identity gets a scoped role. No one else has access by default.
No secrets in the ARM template. The API key goes straight into Key Vault during deployment.
The Logic App doesn't store data. It reads from the API, transforms, and pushes to Log Analytics. Nothing persists in the Logic App itself.
All communication over HTTPS. API calls to XposedOrNot, Key Vault reads, Log Analytics writes: all TLS.

Going Further

Some things worth exploring once you're up and running:

Build a playbook that auto-resets passwords when PasswordRisk = 'plaintext' exposures show up
Correlate with sign-in logs to check if exposed credentials were actually used to authenticate
Monitor vendor domains with xonThreatIntel+ to catch supply chain breaches before they reach your perimeter
Track executive exposure with xonEnterprise+ for C-suite credential monitoring
Set up weekly reports to your CISO with exposure trends
Connect to Teams/Slack via Sentinel playbooks for real-time notifications

Get Started

The repo, API, and community tier are all free and open source.

GitHub repo: XposedOrNot/XposedOrNot-Sentinel
Free API key: xposedornot.com
Browse tracked breaches: xposedornot.com/our-repository
Enterprise plans: plus.xposedornot.com

If you spot something we should improve, open an issue. PRs welcome.

Have you set up breach monitoring in your SIEM before? Curious what other integrations you'd want to see. Drop a comment, I read all of them.

Written by Devanand Premkumar, founder of XposedOrNot. Tracking breaches since 2017.

Just Launched: xonPlus – Real-Time Breach Alerts for Devs and Security Teams

Devanand Premkumar — Wed, 16 Jul 2025 07:02:44 +0000

Hey devs 👋

I love building tools that solve real, annoying problems, and xonPlus was born out of one of the most frustrating: not knowing when your organization’s data gets breached.

🔍 How It Started

A while back, I built XposedOrNot, a free tool that allows anyone to check if their email address was exposed in a breach. It started as a small side project, just something to learn from.

Then, security teams began to arrive. They weren’t looking to check one email; they wanted to monitor entire domains, get real-time alerts, and pipe breach data into their systems.

At first, I wrote scripts. Then a few quick dashboards. But it was clear what they needed wasn’t another bloated, costly tool or a noisy feed. They needed something fast, focused, and dev-friendly.

So I built xonPlus.

🚀 What It Does

xonPlus is a real-time breach alerting system.

It monitors your organization’s emails and domains across billions of breach records and lets you know the moment something shows up.

When your data is exposed, whether in a public breach, paste site, or dark web dump, you get an alert with full context: breach source, affected accounts, and what actions to take.

You can plug alerts into:

Slack
Microsoft Teams
Email
Splunk
Or just call the API and wire it into your stack

🧰 How It’s Built

Under the hood:
FastAPI for async performance (originally started in Flask)
Google Cloud Run + Google Datastore for scale
Redis for caching and rate limiting
Cloudflare for hosting
Support for bulk email checks, multi-domain monitoring, and custom alerting

There’s also a simple frontend if your team wants to view breach timelines and trends visually.

🧠 Who It’s For

xonPlus currently supports three main modules:

xonEnterprise+ → for domain-wide monitoring
xonConsumer+ → to alert your users if they’re exposed
xonAPI+ → If you want to build breach visibility into your product

It’s useful whether you’re a solo engineer, a security lead, or a developer working on auth, fraud prevention, or compliance workflows.

💡 Why It Matters

Breaches are happening constantly. Credentials are getting leaked, reused, and exploited.

But most orgs don’t find out until attackers are already inside.

xonPlus gives you a clear signal when something’s wrong and a chance to act before it becomes a full-blown incident.

📣 What’s Next

I’m adding more features based on early feedback, especially around automation, exports, and deeper integrations.

If this sounds useful or you’re curious about how it works, here’s the full backstory:
👉https://blog.xposedornot.com/xonplus-launch/

I’d love to hear your thoughts, suggestions, or critiques.

Always open to ideas that make the product better.

Thanks for reading 🙌

🚀 Join the XON Hackathon 2024 - 10 Days Left to Win Prizes! 🏆

Devanand Premkumar — Sat, 03 Feb 2024 08:04:52 +0000

Hey dev.to Community,

We're excited to invite you to the XON Hackathon 2024! There are just 10 days left, and we don't want you to miss your chance to grab some fantastic prizes.

What's XON Hackathon 2024 all about?
It's your opportunity to showcase your coding skills and maybe even learn something new. Whether you're a beginner or a coding pro, we've got something for everyone.

Why Participate?

💡 Solve exciting challenges
🏆 Win awesome prizes
🤝 Connect with a friendly coding community
🌟 Boost your coding skills

How to Get Involved?
Simply visit to register for the hackathon and join the fun!

Need Guidance?
Check out our blog post for rules and guidance on the hackathon.

Questions or Need Assistance?
We're here to help. Feel free to reach out anytime.

Don't miss out on the action. Join the XON Hackathon 2024 today and show the world your coding magic! 🔮

Let's code together and make these last 10 days count! 🚀

P.S.: Please show your support and appreciation for XposedOrNot - open-source data breach monitoring solution on GitHub.

Join the XposedOrNot Hackathon 2024: Innovate for Internet Safety!

Devanand Premkumar — Sun, 21 Jan 2024 06:11:32 +0000

🚀 XposedOrNot Hackathon 2024: A Call to All Devs!

Hello, Dev.to Community!

I am super excited to announce the XposedOrNot Hackathon 2024! It's a unique opportunity for developers like you to contribute to an important cause – improving internet safety and data security. Here's everything you need to know:

About XposedOrNot

XposedOrNot is an open-source project dedicated to helping users discover if their personal information has been compromised in data breaches. In today's digital age, our project is more relevant than ever, and we need your innovative minds to enhance its capabilities.

🎯 Hackathon Goals

Engage with a vibrant developer community.
Accelerate development and innovation in the XposedOrNot project.
Create new features and improvements, enhancing user experience and security.

👩‍💻 Who Should Participate?

Whether you're a seasoned developer or just starting out, your ideas and skills are invaluable.
Individuals and teams are both welcome.

🏆 Prizes

Over $3,000 in prizes, with a top prize of $750!
Community choice awards, early bird prizes, and random draws.

🗓️ Key Dates

Start Date: January 22, 2024
End Date: February 12, 2024
Winners Announcement: February 26, 2024

📝 Participation Details

Submit your contributions via GitHub with the tag #XON-Hackathon-2024.
Find more details and guidelines in our official hackathon blog.

This hackathon is not just a competition; it's a chance to make a real difference in the world of internet security. We can't wait to see the innovative solutions you'll bring to the table.

Feel free to ask questions or share your thoughts in the comments. Let's collaborate to make the internet a safer place for everyone!