Summary
This workflow automates the processing of dark web monitoring alerts when compromised credentials are detected. The solution ingests alerts from dark web monitoring services, identifies affected users, validates the breach severity, initiates password resets, creates PSA tickets for tracking, notifies affected users and administrators, and documents the incident for compliance. By automating this response, the workflow reduces the window of exposure, ensures consistent incident handling, and maintains a complete audit trail for security compliance.
Usage
Prerequisites
Before using this workflow, ensure the following requirements are met:
- Dark Web Monitoring Integration: Configure integration with your dark web monitoring provider (ID Agent, SpyCloud, Have I Been Pwned, etc.)
- Active Directory / Microsoft 365 Integration: For automated password resets
- PSA Integration: For ticket creation and tracking
- Email Integration: For user and admin notifications
- Organizational Variables:
  - dark_web_auto_reset_password: Automatically reset compromised passwords
  - dark_web_force_mfa_reenroll: Force MFA re-enrollment on compromised accounts
  - dark_web_notification_recipients: Security team email addresses
  - dark_web_ticket_board: PSA board for dark web alert tickets
  - dark_web_severity_threshold: Minimum severity to process
Workflow Inputs
| Parameter | Type | Required | Description |
|---|---|---|---|
| alert_id | String | Yes | Dark web alert identifier |
| compromised_email | String | Yes | Email address found on dark web |
| breach_source | String | No | Name of the breached service |
| breach_date | String | No | Date of the breach |
| data_types_exposed | Array | No | Types of data exposed (password, email, SSN, etc.) |
| company_id | String | Yes | PSA company ID for the affected organization |
| auto_reset | Boolean | No | Automatically reset password. Default: org variable |
| force_mfa | Boolean | No | Force MFA re-enrollment. Default: true |
| create_ticket | Boolean | No | Create PSA ticket. Default: true |
Execution
Event-Driven Trigger (Recommended)
- Triggered automatically when dark web monitoring detects a new alert
- Webhook from monitoring service initiates processing
Scheduled Processing
- Run periodically to poll for new alerts from monitoring API
- Process alerts in batches
Processing Flow
- Alert Ingestion: Receive and parse dark web alert details
- User Identification: Match compromised email to internal user accounts
- Severity Assessment: Evaluate breach severity based on data types exposed
- Account Validation: Verify the account is active and requires action
- Password Reset: Force password reset on compromised account
- Session Revocation: Revoke all active sessions and tokens
- MFA Re-enrollment: Force MFA re-enrollment if configured
- Ticket Creation: Create PSA ticket for tracking and documentation
- User Notification: Notify affected user with instructions
- Admin Notification: Alert security team with breach details
- Documentation: Log incident for compliance reporting
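The processing flow above, as an added example that is not part of the workflow itself: a Python model of the decision logic (required-input check, severity assessment against dark_web_severity_threshold, remediation gated on the account being found and active, ticket creation, and user/team/manager notifications) that returns a result in the shape of the Returned Data section. The severity ladder, the mapping from exposed data type to severity, the placeholder ticket id format and the stub directory/PSA/email integrations are assumptions for this example; the page does not specify them.

```python
from dataclasses import dataclass, field

# Assumed severity ladder (lowest to highest), compared against the
# dark_web_severity_threshold organizational variable.
SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]

# Assumed mapping from an exposed data type to the severity it implies.
# The alert's severity is the highest level implied by any exposed type.
DATA_TYPE_SEVERITY = {
    "email": "Low", "username": "Low",
    "phone_number": "Medium", "address": "Medium",
    "password_hash": "High",
    "password": "Critical", "ssn": "Critical", "credit_card": "Critical",
}

REQUIRED_INPUTS = ("alert_id", "compromised_email", "company_id")


def assess_severity(data_types_exposed):
    """Severity Assessment: highest level implied by any exposed type.
    Unknown labels count as Medium so an unrecognised type never silently
    downgrades an alert; an empty list is Low."""
    levels = [DATA_TYPE_SEVERITY.get(str(t).lower(), "Medium")
              for t in (data_types_exposed or [])]
    return max(levels, key=SEVERITY_ORDER.index) if levels else "Low"


def meets_threshold(severity, threshold):
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(threshold)


@dataclass
class Stubs:
    """Constructed stand-ins for the directory, PSA and email integrations.
    They only record the calls they receive, so the logic runs offline."""
    users: dict                      # email -> {"status": ..., "manager": ...}
    calls: list = field(default_factory=list)
    tickets: int = 0

    def lookup_user(self, email):
        return self.users.get(email)

    def act(self, action, target):   # reset / revoke / mfa / email calls
        self.calls.append((action, target))
        return True

    def create_ticket(self, board, company_id, summary):
        self.tickets += 1
        self.calls.append(("ticket", board, company_id, summary))
        return f"TICKET-{self.tickets}"   # placeholder id format (assumed)


def process_alert(alert, org_vars, integrations):
    """Run the flow for one alert; per-alert inputs override org defaults."""
    missing = [k for k in REQUIRED_INPUTS if not alert.get(k)]
    if missing:
        return {"success": False, "alert_id": alert.get("alert_id"),
                "error": "missing required inputs: " + ", ".join(missing)}

    email = alert["compromised_email"].strip().lower()
    exposed = alert.get("data_types_exposed") or []
    severity = assess_severity(exposed)
    result = {
        "success": True, "alert_id": alert["alert_id"],
        "compromised_account": {"email": email, "user_found_in_directory": False,
                                "account_status": "unknown"},
        "breach_details": {"source": alert.get("breach_source"),
                           "breach_date": alert.get("breach_date"),
                           "data_types_exposed": exposed, "severity": severity},
        "actions_taken": {"password_reset": False, "sessions_revoked": False,
                          "mfa_reset": False, "ticket_created": False,
                          "ticket_id": None},
        "notifications_sent": {},
    }

    # Severity gate: below the org threshold the alert is recorded, not actioned.
    if not meets_threshold(severity, org_vars["dark_web_severity_threshold"]):
        result["skipped"] = "severity below threshold"
        return result

    # User Identification + Account Validation.
    user = integrations.lookup_user(email)
    if user:
        result["compromised_account"].update(
            user_found_in_directory=True, account_status=user.get("status", "unknown"))
    actionable = bool(user) and user.get("status") == "active"

    # Per-alert overrides, falling back to org variables / documented defaults.
    auto_reset = alert.get("auto_reset", org_vars["dark_web_auto_reset_password"])
    force_mfa = alert.get("force_mfa", org_vars.get("dark_web_force_mfa_reenroll", True))
    create_ticket = alert.get("create_ticket", True)
    actions = result["actions_taken"]

    if actionable and auto_reset:
        # Reset first, then revoke sessions so a stolen token does not outlive the password.
        actions["password_reset"] = integrations.act("reset_password", email)
        actions["sessions_revoked"] = integrations.act("revoke_sessions", email)
        if force_mfa:
            actions["mfa_reset"] = integrations.act("reset_mfa", email)

    if create_ticket:
        actions["ticket_id"] = integrations.create_ticket(
            org_vars["dark_web_ticket_board"], alert["company_id"],
            f"Dark web alert {alert['alert_id']}: {email} ({severity})")
        actions["ticket_created"] = True

    # Notifications: affected user (if known), security team, manager (if known).
    sent = result["notifications_sent"]
    if user:
        sent["user_notification"] = {"sent": integrations.act("email_user", email),
                                     "recipient": email}
    recipients = list(org_vars["dark_web_notification_recipients"])
    sent["security_team"] = {"sent": integrations.act("email_team", tuple(recipients)),
                             "recipients": recipients}
    if user and user.get("manager"):
        sent["manager_notification"] = {"sent": integrations.act("email_manager", user["manager"]),
                                        "recipient": user["manager"]}
    return result
```

Two design points worth noting: the threshold gate runs before any directory lookup, so low-severity noise never touches identity systems, and session revocation is tied to the password reset rather than being optional, since an already-issued token would otherwise survive the reset.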
Returned Data
{
  "success": true,
  "alert_id": "DW-2026-001",
  "compromised_account": {
    "email": "john.smith@company.com",
    "user_found_in_directory": true,
    "account_status": "active"
  },
  "breach_details": {
    "source": "Third-Party SaaS Platform",
    "breach_date": "2025-12-15",
    "data_types_exposed": ["email", "password_hash", "phone_number"],
    "severity": "High"
  },
  "actions_taken": {
    "password_reset": true,
    "sessions_revoked": true,
    "mfa_reset": true,
    "conditional_access_applied": false,
    "ticket_created": true,
    "ticket_id": "SEC-2026-001"
  },
  "notifications_sent": {
    "user_notification": { "sent": true, "recipient": "john.smith@company.com" },
    "security_team": { "sent": true, "recipients": ["security@company.com"] },
    "manager_notification": { "sent": true, "recipient": "jane.doe@company.com" }
  }
}
Changelog
2026-03-04
- Initial version of the document