Summary
This workflow automates the monitoring and processing of ID Agent Dark Web alerts for compromised credentials. The solution continuously checks for new credential exposures on the dark web, correlates exposed accounts with managed users, creates PSA tickets for remediation, enforces password resets when possible, and notifies stakeholders of potential breaches. By automating dark web alert processing, the workflow ensures rapid response to compromised credentials, reduces exposure time, and provides accountability through ticket-based tracking.
Usage
Prerequisites
Before using this workflow, ensure the following requirements are met:
- ID Agent Integration: Configure the ID Agent API integration in Rewst
- PSA Integration: For ticket creation and tracking
- Microsoft 365/Active Directory Integration: For automated password resets
- Email Integration: For notifications
- Organizational Variables:
  - id_agent_ticket_board: PSA board for dark web alert tickets
  - id_agent_auto_reset: Enable automatic password reset
  - id_agent_notify_users: Notify affected users directly
  - id_agent_severity_mapping: Map exposure types to ticket priority
  - id_agent_notification_recipients: Security team emails
Workflow Inputs
| Parameter | Type | Required | Description |
|---|---|---|---|
| company_id | String | No | Filter by PSA company |
| date_range_days | Number | No | Days of alerts to process. Default: 7 |
| exposure_types | Array | No | Filter by exposure type |
| auto_reset_passwords | Boolean | No | Force password reset. Default: org variable |
| create_tickets | Boolean | No | Create PSA tickets. Default: true |
| notify_end_users | Boolean | No | Send user notifications. Default: org variable |
Execution
Scheduled Execution (Recommended)
- Run daily for routine monitoring
- Run every 4 hours for heightened security posture
Processing Flow
- Alert Retrieval: Fetch new dark web exposure alerts from ID Agent
- Deduplication: Filter out previously processed alerts
- User Correlation: Match exposed emails to managed user accounts
- Risk Assessment: Evaluate severity based on data exposed
- Ticket Creation: Create PSA tickets for each exposure event
- Password Reset: Enforce password reset for compromised accounts
- MFA Enforcement: Ensure MFA is enabled on affected accounts
- User Notification: Send awareness emails to affected users
- Management Notification: Alert security team of high-risk exposures
- Documentation: Log exposure details for compliance
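The deduplication, user correlation, risk assessment and remediation decisions from the flow above, as an added Python sketch that is not the workflow's own implementation. Field names follow the "Returned Data" sample; the risk rules, the `create_ticket`, `reset_password` and `notify_security_team` keys, and the function names are assumptions made for illustration.

```python
# Added illustration: field names follow the page's "Returned Data" sample;
# the risk rules and helper names are assumptions, not ID Agent or Rewst logic.

def risk_level(data_exposed):
    """Assumed mapping: plaintext password > password hash > anything else."""
    exposed = set(data_exposed)
    if "password" in exposed:
        return "Critical"
    if "password_hash" in exposed:
        return "High"
    return "Low"

def process_alerts(alerts, seen_ids, directory, auto_reset=True):
    """Deduplicate alerts, correlate to managed users, rate them, plan actions."""
    managed = {addr.strip().lower() for addr in directory}
    handled, plan = set(seen_ids), []
    for alert in alerts:
        if alert["alert_id"] in handled:
            continue  # processed in an earlier run or repeated in this batch
        handled.add(alert["alert_id"])
        email = alert["email"].strip().lower()  # match case-insensitively
        found = email in managed
        level = risk_level(alert["data_exposed"])
        plan.append({
            "alert_id": alert["alert_id"],
            "email": email,
            "risk_level": level,
            "user_found_in_directory": found,
            "create_ticket": True,  # every new exposure is tracked
            "reset_password": found and auto_reset,  # only accounts we manage
            "notify_security_team": level in ("High", "Critical"),
        })
    return plan

def demo():
    """Run the pipeline over constructed sample alerts."""
    alerts = [
        {"alert_id": "DW-2026-001", "email": "Jane.Doe@acmecorp.com",
         "data_exposed": ["email", "password_hash", "phone_number"]},
        {"alert_id": "DW-2026-001", "email": "jane.doe@acmecorp.com",
         "data_exposed": ["email", "password_hash"]},          # duplicate
        {"alert_id": "DW-2026-002", "email": "former.staff@acmecorp.com",
         "data_exposed": ["email", "password"]},               # not in directory
        {"alert_id": "DW-2026-003", "email": "bob@acmecorp.com",
         "data_exposed": ["email"]},
        {"alert_id": "DW-2025-900", "email": "bob@acmecorp.com",
         "data_exposed": ["password"]},                        # already processed
    ]
    return process_alerts(alerts, {"DW-2025-900"},
                          ["jane.doe@acmecorp.com", "Bob@AcmeCorp.com"])
```

An exposed address with no match in the directory still gets a ticket but no reset, so it is reviewed by hand rather than silently dropped.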
Returned Data
```json
{
  "success": true,
  "monitoring_summary": {
    "total_alerts_processed": 24,
    "new_exposures": 8,
    "previously_processed": 16,
    "companies_affected": 5,
    "unique_users_exposed": 12
  },
  "exposures": [
    {
      "alert_id": "DW-2026-001",
      "email": "jane.doe@acmecorp.com",
      "company": "Acme Corp",
      "source_breach": "third-party-service-2025",
      "data_exposed": ["email", "password_hash", "phone_number"],
      "exposure_date": "2026-03-01T00:00:00Z",
      "risk_level": "High",
      "user_found_in_directory": true,
      "password_reset_enforced": true,
      "mfa_status": "Enabled",
      "user_notified": true,
      "ticket_id": "SEC-2026-025"
    }
  ],
  "remediation_summary": {
    "password_resets_enforced": 6,
    "mfa_already_enabled": 10,
    "mfa_enforcement_pending": 2,
    "user_notifications_sent": 8,
    "tickets_created": 8
  }
}
```
Changelog
2026-03-04
- Initial version of the document