xonPlus Logo

xonThreatIntel+ / Integrations

Microsoft Sentinel Breach Monitoring Integration

The official XposedOrNot connector brings breach exposure intelligence into Microsoft Sentinel with a one-click deployment: scheduled sync into a custom log table, a breach intelligence workbook, and an architecture your cloud security team will actually approve.

What you get

  • Breach exposure data for your monitored domains, synced on your schedule: every 1, 6, 12, or 24 hours.
  • A custom log table in your Sentinel workspace, ready for analytics rules and automated incident response.
  • A breach intelligence workbook with exposure analytics, risk breakdown, and timeline views.
  • Zero-secret architecture: the Logic App runs under a Managed Identity and pulls the API key from Key Vault. Nothing to rotate.

Setup

  1. Deploy from the official GitHub repository with the one-click Azure template.
  2. Store your XposedOrNot API key in Key Vault; the Logic App's Managed Identity reads it from there.
  3. Pick your sync schedule and the domains to monitor, then open the workbook as data lands.

From the log table, your team can identify at-risk accounts, trigger password resets, and detect credential-based attacks before they become incidents. Full API reference in the developer docs.

Beyond the connector

MSSPs running Sentinel for multiple clients can monitor every client domain through xonThreatIntel+ for MSSPs with white-label reports and multi-tenant management from $99/mo. Security teams watching their own domains get alerts in ~15 minutes through xonEnterprise+ from $25/mo. All plans are on the public price list.

Frequently asked questions

Does the connector work with the free XposedOrNot tier?

Yes. It works with both the free Community Edition and xonPlus. Paid plans raise API rate limits and add the monitoring products around the same data.

How does the connector authenticate?

The Logic App runs under a Managed Identity and retrieves your API key from Azure Key Vault. There are no passwords and no service principals to rotate.

How often does breach data sync?

On the schedule you choose: every 1, 6, 12, or 24 hours. Each run pulls breach exposure data for your monitored domains into a custom log table in your Sentinel workspace.

What do I get out of the box?

A custom log table of breach exposures plus a breach intelligence workbook showing exposure analytics, risk breakdown, and a timeline. From there you can build analytics rules that trigger password resets or flag at-risk accounts.