How does Axur Credential Monitoring protect your company?
Every time we identify the exposure of credentials containing your domains on these forums, the platform registers a detection in the Data Leakage workspace.
Which companies can benefit from this monitoring?
Axur Credential Monitoring is suited for companies with login areas for customers or employees via mobile apps or web applications. Additionally, it benefits companies looking to minimize the risk of employee credential leaks through logins on other platforms, as people often use the same password across multiple services. Third-party exposures of these credentials can also lead to fraudulent access attempts to the company’s internal systems.
How to prevent credential theft?
By guiding your customers and employees to change their passwords periodically, enforcing the use of strong passwords, and ensuring the use of two-factor authentication on all platforms (owned and contracted). Additionally, using identity management tools and regularly updating apps can help reduce vulnerabilities and improve security.
How to set up your Credentials monitoring directly on the Axur platform?
The configuration format has been updated. To start monitoring your company's data exposure, simply follow the step-by-step instructions provided in this article: Monitored Assets – Data Leakage.
After registering for monitoring, can I change or add more domains, apps, or subdomains?
Yes, you can make changes to the monitored URLs at any time in the settings of your Brand Asset. It is important that every URL (domain, website, host, subdomain, app) is directly related to your brand.
How does the platform work?
Unlike the other detection types, which use a ticket view, credential detections are presented as a list view. This approach allows users to establish a much more fluid workflow when handling higher volumes of information.
Attention: Credentials containing passwords with fewer than 4 digits are automatically disregarded and are not registered as detections on the Axur platform.
In the credentials section, you will find new filters that help you navigate the credentials list. When a deeper analysis requires more information, click a specific detection to expand it and see all of its available metadata.
If a more complex analysis is needed, you can export the results of your query to a CSV file. The file will be sent to your email as soon as possible.
How to identify important information: source, group, and file name?
When clicking on a reported case in the credentials tab, a side panel will automatically open on the right side of the screen. In this panel, you will find key details about the detection, including:
Source: The origin of the exposed credential, such as forums, groups, or sharing platforms.
Group: The name of the group or community where the data was found.
File name: If the data is stored in a file, its name will be displayed to facilitate identification.
Additionally, the side panel may include further metadata about the exposure, assisting in analysis and decision-making.
Accessing Infostealer Logs During an Investigation
Credentials can appear in multiple formats such as Infostealer Logs, Combolists, Database Dumps, and others.
When an incident is related to an Infostealer, it’s often crucial to review the original file where the credential was exposed, along with additional context such as:
Machine IP
Cookies
Browsing history
Other data collected by the malware
We provide both the specific file containing the exposed credential and, when available, the original package in which the file was found. These can be downloaded directly from the File Information section of the credential details.
By reviewing the File path, you can inspect all collected information to support further investigation and response.
The files remain available for one year after collection and are limited to 1 terabyte of download per customer per month.
Usage is restricted to investigative purposes only and no API or automated download solutions are recommended.
Please be advised that all files are provided as collected and have not been inspected for malware. Axur strongly recommends utilizing a Sandbox environment during investigation.
What is the life cycle of a Credentials detection?
Detections enter with the status ‘New’ and can later be treated internally, solved, or discarded. Cases considered not relevant may be discarded.
What is a duplicate detection?
Since December, we have implemented improvements to ensure that only unique credentials are registered on the platform, eliminating duplicate occurrences.
Currently, deduplication follows this rule:
Username + Password + URL → If these three parameters are identical to a previous detection, the credential is considered a duplicate and will not be registered again.
This approach prevents redundant alerts and keeps monitoring more precise and efficient.
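The deduplication rule above, combined with the short-password rule from the platform section, applied locally as an added Python example (not Axur's code or API), for instance when merging several CSV exports into one case list. The record field names, the demo key, the exact-match comparison without normalization, and reading "fewer than 4 digits" as password length are assumptions; the index stores a keyed digest so the dedup store never holds plaintext passwords.

```python
import hashlib
import hmac

MIN_PASSWORD_LEN = 4  # assumption: "fewer than 4 digits" read as length < 4
DEMO_KEY = b"constructed-demo-key"  # constructed; load from a secret store in practice


def fingerprint(key: bytes, username: str, password: str, url: str) -> str:
    """Keyed digest of the (username, password, URL) triple."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (username, password, url):
        data = field.encode("utf-8")
        # Length prefix keeps ("ab", "c") and ("a", "bc") from colliding.
        mac.update(len(data).to_bytes(4, "big"))
        mac.update(data)
    return mac.hexdigest()


def triage(records, key, seen=None):
    """Split records into (new, duplicates, disregarded).

    `seen` is the set of fingerprints already registered; pass the same
    set across calls to deduplicate against earlier batches.
    """
    seen = set() if seen is None else seen
    new, duplicates, disregarded = [], [], []
    for rec in records:
        if len(rec["password"]) < MIN_PASSWORD_LEN:
            disregarded.append(rec)  # too short: never registered
            continue
        fp = fingerprint(key, rec["username"], rec["password"], rec["url"])
        if fp in seen:
            duplicates.append(rec)  # all three parameters identical
        else:
            seen.add(fp)
            new.append(rec)
    return new, duplicates, disregarded


# Constructed sample records (hypothetical field names and values).
SSO, VPN = "https://sso.example.com/login", "https://vpn.example.com/"
SAMPLE = [
    {"username": "alice@example.com", "password": "Summer2024!", "url": SSO},
    {"username": "alice@example.com", "password": "Summer2024!", "url": SSO},  # exact repeat
    {"username": "alice@example.com", "password": "Summer2024!", "url": VPN},  # other URL: new
    {"username": "alice@example.com", "password": "Winter2025!", "url": SSO},  # other password: new
    {"username": "bob@example.com", "password": "abc", "url": SSO},  # below minimum length
]
```

Because the URL is part of the key, the same username and password seen on a second login page counts as a separate detection, so one reused password can produce several entries that each need a reset.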
What are the sources?
Telegram
WhatsApp
Discord
Mega.io
Paste sites
Deep/Dark Web Forums
IntelX
What to do after the detection?
Advise the people who had their credentials exposed to change their passwords as soon as possible, wherever they are used, and educate employees on the risks of using corporate credentials on third-party services;
If an internal credential is exposed, immediately review the affected machine for unauthorized access, check security logs, and update credentials to prevent potential breaches;
When changing credentials, encourage the creation of unique and strong passwords for each account. A strong password has at least 8 characters and includes uppercase and lowercase letters, numbers, and special characters;
Perform periodic internal password resets and password policy reviews;
Enable two-factor authentication everywhere. It will act as an additional security barrier;
Once all passwords have been changed, change the detection status to solved;
It is not possible to request the takedown of the detection.
API
With our exposure API, it is possible to create automated workflows and data collection. It allows you to:
Search for credentials using custom filters
Count credentials using custom filters
Update detection status
Add and remove tags
For high volumes of detections, we recommend using the bulk operations with up to 1000 credentials per request.
The documentation for the Credentials API is available at: https://docs.axur.com/en/axur/api/#tag/Credential-Search-Operations
Webhooks
We also provide near real-time webhook notifications for credential detections and updates through the platform's standard webhooks.
Events supported:
exposure.created
exposure.updated
The webhook documentation is available at Axur Platform webhooks.
Safelist
Adding an email address to your Safelist will prevent new credential detections for that specific username.
Only email-based usernames are currently supported.
If you have any questions, feel free to reach out at [email protected] 😊


