# Check Dark Web Leaks

## Overview

The **Dark Web Leaks and Public Data Monitoring** dashboard provides visibility into breaches, compromised credentials, and exposed organizational data. It enables analysts to review severity levels, identify users at risk, and investigate malware-infected paths to proactively manage threats before they escalate into major incidents. This data comes from monitoring dark web forums, paste sites, credential dumps, and malware logs.

***

## Event Coverage

The dashboard provides insights across multiple dimensions of leaked data:

* **Breaches by Severity** – Breach titles, severity ratings, and affected user counts.
* **Dark Web Leaks Over Time** – Timeline of leaks detected for trend analysis.
* **Passwords** – Total number of compromised passwords identified.
* **Accounts** – Total compromised accounts linked to monitored domains.
* **Users At Risk** – List of users with leaked credentials and associated risk severity.
* **Impacted Domains** – Domains affected by breaches, with the number of leaks per domain.
* **Logons From** – Geographic origin of compromised login attempts.
* **Compromised Browsers** – Browser families and versions associated with breaches.
* **Malware Missed By** – Instances where malware bypassed endpoint or security systems.
* **Leaked Data Type** – Types of data exposed (e.g., plaintext, hashed passwords).
* **Malware Infected Locations** – Paths on infected devices tied to breach data.
* **Impacted URLs** – URLs where leaked credentials were observed, including plaintext password counts.
* **Dark Web Search** – Searchable view of leaked records, showing user details, breach name, and timestamps.

***

## Key Fields

When analyzing Dark Web events, the following fields provide the most context:

* **`user.name`** – Username linked to leaked data.\
  *Example*: `user.name: Charlie.Cassette`
* **`breach.title`** – Title or name of the breach incident.\
  *Example*: `breach.title: acme.corp`
* **`td.darkweb.domain`** – Domain of the leaked email or credential.\
  *Example*: `td.darkweb.domain: gmail.com`
* **`td.darkweb.target.domain`** – Targeted domain or login portal related to the credential.\
  *Example*: `td.darkweb.target.domain: https://ExampleDomain.com/signin`
* **`password.type`** – Format of the leaked password (plaintext, hashed, salted).\
  *Example*: `password.type: plaintext`
* **`password.text`** – Exposed password in plaintext (if available).\
  *Example*: `password.text: 123456`
* **`tenant`** – Tenant/organization identifier.\
  *Example*: `tenant: acme`
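
The following Python sketch is an added example, not part of the product or its documentation: one way to triage records that carry the fields above, ranking users by their worst exposure and masking `password.text` before anything is copied into a ticket. The flat-dict record shape, the scoring weights, the `acme.example` monitored domain, the breach titles and the function names are all assumptions made for illustration.

```python
# Constructed sample records (not real leak data). Assumption: events are
# exported as flat dicts keyed by the field names listed above.
SAMPLE_EVENTS = [
    {"user.name": "Charlie.Cassette", "breach.title": "constructed-breach-1",
     "td.darkweb.domain": "gmail.com", "password.type": "plaintext",
     "password.text": "123456", "tenant": "acme"},
    {"user.name": "Dana.Example", "breach.title": "constructed-breach-2",
     "td.darkweb.domain": "acme.example", "password.type": "hashed",
     "tenant": "acme"},
    {"user.name": "charlie.cassette", "breach.title": "constructed-breach-2",
     "td.darkweb.domain": "acme.example", "password.type": "salted",
     "tenant": "acme"},
]

# Assumed weights: plaintext is usable as-is, hashes still need cracking.
TYPE_RANK = {"plaintext": 3, "hashed": 2, "salted": 1}


def redact(event):
    """Return a copy with password.text masked, for tickets and notifications."""
    out = dict(event)
    if out.get("password.text"):
        out["password.text"] = "[REDACTED]"
    return out


def triage(events, monitored_domains):
    """Group events per user and rank users by their worst exposure."""
    monitored = {d.lower() for d in monitored_domains}
    per_user = {}
    for ev in events:
        user = ev.get("user.name")
        if not user:
            continue  # a record without an identity cannot be actioned
        score = TYPE_RANK.get(str(ev.get("password.type", "")).lower(), 0)
        if str(ev.get("td.darkweb.domain", "")).lower() in monitored:
            score += 3  # corporate identity, not a personal mailbox
        entry = per_user.setdefault(
            user.lower(), {"user": user, "score": 0, "breaches": set()})
        entry["score"] = max(entry["score"], score)
        entry["breaches"].add(ev.get("breach.title", "unknown"))
    return sorted(per_user.values(), key=lambda e: (-e["score"], e["user"].lower()))


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, ["acme.example"]):
        print(row["user"], row["score"], sorted(row["breaches"]))
```

Usernames are compared case-insensitively so that the same account appearing in several breaches collapses into one row with a single priority.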

***

## Dashboard Access

The **Dark Web, Public Leaks** dashboard consolidates all detected breaches, exposed credentials, and impacted domains into a single view for investigation.

* **From the Menu**:
  1. Open the **Dashboards** section in the Analyst Console.
  2. Expand the **INTEL** category.
  3. Select **Dark Web Leaks From the Third Party**.
  4. Review leaks, breach trends, and impacted users.

***

