Credential Browser Use Cases
Use case:
“I want to know if the credentials of any of my employees have been leaked in the last 7 days”. Every week you come to the Flare app to see whether any new credentials belonging to your employees have been leaked, which could put your organization at risk of being breached.
How to do it:
In the tenant feed of the credentials browser.
- Date Range: Focus on data from the last 7 days
- Search: Select the Domain of Email search type and type in the domain of your organization
- OR
- Filter: Your domain identifier from the Identifier Scope dropdown
Use case:
“I want to filter down to the most important and high-risk leaked credentials.” When looking into the credentials of your employees that have been leaked, you want to remove the noise of old and possibly recycled credentials. You also only want to see those that come from a breach of an employee's device rather than from a third-party breach.
How to do it:
In the tenant feed of the credentials browser.
- Source: Search for and select Stealer Logs
- Search: Select the Domain search type and type in the domain of your organization
- OR
- Filter: Your domain identifier from the Identifier Scope dropdown
Use case:
“I know one of my employees has been compromised, and I want to investigate further.” You are aware that one of your employees has been compromised, and you want a better understanding of what has been leaked.
How to do it:
In the tenant feed of the credentials browser.
- Filter: Your domain identifier from the Identifier Scope dropdown
- Search: Select the Email search type and type in the email of the employee of interest
- OR
- Search: Select the Username search type and type in the username of the employee of interest
→ To understand in more depth what has been breached and the level of risk, you can explore the data in the Tenant Event feed. See the more detailed use case here.
Use case:
“I am responding to an incident, and I want to know if the attacker used passwords that were previously breached.” You have had an incident, and you know which passwords the attacker used. Now you want to investigate whether these passwords were previously breached and, if so, when and where.
How to do it:
In the tenant feed of the credentials browser.
- Filter: Your domain identifier from the Identifier Scope dropdown
- Search: Select the Password search type and type in the password of interest
Use case:
“I want to know if any credentials have been leaked for a specific service or endpoint.” You have certain endpoints and services that are important to you, and if credentials related to them were leaked, you would be at risk, so you want to investigate these first.
How to do it:
In the tenant feed of the credentials browser.
- Search: Select the URL search type and type in the URL of the service or endpoint of interest.
Use case:
“When I am doing a black box pentest, I want to be able to find leaked credentials of an organization I’m trying to penetrate.”
How to do it:
In the Global search of the credentials browser.
- Search: Select the Domain of Email search type and type in the domain of the organization you are investigating.
Use case:
“I want to find stealer logs that are only for my employees and I know the password policy.”
How to do it:
- Filter: Using the exclude version of the password policy filter, select all options that do not fit your organization's password policy.
- Bulk Select: Select all the credentials and remediate them. This will remove all non-legitimate credentials from the browser.
Note: if the leaked value is a hash of a password, this search may not work.
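
The reasoning behind the password policy filter, shown as an added example that is not Flare's code or API: a leaked plaintext that could never satisfy your policy cannot be a valid corporate password, while a hashed value cannot be evaluated at all. The policy values, record fields and sample data below are constructed assumptions.

```python
import re

# Assumed policy for illustration; replace with your organization's real rules.
POLICY = {"min_length": 12, "upper": True, "lower": True, "digit": True, "symbol": True}

# Shapes of common digests: MD5, SHA-1, SHA-256, SHA-512 in hex, and bcrypt.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}|[0-9a-fA-F]{128})$")
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def looks_hashed(value: str) -> bool:
    """Heuristic: the value has the shape of a digest, so policy checks are meaningless."""
    return bool(HEX_DIGEST.match(value) or BCRYPT.match(value))


def meets_policy(password: str, policy: dict = POLICY) -> bool:
    """True if the plaintext could have been accepted under the policy."""
    checks = [
        len(password) >= policy["min_length"],
        not policy["upper"] or any(c.isupper() for c in password),
        not policy["lower"] or any(c.islower() for c in password),
        not policy["digit"] or any(c.isdigit() for c in password),
        not policy["symbol"] or any(not c.isalnum() for c in password),
    ]
    return all(checks)


def triage(records: list[dict]) -> dict:
    """Split leaked records into review / dismiss / unknown buckets."""
    buckets = {"review": [], "dismiss": [], "unknown": []}
    for rec in records:
        pw = rec["password"]
        if looks_hashed(pw):
            buckets["unknown"].append(rec["email"])   # a hash cannot be checked against policy
        elif meets_policy(pw):
            buckets["review"].append(rec["email"])    # plausible corporate password
        else:
            buckets["dismiss"].append(rec["email"])   # cannot be a valid corporate password
    return buckets


# Constructed sample records (not real leaked data).
SAMPLE = [
    {"email": "alice@example.com", "password": "Winter-Harbor-2024!"},
    {"email": "bob@example.com", "password": "qwerty"},
    {"email": "carol@example.com", "password": "5f4dcc3b5aa765d61d8327deb882cf99"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Records in the `unknown` bucket still need manual review, since a hashed value says nothing about whether the underlying password fits the policy.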