Flashpoint - Siemplify SOAR + Risk Intelligence Integration


Your organization’s employees are constantly at risk of attacks that steal their credentials, opening gaps into your entire network. Once stolen, these credentials typically appear for sale in illicit online communities, exposing you to risk. However, because these types of alerts are so common, they generate a large volume of work for your analysts to sift through each day, which makes it hard to know when you’re actually dealing with a true positive alert.

Solution Overview

The threat intelligence experts and technologies at Flashpoint continuously monitor all possible illicit channels to see if your credentials are compromised. By plugging the Flashpoint API into Siemplify’s Security Operations Platform, you can create an automated detection and response cycle, helping your analysts get well ahead on response measures for both true- and false-positive alerts.

Siemplify’s cloud-native Security Operations Platform also groups Flashpoint alerts with alerts from your other tools, to create threat-centric cases that your analysts can investigate. Playbook-driven responses reduce analyst time and effort spent on manual activities for faster and more effective investigation and response.


  • Enrich alerts using Flashpoint products and datasets such as Compromised Credentials Monitoring - Enterprise (CCM - E) and technical data.

  • Group Flashpoint data with alerts from other third-party tools to collect other user, endpoint, network and cloud data from any of Siemplify’s 200+ other integrations.

  • Easily collaborate with others within a case if input or reviews are required across a team.

  • Automatically or manually execute a series of mitigation actions such as blocking a user, isolating a host, or quarantining a machine in coordination with other tools where integrations exist.

  • Automatically send email updates or instant messages to a specific team member per your standard incident workflows.

  • Automatically close compromised credentials alerts as false positives if all enrichment data comes back negative.


Run playbooks that automate data collection using Flashpoint inputs to limit the amount of time spent manually cross-referencing information before making decisions.

Integrate Flashpoint data with your other tools for remediation actions such as resetting accounts, isolating hosts or killing processes, without having to pivot between systems.

Ingest Flashpoint data directly or via SIEM into the Siemplify Security Operations Platform. Siemplify’s patented threat-centric technology automatically groups related alerts into threat-centric cases.

Use Case


In this use case, an employee in your organization signs up for an account with an external service, but unfortunately uses their work email address and reuses their work password. This service provider is later compromised and its database of account credentials is harvested by a criminal group. These credentials are then listed for sale on the dark web and subsequently detected and collected by Flashpoint.

Once detected by Flashpoint, the credentials are automatically pulled into Siemplify’s Security Operations Platform, which creates a Compromised Credentials alert and triggers a pre-configured playbook. The playbook starts by checking if the credentials match any current credentials in your Active Directory instance. If they match, a password reset is automatically forced. An email notification is sent to the employee telling them that the password for their account on the compromised service needs to be changed, with a friendly reminder not to reuse work passwords.

The ticket can then be automatically closed, depending on how you configure your playbook workflow. If the credentials did not match those in Active Directory, an email can be sent warning the employee about the breach at their external service provider and telling them that they need to change their password there. The ticket can then also be automatically closed, saving your team a substantial amount of time and mitigating this risk at a much faster rate.

Integrated Flashpoint Datasets


Technical Indicators: Gives users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets and those included in Finished Intelligence Reports, allowing for seamless integration into users’ workflows and automated tools.


Compromised Credentials Monitoring - Enterprise (CCM - E): Enables organizations to search and monitor Flashpoint’s unique collections for compromised enterprise accounts and passwords in order to flag accounts, reset employee passwords, and restrict permissions to prevent actors from accessing confidential or personally identifiable information (PII).
