Dark Web Monitoring

The One Protect monitors domains and email addresses for exposure in data breaches, alerting your team when compromised credentials are detected so you can take action before they are exploited.

Setting Up Monitoring

Adding Domains

1. Navigate to Protect → Dark Web → Domains
2. Click Add Domain
3. Enter the domain name (e.g., clientcompany.com)
4. Click Save

All email addresses associated with the domain are monitored automatically. New email addresses discovered in breaches are added to monitoring.

Adding Individual Emails

To monitor specific email addresses (including personal or external addresses):

1. Navigate to Protect → Dark Web → Email Monitors
2. Click Add Email
3. Enter the email address
4. Click Save

Breach Detection Alerts

When a monitored domain or email address appears in a breach, The One Protect creates an alert with:

• Breach name — The name of the compromised service or database
• Breach date — When the breach occurred
• Exposed data types — What was compromised (email, password hash, phone, address, etc.)
• Affected accounts — Which monitored email addresses were found
• Severity — Based on the types of data exposed (Critical if plaintext passwords, High if password hashes, Medium for other PII)

Alerts appear in Protect → Dark Web → Alerts and are also sent via email notification to configured recipients.

Compromised Credential Notifications

When credentials are found in a breach:

1. The affected user's manager and the MSP security team are notified
2. The alert includes the breach source, date, and data types exposed
3. Recommended actions are provided based on the exposure type

ℹ️The One Protect does not display or store actual compromised passwords. Alerts indicate that credentials were exposed but do not reveal the credential values.

Auto-Actions

Configure automated responses when breaches are detected:

Force Password Reset via RMM

When credentials are exposed, automatically trigger a password reset:

1. Navigate to Protect → Settings → Auto-Actions
2. Enable Force Password Reset
3. Select the severity threshold (e.g., Critical and High)
4. The One RMM executes the password reset on the affected user's account

Create PSA Ticket

Automatically create a PSA ticket for breach response:

1. Navigate to Protect → Settings → Auto-Actions
2. Enable Create PSA Ticket
3. Configure the ticket template (board, priority, assignment)
4. A ticket is created with breach details and recommended remediation steps

Notification Rules

Customize who is notified and how:

Recipient	Notification Method
MSP security team	Email, Hub notification
Account manager	Email
Client contact (via Portal)	Portal notification

Configure notification rules in Protect → Settings → Notifications.

Monitoring Schedule

• Breach database scans run every 12 hours
• On-demand scans can be triggered by clicking Scan Now on any domain or email monitor
• New breach data is ingested as breach databases are updated by upstream providers

⚠️Dark web monitoring detects breaches after they are publicly disclosed or added to breach databases. There may be a delay between when a breach occurs and when it is detected.

Alert Workflow

Each dark web alert follows a resolution workflow:

1. New — Breach detected, pending review
2. Acknowledged — An analyst has reviewed the alert
3. Remediated — Password has been reset and/or additional protections applied
4. Resolved — Alert is closed with a resolution note