DarkFlash Incidents
Every DarkFlash detection is surfaced as an incident in the XTron Console. This page explains how to view, manage, and respond to DarkFlash incidents.
Viewing Incidents
Navigate to Incidents → DarkFlash in the XTron Console to see all detections for your monitored keywords and domains. Filter by:
- Severity — Critical, High, Medium, Low
- Status — Open, In Progress, Closed
- Keyword — The monitored keyword that triggered the detection
- Date range — Filter by creation date
Incident Types and Response Guidance
Credential Leak
Employee or organizational credentials found in a breach database, stealer log, or dark web post.
Immediate actions:
- Identify the affected account(s) using BreachFinder for full context
- Force a password reset for the affected user
- Verify the same password is not reused on other systems
- Review login logs for unauthorized access using the exposed credential
- Notify the affected employee
Data Breach Mention
Your organization's data referenced in a breach announcement or listed for sale.
Immediate actions:
- Assess the scope — what data was involved
- Initiate your data breach response procedure
- Engage legal and compliance teams if PII is involved
- Notify affected customers if required by regulation
Ransomware Listing
Your organization named on a ransomware group's leak site.
Immediate actions:
- Activate your incident response plan immediately
- Engage your security team and executive leadership
- Preserve all evidence before powering off any systems
- Contact law enforcement if appropriate
Access Sale (Initial Access Broker)
Credentials or network access to your infrastructure listed for sale on underground markets.
Immediate actions:
- Treat as a confirmed compromise until proven otherwise
- Force-rotate credentials for all accounts matching the listed access type
- Review authentication logs for the affected systems
- Engage your IR team or a third-party forensics provider
Incident Fields
| Field | Description |
|---|---|
| id | Unique numeric ID |
| title | Short description of the detection |
| taskKey | Ticket key (e.g., DFINC-123) |
| status_statusCd | Open, In Progress, Closed |
| severity_label | Critical, High, Medium, Low |
| category_name | Detection category |
| taskType_name | Specific incident type |
| description | Full details with context |
| keyword | The monitored keyword that triggered the detection |
| publisher_source | Where the data was found |
| retrieved_data | Raw data excerpt from the source |
| impact | Impact description |
| recommendation | Suggested remediation action |
| createdDt | Creation Unix timestamp |
| updatedDt | Last update Unix timestamp |
Updating Incident Status
Update incident status via the XTron Console under Incidents → DarkFlash → [incident] → Update Status.
Notifications
Configure how you receive DarkFlash incident alerts under Settings → Notifications:
- Email — Per incident or daily digest
- Webhook — POST to your endpoint for each new incident
- Slack — Alert to a designated security channel
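As an added example (not XTron's own code), a small receiver-side triage routine for the webhook notification: it validates a posted incident against the field names in the Incident Fields table and attaches the immediate actions listed in the response guidance for that incident type. It assumes the webhook body is JSON carrying those fields; the escalation threshold, the sample body and its values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Immediate actions per incident type, condensed from the response guidance above.
PLAYBOOKS = {
    "Credential Leak": ["Identify affected account(s) in BreachFinder", "Force password reset",
                        "Check for password reuse", "Review login logs for use of the credential",
                        "Notify the affected employee"],
    "Data Breach Mention": ["Assess scope of data involved", "Initiate breach response procedure",
                            "Engage legal/compliance if PII involved",
                            "Notify customers if required by regulation"],
    "Ransomware Listing": ["Activate incident response plan",
                           "Engage security team and executive leadership",
                           "Preserve evidence before powering off systems",
                           "Contact law enforcement if appropriate"],
    "Access Sale (Initial Access Broker)": ["Treat as confirmed compromise",
                           "Force-rotate credentials for the listed access type",
                           "Review authentication logs for affected systems",
                           "Engage IR team or forensics provider"],
}
SEVERITIES = ("Critical", "High", "Medium", "Low")
STATUSES = ("Open", "In Progress", "Closed")
REQUIRED = ("id", "taskKey", "status_statusCd", "severity_label", "taskType_name", "createdDt")


def triage_incident(body: str) -> dict:
    """Validate a webhook body (assumed JSON) and attach the playbook for its incident type."""
    inc = json.loads(body)
    missing = [k for k in REQUIRED if k not in inc]
    if missing:
        raise ValueError(f"incident missing fields: {missing}")
    if inc["severity_label"] not in SEVERITIES or inc["status_statusCd"] not in STATUSES:
        raise ValueError("unknown severity or status value")
    created = datetime.fromtimestamp(int(inc["createdDt"]), tz=timezone.utc)
    return {
        "ticket": inc["taskKey"],
        "type": inc["taskType_name"],
        "severity": inc["severity_label"],
        "created_utc": created.isoformat(),
        # Escalation threshold is an assumption for this example, not a product rule.
        "escalate": inc["severity_label"] in ("Critical", "High"),
        "actions": PLAYBOOKS.get(inc["taskType_name"], ["Type not in playbook: review manually"]),
    }

# Constructed sample webhook body; field names follow the Incident Fields table.
SAMPLE_BODY = json.dumps({"id": 4711, "title": "Employee credential in stealer log",
                          "taskKey": "DFINC-123", "status_statusCd": "Open", "severity_label": "High",
                          "taskType_name": "Credential Leak", "keyword": "example.com",
                          "publisher_source": "stealer log", "createdDt": 1700000000})
```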