Documentation forSolarWinds Identity Monitor

Using the Identity Monitor watchlist

Using Identity Monitor, you can find detailed breach information automatically generated by the Identity Monitor system.

The information found by scanning domains in your watchlist includes:

  • Infected consumer records
  • Infected employee records
  • Compromised credentials associated with a domain log-in

Some of the information found by scanning email addresses in your watchlist includes:

  • Compromised credentials associated with private or public data breaches.
  • Personally identifiable information (PII) that is associated to an email and easily found.


You must own the domain being monitored by Identity Monitor. After you add a domain to the watchlist, you are then prompted to verify that the domain is owned by you.

Identity Monitor then monitors all email addresses that match the domain. For example, if your domain is, and are both automatically included in the overall tracking of the domain.

There is no limit to how many addresses fall under the umbrella, so long as they are a part of the same domain, however the number of domains you can add to the watchlist is limited by your plan.

Email addresses

You can monitor any personal or non-work email address - such as Gmail, Hotmail, or Yahoo - that is used for professional services, such social media, cloud service, or SaaS programs. These are email address that should be added to the Personal Email watchlist in Identity Monitor.

It's common for hackers to use credentials discovered in the breach of third-party services on other websites, including company sites. Identity Monitor can audit a limited number of non-corporate email addresses, based on the your plan.

Since email addresses that fall under a domain are automatically included in the monitoring, it is not necessary to individually add those corporate email addresses to the watchlist.

Users who do not have authorization to monitor all domain addresses, can add their own individual address to monitor breaches that may affect them directly.

Infected watchlist records

Any domain or email address found to be "infected" by Identity Monitor is listed in the watchlist, along with details, such as:

  • the exposure event (breach title)
  • the number of data sightings
  • the severity of the breach
  • the raw data exposed

You can add or remove the columns displayed by clicking Column visibility at the top of the record table.

Breach Title

Each breach event record includes some background information regarding the history of a hack or exposure.

Clicking on the breach title name opens a detail view of information associated with the breach, including how many records in your watchlist are affected, the date of the breach, and which asset types were exposed.

Data Sightings

Sighting indicates the number of times the username and password combination is found throughout the breach catalog. The value under Sighting indicates which instance that the particular record entry has been seen.

For example, in the above image, this is the first time (as indicated by the value of 1) that user hunter89's credential combination has been found in the catalog.


There are four different levels of breach severity levels that a record may indicate:

  1. Critical: the data was stolen from a system infected with malware, and that users should assume the data has already been used for fraud or theft.
  2. High: the exposed data is easily crackable by criminal actors and it is recommended that additional steps be taken to secure it.
  3. Informational: the exposed data is not easily crackable, or the record has no associated password.
  4. Email only: The record is part of an email-only list and is not actionable through Identity Monitor.

Raw record data

You can see additional details of the exposed data for a record by clicking View Raw Data for each record.

This data includes information such as the user's browser, IP address, and system domain.