Signal Definitions
ITDR uses signals to evaluate accounts for fraud based on open-source intelligence data. Account fraud can be determined through IP address, email, and phone data characteristics. Once fraud is found, signals power rules to guard against unwanted access to your systems.
Account Evaluation
| Signal | Type | Description |
|---|---|---|
account.asnCount.last24hours
|
integer | The number of distinct ASNs used to access this account in the last 24 hours |
account.asnCount.last7days
|
integer | The number of distinct ASNs used to access this account in the last 7 days |
account.asoCount.last24hours
|
integer | The number of distinct ISPs used to access this account in the last 24 hours |
account.asoCount.last7days
|
integer | The number of distinct ISPs used to access this account in the last 7 days |
account.connectedAccounts.count
|
integer | The number of other accounts connected to this account in SignalPrint |
account.daysSinceFirstSeen
|
number | Days since ITDR first saw this Account ID |
account.eventCount.last24hours
|
integer | The number of events seen for this account in the last 24 hours |
account.eventCount.last7days
|
integer | The number of events seen for this account in the last 7 days |
account.eventCount.lastHour
|
integer | The number of events seen for this account in the last hour |
account.locationCount.last24hours
|
integer | The number of distinct locations used to access this account in the last 24 hours |
account.locationCount.last7days
|
integer | The number of distinct locations used to access this account in the last 7 days |
account.loginFailedCount.last24hours
|
integer | The number of login failed events seen for this account in the last 24 hours |
account.loginFailedCount.last7days
|
integer | The number of login failed events seen for this account in the last 7 days |
account.loginFailedCount.lastHour
|
integer | The number of login failed events seen for this account in the last hour |
account.loginSuccessCount.last24hours
|
integer | The number of login success events seen for this account in the last 24 hours |
account.loginSuccessCount.last7days
|
integer | The number of login success events seen for this account in the last 7 days |
account.loginSuccessCount.lastHour
|
integer | The number of events seen for this account in the last hour |
account.mfaFailedCount.last24hours
|
integer | The number of MFA failed events seen for this account in the last 24 hours |
account.mfaFailedCount.last7days
|
integer | The number of MFA failed events seen for this account in the last 7 days |
account.mfaFailedCount.lastHour
|
integer | The number of MFA failed events seen for this account in the last hour |
account.mfaSuccessCount.last24hours
|
integer | The number of MFA success events seen for this account in the last 24 hours |
account.mfaSuccessCount.last7days
|
integer | The number of MFA success events seen for this account in the last 7 days |
account.mfaSuccessCount.lastHour
|
integer | The number of MFA success events seen for this account in the last hour |
account.userAgentCount.last24hours
|
integer | The number of distinct user agents used to access this account in the last 24 hours |
account.userAgentCount.last7days
|
integer | The number of distinct user agents used to access this account in the last 7 days |
account.verificationFailedCount.
|
integer | The number of verification failed events seen for this account in the last 24 hours |
account.verificationFailedCount.
|
integer | The number of verification failed events seen for this account in the last 7 days |
account.verificationFailedCount.
|
integer | The number of verification failed events seen for this account in the last hour |
account.verificationFailedCount.total
|
integer | The total number of verification failed events seen for this account in the last 180 days |
account.verificationSuccessCount.
|
integer | The number of verification success events seen for this account in the last 24 hours |
account.verificationSuccessCount.
|
integer | The number of verification success events seen for this account in the last 7 days |
account.verificationSuccessCount.
|
integer | The number of verification success events seen for this account in the last hour |
account.verificationSuccessCount.total
|
integer | The total number of verification success events seen for this account in the last 180 days |
Event Evaluation
|
Signal |
Type |
Description |
|---|---|---|
|
|
array |
In the same sort order as the fields, this contains the percentage the field contributed to the anomaly score |
|
|
array |
Sorted from most to least, these are the fields that contributed to the Anomaly Score |
|
|
integer |
Specifies an anomaly value for the event between 0 (normal) and 100 (highly unusual) relative to the account’s history |
|
|
integer |
A composite score combining the event risk and event anomaly scores |
|
|
array |
Event is on these lists |
|
|
integer |
Specifies a risk value for an event between 0 (safe) and 100 (risky) based on OSINT data and internal algorithms |
|
|
array |
See details in the table |
|
|
number |
Distance in miles from the location of the last LOGIN_SUCCESS |
|
|
number |
Speed of travel in miles per hour from the location of the last LOGIN_SUCCESS to the current location |
|
|
string |
ITDR ID of the last LOGIN_SUCCESS event used for calculations |
Risk Signals Associated With The Event
| Value | Description |
|---|---|
ACCOUNT:ACCOUNT_SHARING
|
Multiple users share credentials to access an account authorized for a single user |
ACCOUNT:DORMANT_ACCOUNT
|
This account has not been active in this workspace for 90 days |
ACCOUNT:OUTLIER_ACCOUNT
|
Indicates unusual activity relative to other accounts in this workspace |
ACCOUNT:TAKE_OVER
|
Indicates that the account has been accessed through unusual activity |
EMAIL:ALIAS
|
Indicates if the email address is an alias, usually due to special characters (+ or -) in the username |
EMAIL:BREACHED
|
Email was breached at least once in the last 2 years |
EMAIL:DISPOSABLE
|
Determines if an email is temporary and expires after a certain period of time |
EMAIL:FREE
|
Indicates if the email has been registered with a free email provider such as Gmail or Yahoo |
EMAIL:GENERIC
|
Indicates if the username portion of the email address is categorized as generic. For example, info@example.com |
EMAIL:INVALID
|
The supplied email address is invalid |
EMAIL:INVALID_A
|
Determines if an email’s domain has a valid IP address record |
EMAIL:INVALID_DNS
|
Determines if an email’s domain has valid nameserver records |
EMAIL:INVALID_DOMAIN
|
Determines if an email's domain is registered |
EMAIL:INVALID_ICANN_SUFFIX
|
Validates that an email's top-level domain is maintained by the Internet Corporation for Assigned Names and Numbers (ICANN) |
EMAIL:INVALID_MX
|
Validates that an email’s domain has one or more valid mail exchanger (MX) records |
EMAIL:INVALID_SPF
|
Validates that an email’s domain has a valid sender policy framework (SPF) record |
EMAIL:PARKED
|
Identifies if the email is from a parked domain |
EMAIL:RELAY
|
Identifies if the email is forwarded to another email address |
EMAIL:RISKY_TLD
|
Determines if an email is associated with a risky top-level domain |
EVENT:ANOMALOUS_EVENT
|
Indicates an Anomaly Score ≥ 75, signaling highly unusual activity relative to the account’s history |
EVENT:IMPOSSIBLE_TRAVEL
|
The speed of travel between a user's last known location and current location is not possible |
EVENT:NEW_PRINT
|
New prints indicate outlier activity (such as a new device) |
EVENT:STUFFING_ATTACK
|
Indicates that the ASN or IP address of an event is currently attempting to access multiple accounts at an unnatural speed |
EVENT:VERIFIED_PRINT
|
Print was used to successfully verify the identity of the account |
IP:ACTIVE_TOR
|
Determines if an IP address is coming from a currently active Tor node, usually to hide a true IP address |
IP:BOT
|
Determines if an IP address is a known bot |
IP:CRAWLER
|
Determines if an IP belongs to a business that scans the Internet, typically for the purpose of web indexing |
IP:DENY_LIST
|
Checks if the IP address is on a deny list |
IP:HOSTED
|
Determines if the IP address belongs to a cloud provider |
IP:INVALID
|
The supplied IP address is invalid |
IP:MALICIOUS
|
Determines if an incoming IP address can be found in a reported scam, breach, or malicious attack |
IP:NONROUTABLE
|
The IP address is classified as non-routable |
IP:PROXY
|
Determines if an IP address is coming from a proxy server, both HTTP and non-HTTP (such as SOCKS) proxies |
IP:RELAY
|
Private relay service IP address (such as Apple relay, Cloudflare, or Akamai) |
IP:TOR
|
Identifies if an IP address is coming from a known Tor exit node |
IP:VPN
|
Identifies if an IP address is coming from a known VPN |
PAYMENT_HASH:SHARED_PAYMENT_METHOD
|
Payment Hash was linked to multiple accounts |
PHONE:DISPOSABLE
|
Determines if a phone number is temporary and expires after a certain period of time |
PHONE:INVALID
|
The supplied phone number is invalid |
PHONE:NOT_REACHABLE
|
Determines if a phone number is in service or out of service |
PHONE:PORTED
|
Determines if a phone number has been ported |
PHONE:WIRELESS
|
Determines the phone number type (mobile and prepaid phone numbers will have a value of True, voice-over-IP and traditional landlines will have a value of False) |
PRINT:MULTIPLE_ACCOUNTS
|
Print was linked to multiple accounts for fraudulent purposes (such as promotions abuse or a banned user) |
SESSION:SESSION_SHARING
|
Multiple users share the same session identifier to access an account authorized for a single user |
USERAGENT:BOT
|
Identifies if the user agent is a known bot |
USERAGENT:OBSOLETE
|
Identifies if the user agent is >180 days old |
Request Identifiers
| Signal | Type | Description |
|---|---|---|
identifiers.accountId
|
string | The account ID |
identifiers.deviceId
|
string | The device ID |
identifiers.email
|
string | The email address |
identifiers.ip
|
string | The IPv4 or IPv6 address |
identifiers.paymentHash
|
string | The hashed payment method identifier |
identifiers.phone
|
string | The phone number in E.164 format |
identifiers.printId
|
string | The print ID |
identifiers.sessionId
|
string | The session ID |
identifiers.targetApp
|
string | The application accessed |
identifiers.timestamp
|
string | The RFC3339 formatted timestamp. Current time is used if not specified |
identifiers.userAgent
|
string | The full user agent string |
IP Address Evaluation
| Signal | Type | Description |
|---|---|---|
|
|
string |
Identifies the Autonomous System Number of the IP assigned to a group of IP prefixes run by network operators that maintain a defined routing policy to the Internet |
|
|
string |
Size class expressed in t-shirt sizes that reflect the available IP addresses in the ASN |
|
|
string |
Identifies the Autonomous System Organization that administers the IP address |
|
|
number |
Identifies the location coordinate of the IP address north or south of the equator |
|
|
number |
Identifies the location coordinate of the IP address east or west of the prime meridian |
|
|
number |
Gives the approximate accuracy radius to the latitude/longitude |
|
|
string |
Identifies the city in which the IP address is located |
|
|
string |
Identifies the two-letter continent code (ISO 3166-1) from which an IP address is located |
|
|
string |
Identifies the two-letter country code (ISO 3166-1) from which an IP address is located |
|
|
string |
Identifies the geographical region (state/province) in which the IP is located |
|
|
string |
Identifies the two-letter region code from which an IP address is located |
|
|
string |
Unique identifier assigned to the location by GeoNames |
|
|
string |
Network address in the CIDR (Classless Inter-Domain Routing) format |
|
|
string |
Size class expressed in t-shirt sizes that reflect the available IP addresses in the network |
|
|
string |
Name of the IP privacy service provider, available when vpn, relay, hosted or proxy is true |
|
|
integer |
Specifies a risk value for an IP address between 0 (safe) and 100 (risky) for ITDR to assess against OSINT data and internal algorithms |
|
|
integer |
The number of signup success events seen for this IP in the last 24 hours |
|
|
integer |
The number of signup success events seen for this IP in the last 7 days |
|
|
integer |
The number of signup success events seen for this IP in the last hour |
|
|
string |
Identifies the timezone of an IP address |
|
|
string |
The type of business using the IP address such as isp, hosting, education |
Phone Number Evaluation
| Signal | Type | Description |
|---|---|---|
|
|
string |
Specifies the name of a phone service provider |
|
|
string |
Specifies the carrier identification code (CIC), a four-digit numeric code assigned to carriers or other entities that access a local exchange carrier (LEC) network |
|
|
string |
Specifies the two-letter country code (ISO 3166-1) where the phone number is registered |
|
|
string |
Specifies a mobile country code (MCC) |
|
|
string |
Specifies a mobile network code (MNC) |
|
|
integer |
Specifies a risk value for a phone number between 0 (safe) and 100 (risky) forITDR to assess against OSINT data and internal algorithms |
|
|
string |
Identifies the specified phone number type such as wireless, a fixed line, or Voice Over IP |
User Agent Evaluation
|
Signal |
Type |
Description |
|---|---|---|
|
|
integer |
The number of other accounts connected to this print in SignalPrint |
|
|
integer |
The number of events seen for this print in the last 24 hours |
|
|
integer |
The number of events seen for this print in the last 7 days |
|
|
integer |
The number of events seen for this print in the last hour |
|
|
integer |
The number of accounts with a a failed login connected to this print in the last 24 hours |
|
|
integer |
The number of accounts with a a failed login connected to this print in the last 7 days |
|
|
integer |
The number of accounts with a a failed login connected to this print in the last hour |
|
|
string |
Specifies the method used to calculate the print ID. Possible values are PROVIDED (the ID is provided with the event) and PRINT (ITDR generates the ID) |
|
|
integer |
The number of login failed events seen for this print in the last 24 hours |
|
|
integer |
The number of login failed events seen for this print in the last 7 days |
|
|
integer |
The number of login failed events seen for this print in the last hour |
|
|
integer |
The number of login success events seen for this print in the last 24 hours |
|
|
integer |
The number of login success events seen for this print in the last 7 days |
|
|
integer |
The number of events seen for this print in the last hour |
|
|
integer |
The number of verification failed events seen for this print in the last 24 hours |
|
|
integer |
The number of verification failed events seen for this print in the last 7 days |
|
|
integer |
The number of verification failed events seen for this print in the last hour |
|
|
integer |
The total number of verification failed events seen for this print in the last 180 days |
|
|
integer |
The number of verification success events seen for this print in the last 24 hours |
|
|
integer |
The number of verification success events seen for this print in the last 7 days |
|
|
integer |
The number of verification success events seen for this print in the last hour |
|
|
integer |
The total number of verification success events seen for this print in the last 180 days |
Session Evaluation
|
Signal |
Type |
Description |
|---|---|---|
|
|
number |
Hours sinceITDR first saw this Session ID |
User Agent Evaluation
|
Signal |
Type |
Description |
|---|---|---|
|
|
string |
Identifies the name of the browser, such as Safari |
|
|
string |
Identifies the version of the browser |
|
|
integer |
Identifies the time in days since the user agent was released |
|
|
string |
Identifies the name of the device |
|
|
string |
Identifies the type of device |
|
|
string |
Identifies the operating system on the device |
|
|
string |
Identifies the version of the operating system on the device |
