🌟 New Feature Alert 🌟

🎉 Happy New Year! 2️⃣ 0️⃣ 2️⃣ 5️⃣ We’re excited to introduce a new threat detection capability: Session Sharing. Building on Verosint’s existing ability to detect and respond to threats, this addition empowers you to stay ahead of token stealing attacks, a rising trend in Account Takeover (ATO) strategies.


What’s New?

New Session Sharing threat detection in AI Insights

1️⃣ Session Sharing Threat Card & Details Panel

  • A new Session Sharing threat card is now generated in AI Insights when Verosint detects multiple instances of impossible travel and device changes for a given session.
  • From the threat card, you can access a Session Details Panel which provides more context for you to investigate and verify the threat.

2️⃣ Email Notifications for Session Sharing Threats

  • Receive email alerts when Session Sharing is detected, ensuring you can respond promptly, even when not actively monitoring your Verosint workspace.

3️⃣ Session Sharing Risk and Session Details Panel in Event Explorer

  • Got a hunch that session sharing is occurring in your workspace? Verify it by searching for the Session Sharing risk in the Event Explorer.
  • You can also access the Session Details Panel in the Sessions tab of the Event Explorer. Click on a specific row to see key details of the session.
We've added Session Sharing to the list of Verosint Risks you can search by in Event Explorer
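
The detection criterion described above (multiple instances of impossible travel and device changes within one session) can be illustrated with the following added example. It is not Verosint's code or detection logic; the event field names, the 1,000 km/h speed limit, the 100 km minimum distance, and reading "multiple" as at least two are all assumptions, and the events are constructed sample data.

```python
import math
from collections import defaultdict

# Constructed sample events; field names are assumptions, not Verosint's schema.
BOS, BER, NYC = (42.36, -71.06), (52.52, 13.40), (40.71, -74.01)
EVENTS = [
    # s-1: two devices on two continents alternate within one session
    {"session": "s-1", "ts": 0, "device": "dev-A", "geo": BOS},
    {"session": "s-1", "ts": 600, "device": "dev-B", "geo": BER},
    {"session": "s-1", "ts": 1200, "device": "dev-A", "geo": BOS},
    {"session": "s-1", "ts": 1800, "device": "dev-B", "geo": BER},
    # s-2: one device, plausible ground travel over five hours
    {"session": "s-2", "ts": 0, "device": "dev-C", "geo": BOS},
    {"session": "s-2", "ts": 18000, "device": "dev-C", "geo": NYC},
    # s-3: a single location jump on one device (e.g. a VPN switch)
    {"session": "s-3", "ts": 0, "device": "dev-D", "geo": BOS},
    {"session": "s-3", "ts": 600, "device": "dev-D", "geo": BER},
    {"session": "s-3", "ts": 1200, "device": "dev-D", "geo": BER},
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def session_sharing(events, max_kmh=1000.0, min_km=100.0, min_hits=2):
    """Return {session: (impossible_hops, device_changes)} for flagged sessions."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    flagged = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        hops = changes = 0
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["geo"], cur["geo"])
            hours = max(cur["ts"] - prev["ts"], 1) / 3600  # floor avoids /0
            if km >= min_km and km / hours > max_kmh:
                hops += 1
            if cur["device"] != prev["device"]:
                changes += 1
        if hops >= min_hits and changes >= min_hits:
            flagged[sid] = (hops, changes)
    return flagged

if __name__ == "__main__":
    print(session_sharing(EVENTS))
```

Only s-1 is flagged: s-3 shows why a single location jump on an unchanged device does not meet the "multiple instances" bar.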


Why Does This Matter?

Token stealing is a growing attack vector because sessions are long-lived. These tokens are targeted by attackers to bypass authentication entirely, enabling session sharing, which significantly increases the risk of Account Takeover (ATO).

  • Session Stealing = ATO Risk: By hijacking active sessions, attackers can assume legitimate user identities, making this a critical threat vector.
  • Long-Lived Sessions Add Risk: Sessions often remain active for days or even months, creating an extended window of opportunity for attackers to exploit them.

By providing tools to detect and respond to Session Sharing, Verosint empowers you to take control of session security and defend against token-stealing attacks. Let us know how these tools work for you and share your feedback—we’re always looking to improve! 😊

🚀 Improvements Alert 🚀

We’ve made significant updates to the Event Details Panel in Event Explorer to make threat detection more actionable, intuitive, and easy to verify. Verosint is the Identity Threat Detection and Response (ITDR) solution that helps you detect, investigate, and respond to threats confidently.


What’s Improved?

1️⃣ Risk & Anomaly Score Donut Charts

  • Added visually intuitive donut charts for Risk Score and Anomaly Score in the Event Details Panel.
  • Enables faster assessment of an account’s threat level.
Risk & Anomaly Score donut charts in the Events Detail Panel

💡PRO TIP: Hovering over slices of the Anomaly Score donut chart reveals the factors that contributed to the Anomaly Score. In the example above, the Country from which the IP was seen on this event contributed 13% to the Anomaly Score of 80.

2️⃣ Expanded Metadata and Context

  • Added several new data fields so you have richer context for investigations.
  • Displaying more metadata, now organized by first-class attributes (e.g., IP Address, Device, etc.).
  • Provides richer context for each event, helping you quickly determine if further investigation is needed.
Added more data to the Event Details Panel for richer context

3️⃣ Impossible Travel Alert

  • Added a dedicated alert in the Event Details Panel for Impossible Travel incidents.
  • Displays key details in a clear and visually intuitive format for quicker verification.
Impossible Travel alert specifies the last known and current location of a user, and the impossible speed they would have to travel between the two locations


Why Does This Matter?

  • Actionable Threat Detection: Visual enhancements like the Risk and Anomaly Score charts, combined with detailed metadata, help you verify threats faster and with more confidence.
  • Better Context = Better Decisions: By organizing metadata into intuitive categories, we enable quicker identification of suspicious activities and anomalies.
  • Simplified Validation: Impossible Travel alerts now provide clearer evidence of potential account misuse, allowing you to take decisive action sooner.
  • Seamless Workflow: These updates to our Event Details Panel ensure context is just a click away. The Event Details Panel can be accessed from the ATO threat card or the Event Explorer.

These updates are all about empowering you to make threat detection and response both smarter and more effective. Let us know what you think or if you have any questions—we’d love your feedback! 😊

💜 Improvements Alert!

We’ve rolled out key improvements to threat insights and the Accounts tab in Event Explorer, and added a new risk signal called Session Sharing, to enhance how you detect and act on threats within your platform. These changes are designed to improve clarity and make it easier to identify and respond to unusual activity.

What’s Improved?

1️⃣ Credential Stuffing & Account Takeover Cards

  • Enhanced readability: We redesigned these cards to make key details more accessible at a glance.
  • Improved insights: If an account takeover (ATO) occurred during a credential stuffing attack, the Reason now includes specific details about the associated credential stuffing attack.

2️⃣ Accounts Table in Explorer

We’ve replaced some columns with session-related data to help you quickly identify suspicious activity and anomalies:

  • IP Addresses: The total number of distinct IPs associated with an account. More than 2 is unusual.
  • Sessions: The total number of distinct sessions associated with an account.
  • Devices: The total number of distinct devices used by the account. Multiple devices used consistently throughout the life of a session is highly unusual.
  • ASOs: The total number of Autonomous System Organizations that administer the IPs associated with an account. More than 2 is unusual.

3️⃣ New Risk Signal Added: Session Sharing

Verosint's new Session Sharing risk signal tells you when multiple users share the same session identifier to access an account authorized for a single user. See who is session sharing in the Event Explorer, or add a rule to your workflow to CHALLENGE or DENY users who are session sharing.

Session Sharing risk signal in Event Explorer

Use Session Sharing in Workflows for real-time prevention

Why Does This Matter?

  • Reduced MTTR: The enhanced ATO card provides more context, enabling you to verify faster whether a credential stuffing attack directly led to an account compromise. This makes your response actions more timely, precise, and confident.
  • Easier Detection of Unwanted or Unusual Behavior:
    • The updated Accounts table organizes key session-related metrics, making it easier to spot unusual behavior like high device counts or IP diversity, which could signal suspicious activity.
    • With the Session Sharing risk signal, you can detect and prevent shared sessions across accounts on your platform.

These improvements are all about making sure you're steps ahead of potential threats to your platform. As always, we’re here to help if you have feedback or questions!

🌟 New Features Alert!

We’ve introduced some exciting updates to help you gain deeper insights into session activity and detect potential threats more effectively.

What’s New?

  1. New Event Type: TOKEN_ISSUED_SUCCESS: This event indicates when access tokens are issued post authentication, providing greater visibility into session activity.
  2. Sessions Tab in Explorer:
    • A dedicated Sessions Tab is now available in Explorer, providing a comprehensive view of session activity.
    • Easily track active sessions, detect shared sessions, and uncover suspicious behaviors.
  3. New User Agent Signals
    • USERAGENT:OBSOLETE: This new risk signal flags user agents older than 180 days.
    • userAgent.daysSinceRelease: Displays the age of a user agent in days, helping you identify outdated or unusually old user agents that might indicate suspicious activity.

Why Does This Matter?

  • Greater Session Observability: The Sessions Tab offers streamlined access to critical session data, making it easier to identify and respond to anomalies and suspicious activity.
  • Improved Threat Detection: New user agent signals give you advanced insights into potentially risky behavior, such as the use of outdated browsers or applications.
  • Proactive Security: These updates empower your team to stay ahead of threats with enhanced visibility and actionable data.
Event Explorer with the new TOKEN_ISSUED_SUCCESS event type and dedicated Sessions tab

"Obsolete User Agent" risk signal displayed in Event Explorer

Use the "Days Since Release" signal in your workflows to challenge or deny accounts accessing your platform with an outdated user agent

💜 Improvements Alert!

We’ve made updates to Threat Insights to ensure everything is crystal clear—spend less time deciphering data and more time responding to threats effectively.

What’s Improved?

Credential Stuffing Insight

Credential stuffing attacks lead to three outcomes:
1️⃣ Successful Takeovers
2️⃣ Failed Takeovers
3️⃣ Nonexistent Accounts (those that don’t match any existing account in your workspace)

We’ve now added Nonexistent Accounts to the Credential Stuffing Attack card to give you a complete view of attack activity.

💡 Pro tip: The sum of Successful Takeovers, Failed Takeovers, and Nonexistent Accounts equals the Total Attempts displayed in the Attack Size & Scope.

Account Takeover Insight

We got feedback that it wasn’t always obvious why an account was taken over—so we made it stand out.

  • The reason for the takeover is now highlighted more clearly.
  • The email shown in the card is now a clickable link that takes you directly to the associated Account Intelligence page for deeper analysis.
Updated Account Takeover threat card, including the reason outlined in red

Why Does This Matter?

These improvements make Threat Insights more readable and actionable, so you can spend less time deciphering data and more time responding to threats effectively.

🌟 New Feature Alert!

Verosint has enhanced the way you interact with threat notifications by introducing the Threat Details Panel, a contextual view designed to streamline your response to credential stuffing attacks.

What’s New?

  • Accessible directly from the threat card in the Verosint app or via email notification, the panel provides concise yet actionable details about the detected threat
  • Includes key threat metrics, IP location activity, and a list of compromised accounts (if any) to help verify legitimacy without diving into complex logs

Why Does This Matter?

  • Simplifies threat investigation by bridging the gap between alert notifications and detailed, complex logs
  • Makes responding to threats faster, more intuitive, and seamlessly integrated into your workflow

This update reflects our commitment to enhancing security observability and actionability, creating a more valuable user experience. Try it out and let us know what you think!

New Threat Details Panel on AI Insights

💜 Improved Device Info & Signals

We're always looking to improve your user experience. We've made improvements to our device signals, so you know exactly what kind of device is being used by an account. These include support for:

  • Okta-specific user agents such as Okta Radius Agent and OktaVerify as well as Okta mobile apps
  • Native / mobile applications built with CFNetwork. Now we show the OS as iOS for these devices (instead of unknown)
  • The Indy Library bot and WhatsApp bot now trigger the USER_AGENT:BOT risk
  • Custom iOS apps such as Grailed, BestBuy apps, and Outlook on iOS are now parsed properly
  • The following Mozilla compatible user agents are now parsed properly: FreeBSD with Firefox, PlayStation, Opera Touch on iOS, and Windows Phone

🦃 Happy Thanksgiving from the Verosint family to yours! 🥧

🌟 New Feature Alert! You can now send session data with your events to see what's really happening once your users have logged in. Specifically, you will understand user behavior more comprehensively and identify patterns and anomalies within active sessions.

Why does this matter? This enhancement lays the groundwork for detecting session hijacking and shared session threats, enabling stronger security and a more seamless user experience. 🚀

How do I set this up? Refer to our API Reference for details on how to send sessionId and targetApp info with your events. ⚙️

Check out the API Reference to send us session data with events

Once you send session data, you can search for and see the enriched information in the Event Explorer

Search in Event Explorer using the Session ID or Application

See which Application users accessed in the Events table in Event Explorer

🔔 New feature alert! Verosint now detects and notifies you about threats on your platform, including credential stuffing attacks and account takeovers. These insights are obvious, actionable, and easy to verify, so you know exactly what next steps to take when these threats occur.

Introducing Threat Insights!

Set up email notifications so you never miss out on threats!

Example credential stuffing attack email notification

💜 We're always looking to improve your experience. Verosint makes it easy to trust, but verify the threats and hidden fraud on your platform. We've added a whole bunch of improvements that make trust, but verify a snap! 🫰

  1. We removed search result limits in Explorer!🎉 There used to be a 10,000 records limit in the Events table and a 100 records limit in the Accounts, IPs, Prints, Emails, and Phones tables. Now when you run a search, you get back all results, paginated neatly. You're welcome.

  2. In the Accounts tab, we replaced the link to the SignalPrint graph with a link to the Account Intelligence page. This makes it easier to drill down into a specific account and see any unusual activity that is worth taking a closer look at.

  3. In the heat map charts in Explorer, we now save the Group By selection you choose in the URL. This way, when you bookmark and send the link to a colleague, they'll see the Group By too!

  4. We added a mobile optimized view of the Verosint application for onboarding! Check out https://app.verosint.com from your 📱mobile device!

🔔 New feature alert! You can now enable device fingerprinting with Verosint!

Device fingerprinting uniquely identifies the device used to access a service, and provides an effective layer of security in combating threats by identifying unusual or suspicious device behavior. Enable device fingerprinting with Verosint by:

Device fingerprinting with Verosint enables you to:

  1. Prevent Account Takeovers
  2. Identify New or Unusual Devices
  3. Add Risk-Based Authentication, evaluating the risk of each login attempt to your application

Check out our guide to get set up and running!