💜 Improvements Alert!

We’ve rolled out key improvements to threat insights and the Accounts tab in Event Explorer, and added a new risk signal called Session Sharing, to enhance how you detect and act on threats within your platform. These changes are designed to improve clarity and make it easier to identify and respond to unusual activity.

What’s Improved?

1️⃣ Credential Stuffing & Account Takeover Cards

• Enhanced readability: We redesigned these cards to make key details more accessible at a glance.
• Improved insights: If an account takeover (ATO) occurred during a credential stuffing attack, the Reason now includes specific details about the associated credential stuffing attack.

2️⃣ Accounts Table in Explorer

We’ve replaced some columns with session-related data to help you quickly identify suspicious activity and anomalies:

• IP Addresses: The total number of distinct IPs associated with an account. More than 2 is unusual.
• Sessions: The total number of distinct sessions associated with an account
• Devices: The total number of distinct devices used by the account. Multiple devices used consistently throughout the life of a session is highly unusual.
• ASOs: The total number of Autonomous System Organization that administers the IPs associated with an account. More than 2 is unusual.

3️⃣ New Risk Signal Added: Session Sharing

Verosint's new Session Sharing risk signal tells you when multiple users share the same session identifier to access an account authorized for a single user. See who is session sharing in the Event Explorer, or add a rule to your workflow to CHALLENGE or DENY users who are session sharing.

Why Does This Matter?

• Reduced MTTR: The enhanced ATO card provides more context, enabling you to verify faster whether a credential stuffing attack directly led to an account compromise. This makes your response actions more timely, precise, and confident.
• Easier Detection of Unwanted or Unusual Behavior:
  • The updated Accounts table organizes key session-related metrics, making it easier to spot unusual behavior like high device counts or IP diversity, which could signal suspicious activity.
  • With the Session Sharing risk signal, you can detect and prevent shared sessions across accounts on your platform.

These improvements are all about making sure you're steps ahead ahead of potentials threats to your platform. As always, we’re here to help if you have feedback or questions!

🌟 New Features Alert!

We’ve introduced some exciting updates to help you gain deeper insights into session activity and detect potential threats more effectively.

What’s New?

1. New Event Type: TOKEN_ISSUED_SUCCESS: This event indicates when access tokens are issued post authentication, providing greater visibility into session activity.
2. Sessions Tab in Explorer:
   • A dedicated Sessions Tab is now available in Explorer, providing a comprehensive view of session activity.
   • Easily track active sessions, detect shared sessions, and uncover suspicious behaviors.
3. New User Agent Signals
   • USERAGENT:OBSOLETE: This new risk signal flags user agents older than 180 days.
   • userAgent.daysSinceRelease: Displays the age of a user agent in days, helping you identify outdated or unusually old user agents that might indicate suspicious activity.

Why This Matters?

• Greater Session Observability: The Sessions Tab offers streamlined access to critical session data, making it easier to identify and respond to anomalies and suspicious activity.
• Improved Threat Detection: New user agent signals give you advanced insights into potentially risky behavior, such as the use of outdated browsers or applications.
• Proactive Security: These updates empower your team to stay ahead of threats with enhanced visibility and actionable data.

💜 Improvements Alert!

We’ve made updates to Threat Insights to ensure everything is crystal clear—spend less time deciphering data and more time responding to threats effectively.

What’s Improved?

Credential Stuffing Insight

Credential stuffing attacks lead to three outcomes:
1️⃣ Successful Takeovers
2️⃣ Failed Takeovers
3️⃣ Nonexistent Accounts (those that don’t match any existing account in your workspace)

We’ve now added Nonexistent Accounts to the Credential Stuffing Attack card to give you a complete view of attack activity.

💡

Pro tip: The sum of Successful Takeovers, Failed Takeovers, and Nonexistent Accounts equals the Total Attempts displayed in the Attack Size & Scope.

Account Takeover Insight

We got feedback that it wasn’t always obvious why an account was taken over—so we made it stand out.

• The reason for the takeover is now highlighted more clearly.
• The email shown in the card is now a clickable link that takes you directly to the associated Account Intelligence page for deeper analysis.

Why Does This Matter?

These improvements make Threat Insights more readable and actionable, so you can spend less time deciphering data and more time responding to threats effectively.

🌟 New Feature Alert!

Verosint has enhanced the way you interact with threat notifications by introducing the Threat Details Panel, a contextual view designed to streamline your response to credential stuffing attacks.

What’s New?

• Accessible directly from the threat card in the Verosint app or via email notification, the panel provides concise yet actionable details about the detected threat
• Includes key threat metrics, IP location activity, and a list of compromised accounts (if any) to help verify legitimacy without diving into complex logs

Why This Matters?

• Simplifies threat investigation by bridging the gap between alert notifications and detailed, complex logs
• Makes responding to threats faster, more intuitive, and seamlessly integrated into your workflow

This update reflects our commitment to enhancing security observability and actionability, creating a more valuable user experience. Try it out and let us know what you think!

💜 Improved Device Info & Signals

We're always looking to improve your user experience. We've made improvements to our device signals, so you know exactly what kind of device is being used by an account. These include support for:

• Okta-specific user agents such as Okta Radius Agent and OktaVerify as well as Okta mobile apps
• Native applications / mobile built with CFNetwork. Now we show the OS as iOS for these devices (instead of unknown)
• The Indy Library bot and WhatsApp bot now trigger the USER_AGENT:BOT risk
• The following custom iOS apps such as Grailed, BestBuy apps, and Outlook on iOS are now parsed properly
• The following Mozilla compatible user agents are now parsed properly: FreeBSD with Firefox, PlayStation, Opera Touch on iOS, and Windows Phone

🦃 Happy Thanksgiving from the Verosint family to yours! 🥧

🌟 New Feature Alert! You can now send session data with your events to see what's really happening once your users have logged in. Specifically, you will understand user behavior more comprehensively and identify patterns and anomalies within active sessions.

Why does this matter? This enhancement lays the groundwork for detecting session hijacking and shared session threats, enabling stronger security and a more seamless user experience. 🚀

How do I set this up? Refer to our API Reference for details on how to send sessionId and targetApp info with your events. ⚙️

Once you send session data, you can search for and see the enriched information in the Event Explorer

🔔 New feature alert! Verosint now detects and notifies you about threats on your platform, including credential stuffing attacks and account takeovers. These insights are obvious, actionable, and easy to verify, so you know exactly what next steps to take when these threats occur.

💜 We're always looking to improve your experience. Verosint makes it easy to trust, but verify the threats and hidden fraud on your platform. We've added a whole bunch of improvements that make trust, but verify a snap! 🫰

1. We removed search result limits in Explorer!🎉 There used to be a 10,000 records limit in the Events table and a 100 records limit in the Accounts, IPs, Prints, and Emails, and Phones tables. Now when you run a search, you get back all results, paginated neatly. You're welcome.

   

2. In the Accounts tab, we replaced the link to the SignalPrint graph with a link to the Account Intelligence page. This makes it easier to drill down into a specific account and see any unusual activity that is worth taking a closer look at.

   

3. In the heat map charts in Explorer, we now save the Group By selection you choose in the URL. This way, when you bookmark and send the link to a colleague, they'll see the Group By too!

   

4. We added a mobile optimized view of the Verosint application for onboarding! Check out https://app.verosint.com from your 📱mobile device!

🔔 New feature alert! You can now enable device fingerprinting with Verosint!

Device fingerprinting uniquely identifies the device used to access a service, and provides an effective layer of security in combating threats by identifying unusual or suspicious device behavior. Enable device fingerprinting with Verosint by:

• Configuring an Auth0 Login
• Adding the VerosintJS Library to Your Application

Device fingerprinting with Verosint enables you to:

1. Prevent Account Takeovers
2. Identify New or Unusual Devices
3. Add Risk-Based Authentication, evaluating the risk of each login attempt to your application

Check out our guide to get set up and running!

💜 We're always looking to improve your experience. We've made some updates to Explorer that will make it even faster and easier to verify conclusions.

1. Want to know the exact count of events? accounts? IPs?

   Hover over the count on the specific tab.

   

   You can also scroll down to the bottom right corner of the table to see the total count of results.

   

2. In the Events by Type stacked bar chart, we noticed a timezone bug and that the bars would increment in un-intuitive intervals (for example, every 46 minutes 🤯). We fixed this so that the bar chart increments will always be a round number (e.g., daily, 3 hours, 5 minutes, etc.), which should make it easier to read and interpret the data.

   

🔔 We added custom actions to workflows. This allows you to provide whatever string of characters you'd like, to set outcomes in your workflows.

In this example, I created a custom action called "LOGOUT" in the Verosint Account Protection for Logins workflow.

Of course you can always feel free to use our default actions. 😉