🌟 New Feature Alert 🌟

Happy Valentine's Day! 🩷 🩷 🩷 The Verosint team is bringing you some love with a new threat resolution feature!

What’s New?

Once Verosint detects a threat, you can be notified to investigate the details. After you've taken the necessary steps—whether it's mitigating the risk, deciding no action is needed, or identifying a false positive—you can mark the threat as resolved with one of these statuses:

✅ Remediated – You’ve taken action to mitigate the threat.
⚠️ No Action Taken – The threat remains, but no action was necessary.
🔺 False Positive – The threat was incorrectly flagged.

Why Does This Matter?

Security teams need clear, actionable workflows to manage threats efficiently. With this update, you can close the loop on investigations, ensuring your security posture remains strong while maintaining a clear log of resolved threats.

🌟 New Feature Alert! 🌟

You can now configure Verosint to send threat notifications directly to your desired SIEM, starting with Splunk—or use custom webhooks to integrate with other security tools. More integrations are on the way!

What’s New?

✅ Seamless SIEM Integration – Verosint threat notifications can now be sent to Splunk, keeping security teams informed in real time.
✅ Custom Webhooks – Send threat notifications to any system that supports webhooks for flexible integration.
✅ Single Pane of Glass – View all threats from multiple sources in one place, improving efficiency and response times.
✅ Built for Enterprise Security – Enterprise organizations expect ITDR solutions to integrate with their SIEM—Verosint delivers!

Why Does This Matter?

We heard you! Security teams rely on SIEM platforms and other security tools to centralize alerts from multiple sources. With this update, Verosint seamlessly fits into your existing security operations, helping you detect and respond to threats faster without switching between platforms. Splunk and custom webhooks are just the beginning—more integrations are coming soon! 🚀

👉 Learn how to configure threat notifications for Splunk or set up a custom webhook in our documentation.

🌟New Feature Alert! 🌟

Verosint Threat Response is Live!

You can now respond to threats in real time—directly from the Verosint app! Take action instantly to protect your organization.

What’s New?

✅ Real-Time Threat Response – Investigate and mitigate threats directly from the Verosint application.
✅ Integration Support for Workforce and Customer Identities – Available now for Okta Workforce Identity Cloud (Okta WIC) and Auth0 by Okta customers, with more integrations coming soon!
✅ Powerful Response Actions – Take immediate action with:

• Revoke Session(Auth0 by Okta only) – Logs the user out of a single device using that session.

• Revoke All Sessions (Supported for both Okta WIC & Auth0 by Okta) – Logs the user out of all devices.

• Suspend Account (Supported for both Okta WIC & Auth0 by Okta) – Logs the user out of all devices and locks the account to prevent future logins.

  

Why Does This Matter?

• You can now detect, investigate, and respond to threats all within the Verosint app, covering the full ITDR lifecycle.
• These response actions provide the flexibility to contain threats quickly—whether you need to log a user out of a single device or completely lock down an account.
• This seamless workflow improves efficiency, reduces response time, and strengthens your organization’s security posture. Stay tuned for more integrations! 🚀

💜 Improvements Alert!

We've expanded the quick filtering options in Event Explorer to make it even easier to pinpoint relevant events.

What’s Improved?

✅ New Quick Filter: Session Sharing – Quickly identify events where multiple users share the same session.
✅ New Quick Filter: Obsolete User Agent – Spot events associated with outdated or unsupported browsers.

Why Does This Matter?

These new filters help analysts detect suspicious activity faster, improving response times for potential security threats.

🌟 New Feature Alert 🌟

We’ve expanded the Account Intelligence page with a powerful new tool: the Sessions tab. This feature provides deeper visibility into session activity for a given account, empowering you to investigate and respond to potential threats more effectively.

What’s New?

1️⃣ Active Sessions Table

• Added a table of all active sessions for an account on their Account Intelligence page.
• Includes detailed session information to help you assess account activity at a glance.

2️⃣ Session Details Panel Integration

• Click on any row in the Sessions table to access the Session Details Panel for deeper investigation.

Why Does This Matter?

When a Session Sharing threat is detected, it’s critical to review not only the related session to validate any risks, but also all session activity for the affected account.

• Comprehensive Session Insights: View all active sessions for an account in one centralized place, making it easier to assess suspicious activity.
• Improved Context: This feature ties directly to the Session Sharing threat detection flow, ensuring you have the information needed to act confidently and efficiently.
• Laying Groundwork for Threat Responses: Once you've validated a threat, you may decide to revoke sessions or suspend an account. This Active Sessions table is one of many recent releases that lays the groundwork for triggering threat responses directly from the Verosint application. More to come - stay tuned! 😉

With these additions, Verosint continues to make threat detection actionable and verification straightforward. Let us know how these tools improve your investigation process—we’d love to hear your feedback! 😊

🌟 New Feature Alert 🌟

🎉 Happy New Year! 2️⃣ 0️⃣ 2️⃣ 5️⃣ We’re excited to introduce a new threat detection capability: Session Sharing. Building on Verosint’s existing ability to detect and respond to threats, this addition empowers you to stay ahead of token stealing attacks, a rising trend in Account Takeover (ATO) strategies.

What’s New?

1️⃣ Session Sharing Threat Card & Details Panel

• A new Session Sharing threat card is now generated in AI Insights when Verosint detects multiple instances of impossible travel and device changes for a given session.
• From the threat card, you can access a Session Details Panel which provides more context for you to investigate and verify the threat.

2️⃣ Email Notifications for Session Sharing Threats

• Receive email alerts when Session Sharing is detected, ensuring you can respond promptly, even when not actively monitoring your Verosint workspace.

3️⃣ Session Sharing Risk and Session Details Panel in Event Explorer

• Got a hunch that session sharing is occurring in your workspace? Verify if by searching for the Session Sharing risk in the Event Explorer.
• You can also access the Session Details Panel in the Sessions tab of the Event Explorer. Click on a specific row to see key details of the session.

Why Does This Matter?

Token stealing is a growing attack vector because sessions are long-lived. These tokens are targeted by attackers to bypass authentication entirely, enabling session sharing, which significantly increases the risk of Account Takeover (ATO).

• Session Stealing = ATO Risk: By hijacking active sessions, attackers can assume legitimate user identities, making this a critical threat vector.
• Long-Lived Sessions Add Risk: Sessions often remain active for days or even months, creating an extended window of opportunity for attackers to exploit them.

By providing tools to detect and respond to Session Sharing, Verosint empowers you to take control of session security and defend against token-stealing attacks. Let us know how these tools work for you and share your feedback—we’re always looking to improve! 😊

🚀 Improvements Alert 🚀

We’ve made significant updates to the Event Details Panel in Event Explorer to make threat detection more actionable, intuitive, and easy to verify. Verosint is the Identity Threat Detection and Response (ITDR) solution that helps you detect, investigate, and respond to threats confidently.

What’s Improved?

1️⃣ Risk & Anomaly Score Donut Charts

• Added visually intuitive donut charts for Risk Score and Anomaly Score in the Event Details Panel.
• Enables faster assessment of an account’s threat level.

💡PRO TIP: Hovering over slices of the Anomaly Score donut chart reveal the factors that contributed to the Anomaly Score. In the example above, the Country from which the IP was seen on this event contributed 13% to the Anomaly Score = 80.

2️⃣ Expanded Metadata and Context

• Added several new data fields so you have richer context for investigations.
• Displaying more metadata, now organized by first-class attributes (e.g., IP Address, Device, etc.).
• Provides richer context for each event, helping you quickly determine if further investigation is needed.

3️⃣ Impossible Travel Alert

• Added a dedicated alert in the Event Details Panel for Impossible Travel incidents.
• Displays key details in a clear and visually intuitive format for quicker verification.

Why Does This Matter?

• Actionable Threat Detection: Visual enhancements like the Risk and Anomaly Score charts, combined with detailed metadata, help you verify threats faster and with more confidence.
• Better Context = Better Decisions: By organizing metadata into intuitive categories, we enable quicker identification of suspicious activities and anomalies.
• Simplified Validation: Impossible Travel alerts now provide clearer evidence of potential account misuse, allowing you to take decisive action sooner.
• Seamless Workflow: These updates to our Event Details Panel ensure context is just a click away. The Event Details Panel can be accessed from the ATO threat card or the Event Explorer.

These updates are all about empowering you to make threat detection and response both smarter and more effective. Let us know what you think or if you have any questions—we’d love your feedback! 😊 ›

💜 Improvements Alert!

We’ve rolled out key improvements to threat insights and the Accounts tab in Event Explorer, and added a new risk signal called Session Sharing, to enhance how you detect and act on threats within your platform. These changes are designed to improve clarity and make it easier to identify and respond to unusual activity.

What’s Improved?

1️⃣ Credential Stuffing & Account Takeover Cards

• Enhanced readability: We redesigned these cards to make key details more accessible at a glance.
• Improved insights: If an account takeover (ATO) occurred during a credential stuffing attack, the Reason now includes specific details about the associated credential stuffing attack.

2️⃣ Accounts Table in Explorer

We’ve replaced some columns with session-related data to help you quickly identify suspicious activity and anomalies:

• IP Addresses: The total number of distinct IPs associated with an account. More than 2 is unusual.
• Sessions: The total number of distinct sessions associated with an account
• Devices: The total number of distinct devices used by the account. Multiple devices used consistently throughout the life of a session is highly unusual.
• ASOs: The total number of Autonomous System Organization that administers the IPs associated with an account. More than 2 is unusual.

3️⃣ New Risk Signal Added: Session Sharing

Verosint's new Session Sharing risk signal tells you when multiple users share the same session identifier to access an account authorized for a single user. See who is session sharing in the Event Explorer, or add a rule to your workflow to CHALLENGE or DENY users who are session sharing.

Why Does This Matter?

• Reduced MTTR: The enhanced ATO card provides more context, enabling you to verify faster whether a credential stuffing attack directly led to an account compromise. This makes your response actions more timely, precise, and confident.
• Easier Detection of Unwanted or Unusual Behavior:
  • The updated Accounts table organizes key session-related metrics, making it easier to spot unusual behavior like high device counts or IP diversity, which could signal suspicious activity.
  • With the Session Sharing risk signal, you can detect and prevent shared sessions across accounts on your platform.

These improvements are all about making sure you're steps ahead ahead of potentials threats to your platform. As always, we’re here to help if you have feedback or questions!

🌟 New Features Alert!

We’ve introduced some exciting updates to help you gain deeper insights into session activity and detect potential threats more effectively.

What’s New?

1. New Event Type: TOKEN_ISSUED_SUCCESS: This event indicates when access tokens are issued post authentication, providing greater visibility into session activity.
2. Sessions Tab in Explorer:
   • A dedicated Sessions Tab is now available in Explorer, providing a comprehensive view of session activity.
   • Easily track active sessions, detect shared sessions, and uncover suspicious behaviors.
3. New User Agent Signals
   • USERAGENT:OBSOLETE: This new risk signal flags user agents older than 180 days.
   • userAgent.daysSinceRelease: Displays the age of a user agent in days, helping you identify outdated or unusually old user agents that might indicate suspicious activity.

Why This Matters?

• Greater Session Observability: The Sessions Tab offers streamlined access to critical session data, making it easier to identify and respond to anomalies and suspicious activity.
• Improved Threat Detection: New user agent signals give you advanced insights into potentially risky behavior, such as the use of outdated browsers or applications.
• Proactive Security: These updates empower your team to stay ahead of threats with enhanced visibility and actionable data.

💜 Improvements Alert!

We’ve made updates to Threat Insights to ensure everything is crystal clear—spend less time deciphering data and more time responding to threats effectively.

What’s Improved?

Credential Stuffing Insight

Credential stuffing attacks lead to three outcomes:
1️⃣ Successful Takeovers
2️⃣ Failed Takeovers
3️⃣ Nonexistent Accounts (those that don’t match any existing account in your workspace)

We’ve now added Nonexistent Accounts to the Credential Stuffing Attack card to give you a complete view of attack activity.

💡

Pro tip: The sum of Successful Takeovers, Failed Takeovers, and Nonexistent Accounts equals the Total Attempts displayed in the Attack Size & Scope.

Account Takeover Insight

We got feedback that it wasn’t always obvious why an account was taken over—so we made it stand out.

• The reason for the takeover is now highlighted more clearly.
• The email shown in the card is now a clickable link that takes you directly to the associated Account Intelligence page for deeper analysis.

Why Does This Matter?

These improvements make Threat Insights more readable and actionable, so you can spend less time deciphering data and more time responding to threats effectively.