Supported Event Types and Data Fields

The first step in detecting suspicious activity is understanding what’s already happening in your environment.

Send your existing usage logs to Verosint, either using the API or CLI. Verosint automatically analyzes user behavior, highlights anomalies, and surfaces risky patterns.

The richer the event data, the more precise our threat detection. Results are visualized in the Threats inbox, Account Intelligence, the Event Explorer and SignalPrint, where you can easily see detected threats, investigate accounts, and analyze user activity.

📘

Processing Identifiers

  • Only valid identifiers on an event are processed and enriched with Verosint signals.
  • If at least one identifier is valid, the event is saved and signals are processed for valid data only.
  • If no identifiers are valid, the event is discarded and no signals are processed.

Supported Identifier Fields

The following table lists the fields that you can submit to Verosint:

Identifier NameDescriptionExample
timestampRFC3339 or UNIX formatted timestamp (defaults to the time of submission when omitted)2023-03-25T16:04:43.865-05:00
accountIdthe unique user identifier (may be the same as email)

Note: Account ID is case sensitive, Verosint will not transform the data sent in the account ID field
babsjensen
emailthe email address of the user[email protected]
userAgentthe full user agent string associated with the eventMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
ipthe origin IPv4 or IPv6 address97.105.216.107
phonethe phone number of the user in the international phone number format+15123944240
typethe event typeLOGIN_SUCCESS
deviceIdthe optional device ID associated with an event, with a maximum of 150 charactersdevice-abc-1234
sessionIdthe session identifiersession-id-1234
targetAppthe target application identifierapp-abc-1234

📘

Specifying Identifiers

  • Event type, IP address, and user agent are required.
  • If you add events without an account ID or an email address, they will not display in SignalPrint.
  • If there is an email address but no account ID, it will display in SignalPrint if the email has history against other events with more data.

Each event may have at most one identifier for each type. For example, each event can only have a single IP address.

Event Types

The following table lists event types that you can submit to Verosint:

Verosint EventDescription
ACCOUNT_RECOVERY_FAILEDFailed account recovery
ACCOUNT_RECOVERY_SUCCESSSucceeded to recover account
CHANGE_EMAIL_FAILEDFailed to change email
CHANGE_EMAIL_SUCCESSSucceeded to change email
CHANGE_PASSWORD_FAILEDFailed to change password
CHANGE_PASSWORD_SUCCESSSucceeded to change password
CHANGE_PAYMENT_FAILEDFailed to change payment
CHANGE_PAYMENT_SUCCESSSucceeded to change payment
CHANGE_PHONE_FAILEDFailed to change phone number
CHANGE_PHONE_SUCCESSSucceeded to change phone number
CHANGE_USERNAME_FAILEDFailed to change username
CHANGE_USERNAME_SUCCESSSucceeded to change username
EMAIL_SUCCESSSucceeded to send email
LOGIN_FAILEDFailed to log in
LOGIN_SUCCESSSucceeded to log in
LOGOUT_FAILEDFailed to log out
MFA_DEVICE_UNENROLLEDUnenrolled device used for MFA
MFA_ENROLLMENT_FAILEDFailed enrollment in MFA
MFA_ENROLLMENT_SUCCESSCompleted enrollment in MFA
MFA_FAILEDFailed to authenticate with MFA
MFA_STARTEDStarted MFA authentication
MFA_SUCCESSSucceeded to authenticate with MFA
PAYMENT_ADDED_FAILEDFailed to add payment
PAYMENT_ADDED_SUCCESSSucceeded to add payment
PAYMENT_FAILEDPayment failed
PAYMENT_REMOVED_FAILEDFailed to remove payment
PAYMENT_REMOVED_SUCCESSSucceeded to remove payment
PAYMENT_SUCCESSPayment succeeded
PUSH_NOTIFICATION_FAILEDFailed to send push notification
PUSH_NOTIFICATION_SUCCESSSucceeded to send push notification
SIGNUP_FAILEDFailed to sign up
SIGNUP_SUCCESSSucceeded to sign up
SMS_FAILEDFailed to send SMS
SMS_SUCCESSSucceeded to send SMS
TOKEN_ISSUED_SUCCESSSucceeded to issue token
VERIFICATION_SUCCESSSucceeded identity verification