Signal Definitions

Verosint uses signals to evaluate accounts for fraud based on open-source intelligence data. Account fraud can be determined through IP address, email, and phone data characteristics. Once fraud is found, signals power rules to guard against unwanted access to your systems.

Account Evaluation

SignalTypeDescription
account.asnCount.last24hoursintegerThe number of distinct ASNs used to access this account in the last 24 hours
account.asnCount.last7daysintegerThe number of distinct ASNs used to access this account in the last 7 days
account.asoCount.last24hoursintegerThe number of distinct ISPs used to access this account in the last 24 hours
account.asoCount.last7daysintegerThe number of distinct ISPs used to access this account in the last 7 days
account.connectedAccounts.countintegerThe number of other accounts connected to this account in SignalPrint
account.eventCount.last24hoursintegerThe number of events seen for this account in the last 24 hours
account.eventCount.last7daysintegerThe number of events seen for this account in the last 7 days
account.eventCount.lastHourintegerThe number of events seen for this account in the last hour
account.locationCount.last24hoursintegerThe number of distinct locations used to access this account in the last 24 hours
account.locationCount.last7daysintegerThe number of distinct locations used to access this account in the last 7 days
account.loginFailedCount.last24hoursintegerThe number of login failed events seen for this account in the last 24 hours
account.loginFailedCount.last7daysintegerThe number of login failed events seen for this account in the last 7 days
account.loginFailedCount.lastHourintegerThe number of login failed events seen for this account in the last hour
account.loginSuccessCount.last24hoursintegerThe number of login success events seen for this account in the last 24 hours
account.loginSuccessCount.last7daysintegerThe number of login success events seen for this account in the last 7 days
account.loginSuccessCount.lastHourintegerThe number of events seen for this account in the last hour
account.mfaFailedCount.last24hoursintegerThe number of MFA failed events seen for this account in the last 24 hours
account.mfaFailedCount.last7daysintegerThe number of MFA failed events seen for this account in the last 7 days
account.mfaFailedCount.lastHourintegerThe number of MFA failed events seen for this account in the last hour
account.mfaSuccessCount.last24hoursintegerThe number of MFA success events seen for this account in the last 24 hours
account.mfaSuccessCount.last7daysintegerThe number of MFA success events seen for this account in the last 7 days
account.mfaSuccessCount.lastHourintegerThe number of MFA success events seen for this account in the last hour
account.userAgentCount.last24hoursintegerThe number of distinct user agents used to access this account in the last 24 hours
account.userAgentCount.last7daysintegerThe number of distinct user agents used to access this account in the last 7 days
account.verificationSuccessCount.
last24hours
integerThe number of verification success events seen for this account in the last 24 hours
account.verificationSuccessCount.
last7days
integerThe number of verification success events seen for this account in the last 7 days
account.verificationSuccessCount.
lastHour
integerThe number of verification success events seen for this account in the last hour
account.verificationSuccessCount.totalintegerThe total number of verification success events seen for this account in the last 180 days

Email Address Evaluation

SignalTypeDescription
email.breachInfo.breachesarrayArray containing data about every time the email was breached
email.breachInfo.countintegerDetermines if an email is found in any known breaches and the number of breaches
email.breachInfo.daysSinceLastBreachintegerIdentifies the time in days since the last breach in which the email was found
email.breachInfo.mostRecentBreachDatestringDetermines if an email is found in a breach, specified by date
email.breachInfo.yearsSinceLastBreachintegerIdentifies the time in years since the email was found in a breach
email.domainstringDomain name of the email in a normalized format
email.domainRegistrationInfo.
daysSinceDomainRegistered
integerIdentifies the time in days since the email domain was registered
email.domainRegistrationInfo.
domainRegistrationDate
stringSpecifies a date by which the email domain should have been registered
email.domainRegistrationInfo.
yearsSinceDomainRegistered
integerIdentifies the time in years since the email domain was registered
email.emailServerstringSpecifies an email server name
email.riskScoreintegerSpecifies a risk value for an email between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms

Event Evaluation

SignalTypeDescription
event.anomalyScoreintegerSpecifies an anomaly value for the event between 0 (normal) and 100 (highly unusual) relative to the account’s history
event.listsarrayEvent is on these lists
event.riskScoreintegerSpecifies a risk value for an event between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms
event.risksarraySee details in the table

Risk Signals Associated With The Event

ValueDescription
ACCOUNT:ACCOUNT_SHARINGMultiple users share credentials to access an account authorized for a single user
ACCOUNT:DORMANT_ACCOUNTThis account has not been active in this workspace for 90 days
ACCOUNT:OUTLIER_ACCOUNTIndicates unusual activity relative to other accounts in this workspace
ACCOUNT:TAKE_OVERIndicates that the account has been accessed through unusual activity
EMAIL:ALIASIndicates if the email address is an alias, usually due to special characters (+ or -) in the username
EMAIL:BREACHEDEmail was breached at least once in the last 2 years
EMAIL:DISPOSABLEDetermines if an email is temporary and expires after a certain period of time
EMAIL:FREEIndicates if the email has been registered with a free email provider such as Gmail or Yahoo
EMAIL:GENERICIndicates if the username portion of the email address is categorized as generic. For example, [email protected]
EMAIL:INVALIDThe supplied email address is invalid
EMAIL:INVALID_ADetermines if an email’s domain has a valid IP address record
EMAIL:INVALID_DNSDetermines if an email’s domain has valid nameserver records
EMAIL:INVALID_DOMAINDetermines if an email's domain is registered
EMAIL:INVALID_ICANN_SUFFIXValidates that an email's top-level domain is maintained by the Internet Corporation for Assigned Names and Numbers (ICANN)
EMAIL:INVALID_MXValidates that an email’s domain has one or more valid mail exchanger (MX) records
EMAIL:INVALID_SPFValidates that an email’s domain has a valid sender policy framework (SPF) record
EMAIL:PARKEDIdentifies if the email is from a parked domain
EMAIL:RELAYIdentifies if the email is forwarded to another email address
EMAIL:RISKY_TLDDetermines if an email is associated with a risky top-level domain
EVENT:ANOMALOUS_EVENTIndicates an Anomaly Score ≥ 75, signaling highly unusual activity relative to the account’s history
EVENT:IMPOSSIBLE_TRAVELThe speed of travel between a user's last known location and current location is not possible
EVENT:NEW_PRINTNew prints indicate outlier activity (such as a new device)
EVENT:STUFFING_ATTACKIndicates that the ASN or IP address of an event is currently attempting to access multiple accounts at an unnatural speed
EVENT:VERIFIED_PRINTPrint was used to successfully verify the identity of the account
IP:ACTIVE_TORDetermines if an IP address is coming from a currently active Tor node, usually to hide a true IP address
IP:BOTDetermines if an IP address is a known bot
IP:CRAWLERDetermines if an IP belongs to a business that scans the Internet, typically for the purpose of web indexing
IP:DENY_LISTChecks if the IP address is on a deny list
IP:HOSTEDDetermines if the IP address belongs to a cloud provider
IP:INVALIDThe supplied IP address is invalid
IP:MALICIOUSDetermines if an incoming IP address can be found in a reported scam, breach, or malicious attack
IP:NONROUTABLEThe IP address is classified as non-routable
IP:PROXYDetermines if an IP address is coming from a proxy server, both HTTP and non-HTTP (such as SOCKS) proxies
IP:RELAYPrivate relay service IP address (such as Apple relay, Cloudflare, or Akamai)
IP:TORIdentifies if an IP address is coming from a known Tor exit node
IP:VPNIdentifies if an IP address is coming from a known VPN
PAYMENT_HASH:SHARED_PAYMENT_METHODPayment Hash was linked to multiple accounts
PHONE:DISPOSABLEDetermines if a phone number is temporary and expires after a certain period of time
PHONE:DO_NOT_ORIGINATEDetermines if an account's phone number is on the Do Not Originate (DNO) registry, which lists numbers used only for inbound calls
PHONE:INVALIDThe supplied phone number is invalid
PHONE:NOT_REACHABLEDetermines if a phone number is in service or out of service
PHONE:PORTEDDetermines if a phone number has been ported
PHONE:WIRELESSDetermines the phone number type (mobile and prepaid phone numbers will have a value of True, voice-over-IP and traditional landlines will have a value of False)
PRINT:MULTIPLE_ACCOUNTSPrint was linked to multiple accounts for fraudulent purposes (such as promotions abuse or a banned user)
USERAGENT:BOTIdentifies if the user agent is a known bot

Request Identifiers

SignalTypeDescription
identifiers.accountIdstringThe account ID
identifiers.deviceIdstringThe device ID
identifiers.emailstringThe email address
identifiers.ipstringThe IPv4 or IPv6 address
identifiers.paymentHashstringThe hashed payment method identifier
identifiers.phonestringThe phone number in E.164 format
identifiers.printIdstringThe print ID
identifiers.timestampstringThe RFC3339 formatted timestamp. Current time is used if not specified
identifiers.userAgentstringThe full user agent string

IP Address Evaluation

SignalTypeDescription
ip.asnstringIdentifies the Autonomous System Number of the IP assigned to a group of IP prefixes run by network operators that maintain a defined routing policy to the Internet
ip.asnInfo.sizestringSize class expressed in t-shirt sizes that reflect the available IP addresses in the ASN
ip.asostringIdentifies the Autonomous System Organization that administers the IP address
ip.geo.latitudenumberIdentifies the location coordinate of the IP address north or south of the equator
ip.geo.longitudenumberIdentifies the location coordinate of the IP address east or west of the prime meridian
ip.location.citystringIdentifies the city in which the IP address is located
ip.location.continentstringIdentifies the two-letter continent code (ISO 3166-1) from which an IP address is located
ip.location.countrystringIdentifies the two-letter country code (ISO 3166-1) from which an IP address is located
ip.location.regionstringIdentifies the geographical region (state/province) in which the IP is located
ip.location.regionCodestringIdentifies the two-letter region code from which an IP address is located
ip.locationIdstringUnique identifier assigned to the location by GeoNames
ip.network.cidrstringNetwork address in the CIDR (Classless Inter-Domain Routing) format
ip.network.sizestringSize class expressed in t-shirt sizes that reflect the available IP addresses in the network
ip.privacyProviderstringName of the IP privacy service provider, available when vpn, relay, hosted or proxy is true
ip.riskScoreintegerSpecifies a risk value for an IP address between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms
ip.signupSuccessCount.last24hoursintegerThe number of signup success events seen for this IP in the last 24 hours
ip.signupSuccessCount.last7daysintegerThe number of signup success events seen for this IP in the last 7 days
ip.signupSuccessCount.lastHourintegerThe number of signup success events seen for this IP in the last hour
ip.timezonestringIdentifies the timezone of an IP address
ip.typestringThe type of business using the IP address such as isp, hosting, education

Phone Number Evaluation

SignalTypeDescription
phone.carrierstringSpecifies the name of a phone service provider
phone.carrierIdentificationCodestringSpecifies the carrier identification code (CIC), a four-digit numeric code assigned to carriers or other entities that access a local exchange carrier (LEC) network
phone.location.countrystringSpecifies the two-letter country code (ISO 3166-1) where the phone number is registered
phone.mobileCountryCodestringSpecifies a mobile country code (MCC)
phone.mobileNetworkCodestringSpecifies a mobile network code (MNC)
phone.riskScoreintegerSpecifies a risk value for a phone number between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms
phone.typestringIdentifies the specified phone number type such as wireless, a fixed line, or Voice Over IP

SignalPrint Evaluation

SignalTypeDescription
print.connectedAccounts.countintegerThe number of other accounts connected to this print in SignalPrint
print.eventCount.last24hoursintegerThe number of events seen for this print in the last 24 hours
print.eventCount.last7daysintegerThe number of events seen for this print in the last 7 days
print.eventCount.lastHourintegerThe number of events seen for this print in the last hour
print.failedAcctsCount.last24hoursintegerThe number of accounts with a a failed login connected to this print in the last 24 hours
print.failedAcctsCount.last7daysintegerThe number of accounts with a a failed login connected to this print in the last 7 days
print.failedAcctsCount.lastHourintegerThe number of accounts with a a failed login connected to this print in the last hour
print.identificationMethodstringSpecifies the method used to calculate the print ID. Possible values are PROVIDED (the ID is provided with the event) and PRINT (Verosint generates the ID)
print.loginFailedCount.last24hoursintegerThe number of login failed events seen for this print in the last 24 hours
print.loginFailedCount.last7daysintegerThe number of login failed events seen for this print in the last 7 days
print.loginFailedCount.lastHourintegerThe number of login failed events seen for this print in the last hour
print.loginSuccessCount.last24hoursintegerThe number of login success events seen for this print in the last 24 hours
print.loginSuccessCount.last7daysintegerThe number of login success events seen for this print in the last 7 days
print.loginSuccessCount.lastHourintegerThe number of events seen for this print in the last hour
print.mfaFailedCount.last24hoursintegerThe number of MFA failed events seen for this print in the last 24 hours
print.mfaFailedCount.last7daysintegerThe number of MFA failed events seen for this print in the last 7 days
print.mfaFailedCount.lastHourintegerThe number of MFA failed events seen for this print in the last hour
print.mfaSuccessCount.last24hoursintegerThe number of MFA success events seen for this print in the last 24 hours
print.mfaSuccessCount.last7daysintegerThe number of MFA success events seen for this print in the last 7 days
print.mfaSuccessCount.lastHourintegerThe number of MFA success events seen for this print in the last hour
print.signupFailedCount.last24hoursintegerThe number of signup failed events seen for this print in the last 24 hours
print.signupFailedCount.last7daysintegerThe number of signup failed events seen for this print in the last 7 days
print.signupFailedCount.lastHourintegerThe number of signup failed events seen for this print in the last hour
print.signupSuccessCount.last24hoursintegerThe number of signup success events seen for this print in the last 24 hours
print.signupSuccessCount.last7daysintegerThe number of signup success events seen for this print in the last 7 days
print.signupSuccessCount.lastHourintegerThe number of signup success events seen for this print in the last hour
print.verificationSuccessCount.
last24hours
integerThe number of verification success events seen for this print in the last 24 hours
print.verificationSuccessCount.
last7days
integerThe number of verification success events seen for this print in the last 7 days
print.verificationSuccessCount.lastHourintegerThe number of verification success events seen for this print in the last hour
print.verificationSuccessCount.totalintegerThe total number of verification success events seen for this print in the last 180 days

User Agent Evaluation

SignalTypeDescription
userAgent.browser.namestringIdentifies the name of the browser, such as Safari
userAgent.browser.versionstringIdentifies the version of the browser
userAgent.device.namestringIdentifies the name of the device
userAgent.device.typestringIdentifies the type of device
userAgent.os.namestringIdentifies the operating system on the device
userAgent.os.versionstringIdentifies the version of the operating system on the device