Signal Definitions
Verosint uses signals to evaluate accounts for fraud based on open-source intelligence data. Account fraud can be determined through IP address, email, and phone data characteristics. Once fraud is found, signals power rules to guard against unwanted access to your systems.
Account Evaluation
| Signal | Type | Description |
|---|---|---|
| account.accountSharing | boolean | Multiple users share credentials to access an account authorized for a single user |
| account.asnCount.last24hours | integer | The number of distinct ASNs used to access this account in the last 24 hours |
| account.asnCount.last30days | integer | The number of distinct ASNs used to access this account in the last 30 days |
| account.asnCount.last7days | integer | The number of distinct ASNs used to access this account in the last 7 days |
| account.asnCount.total | integer | The total number of distinct ASNs used to access this account |
| account.asoCount.last24hours | integer | The number of distinct ISPs used to access this account in the last 24 hours |
| account.asoCount.last30days | integer | The number of distinct ISPs used to access this account in the last 30 days |
| account.asoCount.last7days | integer | The number of distinct ISPs used to access this account in the last 7 days |
| account.asoCount.total | integer | The total number of distinct ISPs used to access this account |
| account.connectedAccounts.count | integer | The number of other accounts connected to this print in SignalPrint |
| account.eventCount.last24hours | integer | The number of events seen for this account in the last 24 hours |
| account.eventCount.last30days | integer | The number of events seen for this account in the last 30 days |
| account.eventCount.last7days | integer | The number of events seen for this account in the last 7 days |
| account.eventCount.lastHour | integer | The number of events seen for this account in the last hour |
| account.eventCount.total | integer | The total number of events seen for this account |
| account.firstSeen | string | Date on which the account was first seen in an event |
| account.lastSeen | string | Date on which the account was last seen in an event |
| account.locationCount.last24hours | integer | The number of distinct locations used to access this account in the last 24 hours |
| account.locationCount.last30days | integer | The number of distinct locations used to access this account in the last 30 days |
| account.locationCount.last7days | integer | The number of distinct locations used to access this account in the last 7 days |
| account.locationCount.total | integer | The total number of distinct locations used to access this account |
| account.loginFailedCount.last24hours | integer | The number of login failed events seen for this account in the last 24 hours |
| account.loginFailedCount.last30days | integer | The number of login failed events seen for this account in the last 30 days |
| account.loginFailedCount.last7days | integer | The number of login failed events seen for this account in the last 7 days |
| account.loginFailedCount.lastHour | integer | The number of login failed events seen for this account in the last hour |
| account.loginFailedCount.total | integer | The total number of login failed events seen for this account |
| account.loginSuccessCount.last24hours | integer | The number of login success events seen for this account in the last 24 hours |
| account.loginSuccessCount.last30days | integer | The number of login success events seen for this account in the last 30 days |
| account.loginSuccessCount.last7days | integer | The number of login success events seen for this account in the last 7 days |
| account.loginSuccessCount.lastHour | integer | The number of events seen for this account in the last hour |
| account.loginSuccessCount.total | integer | The total number of login success events seen for this account |
| account.mfaFailedCount.last24hours | integer | The number of MFA failed events seen for this account in the last 24 hours |
| account.mfaFailedCount.last30days | integer | The number of MFA failed events seen for this account in the last 30 days |
| account.mfaFailedCount.last7days | integer | The number of MFA failed events seen for this account in the last 7 days |
| account.mfaFailedCount.lastHour | integer | The number of MFA failed events seen for this account in the last hour |
| account.mfaFailedCount.total | integer | The total number of MFA failed events seen for this account |
| account.mfaSuccessCount.last24hours | integer | The number of MFA success events seen for this account in the last 24 hours |
| account.mfaSuccessCount.last30days | integer | The number of MFA success events seen for this account in the last 30 days |
| account.mfaSuccessCount.last7days | integer | The number of MFA success events seen for this account in the last 7 days |
| account.mfaSuccessCount.lastHour | integer | The number of MFA success events seen for this account in the last hour |
| account.mfaSuccessCount.total | integer | The total number of MFA success events seen for this account |
| account.multipleAccounts | boolean | Multiple accounts created for a single user for fraudulent purposes (such as promotions abuse or a banned user) |
| account.tags | array | The tags directly associated with this account or connected through other accounts in SignalPrint |
| account.userAgentCount.last24hours | integer | The number of distinct user agents used to access this account in the last 24 hours |
| account.userAgentCount.last30days | integer | The number of distinct user agents used to access this account in the last 30 days |
| account.userAgentCount.last7days | integer | The number of distinct user agents used to access this account in the last 7 days |
| account.userAgentCount.total | integer | The total number of distinct user agents used to access this account |
| account.verificationSuccessCount. last24hours | integer | The number of verification success events seen for this account in the last 24 hours |
| account.verificationSuccessCount. last30days | integer | The number of verification success events seen for this account in the last 30 days |
| account.verificationSuccessCount. last7days | integer | The number of verification success events seen for this account in the last 7 days |
| account.verificationSuccessCount. lastHour | integer | The number of verification success events seen for this account in the last hour |
| account.verificationSuccessCount.total | integer | The total number of verification success events seen for this account |
Email Address Evaluation
| Signal | Type | Description |
|---|---|---|
| email.alias | boolean | Indicates if the email address is an alias, usually due to special characters (+ or -) in the username |
| email.breachInfo.breaches | array | Array containing data about every time the email was breached |
| email.breachInfo.count | integer | Determines if an email is found in any known breaches and the number of breaches |
| email.breachInfo.daysSinceLastBreach | integer | Identifies the time in days since the last breach in which the email was found |
| email.breachInfo.mostRecentBreachDate | string | Determines if an email is found in a breach, specified by date |
| email.breachInfo.yearsSinceLastBreach | integer | Identifies the time in years since the email was found in a breach |
| email.disposable | boolean | Determines if an email is temporary and expires after a certain period of time |
| email.domainRegistrationInfo. daysSinceDomainRegistered | integer | Identifies the time in days since the email domain was registered |
| email.domainRegistrationInfo. domainRegistrationDate | string | Specifies a date by which the email domain should have been registered |
| email.domainRegistrationInfo. yearsSinceDomainRegistered | integer | Identifies the time in years since the email domain was registered |
| email.emailServer | string | Specifies an email server name |
| email.free | boolean | Indicates if the email has been registered with a free email provider such as Gmail or Yahoo |
| email.generic | boolean | Indicates if the username portion of the email address is categorized as generic. For example, [email protected] |
| email.riskScore | integer | Specifies a risk value for an email between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms |
| email.riskyTLD | boolean | Determines if an email is associated with a risky top-level domain |
| email.validA | boolean | Determines if an email’s domain has a valid IP address record |
| email.validDNS | boolean | Determines if an email’s domain has valid nameserver records |
| email.validDomain | boolean | Determines if an email's domain is registered |
| email.validICANNSuffix | boolean | Validates that an email's top-level domain is maintained by the Internet Corporation for Assigned Names and Numbers (ICANN) |
| email.validMX | boolean | Validates that an email’s domain has one or more valid mail exchanger (MX) records |
| email.validSPF | boolean | Validates that an email’s domain has a valid sender policy framework (SPF) record |
Event Evaluation
| Signal | Type | Description |
|---|---|---|
| event.impossibleTravel | boolean | Checks if the speed of travel between a user's last known location and current location is possible. If speed > 600 MPH, it's impossible travel |
| event.newPrint | boolean | Checks if the print was used to successfully login to the account. New prints indicate outlier activity (such as a new device) |
| event.riskScore | integer | Specifies a risk value for an event between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms |
| event.verifiedPrint | boolean | Checks if the print was used to successfully verify the identity of the account |
Request Identifiers
| Signal | Type | Description |
|---|---|---|
| identifiers.accountId | string | The account ID |
| identifiers.email | string | The email address |
| identifiers.ip | string | The IPv4 or IPv6 address |
| identifiers.phone | string | The phone number in E.164 format |
| identifiers.timestamp | string | The RFC3339 formatted timestamp. Current time is used if not specified |
| identifiers.userAgent | string | The full user agent string |
IP Address Evaluation
| Signal | Type | Description |
|---|---|---|
| ip.activeTor | boolean | Determines if an IP address is coming from a currently active Tor node, usually to hide a true IP address |
| ip.asn | string | Identifies the Autonomous System Number of the IP assigned to a group of IP prefixes run by network operators that maintain a defined routing policy to the Internet |
| ip.aso | string | Identifies the Autonomous System Organization that administers the IP address |
| ip.bot | boolean | Determines if an IP address is a known bot |
| ip.crawler | boolean | Determines if an IP belongs to a business that scans the Internet, typically for the purpose of web indexing |
| ip.denyList | boolean | Checks if the IP address is on a deny list |
| ip.geo.latitude | number | Identifies the location coordinate of the IP address north or south of the equator |
| ip.geo.longitude | number | Identifies the location coordinate of the IP address east or west of the prime meridian |
| ip.hosted | boolean | Determines if the IP address belongs to a cloud provider |
| ip.location.city | string | Identifies the city in which the IP address is located |
| ip.location.continent | string | Identifies the two-letter continent code (ISO 3166-1) from which an IP address is located |
| ip.location.country | string | Identifies the two-digit country code (ISO 3166-1) from which an IP address is located |
| ip.location.region | string | Identifies the geographical region (state/province) in which the IP is located |
| ip.locationId | string | Unique identifier assigned to the location by GeoNames |
| ip.malicious | boolean | Determines if an incoming IP address can be found in a reported scam, breach, or malicious attack |
| ip.proxy | boolean | Determines if an IP address is coming from a proxy server, both HTTP and non-HTTP (such as SOCKS) proxies |
| ip.relay | boolean | Private relay service IP address (such as Apple relay, Cloudflare, or Akamai) |
| ip.riskScore | integer | Specifies a risk value for an IP address between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms |
| ip.timezone | string | Identifies the timezone of an IP address |
| ip.tor | boolean | Identifies if an IP address is coming from a known Tor exit node |
| ip.vpn | boolean | Identifies if an IP address is coming from a known VPN |
Phone Number Evaluation
| Signal | Type | Description |
|---|---|---|
| phone.carrier | string | Specifies the name of a phone service provider |
| phone.carrierIdentificationCode | string | Specifies the carrier identification code (CIC), a four-digit numeric code assigned to carriers or other entities that access a local exchange carrier (LEC) network |
| phone.disposable | boolean | Determines if a phone number is temporary and expires after a certain period of time |
| phone.doNotOriginate | boolean | Determines if an account's phone number is on the Do Not Originate (DNO) registry, which lists numbers used only for inbound calls |
| phone.location.country | string | Specifies the two-digit country code (ISO 3166-1) where the phone number is registered |
| phone.location.region | string | Specifies the geographical region (state/province) in which the phone is located |
| phone.mobileCountryCode | string | Specifies a mobile country code (MCC) |
| phone.mobileNetworkCode | string | Specifies a mobile network code (MNC) |
| phone.numberPortabilityDipIndicator | boolean | Determines if a phone number has been queried through a number portability lookup |
| phone.numberPortedIndicator | boolean | Determines if a phone number has been ported |
| phone.reachable | boolean | Determines if a phone number is in service or out of service |
| phone.riskScore | integer | Specifies a risk value for a phone number between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms |
| phone.wireless | boolean | Determines the phone number type (mobile and prepaid phone numbers will have a value of True, voice-over-IP and traditional landlines will have a value of False) |
SignalPrint Evaluation
| Signal | Type | Description |
|---|---|---|
| print.connectedAccounts.avgDegrees | number | The average number of degrees to the connected accounts in SignalPrint |
| print.connectedAccounts.count | integer | The number of other accounts connected to this account in SignalPrint |
| print.connectedAccounts.maxDegrees | integer | The maximum number of degrees to the connected accounts in SignalPrint |
| print.connectedAccounts.minDegrees | integer | The minimum number of degrees to the connected accounts in SignalPrint |
| print.connectedPrints.avgDegrees | number | The average number of degrees to the connected prints in SignalPrint |
| print.connectedPrints.count | integer | The number of other prints connected to this print in SignalPrint |
| print.connectedPrints.maxDegrees | integer | The maximum number of degrees to a connected print in SignalPrint |
| print.connectedPrints.minDegrees | integer | The minimum number of degrees to a connected print in SignalPrint |
| print.eventCount.last24hours | integer | The number of events seen for this print in the last 24 hours |
| print.eventCount.last30days | integer | The number of events seen for this print in the last 30 days |
| print.eventCount.last7days | integer | The number of events seen for this print in the last 7 days |
| print.eventCount.lastHour | integer | The number of events seen for this print in the last hour |
| print.eventCount.total | integer | The total number of events seen for this print |
| print.failedAcctsCount.last24hours | integer | The number of accounts with a a failed login connected to this print in the last 24 hours |
| print.failedAcctsCount.last30days | integer | The number of accounts with a a failed login connected to this print in the last 30 days |
| print.failedAcctsCount.last7days | integer | The number of accounts with a a failed login connected to this print in the last 7 days |
| print.failedAcctsCount.lastHour | integer | The number of accounts with a a failed login connected to this print in the last hour |
| print.failedAcctsCount.total | integer | The total number of accounts with a a failed login connected to this print |
| print.firstSeen | string | Date on which the print was first seen in an event |
| print.lastSeen | string | Date on which the print was last seen in an event |
| print.loginFailedCount.last24hours | integer | The number of login failed events seen for this print in the last 24 hours |
| print.loginFailedCount.last30days | integer | The number of login failed events seen for this print in the last 30 days |
| print.loginFailedCount.last7days | integer | The number of login failed events seen for this print in the last 7 days |
| print.loginFailedCount.lastHour | integer | The number of login failed events seen for this print in the last hour |
| print.loginFailedCount.total | integer | The total number of login failed events seen for this print |
| print.loginSuccessCount.last24hours | integer | The number of login success events seen for this print in the last 24 hours |
| print.loginSuccessCount.last30days | integer | The number of login success events seen for this print in the last 30 days |
| print.loginSuccessCount.last7days | integer | The number of login success events seen for this print in the last 7 days |
| print.loginSuccessCount.lastHour | integer | The number of events seen for this print in the last hour |
| print.loginSuccessCount.total | integer | The total number of login success events seen for this print |
| print.mfaFailedCount.last24hours | integer | The number of MFA failed events seen for this print in the last 24 hours |
| print.mfaFailedCount.last30days | integer | The number of MFA failed events seen for this print in the last 30 days |
| print.mfaFailedCount.last7days | integer | The number of MFA failed events seen for this print in the last 7 days |
| print.mfaFailedCount.lastHour | integer | The number of MFA failed events seen for this print in the last hour |
| print.mfaFailedCount.total | integer | The total number of MFA failed events seen for this print |
| print.mfaSuccessCount.last24hours | integer | The number of MFA success events seen for this print in the last 24 hours |
| print.mfaSuccessCount.last30days | integer | The number of MFA success events seen for this print in the last 30 days |
| print.mfaSuccessCount.last7days | integer | The number of MFA success events seen for this print in the last 7 days |
| print.mfaSuccessCount.lastHour | integer | The number of MFA success events seen for this print in the last hour |
| print.mfaSuccessCount.total | integer | The total number of MFA success events seen for this print |
| print.multipleAccounts | boolean | Checks if this print was linked to multiple accounts for fraudulent purposes (such as promotions abuse or a banned user) |
| print.tags | array | The tags associated to accounts connected through prints in SignalPrint |
| print.verificationSuccessCount. last24hours | integer | The number of verification success events seen for this print in the last 24 hours |
| print.verificationSuccessCount. last30days | integer | The number of verification success events seen for this print in the last 30 days |
| print.verificationSuccessCount. last7days | integer | The number of verification success events seen for this print in the last 7 days |
| print.verificationSuccessCount.lastHour | integer | The number of verification success events seen for this print in the last hour |
| print.verificationSuccessCount.total | integer | The total number of verification success events seen for this print |
User Agent Evaluation
| Signal | Type | Description |
|---|---|---|
| userAgent.bot | boolean | Identifies if the user agent is a known bot |
| userAgent.browser.name | string | Identifies the name of the browser, such as Safari |
| userAgent.browser.version | string | Identifies the version of the browser |
| userAgent.device.name | string | Identifies the name of the device |
| userAgent.device.type | string | Identifies the type of device |
| userAgent.os.name | string | Identifies the operating system on the device |
| userAgent.os.version | string | Identifies the version of the operating system on the device |
Updated about 5 hours ago