Signal Definitions

Verosint uses signals to evaluate accounts for fraud based on open-source intelligence data. Account fraud can be determined through IP address, email, and phone data characteristics. Once fraud is found, signals power rules to guard against unwanted access to your systems.

Account Evaluation

SignalTypeDescription
account.accountSharingbooleanMultiple users share credentials to access an account authorized for a single user
account.asnCount.last24hoursintegerThe number of distinct ASNs used to access this account in the last 24 hours
account.asnCount.last7daysintegerThe number of distinct ASNs used to access this account in the last 7 days
account.asoCount.last24hoursintegerThe number of distinct ISPs used to access this account in the last 24 hours
account.asoCount.last7daysintegerThe number of distinct ISPs used to access this account in the last 7 days
account.connectedAccounts.countintegerThe number of other accounts connected to this print in SignalPrint
account.eventCount.last24hoursintegerThe number of events seen for this account in the last 24 hours
account.eventCount.last7daysintegerThe number of events seen for this account in the last 7 days
account.eventCount.lastHourintegerThe number of events seen for this account in the last hour
account.firstSeenstringDate on which the account was first seen in an event
account.lastSeenstringDate on which the account was last seen in an event
account.locationCount.last24hoursintegerThe number of distinct locations used to access this account in the last 24 hours
account.locationCount.last7daysintegerThe number of distinct locations used to access this account in the last 7 days
account.loginFailedCount.last24hoursintegerThe number of login failed events seen for this account in the last 24 hours
account.loginFailedCount.last7daysintegerThe number of login failed events seen for this account in the last 7 days
account.loginFailedCount.lastHourintegerThe number of login failed events seen for this account in the last hour
account.loginSuccessCount.last24hoursintegerThe number of login success events seen for this account in the last 24 hours
account.loginSuccessCount.last7daysintegerThe number of login success events seen for this account in the last 7 days
account.loginSuccessCount.lastHourintegerThe number of events seen for this account in the last hour
account.mfaFailedCount.last24hoursintegerThe number of MFA failed events seen for this account in the last 24 hours
account.mfaFailedCount.last7daysintegerThe number of MFA failed events seen for this account in the last 7 days
account.mfaFailedCount.lastHourintegerThe number of MFA failed events seen for this account in the last hour
account.mfaSuccessCount.last24hoursintegerThe number of MFA success events seen for this account in the last 24 hours
account.mfaSuccessCount.last7daysintegerThe number of MFA success events seen for this account in the last 7 days
account.mfaSuccessCount.lastHourintegerThe number of MFA success events seen for this account in the last hour
account.risksarrayRisk signals associated with the account

ValueDescription
ACCOUNT_SHARINGMultiple users share credentials to access an account authorized for a single user
account.tagsarrayThe tags directly associated with this account or connected through other accounts in SignalPrint
account.userAgentCount.last24hoursintegerThe number of distinct user agents used to access this account in the last 24 hours
account.userAgentCount.last7daysintegerThe number of distinct user agents used to access this account in the last 7 days
account.verificationSuccessCount.
last24hours
integerThe number of verification success events seen for this account in the last 24 hours
account.verificationSuccessCount.
last7days
integerThe number of verification success events seen for this account in the last 7 days
account.verificationSuccessCount.
lastHour
integerThe number of verification success events seen for this account in the last hour
account.verificationSuccessCount.totalintegerThe total number of verification success events seen for this account

Email Address Evaluation

SignalTypeDescription
email.aliasbooleanIndicates if the email address is an alias, usually due to special characters (+ or -) in the username
email.breachInfo.breachesarrayArray containing data about every time the email was breached
email.breachInfo.countintegerDetermines if an email is found in any known breaches and the number of breaches
email.breachInfo.daysSinceLastBreachintegerIdentifies the time in days since the last breach in which the email was found
email.breachInfo.mostRecentBreachDatestringDetermines if an email is found in a breach, specified by date
email.breachInfo.yearsSinceLastBreachintegerIdentifies the time in years since the email was found in a breach
email.disposablebooleanDetermines if an email is temporary and expires after a certain period of time
email.domainstringDomain name of the email in a normalized format
email.domainRegistrationInfo.
daysSinceDomainRegistered
integerIdentifies the time in days since the email domain was registered
email.domainRegistrationInfo.
domainRegistrationDate
stringSpecifies a date by which the email domain should have been registered
email.domainRegistrationInfo.
yearsSinceDomainRegistered
integerIdentifies the time in years since the email domain was registered
email.emailServerstringSpecifies an email server name
email.freebooleanIndicates if the email has been registered with a free email provider such as Gmail or Yahoo
email.genericbooleanIndicates if the username portion of the email address is categorized as generic. For example, [email protected]
email.parkedbooleanIdentifies if the email is from a parked domain
email.riskScoreintegerSpecifies a risk value for an email between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms
email.risksarrayRisk signals associated with the email address

ValueDescription
ALIASIndicates if the email address is an alias, usually due to special characters (+ or -) in the username
DISPOSABLEDetermines if an email is temporary and expires after a certain period of time
FREEIndicates if the email has been registered with a free email provider such as Gmail or Yahoo
GENERICIndicates if the username portion of the email address is categorized as generic. For example, [email protected]
INVALID_ADetermines if an email’s domain has a valid IP address record
INVALID_DNSDetermines if an email’s domain has valid nameserver records
INVALID_DOMAINDetermines if an email's domain is registered
INVALID_ICANN_SUFFIXValidates that an email's top-level domain is maintained by the Internet Corporation for Assigned Names and Numbers (ICANN)
INVALID_MXValidates that an email’s domain has one or more valid mail exchanger (MX) records
INVALID_SPFValidates that an email’s domain has a valid sender policy framework (SPF) record
PARKEDIdentifies if the email is from a parked domain
RISKY_TLDDetermines if an email is associated with a risky top-level domain
email.riskyTLDbooleanDetermines if an email is associated with a risky top-level domain
email.validAbooleanDetermines if an email’s domain has a valid IP address record
email.validDNSbooleanDetermines if an email’s domain has valid nameserver records
email.validDomainbooleanDetermines if an email's domain is registered
email.validICANNSuffixbooleanValidates that an email's top-level domain is maintained by the Internet Corporation for Assigned Names and Numbers (ICANN)
email.validMXbooleanValidates that an email’s domain has one or more valid mail exchanger (MX) records
email.validSPFbooleanValidates that an email’s domain has a valid sender policy framework (SPF) record

Event Evaluation

SignalTypeDescription
event.anomalyScorenumberEvent anomaly score based on account historical behavior
event.impossibleTravelbooleanChecks if the speed of travel between a user's last known location and current location is possible. If speed > 600 MPH, it's impossible travel
event.listsarrayEvent is on these lists
event.newPrintbooleanChecks if the print was used to successfully login to the account. New prints indicate outlier activity (such as a new device)
event.riskScoreintegerSpecifies a risk value for an event between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms
event.risksarrayRisk signals associated with the event

ValueDescription
IMPOSSIBLE_TRAVELThe speed of travel between a user's last known location and current location is not possible
NEW_PRINTNew prints indicate outlier activity (such as a new device)
VERIFIED_PRINTPrint was used to successfully verify the identity of the account
event.verifiedPrintbooleanChecks if the print was used to successfully verify the identity of the account

Request Identifiers

SignalTypeDescription
identifiers.accountIdstringThe account ID
identifiers.emailstringThe email address
identifiers.ipstringThe IPv4 or IPv6 address
identifiers.paymentHashstringThe hashed payment method identifier.
identifiers.phonestringThe phone number in E.164 format
identifiers.timestampstringThe RFC3339 formatted timestamp. Current time is used if not specified
identifiers.userAgentstringThe full user agent string

IP Address Evaluation

SignalTypeDescription
ip.activeTorbooleanDetermines if an IP address is coming from a currently active Tor node, usually to hide a true IP address
ip.asnstringIdentifies the Autonomous System Number of the IP assigned to a group of IP prefixes run by network operators that maintain a defined routing policy to the Internet
ip.asostringIdentifies the Autonomous System Organization that administers the IP address
ip.botbooleanDetermines if an IP address is a known bot
ip.crawlerbooleanDetermines if an IP belongs to a business that scans the Internet, typically for the purpose of web indexing
ip.denyListbooleanChecks if the IP address is on a deny list
ip.geo.latitudenumberIdentifies the location coordinate of the IP address north or south of the equator
ip.geo.longitudenumberIdentifies the location coordinate of the IP address east or west of the prime meridian
ip.hostedbooleanDetermines if the IP address belongs to a cloud provider
ip.location.citystringIdentifies the city in which the IP address is located
ip.location.continentstringIdentifies the two-letter continent code (ISO 3166-1) from which an IP address is located
ip.location.countrystringIdentifies the two-digit country code (ISO 3166-1) from which an IP address is located
ip.location.regionstringIdentifies the geographical region (state/province) in which the IP is located
ip.locationIdstringUnique identifier assigned to the location by GeoNames
ip.maliciousbooleanDetermines if an incoming IP address can be found in a reported scam, breach, or malicious attack
ip.privacyProviderstringName of the IP privacy service provider, available when vpn, relay, hosted or proxy is true
ip.proxybooleanDetermines if an IP address is coming from a proxy server, both HTTP and non-HTTP (such as SOCKS) proxies
ip.relaybooleanPrivate relay service IP address (such as Apple relay, Cloudflare, or Akamai)
ip.riskScoreintegerSpecifies a risk value for an IP address between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms
ip.risksarrayRisk signals associated with the ip address

ValueDescription
ACTIVE_TORDetermines if an IP address is coming from a currently active Tor node, usually to hide a true IP address
BOTDetermines if an IP address is a known bot
CRAWLERDetermines if an IP belongs to a business that scans the Internet, typically for the purpose of web indexing
DENY_LISTChecks if the IP address is on a deny list
HOSTEDDetermines if the IP address belongs to a cloud provider
MALICIOUSDetermines if an incoming IP address can be found in a reported scam, breach, or malicious attack
PROXYDetermines if an IP address is coming from a proxy server, both HTTP and non-HTTP (such as SOCKS) proxies
RELAYPrivate relay service IP address (such as Apple relay, Cloudflare, or Akamai)
TORIdentifies if an IP address is coming from a known Tor exit node
VPNIdentifies if an IP address is coming from a known VPN
ip.timezonestringIdentifies the timezone of an IP address
ip.torbooleanIdentifies if an IP address is coming from a known Tor exit node
ip.vpnbooleanIdentifies if an IP address is coming from a known VPN

Phone Number Evaluation

SignalTypeDescription
phone.carrierstringSpecifies the name of a phone service provider
phone.carrierIdentificationCodestringSpecifies the carrier identification code (CIC), a four-digit numeric code assigned to carriers or other entities that access a local exchange carrier (LEC) network
phone.disposablebooleanDetermines if a phone number is temporary and expires after a certain period of time
phone.doNotOriginatebooleanDetermines if an account's phone number is on the Do Not Originate (DNO) registry, which lists numbers used only for inbound calls
phone.location.countrystringSpecifies the two-digit country code (ISO 3166-1) where the phone number is registered
phone.location.regionstringSpecifies the geographical region (state/province) in which the phone is located
phone.mobileCountryCodestringSpecifies a mobile country code (MCC)
phone.mobileNetworkCodestringSpecifies a mobile network code (MNC)
phone.numberPortabilityDipIndicatorbooleanDetermines if a phone number has been queried through a number portability lookup
phone.numberPortedIndicatorbooleanDetermines if a phone number has been ported
phone.reachablebooleanDetermines if a phone number is in service or out of service
phone.riskScoreintegerSpecifies a risk value for a phone number between 0 (safe) and 100 (risky) for Verosint to assess against OSINT data and internal algorithms
phone.risksarrayRisk signals associated with the phone number

ValueDescription
DISPOSABLEDetermines if a phone number is temporary and expires after a certain period of time
DO_NOT_ORIGINATEDetermines if an account's phone number is on the Do Not Originate (DNO) registry, which lists numbers used only for inbound calls
NOT_REACHABLEDetermines if a phone number is in service or out of service
PORTABILITY_DIPDetermines if a phone number has been queried through a number portability lookup
PORTEDDetermines if a phone number has been ported
WIRELESSDetermines the phone number type (mobile and prepaid phone numbers will have a value of True, voice-over-IP and traditional landlines will have a value of False)
phone.wirelessbooleanDetermines the phone number type (mobile and prepaid phone numbers will have a value of True, voice-over-IP and traditional landlines will have a value of False)

SignalPrint Evaluation

SignalTypeDescription
print.connectedAccounts.avgDegreesnumberThe average number of degrees to the connected accounts in SignalPrint
print.connectedAccounts.countintegerThe number of other accounts connected to this account in SignalPrint
print.connectedAccounts.maxDegreesintegerThe maximum number of degrees to the connected accounts in SignalPrint
print.connectedAccounts.minDegreesintegerThe minimum number of degrees to the connected accounts in SignalPrint
print.eventCount.last24hoursintegerThe number of events seen for this print in the last 24 hours
print.eventCount.last7daysintegerThe number of events seen for this print in the last 7 days
print.eventCount.lastHourintegerThe number of events seen for this print in the last hour
print.failedAcctsCount.last24hoursintegerThe number of accounts with a a failed login connected to this print in the last 24 hours
print.failedAcctsCount.last7daysintegerThe number of accounts with a a failed login connected to this print in the last 7 days
print.failedAcctsCount.lastHourintegerThe number of accounts with a a failed login connected to this print in the last hour
print.firstSeenstringDate on which the print was first seen in an event
print.lastSeenstringDate on which the print was last seen in an event
print.loginFailedCount.last24hoursintegerThe number of login failed events seen for this print in the last 24 hours
print.loginFailedCount.last7daysintegerThe number of login failed events seen for this print in the last 7 days
print.loginFailedCount.lastHourintegerThe number of login failed events seen for this print in the last hour
print.loginSuccessCount.last24hoursintegerThe number of login success events seen for this print in the last 24 hours
print.loginSuccessCount.last7daysintegerThe number of login success events seen for this print in the last 7 days
print.loginSuccessCount.lastHourintegerThe number of events seen for this print in the last hour
print.mfaFailedCount.last24hoursintegerThe number of MFA failed events seen for this print in the last 24 hours
print.mfaFailedCount.last7daysintegerThe number of MFA failed events seen for this print in the last 7 days
print.mfaFailedCount.lastHourintegerThe number of MFA failed events seen for this print in the last hour
print.mfaSuccessCount.last24hoursintegerThe number of MFA success events seen for this print in the last 24 hours
print.mfaSuccessCount.last7daysintegerThe number of MFA success events seen for this print in the last 7 days
print.mfaSuccessCount.lastHourintegerThe number of MFA success events seen for this print in the last hour
print.multipleAccountsbooleanChecks if this print was linked to multiple accounts for fraudulent purposes (such as promotions abuse or a banned user)
print.risksarrayRisk signals associated with the print

ValueDescription
MULTIPLE_ACCOUNTSPrint was linked to multiple accounts for fraudulent purposes (such as promotions abuse or a banned user)
print.signupFailedCount.last24hoursintegerThe number of signup failed events seen for this print in the last 24 hours
print.signupFailedCount.last7daysintegerThe number of signup failed events seen for this print in the last 7 days
print.signupFailedCount.lastHourintegerThe number of signup failed events seen for this print in the last hour
print.signupSuccessCount.last24hoursintegerThe number of signup success events seen for this print in the last 24 hours
print.signupSuccessCount.last7daysintegerThe number of signup success events seen for this print in the last 7 days
print.signupSuccessCount.lastHourintegerThe number of signup success events seen for this print in the last hour
print.tagsarrayThe tags associated to accounts connected through prints in SignalPrint
print.verificationSuccessCount.
last24hours
integerThe number of verification success events seen for this print in the last 24 hours
print.verificationSuccessCount.
last7days
integerThe number of verification success events seen for this print in the last 7 days
print.verificationSuccessCount.lastHourintegerThe number of verification success events seen for this print in the last hour
print.verificationSuccessCount.totalintegerThe total number of verification success events seen for this print

User Agent Evaluation

SignalTypeDescription
userAgent.botbooleanIdentifies if the user agent is a known bot
userAgent.browser.namestringIdentifies the name of the browser, such as Safari
userAgent.browser.versionstringIdentifies the version of the browser
userAgent.device.namestringIdentifies the name of the device
userAgent.device.typestringIdentifies the type of device
userAgent.os.namestringIdentifies the operating system on the device
userAgent.os.versionstringIdentifies the version of the operating system on the device
userAgent.risksarrayRisk signals associated with the user agent

ValueDescription
BOTIdentifies if the user agent is a known bot