.. index::
   single: Console

.. _console:

Console
=======

The web-accessible user interface (:term:`console`) is the main instrument an :term:`operator` uses for reviewing gathered intelligence and adjusting the :tirreno:`Tirreno` system’s functioning.

The :term:`console` consists of two parts: a sidebar with the menu on the left side and the main body for outputting a selected page’s data. The pages expose the gathered information through a set of tables, charts, widgets, and controls. They enable multidimensional lookup, filtering, and ordering of data. This way, the :term:`console` provides detailed intelligence on :term:`user` :term:`identities` and their interaction with a platform, making suspicious activity notable.

As a rule of thumb, :term:`warning signals` are coloured :yellow:`yellow` throughout the user interface. Outstanding abnormalities are coloured :red:`red` (for instance, low :term:`trust scores`), ranging up to :purple:`purple` in extreme cases (such as in :term:`rules`). The :green:`green` colour, in contrast, is typically used for marking presumably safe entities.

By default, most of the pages output data for the last month. One of the pre-defined periods can be selected in the upper-right corner of the interface. A selection of one day (1D), three days (3D), one week (1W), two weeks (2W), one month (1M), and three months (3M) is available. To obtain the entire dataset, click the label MAX.

The top part of many pages contains a search bar that facilitates the lookup of varying entities across the system by matching :term:`user` ID, name, email, phone number, autonomous system number (ASN), or the domain name of an email address. In addition, the principal tables are accompanied by more focused, specialized search bars for easier exploration of large datasets. The specialized search bars are generally located near the upper-right corner of a table.

.. index::
   single: Dashboard
.. _dashboard:

Dashboard
---------

The *Dashboard* page loads by default after a successful login. It provides a quick overview of :term:`user` activity. This page comprises several widgets, each of which outputs information collected during a selected period of time and links to pages with more extended information on an entity of interest.

In particular, the top row shows the number of :term:`events`, :term:`users`, IP addresses, countries, and :term:`resources` recorded during a selected period of time and in total, as well as the number of blacklisted :term:`users` and the ones with low :term:`trust scores`, with the possibility to quickly access the corresponding pages for a thorough review.

The second row of widgets displays :term:`users`, countries, and :term:`resources` with the highest level of activity during the set period of time.

The last row is akin to light defence weaponry. It serves well for the primary detection of malicious scenarios by analyzing IP addresses. This includes reviewing :term:`users` with shared IP addresses, those using the TOR network, or those utilizing many different IP addresses. (For more details, see :ref:`IP Address Signals `.)

.. index::
   single: Review Queue

.. _review-queue:

Review Queue
------------

The *Review queue* page enables the assessment of :term:`users` with low :term:`trust scores`. The chart on this page shows the daily count of such :term:`users` identified within a chosen time frame, categorized by review status: ``Whitelisted``, ``On review``, ``Blacklisted``. The table below presents basic :term:`user` information and allows an :term:`operator` to remove a :term:`user` from the queue by performing a :ref:`user score review `, one of the most highly advisable :ref:`operator procedures `.

Note that the :ref:`Settings ` page option **Review queue notifications** enables sending daily or weekly email reminders to examine *Review queue* items.

.. index::
   single: Events
.. _events:

Events
------

This page lists :term:`events` for a selected period of time. It features a chart that displays the number of daily :term:`events`. The table below outputs the key :term:`event` data: :term:`user` essentials, :term:`event` time and :ref:`type `, IP address, and detected device.

Clicking an :term:`event`’s row opens a panel with an extended report on the right side. The report reveals numerous details about the :term:`event` and the requested :term:`resource`, as well as expanded :term:`user` and :term:`identity`-based analytics.

.. index::
   single: Users

.. _users:

Users
-----

The *Users* page outputs basic information about all the :term:`users` reported during a selected period of time. The chart shows the daily number of new visitors, ranked by their :term:`trust score` values. The table beneath lists each :term:`user`’s :term:`trust score`, basic account information, and review status. The specialized search bar and the :ref:`rules ` filter placed at the top of the table simplify :term:`user` lookup: enter a user ID, email, name, or signup date, or select :ref:`rules ` to narrow down the results.

A page devoted to individual :term:`user` analytics can be opened by clicking on a table row. This page comprises widgets, tables, and charts that reveal cumulative intelligence on :term:`user` :term:`identities` (such as IP addresses, emails, and phone numbers) and associated activities. It also displays the :term:`rules` matching the :term:`user` and enables setting the :term:`user` review status. A careful study of the data presented on a :term:`user` page is one of the keys to the identification of a malicious actor and is often an essential part of threat hunting. (See the chapter on :ref:`Operator Procedures `.)

.. caution::

   Clicking the ``Delete user`` button at the bottom of the page triggers the removal of all recorded :term:`user`-related information.

.. index::
   single: IP Addresses
.. _ip-addresses:

IP Addresses
------------

This page presents information grouped by IP address. The data is shown for a specified period of time. The chart illustrates the daily number of residential (considered safe) and non-residential (considered a :term:`warning signal`) IP addresses. The table lists IP addresses with key details and indicators of suspicious activity. In particular, the latter include non-residential IP addresses and a high number of related :term:`events` and :term:`users`.

For a more in-depth analysis of the data gathered on a specific IP address, click on a table row. The subsequent page features widgets that output :term:`warning signals` for the IP address and lists the associated :term:`users`, devices, and :term:`events`. The :term:`events` table is accompanied by a chart summarizing the daily count of requests made from the IP address.

.. index::
   single: Countries

.. _countries:

Countries
---------

This page presents information grouped by country, identified based on the requests’ IP addresses. The data is displayed for a specified time period. The map shows the geolocated countries and the respective number of :term:`users`, while the table displays primary statistics for each country. Here, audit the relative change in the number of :term:`users`, :term:`events`, and IP addresses between the specified period and the preceding one. Large discrepancies in these numbers can serve as a :term:`warning signal`.

To access more analytics related to a country, click on a table row. The subsequent page provides the total number of :term:`users`, IP addresses, and :term:`events` attributed to the country. It also includes compiled data on :term:`users`, IP addresses, internet service providers (ISPs), and :term:`events`. The latter includes a chart visualizing the daily request count from that country.
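The two IP-based checks described above (the *Dashboard* widgets for shared IP addresses and users with many IP addresses, and the *Countries* audit of relative change between the selected and the preceding period) can be reproduced outside the console over raw event records. The following is an added example and not code from the Tirreno project: the record layout, the equal-length preceding period, the 100% change threshold and the "three or more addresses" cut-off are assumptions made here, and the events are constructed sample data.

```python
"""Added example (not part of the Tirreno documentation or code base): the
two kinds of IP-based check described on the Dashboard and Countries pages,
computed over constructed event records.

The record layout, the equal-length preceding period, the relative-change
threshold and the "many IP addresses" cut-off are assumptions made here;
Tirreno's internal data model and thresholds are not on the page.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user_id, ip_address, country, timestamp).
EVENTS = [
    ("u1", "203.0.113.5",  "DE", datetime(2024, 5, 2)),
    ("u2", "203.0.113.5",  "DE", datetime(2024, 5, 3)),   # shares an IP with u1
    ("u3", "198.51.100.7", "FR", datetime(2024, 5, 4)),
    ("u3", "198.51.100.8", "FR", datetime(2024, 5, 5)),
    ("u3", "198.51.100.9", "FR", datetime(2024, 5, 6)),   # u3 hops across addresses
    ("u4", "192.0.2.10",   "BR", datetime(2024, 5, 7)),
    ("u5", "192.0.2.11",   "BR", datetime(2024, 5, 8)),
    ("u6", "192.0.2.12",   "BR", datetime(2024, 5, 9)),
    ("u7", "192.0.2.13",   "BR", datetime(2024, 5, 10)),  # BR surges this period
    ("u1", "203.0.113.5",  "DE", datetime(2024, 4, 20)),  # preceding period
    ("u4", "192.0.2.10",   "BR", datetime(2024, 4, 22)),  # preceding period
]

# The selected period, as the console's period picker would define it (assumed).
PERIOD_START = datetime(2024, 5, 1)
PERIOD_END = datetime(2024, 6, 1)


def country_stats(events, start, end):
    """Distinct users, event count and distinct IPs per country in [start, end)."""
    users, ips, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for user, ip, country, ts in events:
        if start <= ts < end:
            users[country].add(user)
            ips[country].add(ip)
            count[country] += 1
    return {c: {"users": len(users[c]), "events": count[c], "ips": len(ips[c])}
            for c in count}


def relative_change(events, start=PERIOD_START, end=PERIOD_END,
                    metric="users", threshold=1.0):
    """Compare the selected period with the equal-length period right before it.

    Returns {country: change} for countries whose `metric` moved by more than
    `threshold` (1.0 = 100%). A country absent before but present now is
    reported as infinite growth, since that is exactly the discrepancy worth
    auditing.
    """
    length = end - start
    current = country_stats(events, start, end)
    previous = country_stats(events, start - length, start)
    flagged = {}
    for country in set(current) | set(previous):
        now = current.get(country, {}).get(metric, 0)
        before = previous.get(country, {}).get(metric, 0)
        if before == 0:
            change = float("inf") if now else 0.0
        else:
            change = (now - before) / before
        if abs(change) > threshold:
            flagged[country] = change
    return flagged


def ip_signals(events, start=PERIOD_START, end=PERIOD_END, many_ips=3):
    """Users that share an IP address with another user, and users seen from
    at least `many_ips` distinct addresses, within [start, end)."""
    users_by_ip, ips_by_user = defaultdict(set), defaultdict(set)
    for user, ip, _country, ts in events:
        if start <= ts < end:
            users_by_ip[ip].add(user)
            ips_by_user[user].add(ip)
    shared = {u for group in users_by_ip.values() if len(group) > 1 for u in group}
    hoppers = {u for u, ips in ips_by_user.items() if len(ips) >= many_ips}
    return sorted(shared), sorted(hoppers)


if __name__ == "__main__":
    print("country surge:", relative_change(EVENTS))
    print("shared-IP users, IP hoppers:", ip_signals(EVENTS))
```

With the sample data, ``DE`` doubles (from one user to two) and stays just under the threshold, ``BR`` quadruples and is flagged, and ``FR`` is flagged as new. The ``ip_signals`` call returns ``u1`` and ``u2`` as sharing an address and ``u3`` as the user seen from many addresses, which is the same picture the Dashboard's last row is meant to give at a glance.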
.. _networks:

Networks
--------

The *Networks* page exhibits analytics categorized by internet service provider (ISP), identified through the IP addresses recorded over a chosen period. The chart displays the daily count of unique and newly reported active ISPs. The table presents ISPs with their key statistics.

More in-depth data is exposed on a specific ISP’s page, which can be opened by clicking on a table row. This page offers compiled information on associated :term:`users`, IP addresses, and :term:`events` through total counts, tables, and illustrative charts.

.. index::
   single: Domains

.. _domains:

Domains
-------

This page offers analytics grouped by email domain. The chart illustrates the daily count of unique and newly reported domains, while the table provides essential domain information and :term:`warning signals`.

To access a page with more information on an email domain, click on a table row. Here you can see domain statistics, :term:`warning signals`, and aggregated data on linked :term:`users`, IP addresses (including a map of geolocated countries), ISPs, and :term:`events` (accompanied by a chart showing the daily request count).

.. index::
   single: Resources

.. _resources:

Resources
---------

The *Resources* page enables the review of :term:`user` activity grouped by the requested :term:`resource` over a selected time period. The chart on this page illustrates the HTTP response status codes that user requests ended with. Namely, it displays the daily counts of ``OK`` (200), ``Not Found`` (404), ``Forbidden`` (403), and ``Internal Server Error`` (500) responses.

To access detailed information regarding a :term:`resource`, click on a table row. The page that opens provides aggregated data on the :term:`users`, IP addresses, internet service providers (ISPs), devices, and :term:`events` recorded in connection with requests for the :term:`resource`.
.. _blacklist:

Blacklist
---------

The *Blacklist* page displays :term:`user` :term:`identities` added to a blacklist within a specified time frame. The chart visualizes the daily count of blacklisted :term:`identities`. Each :term:`identity`’s details are outlined in the table below. To remove an :term:`identity` from the blacklist, click the ``Remove`` button on the right side. A page with more details on the corresponding :term:`user` can be opened by clicking on a table row.

.. index::
   single: Rules

.. _rules:

Rules
-----

This page lists conditions (:term:`rules`) that can serve two purposes, namely:

1. When enabled, to be utilized by the :term:`rules engine` for the :term:`trust score` calculations.
2. To be manually triggered to get a list of :term:`users` matching a :term:`rule`.

To enable the processing of a :term:`rule` by the :term:`rules engine`, set the :term:`rule`’s weight to one of the following values: ``Extreme``, ``High``, ``Medium``, or ``Positive``. Setting the value to ``None`` disables the processing of the :term:`rule`. To save an adjusted value, click the button appearing on the right side.

The highest weight (``Extreme``) strongly affects the calculated :term:`trust score` of a :term:`user` matching the :term:`rule`, resetting the :term:`trust score` to the critically low value at once. :term:`Rules` with the ``High`` and ``Medium`` weights reduce the :term:`trust score` at correspondingly diminishing rates. In contrast, a ``Positive`` :term:`rule` increases the :term:`user`’s :term:`trust score` value.

To manually trigger a :term:`rule`’s processing (e.g., for testing it), click the button shown on the right side. A list of :term:`users` matching the :term:`rule` will be shown below the :term:`rule`’s definition.

The :term:`rules engine`’s configuration and analysis of the outcomes of its work are vital parts of an :term:`operator`’s daily routine. Notably, see the :ref:`Supplemental Investigation ` section for several exemplary cases.
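The weight semantics above (``Extreme`` resets the score at once, ``High`` and ``Medium`` lower it at diminishing rates, ``Positive`` raises it, ``None`` disables the rule) and the manual trigger that lists matching users are easier to reason about with a small model in front of you. The following is an added example and not the Tirreno rules engine: the page does not give the real scoring formula, so the 0..100 score range, the critical floor of 5, the numeric effect of each weight, and the sample rules and user records are all assumptions made for this illustration.

```python
"""Added example (not Tirreno's own rules engine): how the rule weights listed
on the Rules page could compose into a trust score, plus the "manual trigger"
listing of users that match a single rule.

Tirreno's real scoring formula is not on the page. The 0..100 score range, the
critical floor, the numeric effect of each weight and the sample rules and
users below are all assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

MAX_SCORE = 100        # assumed: fully trusted
CRITICAL_SCORE = 5     # assumed: the "critically low" value an Extreme hit resets to

# Assumed effect per weight. High and Medium lower the score at diminishing
# rates, Positive raises it, None disables the rule, and Extreme is handled
# separately because it is a reset rather than a decrement.
WEIGHT_EFFECT: Dict[str, int] = {"High": -30, "Medium": -15, "Positive": 10, "None": 0}


@dataclass
class Rule:
    name: str
    weight: str                       # Extreme / High / Medium / Positive / None
    matches: Callable[[dict], bool]   # predicate over a user record


def trust_score(user: dict, rules: List[Rule]) -> int:
    """Apply every enabled rule to a user record and return the resulting score."""
    score = MAX_SCORE
    for rule in rules:
        if rule.weight == "None" or not rule.matches(user):
            continue
        if rule.weight == "Extreme":
            return CRITICAL_SCORE     # one Extreme match dominates everything else
        score += WEIGHT_EFFECT[rule.weight]
    return max(CRITICAL_SCORE, min(MAX_SCORE, score))


def matching_users(rule: Rule, users: List[dict]) -> List[str]:
    """The manual trigger: list the IDs of users matching one rule, weight aside."""
    return [u["id"] for u in users if rule.matches(u)]


# Constructed sample rules; the predicates mirror signals named elsewhere on this page.
RULES = [
    Rule("TOR exit node",       "Extreme",  lambda u: u["tor"]),
    Rule("Non-residential IP",  "Medium",   lambda u: not u["residential_ip"]),
    Rule("Shared IP address",   "High",     lambda u: u["users_on_same_ip"] > 2),
    Rule("Verified email",      "Positive", lambda u: u["email_verified"]),
    Rule("Disabled rule",       "None",     lambda u: True),
]

# Constructed sample user records.
USERS = [
    {"id": "alice",   "tor": False, "residential_ip": True,  "users_on_same_ip": 0, "email_verified": True},
    {"id": "bob",     "tor": False, "residential_ip": False, "users_on_same_ip": 4, "email_verified": False},
    {"id": "mallory", "tor": True,  "residential_ip": False, "users_on_same_ip": 1, "email_verified": True},
]


if __name__ == "__main__":
    for user in USERS:
        print(user["id"], trust_score(user, RULES))
    print("matching 'Non-residential IP':", matching_users(RULES[1], USERS))
```

Two details are worth noting. A ``Positive`` rule cannot lift a user above the maximum (``alice`` stays at 100), and a matching ``Extreme`` rule ends the evaluation immediately, so ``mallory``'s verified email does not soften the TOR hit; that ordering is what "resetting the trust score to the critically low value at once" implies. The ``Disabled rule`` matches everyone yet changes nothing, which is the ``None`` weight's purpose, and ``matching_users`` ignores weights entirely, just as the manual trigger does.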
.. _logbook:

Logbook
--------

Visit this page to verify the statuses of recent requests to the :ref:`Tirreno’s API`. The provided data is meant to help identify failing requests (including by the sent IP address and event timestamp) and obtain more information for fixing such requests. The *Logbook* may also serve as a way of confirming that API communication is properly set up, making it a valuable tool at the :ref:`API Integration ` stage.

.. _api:

API
---

This page provides the information necessary to complete and fine-tune :ref:`API Integration `. At the top of the page, you will see a :term:`tracking code`. It authorizes a :term:`client` platform to connect to the :tirreno:`Tirreno` API. A :term:`tracking code` can be renewed by clicking the ``Reset`` button. Note that the reset action cancels the validity of the previously used :term:`tracking code`.

The code examples on the *API* page demonstrate the format in which :tirreno:`Tirreno` expects :term:`event` data to be sent, including mandatory and optional parameters for passing :term:`event` details. You can also find a similar set of examples, supported by instructions, in the chapter :ref:`API Integration `.

Use the panels below to manage :term:`data enrichment ` — a feature of the :term:`Enterprise version` of :tirreno:`Tirreno`. The panels allow the following:

* Add an :term:`enrichment key`.
* Choose the data types to enrich.
* Check the currently enabled subscription status.
* Update a payment card.
* Trigger resetting of enriched information.

Generally, enabling only IP address enrichment may be sufficient for internal risk evaluation. For external fraud prevention, enriching additional data types is typically recommended.

.. index::
   single: Settings

.. _settings:

Settings
--------

This page provides the ability to configure and control an account, as listed below:

Time zone
   Select a time zone for representing timestamps in the user interface.
Data retention
   Use this panel to set the maximum duration for storing recorded information.

Review queue notifications
   Choose how often to send email reminders to inspect :ref:`Review Queue ` items. The notifications can be sent on a daily or weekly basis, or they can be disabled.

Share access
   Manage :term:`operators` that have access to the :term:`console`. This can be done by inviting new :term:`operators` via email or revoking access for existing ones.

Password
   Set a new password for the account login.

Change email address
   Configure the email address associated with the account.

Check for updates
   Check if a Tirreno update is available.

Delete account
   ⚠️ *Use this action with caution!* ⚠️ Deletion of an account is unrecoverable and leads to the removal of all related information, including the entire recorded history of :term:`events`.