Console
The web-accessible user interface (console) is the main instrument an operator uses for reviewing gathered intelligence and adjusting the Tirreno system’s functioning. The console consists of two parts: a sidebar with the menu on the left side and the main body for outputting a selected page’s data.
The pages expose the gathered information through a set of tables, charts, widgets, and controls. They enable multidimensional lookup, filtering, and ordering of data. This way, the console provides detailed intelligence on user identities and their interaction with a platform, making suspicious activity notable.
As a rule of thumb, warning signals are coloured with yellow throughout the user interface. Outstanding abnormalities are coloured red (for instance, low trust scores), ranging up to purple in extreme cases (such as in rules). The green colour, in contrast, is typically used for marking presumably safe entities.
By default, most of the pages output data for the last month. One of the pre-defined periods can be selected in the upper-right corner of the interface. A selection of one day (1D), three days (3D), one week (1W), two weeks (2W), one month (1M), and three months (3M) is available. To obtain the entire dataset, click the label MAX.
The top part of many pages contains a search bar that facilitates the lookup of various entities across the system by matching user ID, name, email, phone number, autonomous system number (ASN), or the domain name of an email address. In addition, the principal tables are accompanied by more focused, specialized search bars for easier exploration of large datasets. The specialized search bars are generally located near the upper-right corner of a table.
Dashboard
The Dashboard page loads by default after a successful login. It provides a quick overview of user activity. This page comprises several widgets, each of which outputs information collected during a selected period of time and links to pages with more extended information on an entity of interest.
In particular, the top row shows the number of events, users, IP addresses, countries, and resources recorded during the selected period of time and in total, along with the number of blacklisted users and users with low trust scores, each linked to the corresponding page for a thorough review.
The second row of widgets displays users, countries, and resources with the highest level of activity during the set period of time.
The last row is akin to light defence weaponry. It serves well for the primary detection of malicious scenarios by analyzing IP addresses: it lists users with shared IP addresses, users on the Tor network, and users utilizing many different IP addresses. (For more details, see IP Address Signals.)
Review Queue
The Review queue page enables the assessment of users with low trust scores.
The chart on this page shows the daily count of such users identified within a chosen time frame, categorized by review status: Whitelisted, On review, Blacklisted.
The table below presents basic user information and allows an operator to remove a user from the queue by performing a user score review, one of the most highly advisable operator procedures.
Note that the Review queue notifications setting on the Settings page enables daily or weekly email reminders to examine Review queue items.
Events
This page lists events for a selected period of time. It features a chart that displays the number of daily events.
The table below outputs the key event’s data: user essentials, event time and type, IP address, and detected device.
Clicking an event’s row opens a panel with an extended report on the right side. The report reveals numerous details about the event, the requested resource, as well as expanded user and identity-based analytics.
Users
The Users page outputs basic information about all the users reported during a selected period of time.
The chart shows the daily number of new visitors, ranked by their trust score values.
The table beneath lists each user’s trust score, basic account information, and review status. The specialized search bar and the rules filter placed at the top of the table simplify user lookup by utilizing entered user ID, email, name, signup date, or selected rules for narrowing down the results.
A page devoted to individual user analytics can be opened by clicking on a table row. This page comprises widgets, tables, and charts that reveal cumulative intelligence on user identities (such as IP addresses, emails, and phone numbers) and associated activities. It also displays user-matching rules and enables setting user review status.
A careful study of the data presented on a user page is one of the keys to the identification of a malicious actor and is often an essential part of threat hunting. (See the chapter on Operator Procedures.)
Caution
Clicking the Delete user button at the bottom of the page triggers the removal of all recorded user-related information.
IP Addresses
This page presents information grouped by IP address. The data is shown for a specified period of time.
The chart illustrates the daily number of the residential (considered safe) and non-residential (considered a warning signal) IP addresses.
The table lists IP addresses with key details and indicators of suspicious activity. In particular, the latter include non-residential IP addresses and a high number of related events and users.
For a more in-depth analysis of the data gathered on a specific IP address, click on a table row. The subsequent page features widgets that output warning signals for the IP address, as well as lists associated users, devices, and events. The events table is accompanied by a chart summarizing the daily count of requests made from the IP address.
Countries
This page presents information grouped by countries identified based on the requests’ IP addresses. The data is displayed for a specified time period.
The map shows the geolocated countries and the respective number of users, while the table displays primary statistics for each country. Here, audit the relative change in the number of users, events, and IP addresses over the specified and preceding periods. Large discrepancies in these numbers can serve as a warning signal.
To access more analytics related to a country, click on a table row. The subsequent page provides the total number of users, IP addresses, and events attributed to the country. It also includes compiled data on users, IP addresses, internet service providers (ISPs), and events. The latter includes a chart visualizing the daily request count from that country.
Networks
The Networks page exhibits analytics categorized by internet service provider (ISP), identified through IP addresses recorded over a chosen period.
The chart displays the daily count of unique and newly reported active ISPs.
The table presents ISPs with their key statistics. More in-depth data is exposed on a specific ISP’s page, which can be opened by clicking on a table row. This page offers compiled information on associated users, IP addresses, and events through total counts, tables, and illustrative charts.
Domains
This page offers analytics grouped by email domain.
The chart illustrates the daily count of unique and newly reported domains, while the table provides essential domain information and warning signals.
To access a page with more information on an email domain, click on a table row. Here you can see domain statistics, warning signals, and aggregated data on linked users, IP addresses (including a map of geolocated countries), ISPs, and events (accompanied by a chart showing the daily request count).
Resources
The Resources page enables the review of user activity grouped by the requested resource over a selected time period.
The chart on this page illustrates the HTTP response status codes user requests ended with. Namely, it displays the daily counts of OK (200), Not Found (404), Forbidden (403), and Internal Server Error (500) responses.
To access detailed information regarding a resource, click on a table row. The page that opens provides aggregated data on the users, IP addresses, internet service providers (ISPs), devices, and events recorded in connection with the resource requests.
Blacklist
The Blacklist page displays user identities added to a blacklist within a specified time frame.
The chart visualizes the daily count of blacklisted identities.
Each identity’s details are outlined in the table below. To remove an identity from the blacklist, click the Remove button on the right side. A page with more details on the corresponding user can be opened by clicking on a table row.
Rules
This page lists conditions (rules) that can serve two purposes, namely:
- When enabled, to be utilized by the rules engine for the trust score calculations.
- To be manually triggered to get a list of users matching the rule.
To enable the processing of a rule by the rules engine, set the rule’s weight to one of the following values: Extreme, High, Medium, or Positive. Setting the value to None disables the processing of the rule. To save an adjusted value, click the button appearing on the right side.
The highest weight (Extreme) strongly affects the calculated trust score of a user matching the rule, resetting the trust score to the critically low value at once. Rules with the High and Medium weights reduce the trust score at correspondingly diminishing rates. In contrast, a Positive rule increases the user’s trust score value.
To manually trigger a rule’s processing (e.g., for testing it), click the button shown on the right side. A list of users matching the rule will be shown below the rule’s definition.
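The following is an added illustrative model of the rule-weight semantics described above; it is not Tirreno’s own rules engine, and the starting score, the "critically low" value, and the per-weight step sizes are assumptions chosen only to mirror the ordering the text gives.

```python
# Illustrative model of rule weights (added example, not Tirreno's engine).
# SCORE_MAX, CRITICAL_LOW and WEIGHT_DELTA are assumed values.
from dataclasses import dataclass
from typing import Callable

SCORE_MAX = 100      # assumed: trust score of a user matching no rules
CRITICAL_LOW = 5     # assumed: the "critically low" value an Extreme rule resets to
WEIGHT_DELTA = {"High": -30, "Medium": -10, "Positive": +10}  # assumed, diminishing

@dataclass
class Rule:
    name: str
    weight: str                       # "Extreme", "High", "Medium", "Positive" or "None"
    matches: Callable[[dict], bool]   # predicate over a user record

def matching_rules(user: dict, rules: list[Rule]) -> list[Rule]:
    """Rules matching the user; weight is ignored here, as on a manual trigger."""
    return [r for r in rules if r.matches(user)]

def trust_score(user: dict, rules: list[Rule]) -> int:
    """Process only rules whose weight is not None. An Extreme match resets the
    score at once; High and Medium subtract at diminishing rates; Positive adds."""
    enabled = [r for r in matching_rules(user, rules) if r.weight != "None"]
    if any(r.weight == "Extreme" for r in enabled):
        return CRITICAL_LOW
    score = SCORE_MAX + sum(WEIGHT_DELTA[r.weight] for r in enabled)
    return max(0, min(SCORE_MAX, score))

def trigger_rule(rule: Rule, users: list[dict]) -> list[str]:
    """Manual trigger: IDs of users matching the rule, listed under its definition."""
    return [u["id"] for u in users if rule.matches(u)]

# Constructed sample rules and user records (not real data).
RULES = [
    Rule("tor_exit_ip", "Extreme", lambda u: u["tor"]),
    Rule("many_ip_addresses", "High", lambda u: u["ip_count"] > 10),
    Rule("fresh_signup", "Medium", lambda u: u["signup_days"] < 1),
    Rule("verified_email", "Positive", lambda u: u["email_verified"]),
]
USERS = [
    {"id": "u1", "tor": True, "ip_count": 2, "signup_days": 40, "email_verified": True},
    {"id": "u2", "tor": False, "ip_count": 12, "signup_days": 0, "email_verified": True},
    {"id": "u3", "tor": False, "ip_count": 1, "signup_days": 30, "email_verified": True},
]

def score_all(users: list[dict] = USERS, rules: list[Rule] = RULES) -> dict[str, int]:
    return {u["id"]: trust_score(u, rules) for u in users}

if __name__ == "__main__":
    print(score_all())                    # {'u1': 5, 'u2': 70, 'u3': 100}
    print(trigger_rule(RULES[1], USERS))  # ['u2']
```

Setting a rule’s weight to "None" removes it from the score calculation while the manual trigger still lists its matching users.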
The rules engine’s configuration and analysis of the outcomes of its work are vital parts of an operator’s daily routine. Notably, see the Supplemental Investigation section for several exemplary cases.
Logbook
Visit this page to verify the statuses of recent requests to the Tirreno API.
The provided data is meant to help identify failing requests (including by the IP address sent and the event timestamp) and obtain more information for fixing such requests.
The Logbook may also serve as a way of confirming API communication is properly set up, making it a valuable tool at the API Integration stage.
API
This page provides information necessary to complete and fine-tune API Integration.
At the top of the page, you will see a tracking code. It authorizes a client platform to connect to the Tirreno API. A tracking code can be renewed by clicking the Reset button. Note that the reset action cancels the validity of the previously used tracking code.
The code examples on the API page demonstrate the format in which Tirreno expects event data to be sent, including mandatory and optional parameters for passing event details. You can also find a similar set of examples, supported by instructions, in the chapter API Integration.
Use the panels below to manage data enrichment — a feature of the Enterprise version of Tirreno. The panels allow the following:
- Add an enrichment key.
- Choose the data types to enrich.
- Check the currently enabled subscription status.
- Update a payment card.
- Trigger resetting of enriched information.
Generally, enabling only IP address enrichment may be sufficient for the internal risk evaluation. For external fraud prevention, enriching additional data types is typically recommended.
Settings
This page provides the ability to configure and control an account, as listed below:
- Time zone
Select a time zone for representing timestamps in the user interface.
- Data retention
Use this panel to set the maximum duration for storing recorded information.
- Review queue notifications
Choose how often to send email reminders to inspect Review Queue items. The notifications can be sent on a daily or weekly basis, or they can be disabled.
- Share access
Manage operators that have access to the console. This can be done by inviting new operators via email or revoking access for the existing ones.
- Password
Set a new password for the account login.
- Change email address
Configure an email address associated with the account.
- Check for updates
Check if a Tirreno update is available.
- Delete account
⚠️ Use this action with caution! ⚠️ Deletion of an account is unrecoverable and leads to the removal of all related information, including the entire recorded history of events.