Attack Indication Scenario Rule Conditions

This topic describes the conditions that you can use to create rules and the default rules provided for the attack indication scenario.

Attack indication includes the following scenarios: Credit cards for sale, Bot data for sale, and Black markets.

Each scenario has its own conditions and default rules.

Credit cards for sale

Credit cards for sale - conditions

The following table describes the conditions that you can use to create rules. When using a regular expression, don't surround the expression with quotation marks.

| Features | Operator | Value | Description |
|---|---|---|---|
| Detection algorithm | identified/did not identify | "A credit card for sale" | Did the detection algorithm identify a company credit card for sale on the dark web? |
| Asset tags | in/not in | Select tags | Are any of the threat's matched assets tagged with any of the specified tags? |
| Bank name | in/not in | "Select a bank" | Was the detected card issued by a specific bank? |
| BIN | in/not in | "Select BINs" | Does the detected card have a specific BIN number? |
| Breach name | in/not in | "Select breach" | Was the detected card part of a specific data breach? |
| Cardholder address | in/not in | "Regex list" | Does the cardholder address contain a phrase (can be expressed as a regular expression)? |
| Cardholder address | is/is not | "Exposed" | Is the cardholder address exposed? |
| Cardholder city | in/not in | "Regex list" | Does the cardholder city contain a phrase (can be expressed as a regular expression)? |
| Cardholder city | is/is not | "Exposed" | Is the cardholder city exposed? |
| Cardholder email | in/not in | "Regex list" | Does the cardholder email address contain a phrase (can be expressed as a regular expression)? |
| Cardholder email | is/is not | "Exposed" | Is the cardholder email address exposed? |
| Cardholder full name | in/not in | "Regex list" | Does the cardholder name contain a certain phrase (can be expressed as a regular expression)? |
| Cardholder full name | is/is not | "Exposed" | Is the cardholder name exposed? |
| Cardholder phone | in/not in | "Regex list" | Does the cardholder phone number contain certain numbers (can be expressed as a regular expression)? |
| Cardholder phone | is/is not | "Exposed" | Is the cardholder phone number exposed? |
| Card PIN number | in/not in | "Regex list" | Does the card PIN number match a phrase (can be expressed as a regular expression)? |
| Card price | =, !=, >=, <=, >, < | Type an integer | Does the card sale offer price match a certain price? |
| Card service code | in/not in | "Regex list" | Does the card CVV match a phrase (can be expressed as a regular expression)? |
| Card service level | in/not in | "Select service level" | Does the card have a specific service level, such as business or student? |
| Card type | in/not in | "Select card brand" | Is the card from a specific issuer, such as Mastercard or Visa? |
| Source name | in/not in | "Select source" | Was the card found in a specific store? |
| Strong identifier | is/is not | "Exposed" | Does the card contain exposed strong identification details? |
| Track | is/is not | "Select track information" | Does the card contain information from specific magnetic tracks? |
| Transaction type | is/is not | "Select transfer type" | Is the card of a specific transaction type? |

Credit cards for sale - default rule

The following table lists the rules that are provided to get you started quickly.

| Rule name | Description of match | Default state |
|---|---|---|
| Credit Cards for Sale - Default Detection Rule | A credit card for sale was found with an exposed strong identifier. | Enabled |

Bot data for sale

Bot data for sale - conditions

| Features | Operator | Value | Description |
|---|---|---|---|
| Detection algorithm | identified/did not identify | Botnet credentials offered for sale | Did the detection algorithm identify relevant bot data for sale on the dark web? |
| Asset tags | in/not in | Select tags | Are any of the threat's matched assets tagged with any of the specified tags? |
| Bot price | =, !=, >=, <=, >, < | Type an integer between 0 and 1000 | Does the bot price match a specified price? |
| Browser | contains/does not contain | "Regex list" | Does the infected user use a browser that contains a specific pattern (can be expressed as a regex list)? |
| Browser | in multiple/not in multiple | All existing options | Does the infected user use a specific browser? |
| Days since bot installation | =, !=, >=, <=, >, < | Type an integer between 0 and 1000 | How many days ago was this bot installed? |
| Host URL | contains/does not contain | "Regex list" | Does the host URL contain a specific pattern (can be expressed as a regex list)? |
| Internal identifier | in multiple/not in multiple | List of all possibilities | Does the host URL contain compromised credentials for a possible internal host? |
| Matched asset | in multiple/not in multiple | "Brand names" | Does the host URL contain a brand name asset? |
| Matched asset | in multiple/not in multiple | "Company names" | Does the host URL contain a company name asset? |
| Matched asset | in multiple/not in multiple | "Domains" | Does the host URL contain a domain name asset? |
| Matched asset | in multiple/not in multiple | "External IP addresses" | Does the host URL contain an IP address asset? |
| Matched asset | in multiple/not in multiple | "Login pages" | Does the host URL contain a login page asset? |
| Operating system | contains/does not contain | "Regex list" | Does the infected user use an operating system that contains a specific pattern (can be expressed as a regex list)? |
| Operating system | in multiple/not in multiple | All existing options | Does the infected user use a specific operating system? |
| Password after purchase | is/is not | Available | Do the credentials that are offered for sale contain a password that is available after purchase? |
| Relevant credentials (amount) | =, !=, >=, <=, >, < | Type an integer between 0 and 1000 | What is the amount of relevant credentials in this bot? |
| Username after purchase | is/is not | Available | Do the credentials that are offered for sale contain a username that is available after purchase? |

Bot data for sale - default rule

| Rule name | Description of match | Default state |
|---|---|---|
| Bot Data for Sale - Default Detection Rule | Bot data for sale was found with an exposed strong identifier. | Enabled |

Black markets

Black markets - conditions

The following table describes the conditions that you can use to create rules. When using a regular expression, don't surround the expression with quotation marks.

| Features | Operator | Value | Description |
|---|---|---|---|
| Detection algorithm | identified/did not identify | Black Markets | Did the detection algorithm identify relevant products for sale on the dark web? |
| Asset tags | in/not in | Select tags | Are any of the threat's matched assets tagged with any of the specified tags? |
| Days since product published | =, !=, >=, <=, >, < | Type an integer between 0 and 1000 | How many days ago was this product published? |
| Matched asset | in/not in | "Brand names" | Does the product name or description contain a specified brand name asset? |
| Matched asset | in/not in | "Company names" | Does the product name or description contain a specified company name asset? |
| Matched asset | in/not in | "Domains" | Does the product name or the product description contain a domain name asset? |
| Price | =, !=, >=, <=, >, < | Type a value | Does the price for the product match a specified price? |
| Price | is/is not | at auction | Is the product offered for sale at auction? |
| Product description | contains/does not contain | "Regex list" | Does the product description contain a specific pattern (can be expressed as a regex list)? |
| Product name | contains/does not contain | "Regex list" | Does the product name contain a specific pattern (can be expressed as a regex list)? |
| Product type | contains/does not contain | "Regex list" | Does the product type contain a specific pattern (can be expressed as a regex list)? |
| Product type | in/not in | Product types | Does the product type match selected options? |
| Seller | contains/does not contain | "Regex list" | Does the seller of the product contain a specific pattern (can be expressed as a regex list)? |
| Source name | in/not in | Sources list | Does the source of the published product match a specified value? |

Black markets - default rule

| Rule name | Description of match | Default state |
|---|---|---|
| Black Markets - Default Detection Rule | A company-related product was found to be sold on a dark web black market. | Enabled |

Black markets Alert Profiler examples

These examples show how to use the Alert Profiler for black market threats.

Problem: The customer has a brand that is frequently targeted by threat actors, while other brands are less targeted.

Solution: Add a condition (to the Detection algorithm) that alerts only on products that contain the targeted asset. Customize alert triggering with the Alert Profiler:

  1. Edit the default rule, and change "any" to "all."
  2. Add the Matched asset condition.
  3. Add the parameters to select the targeted asset.

Problem: The customer wants to be alerted only on specific product types.

Solution: Add a condition (to the Detection algorithm) that alerts only on products that belong to a defined category. Steps:

  1. Edit the default rule, and change "any" to "all."
  2. Add the Product type condition.
  3. Add the parameters to define a specific type of product.
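The two procedures above both depend on step 1: while the rule combinator is still "any", the default Detection algorithm condition alone fires the rule, so an added Matched asset or Product type condition does not narrow anything until the combinator becomes "all". The following added example (not the product's own engine, and not code from the original page) models the any/all combinator and the in/not in, contains, and comparison operators from the Black markets table against constructed, hypothetical listings:

```python
import operator
import re

# Comparison operators the page offers for numeric features such as Price.
_CMP = {"=": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}

def evaluate(cond, listing):
    """Evaluate one (feature, operator, value) condition against one listing."""
    feature, op, value = cond
    actual = listing.get(feature)
    if op in ("identified", "did not identify"):
        hit = listing.get("Detection algorithm") == value
        return hit if op == "identified" else not hit
    if op in ("in", "not in"):
        # Set-valued features (Matched asset, Product type) match on any overlap.
        actual_set = set(actual) if isinstance(actual, (list, set, tuple)) else {actual}
        hit = bool(actual_set & set(value))
        return hit if op == "in" else not hit
    if op in ("contains", "does not contain"):
        # Regex list: patterns are written bare, with no surrounding quotation marks.
        hit = any(re.search(p, actual or "") for p in value)
        return hit if op == "contains" else not hit
    if op in _CMP:
        return actual is not None and _CMP[op](actual, value)
    raise ValueError(f"unsupported operator: {op!r}")

def rule_matches(rule, listing):
    """A rule fires when 'any' (the default) or 'all' of its conditions hold."""
    combine = any if rule["match"] == "any" else all
    return combine(evaluate(c, listing) for c in rule["conditions"])

def with_condition(rule, cond, match="all"):
    """Copy a rule, append one condition and set the any/all combinator."""
    return {"match": match, "conditions": rule["conditions"] + [cond]}

# Constructed sample listings (hypothetical data, not taken from any real source).
LISTINGS = [
    {"id": 1, "Detection algorithm": "Black Markets", "Matched asset": ["ExampleBrand"],
     "Product name": "ExampleBrand gift cards", "Product type": "Gift cards", "Price": 40},
    {"id": 2, "Detection algorithm": "Black Markets", "Matched asset": ["example.com"],
     "Product name": "example.com admin access", "Product type": "Accounts", "Price": 300},
]
# The page's default rule: a single Detection algorithm condition, combined with "any".
DEFAULT_RULE = {"match": "any",
                "conditions": [("Detection algorithm", "identified", "Black Markets")]}

def matching_ids(rule):
    return [item["id"] for item in LISTINGS if rule_matches(rule, item)]
```

Compare `with_condition(DEFAULT_RULE, ("Matched asset", "in", ["ExampleBrand"]), match="any")`, which still matches both listings, with the same call using the default `match="all"`, which matches only listing 1.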