Console

The web-accessible user interface (console) is the main instrument an operator uses for reviewing gathered intelligence and adjusting the Tirreno system’s functioning. The console consists of two parts: a sidebar with the menu on the left side and the main body for outputting a selected page’s data.

The pages expose the gathered information through a set of tables, charts, widgets, and controls. They enable multidimensional lookup, filtering, and ordering of data. This way, the console provides detailed intelligence on user identities and their interaction with a platform, making suspicious activity notable.

As a rule of thumb, warning signals are coloured yellow throughout the user interface. Outstanding abnormalities are coloured red (for instance, low trust scores), ranging up to purple in extreme cases (such as in rules). Green, in contrast, is typically used to mark presumably safe entities.

By default, most of the pages output data for the last month. One of the pre-defined periods can be selected in the upper-right corner of the interface. A selection of one day (1D), three days (3D), one week (1W), two weeks (2W), one month (1M), and three months (3M) is available. To obtain the entire dataset, click the label MAX.

The top part of many pages contains a search bar for looking up entities across the system by matching user ID, name, email, phone number, autonomous system number (ASN), or the domain name of an email address. In addition, the principal tables are accompanied by more focused, specialized search bars for easier exploration of large datasets. The specialized search bars are generally located near the upper-right corner of a table.

Dashboard

The Dashboard page loads by default after a successful login. It provides a quick overview of user activity. This page comprises several widgets, each of which outputs information collected during a selected period of time and links to pages with more extended information on an entity of interest.

In particular, the top row shows the number of events, users, IP addresses, countries, and resources recorded during the selected period of time and in total. It also shows the number of blacklisted users and the number of users with low trust scores, with links to the corresponding pages for a thorough review.

The second row of widgets displays users, countries, and resources with the highest level of activity during the set period of time.

The last row is akin to light defence weaponry. It serves well for the primary detection of malicious scenarios by analyzing IP addresses. This includes reviewing users with shared IP addresses, users on the TOR network, and users with many different IP addresses. (For more details, see IP Address Signals.)
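The three signals in the last Dashboard row can be reproduced over raw event records, which helps when sanity-checking what the widgets report. This is an added example, not Tirreno code; the field names, the `tor` enrichment flag, the sample events, and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample events; field names are hypothetical, not Tirreno's event schema.
# "tor" stands in for a flag set by upstream IP enrichment.
EVENTS = [
    {"user": "u1", "ip": "198.51.100.7", "tor": False},
    {"user": "u2", "ip": "198.51.100.7", "tor": False},
    {"user": "u3", "ip": "198.51.100.7", "tor": False},
    {"user": "u4", "ip": "203.0.113.10", "tor": True},
    {"user": "u5", "ip": "192.0.2.1", "tor": False},
    {"user": "u5", "ip": "192.0.2.2", "tor": False},
    {"user": "u5", "ip": "192.0.2.3", "tor": False},
    {"user": "u5", "ip": "192.0.2.3", "tor": False},  # repeat event, same IP
    {"user": "u6", "ip": "192.0.2.50", "tor": False},
]


def ip_signals(events, shared_min_users=2, many_ips_min=3):
    """Return the three IP-based signals as {signal: {key: detail}}.

    Thresholds are assumptions for this example, not Tirreno defaults.
    """
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    tor_users = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        ips_by_user[e["user"]].add(e["ip"])
        if e["tor"]:
            tor_users[e["user"]].add(e["ip"])

    return {
        # One IP address seen with several distinct accounts.
        "shared_ip": {ip: sorted(u) for ip, u in users_by_ip.items()
                      if len(u) >= shared_min_users},
        # Accounts with at least one event from a Tor-flagged address.
        "tor": {u: sorted(ips) for u, ips in tor_users.items()},
        # One account seen from many distinct addresses (distinct IPs, not events).
        "many_ips": {u: sorted(ips) for u, ips in ips_by_user.items()
                     if len(ips) >= many_ips_min},
    }


if __name__ == "__main__":
    for signal, hits in ip_signals(EVENTS).items():
        print(signal, hits)
```

Counting distinct addresses per user, rather than events, keeps a single busy but stationary account out of the many-IPs signal.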

Review Queue

The Review queue page enables the assessment of users with low trust scores.

The chart on this page shows the daily count of such users identified within a chosen time frame, categorized by review status.

The table below presents basic user information and allows an operator to remove a user from the queue by performing a user score review, one of the most strongly recommended operator procedures.

Note that the Review queue notifications option on the Settings page enables daily or weekly email reminders to examine Review queue items.

Events

This page lists events for a selected period of time. It features a chart that displays the number of daily events.

The table below outputs the information reported for each event, with extended details shown when clicking on a row. In particular, that includes the time of the event, a requested resource, user information and identity-based analytics.

Users

This page outputs basic information about all the users reported during a selected period of time.

The chart shows the daily number of new visitors, ranked by their trust score values.

The table beneath lists each user’s trust score, basic account information, and review status. The specialized search bar and the Apply rules filter near the upper-right corner of the table simplify user lookup by user ID, email, name, signup date, or selected rules.

A page devoted to individual user analytics can be opened by clicking on a table row. This page comprises widgets, tables, and charts that reveal cumulative intelligence on user identities (such as IP addresses, emails, and phone numbers) and associated activities. It also displays user-matching rules and enables setting user review status.

A careful study of the data presented on a user page is one of the keys to the identification of a malicious actor and is often an essential part of threat hunting. (See the chapter on Operator Procedures.)

Caution

Clicking the Delete user button at the bottom of the page triggers the removal of all recorded user-related information.

IP Addresses

This page presents information grouped by IP address. The data is shown for a specified period of time.

The chart illustrates the daily number of residential (considered safe) and non-residential (considered a warning signal) IP addresses.

The table lists IP addresses with key details and indicators of suspicious activity. In particular, the indicators include non-residential IP addresses and a high number of related events and users.

For a more in-depth analysis of the data gathered on a specific IP address, click on a table row. The subsequent page features widgets that output warning signals for the IP address, as well as lists associated users, devices, and events. The events table is accompanied by a chart summarizing the daily count of requests made from the IP address.

Countries

This page presents information grouped by countries identified based on the requests’ IP addresses. The data is displayed for a specified time period.

The map shows the geolocated countries and the respective number of users, while the table displays primary statistics for each country.

To access more analytics related to a country, click on a table row. The subsequent page provides the total number of users, IP addresses, and events attributed to the country. It also includes compiled data on users, IP addresses, internet service providers (ISPs), and events. The latter includes a chart visualizing the daily request count from that country.

ISPs

The ISPs page exhibits analytics categorized by internet service providers, identified through IP addresses recorded over a chosen period.

The chart displays the daily count of unique and newly reported active ISPs.

The table presents ISPs with their key statistics. More in-depth data is exposed on a specific ISP’s page, which can be opened by clicking on a table row. This page offers compiled information on associated users, IP addresses, and events through total counts, tables, and illustrative charts.

Domains

This page offers analytics grouped by email domain.

The chart illustrates the daily count of unique and newly reported domains, while the table provides essential domain information and warning signals.

To access a page with more information on an email domain, click on a table row. Here you can see domain statistics, warning signals, and aggregated data on linked users, IP addresses (including a map of geolocated countries), ISPs, and events (accompanied by a chart showing the daily request count).

Resources

The Resources page enables the review of user activity grouped by the requested resource over a selected time period.

The chart on this page illustrates the HTTP response status codes returned for user requests. Namely, it displays the daily counts of OK (200), Not Found (404), and Forbidden (403) with Internal Server Error (500) responses.

To access detailed information regarding a resource, click on a table row. The page that opens provides aggregated data on the users, IP addresses, internet service providers (ISPs), devices, and events recorded in connection with the resource requests.

Devices

This page outputs device information identified based on the user agents of requests made during a specified period of time.

The chart illustrates the daily number of active devices, categorized as desktop or mobile, with bots separated into their own category.

A page with more detailed device analytics can be opened by clicking on a table row. This page displays basic device information and provides aggregated data on the associated users, IP addresses (including a map of geolocated countries), and events (accompanied by a chart summarizing the daily request count from the device).

Blacklist

The Blacklist page displays user identities added to a blacklist within a specified time frame.

The chart visualizes the daily count of blacklisted identities.

Each identity’s details are outlined in the table below. To remove an identity from the blacklist, click the Remove button on the right side. A page with more details on a corresponding user can be opened by clicking on a table row.

Rules

This page lists conditions (rules) that can serve two purposes, namely:

  1. When enabled, to be utilized by the rules engine for the trust score calculations.

  2. To be manually triggered to get a list of users matching it.

To enable the processing of a rule by the rules engine, set a rule’s weight to one of the following values: Extreme, High, Medium, or Positive. Setting the value to None disables the processing of a rule. To save an adjusted value, click the button appearing on the right side.

The highest weight (Extreme) strongly affects the calculated trust score of a user matching the rule, resetting the trust score to the critically low value at once. Rules with the High and Medium weights reduce the trust score at correspondingly diminishing rates. In contrast, a rule with the Positive weight increases the user’s trust score value.

To manually trigger a rule’s processing (e.g., for testing it), click the button shown on the right side. A list of users matching the rule will be shown below the rule’s definition.

The rules engine’s configuration and analysis of the outcomes of its work are vital parts of an operator’s daily routine. Notably, see the Supplemental Investigation section for several exemplary cases.

API Key

This page provides information necessary to complete and fine-tune API Integration.

An API key is shown at the top of the page. It authorizes a client platform to connect to the Tirreno API. An API key can be renewed by clicking the Reset button. Note that this action invalidates the previously used key.

The code examples on this page demonstrate the format in which Tirreno expects event data to be sent, including mandatory and optional fields for passing event details.

The Share access section placed beneath provides a way to manage operators that have access to the console. This can be done by inviting new operators via email or revoking access for the existing ones.

Lastly, use the Data retention panel located at the bottom of the page to restrict the maximum duration of recorded information storage.

Settings

This page provides the ability to configure and control an account, as listed below:

Profile

Set basic profile information here.

Time zone

Select a time zone for representing timestamps in the user interface.

Password

Set a new password for the account login.

Change email address

Configure an email address associated with the account.

Review queue notifications

Select how often to send an email reminder to inspect Review Queue items. The notifications can be sent on a daily or weekly basis, or they can be disabled.

Delete account

⚠️ Use this action with caution! ⚠️ Deletion of an account is unrecoverable and leads to the removal of all related information, including the entire recorded history of events.