Collection Data Categories
Stealer Logs

Stealer logs are records generated by infostealer malware running on compromised machines. They typically contain highly sensitive data such as saved usernames and passwords, browser cookies and session tokens, autofill data, browser history, and basic system information (IP, OS, hostname, etc.). Flare aggregates stealer logs from multiple sources, normalizes them, and surfaces events when the exposed data matches your monitored identifiers (e.g. domains, emails, IPs). Because stealer logs often provide everything an attacker needs for account takeover, they are among the most critical data types we monitor.

Chats

The Chats category includes conversations and posts from real-time messaging environments used by threat actors and fraud communities. This can range from open “announcement” channels to invite-only group chats where actors coordinate operations, share tools, or trade data. Flare monitors selected high-risk chats and generates events when messages or attachments match your identifiers or relevant threat patterns.

Messaging Apps

Messaging Apps covers monitored channels and groups on platforms such as Telegram and Signal that are known to host cybercrime, fraud, or underground activity. These spaces are often used to distribute stealer logs, data leaks, phishing kits, credentials, and tooling, or to coordinate campaigns. Flare ingests messages and attachments from these channels and surfaces events when they relate to your organization or risk profile.

Darkweb Rooms

Darkweb Rooms refers to real-time chat or shoutbox-style features embedded in dark web forums or marketplaces. These rooms are typically used for quick coordination, support, or off-topic chatter between threat actors. While less structured than forum posts, they can still contain mentions of targeted companies, credentials, or operational details. Flare monitors selected rooms and raises events when your identifiers or relevant threats appear.

Communities

The Communities category groups platforms where users regularly exchange information, trade, and collaborate in a more persistent and structured way than in chat apps. These include illicit forums and imageboards where actors post tutorials, tools, data leaks, or requests for services. Flare monitors these communities to detect when discussions, offers, or shared content involve your brand, infrastructure, or employees.

Forums

Forums are structured discussion boards where users create topics and replies on cybercrime, fraud, hacking, or related activities. They are often the primary place where threat actors advertise services, coordinate campaigns, share breaches, or exchange techniques. Flare collects forum posts and threads from selected communities and triggers events when your identifiers or relevant keywords are mentioned, or when a topic represents a potential threat (e.g. access for sale, targeting discussions).

Imageboards

Imageboards are communities centered around posts that may include both images and text, sometimes with minimal structure or moderation. Certain imageboards are used to share doxing material, harassment campaigns, or leaks that don’t always appear on classic forums. Flare monitors selected imageboards for posts that reference your organization, key individuals, or sensitive data and generates events when a match is found.

Ransomware

The Ransomware category covers content from ransomware and extortion groups, primarily via their public “leak sites” and communication channels. These sites are used to list victims, publish proof of compromise, and release stolen data if ransom demands are not met. Flare continuously monitors these sources for new victim entries and data publications. When we detect a match to your organization or your supply chain, we generate events to help you assess exposure, validate incidents, and support response efforts.

Marketplaces

The Marketplaces category includes underground markets and shops where illicit goods and services are bought and sold. This can cover everything from access to compromised systems and accounts, to stolen financial data, to full-service offerings (e.g. cashout, fraud services). Flare ingests marketplace listings and related data, and raises events when items for sale are linked to your organization, your customers, or your technology stack.

Financial Data

Financial Data within marketplaces refers to listings that offer payment cards, bank accounts, payment processor credentials, or other financial instruments. These may be sold individually, in bulk, or bundled with identity data. Flare detects when such listings reference your brand, BIN ranges, financial products, or partners, helping you identify potential fraud and carding activity.

Infected Devices

Infected Devices are marketplace listings advertising access to compromised systems—often the output of stealer malware sold on “logs” shops or similar platforms. These listings typically include device fingerprints, geolocation, installed software, and sometimes high-level credential counts, but not always full raw logs. Flare monitors these offers and surfaces events when infected devices appear to be associated with your organization, your employees, or your customers.

Listings

Listings is a broader sub-category for other items and services sold on marketplaces, such as accounts, identities, tools, or fraud services that don’t fall strictly under Financial Data or Infected Devices. Flare scans these listings for references to your brand, products, or infrastructure, allowing you to see when your assets or services are being abused or resold.

Publications

The Publications category covers websites and pages where threat actors or related communities publish content rather than trade or chat. These can include long-form blog posts, dedicated doxing pages, and website defacements that are meant to communicate a message, intimidate, or cause reputational damage. Flare monitors these publications for mentions of your organization, executives, or other sensitive references.

Blogs

Blogs includes posts and articles on sites controlled by threat actors or cybercrime communities, as well as certain illicit news or “research” sites that report on breaches, tools, and attacks. These blogs can disclose new incidents, publish stolen data, or share technical walkthroughs of attacks. Flare tracks relevant blogs and generates events when posts relate to your company, technology stack, or industry.

Doxing

Doxing pages are dedicated to exposing personal information about individuals, such as home addresses, phone numbers, family members, or private accounts. These pages are often used to harass, threaten, or pressure targets. Flare monitors known doxing sites and sections, and raises events when individuals tied to your organization are mentioned, helping you respond to personal risk and executive protection concerns.

Defacement

Defacement refers to websites that have had their content altered by attackers, typically to display a message, propaganda, or proof of compromise. Flare tracks defacement archives and related sources where such incidents are recorded or mirrored. When a defacement involves your domains, brands, or infrastructure, we generate events so you can validate and remediate the incident.

Pastes

The Pastes category covers content from paste and snippet-sharing services such as Pastebin, Gist, and similar platforms. Threat actors use these services to share logs, credentials, configuration files, and other data, but they are also commonly used by developers to exchange code snippets. In some cases, this leads to accidental exposure of sensitive information such as API keys, access tokens, or other non-human identifiers (NHIs). Flare monitors selected paste services for your identifiers and for potential leaked secrets, generating events when we detect data that may put your organization at risk.