Configure Identifiers

select identifier type domain domain identifiers are used to search for activities related to a domain name when the system searches for a domain name on the criminal underground or the clear web, it looks for a precise match aligned with the following rules with a domain like foo com foo com match bar foo com match foo com au match foo2 com no match foo comment no match with a subdomain like foo bar com foo bar com match abc foo bar com match foo bar com au match foo bar comment no match foofoo bar com no match foo bar au com no match bar com no match com no match important note identifiers are not case sensitive this is true for across all source types we will identify whether domains are reachable or resolvable with these icons in flare, reachable is a subset of resolvable a resolvable domain means the dns successfully translates it to an ip address a reachable domain means our system can establish a connection with that ip a domain may be resolvable but not reachable for several reasons, including the ip is no longer in service the ip requires authentication (e g , private/internal ips) the connection attempt times out there may be other causes, but these are the most common if you encounter a domain that is resolvable but not reachable, we recommend further investigation if you believe a domain should be reachable but isn’t, please report it as a potential bug so our team can troubleshoot you are also able to filter domains by their dns record and host status , and apply these filters by date subdomain identifiers are important for certian cases auto enumerating subdomain identifiers provides more comprehensive visibility across your attack surface look alike domain detection; individual subdomain identifiers are required for stealer logs; when a subdomain is the authorization url or in the email, we wouldn't match it without the specific subdomain identifier for leaksed credentials; any email addresses associated with subdomains wouldn't be found without the specific subdomain identifier for the majority of our dark web sources; chatter involving a subdomain will be missed without the specific subdomains identifiers identity identifiers identity identifiers replace the following existing types email, name, and username email, name and username identifiers have been transitioned to identity identifiers as attributes identity identifiers are used to search for people related activities, specifically with their first and last names you can add email, name (first name/last name) and username as attributes in the same identity identifier name attributes have an optional setting called strict mode when enabled, flare will only search for activities that contain subsequent first name and last name this can help reduce false positives for people with common first names the “mark as vip” toggle is currently for display purposes only when enabled, it adds a visible label—like the one shown below—so you can easily identify vip identities on your identifiers page for example, you are likely to find leaked passwords results or discussions of a person or business alongside their email address, name or username on the open web we will show the leaked passwords associated with the specific attributes, search for mention of this email on clear web and dark web, and track any commits made to source code repository websites there are two ways to create an identity identifier manually create an identity identifier (unauthorized) sync your identities from entra id (authorized) keyword keyword identifiers are used to search for activities related to specific keywords for example, you can search for your organization's name or brand names and monitor for mentions of those keywords on the dark web flare also uses keyword identifiers to do data collection keyword identifiers will be used to search on different platforms flare monitors (like github, twitter, shodan, etc ) any results that are found will then be added to flare so that you can view them in your https //docs flare systems/browse an event feed azure tenant azure tenant identifiers are used to search for events containing mentions of an azure tenant this type of identifier functions similarly to the keyword type the main difference between the two is that identifier recommendations will recommend azure tenant type identifiers when a monitored domain is found to be linked to a microsoft azure tenant monitoring for an azure tenant id is a great way to detect secrets on github (or other sources) when there is no reference to the domain of your organization due to configuration files containing azure tenant id's bin bin identifiers are used to search for activities related to credit card numbers, starting with the specified bank identification numbers enter the first numbers of the card without spaces flare handles any spaces that might appear in the crawled content and keeps only the card numbers that match the luhn algorithm for example, with bin 52588 5258 8199 1008 5316 match 5258819910085316 match 5 2 5 8 8 1 9 9 1 0 0 8 5 3 1 6 match 52 588 1991 0085316 match a regex can also be used for example, with bin 52588\[0 1] 5258 8199 1008 5316 match 5258 8299 1008 5315 no match ip address ip address identifiers are used to search for activities related to ip addresses this is particularly useful for monitoring open ports or to look for technical information leaks related to addresses in your public ip range both specific ip addresses and cidr ip ranges are supported example values 172 1 1 35 172 1 1 0/24 query query identifiers can be used to filter by field or use regex patterns to search for terms that do not fit in any other identifier type use the https //lucene apache org/core/2 9 4/queryparsersyntax html to write these search queries this allows you to receive email alerts when new results are added to flare's database for that search for finding events that have been indexed by flare prior to the creation of your identifier, you can paste your query/regex into flare's search bar to find historical data details about the syntax and examples are described in https //docs flare io/search in existing data query identifiers function similarly to searching with flare's search bar the limit for the query identifier is about 1000 words separated by boolean operators and a nested structure of 20 deep maximum github repository github repository identifiers allow you to specify both a repository owner and/or repository name on github and then monitor for new activities that match the information provided password password identifiers allow you to monitor the clear and dark web for mentions of a password you know this can be helpful for locating mentions of a previously leaked password to better understand how potential threat actors might discuss it on the web select categories you can limit the identifier to apply only to selected categories by default, certain categories are disabled for certain identifier types to avoid returning zero results or false positives, as follows for domain web accounts category is disabled; for keyword look alike domains, leaked credentials, hosts, web accounts categories are disabled; for ip address look alike domains, leaked credentials, web accounts categories are disabled; for query look alike domains, leaked credentials, web accounts categories are disabled; for password look alike domains, hosts, web accounts categories are disabled; for bin look alike domains, leaked credentials, hosts, web accounts categories are disabled; for github repository web accounts are disabled; they can be manually enabled if needed select severity select the minimal alert severity to ignore less critical events associated with this identifier to learn more about severities, see https //docs flare io/understand scoring ignore terms you can use ignore terms on an identifier to filter out all events containing that specific term from appearing in your feed for instance, if your domain name is matched on numerous ad block lists on github (a frequent scenario), you can effortlessly exclude it by specifying either the document's title or the repository's name through the 'add term' button add to group you can add this identifier to an existing identifiers group to create a group, go to the ‘identifiers’ tab > click on ‘create group’ > give it a name, add it to an existing group if necessary > click on “create group” when you’re done alerts you now have the ability to create alerts directly from a specific identifier within the identifiers section all configured alerts can be viewed in https //docs flare io/alert central , where the targeted identifier is displayed in the identifier scope column related articles