Domain Identifiers are used to search for activities related to a domain name. When the system searches for a domain name on the criminal underground or the clear web, it looks for a precise match aligned with the following rules:

With a domain like foo.com:

With a subdomain like foo.bar.com:

Name Identifiers are used to search for people-related activities, specifically with their first and last names.

Flare uses combinations of the provided First name and Last name to search for results on the clear web and dark web.

Name Identifiers have an optional setting called Strict mode. When enabled, Flare will only search for activities that contain subsequent first name and last name. This can help reduce false positives for people with common first names, etc.

Email Identifiers are used to search for activities related to a person or organization’s email address.

For example, you are likely to find leaked passwords results or discussions of a person or business alongside their email address on the open web. We will show the leaked passwords associated with this email, search for mention of this email on clear web and dark web, and track any commits made to source code repository websites.

Keyword Identifiers are used to search for activities related to specific keywords. For example, you can search for your organization's name or brand names and monitor for mentions of those keywords on the dark web.

Flare also uses Keyword Identifiers to do data collection. Keyword Identifiers will be used to search on different platforms Flare monitors (like GitHub, Twitter, Shodan, etc.). Any results that are found will then be added to Flare so that you can view them in your Event Feeds.

Azure Tenant Identifiers are used to search for events containing mentions of an Azure Tenant. This type of Identifier functions similarly to the Keyword type. The main difference between the two is that Identifier Recommendations will recommend Azure Tenant type Identifiers when a monitored domain is found to be linked to a Microsoft Azure Tenant.

Monitoring for an Azure Tenant ID is a great way to detect secrets on GitHub (or other sources) when there is no reference to the domain of your organization due to configuration files containing Azure Tenant ID's.

BIN Identifiers are used to search for activities related to credit card numbers, starting with the specified bank identification numbers. Enter the first numbers of the card without spaces. Flare handles any spaces that might appear in the crawled content and keeps only the card numbers that match the Luhn algorithm.

For example, with BIN 52588: 

A regex can also be used. For example, with BIN 52588[0-1]:

IP Address Identifiers are used to search for activities related to IP addresses. This is particularly useful for monitoring open ports or to look for technical information leaks related to addresses in your public IP range. Both specific IP addresses and CIDR IP ranges are supported.

Example values:

Query Identifiers can be used to filter by field or use regex patterns to search for terms that do not fit in any other Identifier type. Use the Lucene query syntax to write these search queries. This allows you to receive email alerts when new results are added to Flare's Database for that search. For finding events that have been indexed by Flare prior to the creation of your Identifier, you can paste your Query/Regex into Flare's Search Bar to find historical data.

Details about the syntax and examples are described in Search

Query Identifiers function similarly to searching with Flare's Search bar.

The limit for the query Identifier is about 1000 words separated by boolean operators and a nested structure of 20 deep maximum.

GitHub Repository Identifiers allow you to specify both a Repository Owner and/or Repository Name on GitHub and then monitor for new activities that match the information provided.

Username Identifiers function similarly to Name Identifiers but for clear web and dark web mentions of an individual's Username.

Password Identifiers allow you to monitor the clear and dark web for mentions of a password you know. This can be helpful for locating mentions of a previously leaked password to better understand how potential threat actors might discuss it on the web.

You can limit the identifier to apply only to selected categories. By default, certain Categories are disabled for certain Identifier Types to avoid returning zero results or false positives, as follows:

For Domain: Web Accounts Category is disabled;

For Name: Look-alike Domains, Leaked Credentials, Hosts, Web Accounts categories are disabled;

For Email: Look-alike Domains, Hosts, Web Accounts categories are disabled;

For Keyword: Look-alike Domains, Leaked Credentials, Hosts, Web Accounts categories are disabled;

For IP Address: Look-alike Domains, Leaked Credentials, Web Accounts categories are disabled;

For Query: Look-alike Domains, Leaked Credentials, Web Accounts categories are disabled;

For Password: Look-alike Domains, Hosts, Web Accounts categories are disabled;

For BIN: Look-alike Domains, Leaked Credentials, Hosts, Web Accounts categories are disabled;

For Username: All categories, except Web Accounts, are disabled;

For Github Repository: Web Accounts are disabled;

They can be manually enabled if needed.

Select the minimal alert severity to ignore less critical events associated with this identifier.

To learn more about severities, see Understand Severity Scoring.

You can use ignore terms on an Identifier to filter out all Events containing that specific term from appearing in your feed. For instance, if your domain name is matched on numerous ad-block lists on GitHub (a frequent scenario), you can effortlessly exclude it by specifying either the document's title or the repository's name through the 'Add term' button.

You can add this identifier to an existing identifiers group. 

For every Identifier, specific Alerts can be configured.

When Alerts are enabled, alerts are sent via email by default. Secondary addresses can also be included, to share any activity with a colleague or a shared inbox.

Alerts can be sent as soon as an activity is found or in a daily or weekly recap. For more details on email alerts, please visit the Email Alerts article.