Alerts

Overview

Alerts notify you when the risk of a recent lead or signup increases. If data matching yours is added to a blacklist, E-HAWK automatically sends an email so you can quickly review the user, revet them if you wish, and take any necessary actions. Alert Emails are sent every six hours and contain all alerts from that time frame. If you do not want email alerts, you can instead call the Alert API at any time to get Alert data.

Settings and Reporting

Alert settings are configured in the Reporting Portal. You can select alert data types and set a scoring threshold so that only high-impact scoring changes, based on your custom scoring profile, generate alerts. In addition, recent alerts can be viewed in the portal Alert tab.

In the settings area you can configure an email address for Alert notices, Alert Type (Email or API), score threshold, and what data points to monitor.

Alert Data and Format

Alerts contain the following data and are delivered in JSON format.

transaction_id           Transaction ID of the vet
type                     The type that hit the alert, such as IP, Email, Phone, etc.
value                    The value that hit the alert
reason                   The reason for the alert hit, such as Phishing
transaction_score        The Risk Score of the vet
alert_score_impact       The change or impact of the new risk hit, based on your scoring profile
estimated_new_score      An estimate of the new vet score based on the new risk hit
username                 The username value sent in the vet. This should be your unique system user ID
transaction_fingerprint  The Talon fingerprint of the vet
transaction_date         The timestamp of the vet (UTC)
alert_date               The timestamp the Alert was created (UTC)

The JSON format is:

  • transaction_id string
  • type string
  • value string
  • reason string
  • transaction_score string
  • alert_score_impact string
  • estimated_new_score string
  • username string
  • transaction_fingerprint string
  • transaction_date string
  • alert_date string


Email Alerts

Email Alerts are sent every six hours to your configured Alert email address and contain a list of all issues during that period. The emails show data for each Alert and contain JSON data at the end for back-end processing.

Subject: E-HAWK Alert - 2016-04-01 04:00:00

The following transactions(s) have been tagged with new information. You may want to review or revet the user(s) as their risk score has changed. At the bottom of this email are alerts in JSON format for back-end processing.

transaction_id: 56fbed88a7c018
type: ip
value: 10.1.1.1
reason: Phishing
transaction_score: -38
alert_score_impact: -70
estimated_new_score: -108
username: user1234
transaction_fingerprint: fb713c209
transaction_date: 2016-04-10 06:00:00 (UTC)
alert_date: 2016-04-10 06:00:00 (UTC)


-- JSON DATA START --
[{"transaction_id":"56fbed88a7c018", "type":"ip", "value":"10.1.1.1", "reason":"Phishing", "transaction_score":"-38", "alert_score_impact":"-70", "estimated_new_score":"-108", "username":"user1234", "transaction_fingerprint":"fb713c209", "transaction_date":"2016-04-10 06:00:00", "alert_date":"2016-06-10 10:00:00"}]
-- JSON DATA END --

Alert API

To get Alerts via an API call (either POST or GET), use the following:

https://feed-api.e-hawk.net/apikey/alert/function/

Where function is list to get all new, undelivered Alerts and mark them as "sent". As a backup, you can also call list24 to view all Alerts from the last 24 hours; this does not mark any as "sent" and leaves the unsent tags in the portal.

The response is a JSON string in which each Alert is its own JSON object. The Alert JSON contains the Vet Transaction ID and all the data for the Alert. As an example:

{"response":
  [{"transaction_id":"56fbed88a7c018",
    "type":"ip",
    "value":"10.1.1.1",
    "reason":"Phishing",
    "transaction_score":"-38",
    "alert_score_impact":"-70",
    "estimated_new_score":"-108",
    "username":"user1234",
    "transaction_fingerprint":"fb713c209",
    "transaction_date":"2016-04-10 06:00:00 (UTC)",
    "alert_date":"2016-06-10 10:00:00 (UTC)"}],
  "status":200
}

Alert API Response and Status Codes

Status  Response
200     OK (no errors)
403     Alert Type is set to Email in the Portal. Change to API.
502     Invalid APIKEY or URL
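
Back-end processing of both delivery channels, as an added example that is not E-HAWK's own code: it parses an Alert API response or the JSON block at the end of an Alert email, rejects alerts that lack any of the eleven string fields, and converts the scores to integers. It assumes error responses carry the same "status" key in the JSON body as the 200 example; needs_review and its floor cutoff are hypothetical names.

```python
import json

FIELDS = ("transaction_id", "type", "value", "reason", "transaction_score",
          "alert_score_impact", "estimated_new_score", "username",
          "transaction_fingerprint", "transaction_date", "alert_date")
SCORES = ("transaction_score", "alert_score_impact", "estimated_new_score")
ERRORS = {403: "Alert Type is set to Email in the Portal",
          502: "Invalid APIKEY or URL"}
START, END = "-- JSON DATA START --", "-- JSON DATA END --"

def normalize(alerts):
    """Require all eleven string fields; convert the three scores to int."""
    out = []
    for a in alerts:
        bad = [f for f in FIELDS if not isinstance(a.get(f), str)]
        if bad:
            raise ValueError(f"alert fields missing or not strings: {bad}")
        out.append({**a, **{k: int(a[k]) for k in SCORES}})
    return out

def alerts_from_api(body):
    """Parse an Alert API response body; raise on any status other than 200."""
    doc = json.loads(body)
    status = doc.get("status")  # assumption: errors also carry "status" in the body
    if status != 200:
        raise RuntimeError(f"{status}: {ERRORS.get(status, 'unexpected status')}")
    return normalize(doc["response"])

def alerts_from_email(text):
    """Extract and parse the JSON block at the end of an Alert email."""
    start = text.index(START) + len(START)
    return normalize(json.loads(text[start:text.index(END, start)]))

def needs_review(alerts, floor):
    """Usernames whose estimated new score is at or below floor (hypothetical cutoff)."""
    return sorted({a["username"] for a in alerts if a["estimated_new_score"] <= floor})

# Constructed sample input, rebuilt from the example alert on this page.
_ALERT = dict(zip(FIELDS, ("56fbed88a7c018", "ip", "10.1.1.1", "Phishing", "-38",
                           "-70", "-108", "user1234", "fb713c209",
                           "2016-04-10 06:00:00", "2016-06-10 10:00:00")))
SAMPLE_API = json.dumps({"response": [_ALERT], "status": 200})
SAMPLE_EMAIL = f"alert text...\n{START}\n{json.dumps([_ALERT])}\n{END}\n"

if __name__ == "__main__":
    print(needs_review(alerts_from_api(SAMPLE_API), floor=-100))
```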