Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Entity Behavior & Linking Page

High Level Overview

The Entity Linking and Behavior page, EB&L, allows a user to dig into an event or a session and investigate any information that has been associated with the entity within the last 90 days.

Entity Spotlight

The "spotlight" or summary of the investigated entity exposes 5 important pieces of information for the reader.

  1. Entity Value: Value or name of the entity.
  2. Entity Type: Every entity has an associated type. This could be a name, phone number, connection IP Address or any other information that can be associated with a good or bad customer. Supported entities on this page include:
    • Account Address
    • Billing Address
    • Customer ID
    • Merchant ID
    • Order ID
    • Refund ID
    • Tracking ID
    • Shipping Address
    • Device Fingerprint
    • Email
    • Billing Email
    • EIN
    • Email To
    • IP Address
    • IP DNS Address
    • IP Hidden Address
    • Payment From
    • Payment From Account ID
    • Payment To
    • Payment To Account ID
    • Phone
    • Alt Phone
    • Billing Phone
    • Shipping Phone
    • SSN
    • Username
  3. First Seen: First time the entity was ever seen. This is the only portion of the page that is not limited to the last 90 days.
  4. Linked Sessions: All the sessions that this entity has been linked to within the last 90 days.
  5. Linked Entities: All the entities that this entity has been linked to within the last 90 days.

Entity Map

The map displays the geographic regions where the entity has been seen. You can click on a location pin to display a list of IP addresses from that region, which is helpful in addressing entities involved in IP cycling attacks.

In the example above, the entity's IP links to the regions Gyeonggi-do, South Korea and Massachusetts, United States.

Transaction Highlights

Spec highlights transaction metrics for particular entities. This information derives from an element that we store called transaction amount. There are three metrics here:

  1. Dollars and count of purchases made by a linked entity.
  2. Dollars of refunds requested and a ratio of the count of refunds requested to count of overall purchases.
  3. Dollars of chargebacks and a ratio of the count of chargebacks requested and count of overall purchases.

Clicking on "View" will direct you to the Search tab with any sessions involved with the transaction.

Linked Entities

The Linked Entities table displays all the entities that the current entity has been seen with in any session within the last 90 days. As you can see, the total results of this table matches what is displayed in the Entity Spotlight under "Linked Entities".

From this table, you can click on the "Shared Sessions" that the current entity and the entity on the table row have been seen together in. You can also click on the link to the left of an entity's detail to open a new EB&L page for the entity displayed on the table row clicked. This can be a very powerful tool to investigate malicious entities and everyone and everything connected to them.

Entity Labels

An Entity Label is configurable text that can be applied to any entity to classify and identify it. Typically, these labels are applied to entities that link to confirmed bad activity. Two specific examples are "entity seen in bad session" and "entity linked to bad session".

Conclusion

As an investigation tool, this page is very powerful because it highlights and exposes information about an entity that allows you to quickly determine whether an entity is good or bad. You can then take further action from this page to decipher whether other linked entities and sessions are good or bad.