Trigger Events

ClearIP monitors fraudulent activity by reviewing the fraud scores of recent phone calls and looking for suspicious patterns as configured by fraud triggers. When a fraud trigger’s fraud score threshold is exceeded, a trigger event occurs. A trigger event is ClearIP’s detection of and response to a fraud attack.

The trigger event will remain activated for the time specified in the trigger. While activated, the action specified for the trigger event is performed for all calls arriving at the SBC that match the fraud trigger record that was set off. Actions include the ability to block calls, divert calls to the diversion device, or only send an alert. All actions will send an alert to the specified email address, phone number, and/or HTTP URL when a trigger event is activated.

Trigger Alert

When a trigger event is activated, an alert containing detailed information about the fraud event is sent out to the recipient specified in the fraud trigger record. An alert can be sent via email, text message, or HTTP POST to a specified URL.

Alert Email

Below is an example ClearIP alert email sent after a trigger event is activated.

The alert provides direct links to the Trigger Events page and the SIP Messages page to allow the review of the fraud attack. Both pages can also be accessed through the Analytics tab.

NOTE: ClearIP is currently only able to support a single Alert Email address for each trigger. To send alert emails to multiple people, it is recommended to create an email list with the desired recipients and set the email list as the Alert Email address.

HTTP POST to Alert URL

Here is an example of the contents of an alert HTTP POST sent by ClearIP for a Slow Traffic Pumping by User and Calling Number Trigger Event.

{
  "action": "block",
  "actionEndTime": 1577973558312,
  "actionStartTime": 1577969958312,
  "actionTime": 60,
  "alertEmail": "example@transnexus.com",
  "alertPhone": "",
  "alertUrl": "",
  "bucketSize": 60,
  "calledNumber": "18554742536",
  "callingNumber": "14045266060",
  "fraudScore": 11,
  "fraudScoreThreshold": 10,
  "id": "99999999-9999-4999-9999-999999999999",
  "operator": "99999999-9999-4999-9999-999999999999",
  "reseller": "99999999-9999-4999-9999-999999999999",
  "type": "targeted-pumping-by-calling-number"
}

ClearIP uses the following IP ranges to send HTTP POSTs:

  • 35.175.114.64/26
  • 44.234.113.32/27
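A receiver for the alert URL can check the sender's address against these ranges and validate the body before acting on it. The following is an added example, not TransNexus code: the function names are hypothetical, and it assumes the timestamps are Unix epoch milliseconds and that the fields marked required always appear, both of which match the sample body above.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Source ranges this page lists for ClearIP alert POSTs.
CLEARIP_RANGES = [ipaddress.ip_network(n)
                  for n in ("35.175.114.64/26", "44.234.113.32/27")]
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: these fields from the sample body are always present.
REQUIRED = {"action": str, "type": str, "id": str,
            "actionStartTime": int, "actionEndTime": int,
            "fraudScore": (int, float), "fraudScoreThreshold": (int, float)}

def is_clearip_source(peer_ip):
    """True if the connection's peer address is inside a listed range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in CLEARIP_RANGES)

def handle_alert(peer_ip, body):
    """Validate one alert POST; return a summary dict or raise ValueError."""
    if not is_clearip_source(peer_ip):
        raise ValueError("source address outside ClearIP ranges")
    try:
        alert = json.loads(body)
    except ValueError as exc:  # covers bad JSON and bad encoding
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(alert, dict):
        raise ValueError("body is not a JSON object")
    for key, kind in REQUIRED.items():
        value = alert.get(key)
        if isinstance(value, bool) or not isinstance(value, kind):
            raise ValueError(f"missing or malformed field: {key}")
    start_ms, end_ms = alert["actionStartTime"], alert["actionEndTime"]
    if end_ms < start_ms:
        raise ValueError("actionEndTime precedes actionStartTime")
    try:  # assumption: timestamps are Unix epoch milliseconds
        starts = EPOCH + timedelta(milliseconds=start_ms)
        ends = EPOCH + timedelta(milliseconds=end_ms)
    except OverflowError as exc:
        raise ValueError("timestamp out of range") from exc
    return {"id": alert["id"], "type": alert["type"], "action": alert["action"],
            "calling": alert.get("callingNumber"),
            "called": alert.get("calledNumber"),
            "over_threshold_by": alert["fraudScore"] - alert["fraudScoreThreshold"],
            "starts": starts, "ends": ends,
            "block_minutes": (end_ms - start_ms) // 60000}
```

Pass the address of the TCP peer to handle_alert, not a value taken from a client-supplied header such as X-Forwarded-For, unless a proxy you control sets that header.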

Trigger Event Details

The Trigger Events page displays information about past trigger events and contains detailed information such as the cumulative fraud score that activated the trigger event and the time when the trigger event occurred. This is also the information included in the fraud trigger alert.

While the trigger event is activated, ClearIP does not perform fraud analysis on the blocked calls. Fraud analysis is not billed for blocked fraud calls except for the single call that activates the trigger event.

The Fraud Score listed in the trigger event details represents the total financial loss from the fraud attack for all fraud types except Targeted Pumping and Robocalling.

SIP Message Details

To view the SIP messages that led to a trigger event and the SIP messages affected by it, use the SIP Messages link in the alert or click the Find button on the Trigger Events page. The SIP Messages page is automatically filtered to show only the SIP messages related to the fraud attack.

To find the exact call that activated the trigger event, and to see how long it took ClearIP to stop the fraud attack, sort the SIP messages by Timestamp and look at the Reason column.

Deactivation

Trigger events are automatically deactivated at the end of the configured Action Time, which defaults to a 60-minute duration. If a trigger event must be manually deactivated before the end of the Action Time, the following steps can be used to disable active call blocking:

  1. Identify which fraud trigger policy caused the call to be blocked.
  2. Update the fraud trigger policy to slightly increase the fraud score threshold.
  3. Click on the Deactivate button on the Trigger Events page.

Increasing the fraud score threshold ensures that another trigger event is not activated immediately after Deactivate is clicked and the customer makes a single test call. Clicking the Deactivate button does not clear the call history within ClearIP, so new calls will still be monitored alongside the most recently placed test calls within the fraud trigger analysis period.

Trigger events that have been deactivated, whether automatically or manually, will remain visible in the table.