Trigger Events

Introduction

ClearIP monitors fraudulent activity by reviewing the fraud scores of recent phone calls and looking for suspicious patterns as configured by your fraud triggers. When a fraud trigger’s fraud score threshold is exceeded, a trigger event occurs. A trigger event is ClearIP’s detection of and response to a fraud attack.

The trigger event will remain activated for the time specified in the trigger. While activated, the action specified for the trigger event is performed for all calls arriving at the SBC that match the fraud trigger record that was set off. Actions include the ability to block calls, divert calls to the diversion device, or only send an alert. All actions will send an alert to the specified email address, phone number, and/or HTTP URL when a trigger event is activated.

Trigger Alert

When a trigger event is activated, an alert containing detailed information about the fraud event is sent out to the recipient specified in the fraud trigger record. An alert can be sent via email, text message, or HTTP POST to a specified URL.

Alert Email

Below is an example ClearIP alert email sent after a trigger event is activated.

[Image: Fraud Trigger Alert Email]

The alert provides direct links to the Trigger Events page and the SIP Messages page to enable you to review the fraud attack. Both pages can also be accessed through the Analytics tab.

Note: ClearIP is currently only able to support a single Alert Email address for each trigger. If you would like to send alert emails to multiple people, we suggest that you create an email list with the desired recipients and set the email list as the Alert Email address.

HTTP POST to Alert URL

Here is an example of the contents of an alert HTTP POST sent by ClearIP for a Slow Traffic Pumping by User and Calling Number Trigger Event.

{
  "action": "report-only",
  "actionEndTime": 1577973558312,
  "actionStartTime": 1577969958312,
  "actionTime": 60,
  "alertEmail": "example@transnexus.com",
  "alertLanguage": "en",
  "alertPhone": "",
  "alertUrl": "",
  "bucketSize": 60,
  "calledCountry": "caa3af28-7da6-45ca-ba59-9e1b197b8651",
  "calledNumber": "",
  "callingNumber": "14072855050",
  "fraudScore": 4.0342,
  "fraudScoreThreshold": 4,
  "group": "d8ba61b9-4dbf-4979-850f-6f16cb59db5f",
  "id": "6aa0c334-ae98-4729-83bd-0eef63406759",
  "operator": "667e0f9b-c900-4fbc-b0f6-b4d043f8912a",
  "reseller": "73c246a6-796b-4f11-b15a-808c35b56b1b",
  "serviceProvider": "04db02a1-30ad-4cac-b71b-2b308a9ade5c",
  "type": "slow-traffic-pumping-by-user-and-calling-number",
  "user": "a9a692ac-7d2f-4df3-8557-b76cdc003cf0"
}

ClearIP uses the following IP ranges to send HTTP POSTs:

35.175.114.64/26

44.234.113.32/27
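
A receiving endpoint can treat the ranges above as an allow-list and validate the payload before acting on it. The following is an added example, not ClearIP code: the function names, the choice of required fields, the upper sanity bound, and the reading of the timestamps as Unix epoch milliseconds (inferred from the sample POST) are assumptions.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Source ranges this page lists for ClearIP alert POSTs.
CLEARIP_RANGES = [ipaddress.ip_network(n)
                  for n in ("35.175.114.64/26", "44.234.113.32/27")]
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAX_MS = 4102444800000  # assumed sanity bound, about the year 2100
NUMERIC = ("fraudScore", "fraudScoreThreshold", "actionStartTime", "actionEndTime")
TEXT = ("id", "type", "action")

def is_clearip_source(peer_ip):
    """True if the address is inside one of the listed ranges."""
    # Pass the TCP peer address; X-Forwarded-For is client-controlled
    # unless your own trusted proxy sets it.
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in CLEARIP_RANGES)

def parse_alert(peer_ip, body):
    """Validate one alert POST body; raise ValueError if it is rejected."""
    if not is_clearip_source(peer_ip):
        raise ValueError("source address is outside the ClearIP ranges")
    alert = json.loads(body)  # JSONDecodeError is a ValueError subclass
    if not isinstance(alert, dict):
        raise ValueError("alert body must be a JSON object")
    for key in NUMERIC:
        if type(alert.get(key)) not in (int, float):  # also rejects bool
            raise ValueError(f"{key} missing or not a number")
    for key in TEXT:
        if not isinstance(alert.get(key), str):
            raise ValueError(f"{key} missing or not a string")
    # Assumption from the sample payload: times are Unix epoch milliseconds.
    start_ms, end_ms = alert["actionStartTime"], alert["actionEndTime"]
    if not 0 <= start_ms < end_ms < MAX_MS:
        raise ValueError("action window is empty or out of range")
    return {"event_id": alert["id"], "trigger_type": alert["type"],
            "action": alert["action"], "fraud_score": alert["fraudScore"],
            "threshold": alert["fraudScoreThreshold"],
            "active_from": EPOCH + timedelta(milliseconds=start_ms),
            "active_until": EPOCH + timedelta(milliseconds=end_ms)}

# Constructed sample: a subset of the fields from the example POST above.
SAMPLE = (b'{"id": "6aa0c334-ae98-4729-83bd-0eef63406759", "action": "report-only",'
          b' "type": "slow-traffic-pumping-by-user-and-calling-number",'
          b' "fraudScore": 4.0342, "fraudScoreThreshold": 4,'
          b' "actionStartTime": 1577969958312, "actionEndTime": 1577973558312}')
```
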

Trigger Event Details

The Trigger Events page displays information about past trigger events and contains detailed information such as the cumulative fraud score that activated the trigger event and the time when the trigger event occurred. This is also the information included in the fraud trigger alert.

[Image: Trigger Events]

The image above shows the details of a robocalling trigger event. For robocalling, each call is given a called fraud score of 1. The fraud score threshold is set to 30, so all robocall attempts after the 30th attempt are blocked until the trigger event is deactivated.

While the trigger event is activated, ClearIP does not perform fraud analysis on the blocked calls. You are not billed for fraud analysis on blocked fraud calls except for the single call that activates the trigger event.

The Fraud Score listed in the trigger event details represents the total financial loss from the fraud attack for all fraud types except Targeted Pumping and Robocalling.

SIP Message Details

To view the SIP messages that led to a trigger event and the SIP messages affected by the trigger event, you can use the SIP Messages link found in the alert or you can click the Find button on the Trigger Events page. The SIP Messages page will be automatically filtered to only show the SIP messages related to the fraud attack.

[Image: Fraud Trigger SIP Message]

If you sort the SIP messages by Timestamp and then look at the Reason column, you can find exactly which call activated the trigger event and how long it took for ClearIP to stop the fraud attack. In the above example, all robocall attempts from a specified calling number were blocked after the third call listed in the above ClearIP table.

Deactivation

Trigger events are automatically deactivated at the end of the configured Action Time, which defaults to 60 minutes. If a trigger event must be manually deactivated before the end of the Action Time, use the following steps to disable active call blocking:

  1. Identify which fraud trigger policy caused the call to be blocked.
  2. Update the fraud trigger policy to slightly increase the fraud score threshold.
  3. Click on the Deactivate button in the Trigger Events page.

Increasing the fraud score threshold ensures that you will not have another trigger event immediately activate after you click Deactivate and the customer makes a single test call. Clicking the Deactivate button does not clear out the call history within ClearIP, so new calls will still be monitored alongside the most recently placed test calls within the fraud trigger analysis period.

Trigger events that have been deactivated, whether automatically or manually, remain visible in the table.