Red Sift Brandtrust¶
About¶
Red Sift Brand Trust is an AI-powered cybersecurity tool that proactively identifies and monitors fraudulent domains attempting to impersonate a company's brand. By detecting suspicious domains and subdomains in real time, it protects against brand abuse, phishing attacks, and lookalike scams, and allows businesses to take action before damage occurs. It uses features such as logo matching, keyword-based lookalike detection, and domain intelligence to provide a comprehensive view of a company's online brand perimeter.
Product Details¶
Vendor URL: Red Sift
Product Type: Brand Protection Software
Product Tier: Tier II
Integration Method: Webhook
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: REDSIFT_BRANDTRUST
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
creationDate | metadata.event_timestamp |
data.apex_domain | target.asset.attribute.labels |
data.classification | security_result.summary |
data.dmarc_status | security_result.detection_fields |
data.dns_providers | network.dns.authority |
data.domain | target.domain.name |
data.email_ready | additional.fields |
data.flagged_by_google_safe_browsing | additional.fields |
data.has_annotations | additional.fields |
data.has_detected_keywords | additional.fields |
data.has_notes | additional.fields |
data.has_reputation_issues | additional.fields |
data.has_screenshot | additional.fields |
data.has_subdomailer | additional.fields |
data.in_takedown | additional.fields |
data.industry | security_result.category_details |
data.is_subdomain | additional.fields |
data.keywords | security_result.detection_fields |
data.manually_added | additional.fields |
data.match_based_on | security_result.rule_name |
data.ns_records | target.domain.name_server |
data.related_domain | security_result.detection_fields |
data.reported_as_false_positive | additional.fields |
data.risk_rating_score | security_result.risk_score |
data.similarity | security_result.severity_details |
data.source | observer.resource.name |
data.threat_emails_count | security_result.detection_fields |
data.unicode_domain | target.asset.attribute.labels |
data.updated_at | security_result.about.asset.attribute.last_update_time |
data.web_presence | additional.fields |
entity | metadata.description |
id | target.asset.attribute.labels |
type | metadata.product_event_type |
uuid | metadata.product_log_id |
Product Event Types¶
Event | UDM Event Classification |
---|---|
All | GENERIC_EVENT |
Log Sample¶
{"creationDate":1739392297,"data":{"annotations":[],"apex_domain":"example.co.uk","classification":["Active"],"dmarc_status":" ","dns_providers":["GoDaddy"],"domain":"example.co.uk","domain_reputation":{"issues":[],"status":false},"email_ready":false,"flagged_by_google_safe_browsing":false,"has_annotations":false,"has_detected_keywords":false,"has_notes":false,"has_reputation_issues":false,"has_screenshot":true,"has_subdomailer":false,"id":"d2ViZXJ0cnVzdC5jby51aw==","identity":{},"in_takedown":false,"industry":"Irrelevance","ip_reputation":{"issues":[],"status":false},"is_subdomain":false,"keywords":[],"manually_added":false,"match_based_on":"related_domains","ns_records":["ns73.domaincontrol.com.","ns74.domaincontrol.com."],"observed_date":"1739388930","related_domain":"example.com","reported_as_false_positive":false,"reported_to_google_web_risk":{"ts":null},"reported_to_ncsc":{"ts":null},"risk_rating_score":30,"similarity":"medium","source":"OnDOMAIN","tags":[],"threat_emails_count":0,"unicode_domain":"example.co.uk","updated_at":1739391632,"web_presence":true,"web_risk":[]},"entity":"lookalike","type":"new_lookalike_detected","uuid":"eaec9417-3797-4e40-89bd-f2e7e8245b6e"}
Sample Parsing¶
additional.fields["email_ready"] = "false"
additional.fields["flagged_by_google_safe_browsing"] = "false"
additional.fields["has_annotations"] = "false"
additional.fields["has_detected_keywords"] = "false"
additional.fields["has_notes"] = "false"
additional.fields["has_reputation_issues"] = "false"
additional.fields["has_screenshot"] = "true"
additional.fields["has_subdomailer"] = "false"
additional.fields["in_takedown"] = "false"
additional.fields["is_subdomain"] = "false"
additional.fields["manually_added"] = "false"
additional.fields["reported_as_false_positive"] = "false"
additional.fields["web_presence"] = "true"
metadata.description = "lookalike"
metadata.event_timestamp.seconds = 1739392297
metadata.event_timestamp.nanos = 0
metadata.event_type = "GENERIC_EVENT"
metadata.product_event_type = "new_lookalike_detected"
metadata.product_log_id = "eaec9417-3797-4e40-89bd-f2e7e8245b6e"
metadata.product_name = "Brandtrust"
metadata.vendor_name = "Red Sift"
network.dns.authority.name = "GoDaddy"
observer.resource.name = "OnDOMAIN"
security_result.about.asset.attribute.last_update_time = "2025-02-12T20:20:32Z"
security_result.category_details = "Irrelevance"
security_result.detection_fields.key = "threat_emails_count"
security_result.detection_fields.value = "0"
security_result.detection_fields.key = "related_domain"
security_result.detection_fields.value = "example.com"
security_result.risk_score = 30
security_result.rule_name = "related_domains"
security_result.severity = "MEDIUM"
security_result.severity_details = "medium"
security_result.summary = "Active"
target.asset.attribute.labels.key = "id"
target.asset.attribute.labels.value = "d2ViZXJ0cnVzdC5jby51aw=="
target.asset.attribute.labels.key = "apex_domain"
target.asset.attribute.labels.value = "example.co.uk"
target.asset.attribute.labels.key = "unicode_domain"
target.asset.attribute.labels.value = "example.co.uk"
target.domain.name = "example.co.uk"
target.domain.name_server = "ns73.domaincontrol.com."
target.domain.name_server = "ns74.domaincontrol.com."