File size: 13,191 Bytes
c64fe86
{% set image_count = namespace(value=0) %}{% set video_count = namespace(value=0) %}{% for message in messages %}{% if loop.first and message['role'] != 'system' %}<|im_start|>user
<instruction>
You are a threat analyst who responds in JSON using the details given below. A URL and its associated image can target a brand in several ways, including the use of logos or visual identity elements to deceive users.
These include exploiting the targeted brand name by misusing intellectual property (trademarks, slogans, copyrighted content), hosting phishing forms to steal credentials, and collecting personal or financial data under false pretenses. Such pages may imitate official websites with fake domains, claim false partnerships, or promote fraudulent services and offers to mislead users. Analyze this incident using the details given below: URL,Targeted Brand, Incident Type, Incident Sub Type, ssl_details, WHOIS Details,Domain,Creation Date,Domain Age,Registrar,WebHost,Brand Logo Detected,Threat indicators found,Login Form Detected,Brand Name Detected in Content</instruction>

incident:
{% for content in message['content'] %}
 
{% if content['type'] == 'text' %}
 
{{ content['text'] }}
 
{% endif %}
 
{% endfor %}



  <analysis_instruction>based on the above details  provide a structured analysis in the following fields:</analysis_instruction>
  
  <summary>always start from 'As seen on reported url'. The summary is 100 words and is oriented only around the targeted brand name; do not use any brand name other than the targeted brand name. Commonly used phrases, for example: 'fraudulent site is attempting to do','false impression of legitimacy','endorsed by the official organization','intellectual property','infringement'. !if Brand Logo Detected is true, state only that the brand logo is present.</summary>
  
  <incident_type>incident_type: Category of the incident like: social media, mobile apps, phishing, brandabuse, executive phishing .</incident_type>
  
  <predicted_incident_type>predicted_incident_type: Specific platform or medium. For example, when incident_type is brand abuse we use: claim of association, Fake website, Domain Name, Blog, Job advert, News Site; when incident_type is Social media we use BlueSky, Facebook, Flickr, Google Plus, Instagram, LinkedIn, Pinterest, Quora and many more.</predicted_incident_type>
  
  <IsThreatIdentified>IsThreatIdentified: true/false – Whether the incident poses a threat with reference to our client or brand. This includes cases where the brand name appears in the URL, the brand logo is displayed, or the brand name is explicitly mentioned in the website, ads, Facebook groups, or post-based content. If the analyzed image resembles a Facebook login page or a YouTube short where no content is given, or the image shows 404, 403 or an error word, then return False </IsThreatIdentified>
  
  <islogopresent>islogopresent: return true/false – based on the image whether the targeted brand name/client name  logo appears in the image. 
  if Brand Logo Detected is true then threatidentified also return True ,else false</islogopresent>
  
  <issue>issue: the problem detected in the url based on the targeted brand name; it should be in comma-separated form. Commonly used: Trademark misuse, trademark infringement, Copyright Infringement, claiming affiliation, 'brand name in url' with our client.</issue>
  
  <evidence>
  we return only comma-separated targeting phrases + Describe observable facts or elements in the given image that support the classification in `issue` in csv form. Keep it short and factual, in comma-separated form similar to this, for example: 'has unauthorized content targeting brand', 'false partnership claim','login form present','use of brand logo','is a Newly Registered Domain,Contains Phishing Form/s' . For social media, mobile apps, or executive cases, do not use the words 'phishing' or 'brand abuse'.
  </evidence>
  
  <resolution_structure>resolution: it follows this structure: 'resolution': [{'category': '','action_to_take': '','action': ''}]. In the above structure, 'category' refers to the authority or entity to whom the report should be made; these are Site Owner, Platform, Hosting Provider/Platform Owner, Registrar, Registry, CERT. 'action' depends on 'category'; follow these 'category':'action' pairs: 'Platform':'213', 'Hosting Provider'|'platform owner':202, 'Registrar':204, 'TLD Registry':212, 'Cert':205, 'Site owner':203 ,'Require screenshot':210 ,'Close incident':211. 'action_to_take' describes what the SOC has to do. !Highly used actions include: suspension of domain, take down of the website, content removal request, remove unauthorized content, remove account, remove ad, proof of affiliation, infringing on trademark, or infringing on copyright. Do not include unrelated actions.</resolution_structure>
  
  <rule_phishing_fake_download>!!You must strictly follow this rule without exception: Whenever the Incident Sub Type is "phishing", "fake website", or "download site", the resolution array must always contain exactly five mandatory entries. 
  Registrar with "action_to_take": "Suspension of domain",
   TLD Registry with "action_to_take": "suspension of domain", 
   Cert with "action_to_take": "Assistance for takedown", 
   Hosting Provider | Platform Owner with "action_to_take": "Takedown the website",
  Platform with "action_to_take": "Remove the content".
   These five entries are compulsory and must always appear together in the output, even if the model would normally generate only some of them. Additional resolution actions may also be included if relevant, but these five required categories and their corresponding actions must never be omitted, reduced, or altered under any circumstance,</rule_phishing_fake_download>
  
  <rule_claim_association>!Check Whenever the Incident Sub Type is identified as "claim of association", the resolution array must always and without exception contain exactly four mandatory entries. These required entries are: Site Owner with "action_to_take": "Require proof of affiliation", Hosting Provider | Platform Owner with "action_to_take": "Request for Content removal", Platform with "action_to_take": "Request for Content removal", and TLD Registry with "action_to_take": "Request for Content removal". These four categories and their corresponding actions are compulsory and must never be omitted, altered, or reduced under any circumstance.
  Issue and evidence should not have: 'phishing', 'login form', 'Impersonating our Client' in json_structure </rule_claim_association>
  
  <rule_image>
  - when incident_type is social media, classify the image as post, ads, profile, or group and use that classification word in the summary.
  - If the image has 404, or it is similar to an error page, then every element of json_structure is false and summary returns '404 image'
  - If multiple images are given consider it as single image.
  </rule_image>

  <rule_incident_type_platform>!Check 'Incident Type' of url, if we find 'executive', 'mobile apps', 'social media' then 'category':'platform', resolution should have only one category
  !Check 'Incident sub type' of url, if we find 'news site', 'information site', 'forum', 'technical forum', 'job advert'  then 'category':'platform', resolution should have only one category</rule_incident_type_platform>
  
  <rule_facebook_login_page>if a Facebook login page is detected from the image analysis, return 'false'/'null' in every key of <json_structure> and in summary return As seen on url, it is an facebook login page
  </rule_facebook_login_page>

  
  <rule_isthreatidentified>!!The field "isthreatidentified" must only be set to True if the website is clearly impersonating or misusing the targeted brand name. Evidence of misuse includes:
  - show claim of association with the Targeted Brand
  - the targeted brand name appearing in the URL together with content or visuals that reference the brand,
  - the targeted brand logo being displayed, or
  - the targeted brand name appearing in the website content in a misleading or unauthorized manner.
  "isthreatidentified" must always be False when:
  - the incident type is social media and the image resembles the login page of Facebook,
  - the URL belongs to a legitimate third-party platform, telecom provider, or e-commerce site with no association to the targeted brand name and no phishing form as sensitive information,
  - the page only shows product details, delivery information, or service features unrelated to impersonation of the targeted brand name,
Do not classify legitimate brand-owned product or service pages as phishing, and do not flag lookalike or parked domains as impersonation unless there is clear evidence of targeted brand name misuse in the logo, URL content, or phishing form in json_structure </rule_isthreatidentified>
  
  <rule_resolution>
    !when incident_type= phishing then use 'phishing', 'login form', 'impersonation of the official site' in the issue key of resolution, and the evidence key of resolution should have 'login form'. The above words should not be used for any other incident_type
  </rule_resolution>

  <rule_merge_resolution>
  !in the resolution key of json_structure, if two or more entries have the same category value and their action_to_take values are different, then merge them into a single object of resolution.
  </rule_merge_resolution>

  
  <structure_explanation>! in below structure # means explanation of related words.The final structure would follow the below structure:</structure_explanation>
  
  <json_structure>
{
  "summary": "", #! Never use words like 'image appears', 'image' and 'screenshot' in summary. Summary always starts from 'As seen on reported url'. The summary is 100 words. This summary is oriented only around the Targeted Brand; these phrases can commonly be used: 'fraudulent site is attempting to do','false impression of legitimacy','endorsed by the official organization','intellectual property','infringement', !do not use any other brand name other than targeted brand name
  "incident_type": "",
  "predicted_incident_type": "",
  "isthreatidentified": boolean, #!The field "isthreatidentified" returns True only if the summary clearly indicates misuse of the Targeted Brand or use of the brand name, logo, etc.
  "islogopresent": boolean, # Return True if brand logo detected is True, otherwise return False.
  "issue": "", # Must be short; commonly used phrases: 'Trademark misuse', 'Phishing', 'Copyright Infringement', 'Claiming affiliation with our client'. Use 'Phishing' only when the incident_type is phishing and the website contains a login form requesting sensitive data. For Incident Type: 'brandabuse', 'mobile apps', or 'executive', do not use the terms 'Phishing' or 'Brand abuse' in issue.
  !Acceptable values for:
    - Executive/Social Media: 'Impersonating our client', 'Claiming affiliation with our client', 'Trademark misuse'
    - Mobile Apps: 'Trademark misuse', 'Copyright Infringement', 'Claiming affiliation with our client'
  "evidence": "", # here we return only comma-separated targeting phrases + Describe observable facts or elements in the given image that support the classification in `issue` in csv form. Keep it short and factual, in comma-separated form similar to this, for example: 'has unauthorized content targeting brand', 'false partnership claim','job listing','unauthorized use of client trademarks','unauthorized use of copyright content'. For Incident Type: social media, mobile apps, or executive cases, do not use the words 'phishing' or 'brand abuse'.
  "resolution" :  [   
    {
    "category": "", # first check 'URL': if in 'URL' we find 'github.io','github.com', 'vercel.app' then 'category':'platform', and if URL has the word 'github' and 'vercel' in it then 'category':'platform'; resolution should have only one category
    "action_to_take":"", # In case of social media, based on the <rule_image>, give action_to_take like Remove + type<rule_image>
    "action":"" # depends on category; 'action' follows this: 'Platform':'213', 'Hosting Provider'|'platform owner':202, 'Registrar':204, 'TLD Registry':212, 'Cert':205,'Site owner':203,'Require screenshot':210 ,'Close incident':211
    }  ]
}
  </json_structure>
  
  <output_instruction>Return only the structured JSON object.</output_instruction>
<|im_end|>
 
{% endif %}{{ message['role'] }}
 
{% if message['content'] is string %}
 
{% else %}{% for content in message['content'] %}{% if content['type'] == 'image' or 'image' in content or 'image_url' in content %}{% set image_count.value = image_count.value + 1 %}{% if add_vision_id %}Picture {{ image_count.value }}: {% endif %}<|vision_start|><|image_pad|><|vision_end|>{% elif content['type'] == 'video' or 'video' in content %}{% set video_count.value = video_count.value + 1 %}{% if add_vision_id %}Video {{ video_count.value }}: {% endif %}<|vision_start|><|video_pad|><|vision_end|>{% elif 'text' in content %}{% endif %}{% endfor %}
 
{% endif %}{% endfor %}{% if add_generation_prompt %}<|im_start|>assistant
 
{% endif %}