Custom Events

Custom events are available to External Threats as well as Executive Guardian or Tailored Intelligence customers, depending on the use case. Their purpose is provide a flexible way to track any pieces of information that don't fit into an event-type natively detected by RiskIQ, but which have relevance to the customer's Attack Surface Management program. 

Common uses include tracking phone numbers, email addresses, and integrating data and alerts from other applications into the RiskIQ platform, for example threat intelligence platforms or dark web monitoring tools. See Deep and Dark Web Integration for more information of this specific application.

For a general introduction to events and other parts of the RiskIQ system, please see RiskIQ Platform Architecture.

Outlined below are tips on:

  1. How to read and interpret the information presented in a Custom event (field definitions)
  2. Suggested best practices for Custom event management, including user workflow and tagging
  3. How it works: Custom Threats detection and system overview

Example: a custom event with sample text for demonstration purposes.

Reading Custom Events - Field Definitions

Event List Item

This is how Custom events are represented in the Events section of the RiskIQ web application. Clicking on a list item brings up details for the event and user-initiated workflow actions. 

  • Event-Type: what kind of event it is (custom).
  • Title: the title given to the event.
  • Status: current status of the event.
  • Created: date the event was generated.
  • Updated: date of the most recent entry in the event history.
  • Tags (if any have been applied--not pictured)

Event Header

At the top of each event's details is a header containing workflow actions. Custom events do not have any enforcement actions associated to them, but otherwise have the same workflow as other types of events. See Event User Actions for information on these options.

Summary Tab

This is the only tab in a Custom event. The summary tab is organized into multiple sections:


  • Along with the title, the description text is provided when the event is created to note its purpose and any other useful context
  • Title and description can both be edited after creation


  • Timeline of changes made to the event with the date, time, and name of the user who took each action, including:
    • Status changes 
    • Emails sent (with recipients)
    • Notes added
    • Tags added/removed

Managing Custom Events - User Review Decision Workflow and Tagging Best Practices

Tags and User Review steps for Custom Events are, by definition, custom per client given the non-standard nature of the detection criteria.

Your RiskIQ Technical Account Manager will work with you to build event categories and review/enforcement protocols that are appropriate for your use-case and reporting goals.

Custom Events System Overview


Custom events can only be created via direct event submission in the UI or API. RiskIQ does not provide any independent / automated creation of custom events outside of what is input into the system.

See Event Submission for information on how to create Custom events.

Monitoring and Auto-Resolution

  • Custom events are not monitored over time and do not auto-resolve (all changes in status and other updates must be submitted by a user)