This article describes best practices for managing enforcements of RiskIQ events. Enforcement functionality is available to all customers who have purchased RiskIQ External Threats.
When one or more events are enforced via the events workflow, a new enforcement is created in the Enforcements Section, where it can be tracked and managed from creation to resolution. Your enforcements can be viewed in app.riskiq.net by selecting 'Enforcements' from the navigation menu at the top left.
For information on how to initiate an enforcement for an event, please see Event User Actions. If you are a RiskIQ admin user looking for information on configuring enforcement templates, please see Enforcement Template Configuration.
Outlined below are tips on:
- How to read and interpret the information presented in an enforcement
- Suggested best practices for enforcement management, including user workflow and an explanation of enforcement processing and monitoring in the RiskIQ system
Example: a sample enforcement for a detected phishing page
Reading Enforcements - Field Definitions
Each enforcement initiated against events in the workspace is represented in the list on the left-hand side of the screen. Clicking on a list item brings up details for that enforcement as well as user-initiated workflow actions.
Enforcement List Item
- Type: (icon) what kind of entity the enforcement is related to (e.g. a website/domain, app store, or social network)
- Title: the domain name, app store, or social network towards which the enforcement is directed
- Status: current status of the enforcement (Open, Resolved, or Closed; workspaces managed by RiskIQ IRT also have a Pending status option)
- Created: date the first enforcement notice was sent.
- Notices: the total number of notices that have been sent during the course of this enforcement (replies and correspondence messages within a notice thread are not counted as notices)
- Events: the proportion of events that are currently resolved out of the total number included in the enforcement (once every event is resolved, the enforcement is considered resolved)
At the top of each enforcement's details is a header containing high-level information, as well as workflow actions.
- Status: current status of the enforcement and the ability to change it
- Send a Follow-Up Message: send a new notice to follow up on an enforcement that is not yet resolved (this button is hidden on closed or resolved enforcements)
- Left/Right Arrows: View the details of the previous or next enforcement in the list
- Title: the domain name, app store, or social network at which the enforcement is directed
- ID: unique ID for each enforcement
- Created: date the enforcement was created
- Updated: date of the most recent entry in the enforcement history (e.g. a status change or a note added)
- Enforcement Duration: how long this enforcement was/has been in the Open status
- Last Notice: how long ago the most recent notice in this enforcement was sent
This section shows information about all messages that have been sent over the lifetime of this enforcement action.
Messages are listed chronologically and organized into threads. Each notice (templatized messages including the original notice as well as subsequent follow-ups) is the start of a thread. Within that thread, there may be one or more replies (correspondence back and forth in reply to a specific notice).
For example, in the screenshot below, there are 2 notices, both sent by Chris Kennedy. The first of these contains 2 additional reply messages underneath it (a reply from Kennedy Registrar, and a response back to that reply from Beckie Neumann).
Whenever a new response is received an email alert is sent to the user who sent the notice.
Some basic high-level attributes are called out directly in the messages table and the remainder are available by clicking into the details.
- Sent By: the sender of the message
- Subject: the subject of the email that was sent
- Attachments: if the message contains an attachment, a paperclip icon appears to the right of the subject line
- Sent At: the time this message was sent
- Actions: the blue arrow can be used to send a reply back to received correspondence. Note that you currently can only reply to a received message, not to your own sent message.
- Details: Clicking on any message brings up all other information about the message including the full message body text, recipients, email address from which it was sent, and the name of the template that was used for the notice thread this message belongs to.
This section lists all the related events grouped into this single enforcement action with some summary attributes (in this case, the enforcement only includes 1 event, so the table has only 1 row):
- Event-Type: (icon) the event-type of each included event
- Event: the title of the enforced event, e.g. the URL of a phish or social profile, or domain of a domain infringement event (for rogue mobile apps, both the app title and developer name are shown)
- Status: the current status of this event
- ID: the unique ID of this event (cross-linked so that you can click to view the full event details)
- Timeline of changes made to the enforcement with the date, time, and name of the user who took each action, including:
  - Status changes
  - Notes added
Search Enforcements Using the Search Bar
You can search and filter your enforcements using the search bar at the top of the screen. You can type directly into the search bar or use the query builder, which expands when the search bar is clicked on.
Example: A query for all enforcements related to phish events that have 2 or more notices sent.
Saved Enforcement Queries
To keep complex queries for later use, you can save your query using the button on the right side of the search bar. Saved queries must be given a name, and can be saved for your personal use or for use by any users in your workspace.
Access your saved queries in a dropdown list by clicking on 'Enforcements Search' on the left side of the search bar.
Sorting and Pagination
To sort your enforcement list, use the sorting options at the top of the list. By default, enforcements are sorted from newest to oldest.
You can also change the number of enforcement results shown per page using the settings icon at the top right.
Managing Enforcements - Workflow Best Practices
Enforcements have workflow actions, just like events in the RiskIQ system:
|Action||What it Does|
|Status||Manually change the status of an enforcement. Enforcements may be manually closed, re-opened from closed, or set to pending, but cannot be manually resolved or re-opened once resolved; resolution is done automatically based on the statuses of all the events in the enforcement.|
|Send a Follow-Up Message||Generate and send another enforcement notice to follow up on an unresolved enforcement|
|Reply to Message||Send a new message to reply to responses received from the recipients of an enforcement notice (e.g. requests for more information)|
|Status||What it Means|
|Open||An enforcement notice has been sent, but one or more of the events included in the enforcement are still active. The enforcement duration will continue to be tracked until the enforcement is either closed or resolved.|
|Resolved||Enforcement was successful and all the events included were resolved or dismissed. This status is set automatically by the RiskIQ system, not by a user, to signify that the enforcement is over. *Note: an enforcement may be manually closed and re-opened from the closed status, but resolved enforcements cannot be re-opened. If events in a previously resolved enforcement return, a new enforcement should be created to track any new notices sent on the same event(s). The enforcement tab on the event will display details about all associated enforcements if there are multiple.|
|Closed||At least one event included in this enforcement is still active, but the user has chosen to stop pursuing the enforcement (by manually setting this status) or the enforcement has reached a maximum notice limit pre-configured in the template (the status is set automatically by the RiskIQ system). *Note: all included events automatically change status from enforced to tenacious when the enforcement is manually closed, to indicate that they should be re-assessed for further action. If the user decides to continue the enforcement process on that event, the closed enforcement can be re-opened.|
|Pending||In workspaces using RiskIQ's managed security services, an additional status choice is available for enforcements. In such workspaces, enforcements that reach their maximum pre-configured limit in the template automatically move to this status, rather than closed. This status signifies that at least one event in the enforcement is not yet resolved, even after best practices have been taken to mitigate it, and review is required to determine what further steps may be available.|
Enforcement System Workflow
The diagram below maps out the system event processing workflow for monitoring enforcements and making automatic status changes.
- Green represents steps taken automatically by the RiskIQ system
- Pink represents steps taken by a human user
- Blue represents the enforcement status
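The status rules from the table above and the automatic transitions in the workflow diagram can be modelled as a small state machine. The following is an added illustration written for this article, not RiskIQ's own code: the class names, the `max_notices` field, the event status set and the assumption that the notice limit counts the original notice are all assumptions made here, and the sample enforcement in `demo()` is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class EnforcementStatus(Enum):
    OPEN = "Open"
    RESOLVED = "Resolved"
    CLOSED = "Closed"
    PENDING = "Pending"   # only offered in workspaces managed by RiskIQ


class EventStatus(Enum):
    # Event statuses this article names; the product's full set is not shown here (assumption)
    ENFORCED = "enforced"
    RESOLVED = "resolved"
    DISMISSED = "dismissed"
    TENACIOUS = "tenacious"


@dataclass
class Event:
    event_id: str
    status: EventStatus = EventStatus.ENFORCED


@dataclass
class Enforcement:
    events: list                      # Event objects grouped into this enforcement
    max_notices: int                  # notice limit from the template (field name assumed)
    managed_workspace: bool = False   # True for workspaces managed by RiskIQ IRT
    status: EnforcementStatus = EnforcementStatus.OPEN
    notices_sent: int = 1             # creating the enforcement sends the first notice
    history: list = field(default_factory=list)

    def _log(self, actor, entry):
        # History timeline: who did what (timestamps omitted in this model)
        self.history.append((actor, entry))

    def _auto_resolve_if_done(self):
        # Resolution is never manual: the system sets it once every event is resolved or dismissed
        done = all(e.status in (EventStatus.RESOLVED, EventStatus.DISMISSED) for e in self.events)
        if done and self.status != EnforcementStatus.RESOLVED:
            self.status = EnforcementStatus.RESOLVED
            self._log("system", "all events resolved -> Resolved")
        return done

    def update_event(self, event_id, new_status):
        # Event status changes come from the event workflow; returns True if this resolved the enforcement
        for e in self.events:
            if e.event_id == event_id:
                e.status = new_status
                break
        else:
            raise KeyError(event_id)
        return self._auto_resolve_if_done()

    def send_follow_up(self, user):
        # The follow-up button is hidden on closed or resolved enforcements
        if self.status in (EnforcementStatus.CLOSED, EnforcementStatus.RESOLVED):
            raise ValueError(f"cannot send a follow-up on a {self.status.value} enforcement")
        self.notices_sent += 1
        self._log(user, f"notice #{self.notices_sent} sent")
        # Assumption: the template limit counts the original notice, so it is reached at notices_sent == max
        if self.notices_sent >= self.max_notices:
            self.status = (EnforcementStatus.PENDING if self.managed_workspace
                           else EnforcementStatus.CLOSED)
            self._log("system", f"notice limit reached -> {self.status.value}")
        return self.status

    def set_status(self, user, new_status):
        # Manual transitions the article allows: close, re-open from closed, set to pending
        if self.status == EnforcementStatus.RESOLVED or new_status == EnforcementStatus.RESOLVED:
            raise ValueError("Resolved is set only by the system and cannot be re-opened")
        if new_status == EnforcementStatus.PENDING and not self.managed_workspace:
            raise ValueError("Pending is only available in managed workspaces")
        if new_status == EnforcementStatus.OPEN and self.status != EnforcementStatus.CLOSED:
            raise ValueError("only closed enforcements can be re-opened")
        if new_status == EnforcementStatus.CLOSED:
            # Closing flips still-enforced events to tenacious so they are re-assessed
            for e in self.events:
                if e.status == EventStatus.ENFORCED:
                    e.status = EventStatus.TENACIOUS
        self.status = new_status
        self._log(user, f"status -> {new_status.value}")
        return new_status


def demo():
    # Constructed sample: two events under a template that allows three notices
    enf = Enforcement(events=[Event("evt-1"), Event("evt-2")], max_notices=3)
    enf.send_follow_up("analyst")                      # notice #2, still Open
    enf.update_event("evt-1", EventStatus.RESOLVED)    # one event down, still Open
    enf.update_event("evt-2", EventStatus.DISMISSED)   # all done -> Resolved, set by the system
    return enf


if __name__ == "__main__":
    for actor, entry in demo().history:
        print(f"{actor}: {entry}")
```

Running the module prints the history timeline of the sample enforcement; the point of the model is that `Resolved` is only ever reached through `_auto_resolve_if_done`, while the notice limit and a manual close are the two routes to `Closed` (or `Pending` in a managed workspace).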