This article provides definitions and instructions for managing events within the RiskIQ interface or API, including:
- Assigning event status, owner, and priority
- Adding notes or tags
- Emailing event details for feedback from teammates (UI only)
- Enforcing events (UI only)
- Adding events to Inventory (UI only)
- Automating event actions via policy workflow orchestration
- Creating new events
- Exporting event data
Events are notifications within the RiskIQ system that provide information about a particular type of threat. Which event-types you see in your workspace will depend on the RiskIQ products you have purchased and your access permissions as a user. Talk to your RiskIQ Technical Account Manager if you have any questions about the events enabled in your workspace or about user permission controls.
Your events can be viewed in app.riskiq.net by selecting 'Events' from the navigation menu at the top right, or by clicking on any of the graphics in the Events Dashboard.
Event Workflow Actions
Workflow Actions in the RiskIQ UI
All RiskIQ event-types share a common set of user actions, shown at the top of a selected event. Users must have the appropriate permissions to edit events in order to use these actions.
When a value is set to something other than its default, its box turns green. Actions typically include adding an item to inventory (to claim ownership and resolve the event) or enforcing it as fraudulent.
For an event that is already enforced, the workflow options include changing the enforcement status or following up on the current enforcement case instead of starting a new one.
| Action | What it does |
|---|---|
| Status | Change the status of an event to indicate that it has been reviewed (see the list of available status choices below). |
| Action | Available only for External Threat event-types. (1) Enforce: open an enforcement case by generating and sending a templated enforcement email notice to the third parties providing access to the threat resources, e.g. the registrars, hosting providers, app stores, or social platforms associated with an External Threat event. (2) Enforcement Status: manually close an enforcement, or re-open one that was previously closed. (3) Follow Up on Enforcement: send a new notice to follow up on an open enforcement case. (4) Add to Inventory: claim this item as a legitimate asset owned by your organization and add it to your inventory of monitored assets, thereby resolving the event. |
| Tags | Add custom labels to this event for filtering and reporting (this button is not visible if no tag labels have been created). |
| Owner | Assign a specific user in your workspace to manage this event. |
| Priority | Assign a priority level to this event. |
| Email | Send this event's details to a specified recipient email address for feedback (the recipient does not need a RiskIQ login to view it; this is not an enforcement notice). This can be done together with another change, such as tags or status, or on its own by clicking the envelope icon on the right side of the event header. |
| Add Note | Add a note to this event's history that is viewable by all other users. Notes can be added as part of another action, such as applying a tag or changing status, or directly into the event history (character limit 10,240). If you add a note and specify an email recipient in the same action, the note is included in the email. |
Example: adding a note (without sending an email) at the same time as changing the event's status:
| Status | What it means |
|---|---|
| New | Brand new event that has not yet been actioned by a user. |
| Dismissed | User review determined the event was not actionable (a false positive or an irrelevant event). Applying this status stops the event from being re-monitored in the future. |
| Review | Event has been flagged for review so that a decision can be made on how to action it (by the customer team, or by a manager if it is not assigned to another owner). |
| Confirmed | User review determined the event was a true positive hit against the policy logic. |
| Enforced | An enforcement process has been initiated to mitigate the risk associated with this event. Only External Threat event-types can have an enforcement initiated directly from within the RiskIQ platform, but this status can be set manually on any event-type to signify that some kind of remediation effort has begun. |
| Resolved | Event no longer carries an associated risk and requires no further action. This status is assigned automatically when the system detects that the event is no longer active or that it has been added to Inventory; it does not need to be set manually. |
| Tenacious | Previously actioned or resolved event with a detected change that warrants a new review (e.g. it was Resolved and has reappeared as a recurring risk, it was under Monitor and has changed in some significant way, or a pending mitigation against it was closed manually by a user without the event resolving and next steps must be evaluated). This status is assigned automatically upon system detection; it does not need to be set manually. |
| Monitor | Event is not currently actionable but is suspicious and may become actionable in the future: continue to monitor it and automatically move it to Tenacious for re-evaluation when any major change is observed. Only applicable to Phish, Social, Domain Infringement, and Content events. |
Bulk Event Actions
The following actions can be performed in bulk by multi-selecting events in the events list on the left-hand side and using the bulk actions update function at the top of the list.
Even if multiple events are selected, changes made in the event details pane on the right only affect that individual event. To apply the change to all selected events (which may or may not include the event shown on the right), use the "Modify X events" button.
- Note that bulk-changing events' status to 'Enforced' does NOT initiate or send enforcement notices for those events; see the section on enforcing events below for instructions on enforcing more than one event at a time.
Example: By selecting multiple events in the list on the left, users can make bulk changes to all selected events at once.
In addition to ticking the check box for each event you want to action, you can use the check box at the top of the events list to select all events on the page or all events on all pages.
Enforcing Events
- To send an enforcement, click the 'Action' button in the event header and select 'Enforce' from the available actions to open the enforcement dialog.
- Select any related events from the list on the left (web events associated with the same domain name, or mobile apps posted in the same app store) to take action on them in the same enforcement.
- Select a template to preview your message and make edits to the recipients, attachments, or message text.
- Press 'Submit' at the bottom when you have finished reviewing the message preview to send your message.
Example: Enforcing a Phish event (there are no other related events in the case shown below)
After you send the message,
- All the included events will automatically change their status to Enforced
- A new Enforcement tab will appear in each event, displaying details about any current or prior enforcement that event is involved in, including enforcement status, notes, and list of other included events with their event-types, IDs, and current status.
- The available workflow actions will change: the 'Enforce' option will be replaced by the ability to change the status of the current enforcement or send a follow-up in the actions list.
Enforcement templates can have a configured "follow-up period", defined as a number of hours. If any of the enforced events are still active after the follow-up period elapses, and no other follow-up has been sent manually in the meantime, a second notice is automatically sent to the original recipients of the first notice to remind them of the issue and spur further action. When configuring the follow-up period, a max notice count between 1 and 5 must also be chosen; once it is reached the enforcement is closed, so that automated follow-ups cannot continue indefinitely and spam the intended recipients.
If preferred, instead of auto-sending the follow-up, an alert email can be sent reminding the user that this enforcement needs further attention, prompting them to log in to the portal and send the follow-up manually. Both auto-alerting and auto-follow-ups can be disabled if the user wishes to perform both follow-up monitoring and sending manually. If follow-ups are configured to be sent manually, no maximum notice count is required.
The process of sending a follow-up notice manually is similar to sending the original notice that opened the enforcement: the user selects a template, the still-active events from the original enforcement and the original recipients are auto-populated, and the user can make any additions or edits before sending the email.
Example: sending a follow-up manually:
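The follow-up rules above (period in hours, auto-send versus alert versus manual, a 1-to-5 notice cap in auto mode, and a manual follow-up restarting the clock) are easy to misread, so here they are written out as a small model. This is an added illustration, not RiskIQ's scheduler: the data model, the naming, and the assumption that the original notice counts towards the max notice count are mine; times are hours since the original notice.

```python
"""Model of the enforcement follow-up rules described on this page.
Added illustration only, not RiskIQ's own code: the data model and the
choice that the original notice counts towards the max notice count are
assumptions. Times are hours since the original notice was sent."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Template:
    """Follow-up configuration of an enforcement template."""
    follow_up_hours: Optional[float] = None  # None: no follow-up period configured
    mode: str = "auto"                       # "auto", "alert" (email the user) or "manual"
    max_notices: Optional[int] = None        # required only in "auto" mode, 1..5

    def __post_init__(self):
        if self.mode not in ("auto", "alert", "manual"):
            raise ValueError(f"unknown follow-up mode {self.mode!r}")
        if self.mode == "auto" and self.follow_up_hours is not None:
            # Automatic follow-ups must be bounded so recipients are not spammed.
            if self.max_notices is None or not 1 <= self.max_notices <= 5:
                raise ValueError("auto follow-ups require a max notice count of 1 to 5")


@dataclass
class Enforcement:
    template: Template
    event_active: Dict[str, bool]  # event ID -> still active?
    # Hours at which notices went out; the original notice is at 0.
    notices_sent: List[float] = field(default_factory=lambda: [0.0])
    alerts_sent: List[float] = field(default_factory=list)
    status: str = "open"


def decide(enf: Enforcement, now: float) -> str:
    """What the system does at `now`: 'none', 'auto_follow_up', 'alert_user' or 'close'."""
    t = enf.template
    if enf.status != "open" or t.follow_up_hours is None:
        return "none"
    if not any(enf.event_active.values()):
        return "none"  # nothing is still active, so there is nothing to chase
    # Any notice, automatic or manual, restarts the follow-up period.
    if now < enf.notices_sent[-1] + t.follow_up_hours:
        return "none"
    if t.mode == "manual":
        return "none"  # the user monitors and sends follow-ups themselves
    if t.mode == "alert":
        # Remind the user once per elapsed period, not on every check.
        if enf.alerts_sent and enf.alerts_sent[-1] >= enf.notices_sent[-1]:
            return "none"
        return "alert_user"
    if len(enf.notices_sent) >= t.max_notices:
        return "close"  # cap reached (assumption: the original notice counts)
    return "auto_follow_up"


def apply_decision(enf: Enforcement, now: float) -> str:
    """Carry out decide() and record its effect; returns the action taken."""
    action = decide(enf, now)
    if action == "auto_follow_up":
        enf.notices_sent.append(now)
    elif action == "alert_user":
        enf.alerts_sent.append(now)
    elif action == "close":
        enf.status = "closed"
    return action


def manual_follow_up(enf: Enforcement, now: float) -> None:
    """A user sent a follow-up from the portal; it counts as a notice."""
    if enf.status != "open":
        raise ValueError("cannot follow up on a closed enforcement")
    enf.notices_sent.append(now)
```

Run `decide` at each monitoring tick; the only state it needs is the list of notice times, the per-event active flags, and the template settings. Note that the model closes the enforcement at the first check after the period elapses once the cap is hit, rather than immediately on sending the last notice.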
Enforcing Events via Web Forms (Social Events and Rogue Mobile App Events from Specific Stores)
Unlike other event-types in the RiskIQ platform, Social Events are primarily enforced via web forms offered by each social network hosting an offending profile, rather than by sending enforcement email notices to an abuse team at those networks. The same is true of a few mobile app stores that do not respond to emailed complaints. This reflects the preferred workflow of the abuse teams at these organizations, who are more responsive to complaints filed via their forms, so RiskIQ provides a link to each of these web forms for convenience.
However, to record and verify that a user has submitted these forms and to track the enforcement action within the RiskIQ system for reporting purposes, we recommend first submitting the form and then using the template / Enforce button as normal to send an email to firstname.lastname@example.org confirming that the web form was filled out. This creates an enforcement ID in the RiskIQ system against which success can be tracked.
The steps below outline best practices for web-form based enforcement within the RiskIQ system:
- Click the 'Report Profile' link provided in the Summary tab of the social event. For a rogue mobile app event, the URL is shown in the enforcement dialog when the mobile template is selected, if the store is one of those that does not accept email.
- Fill out the form with the requested details specific to the abuse / violation present in the event. Take a screenshot if you wish to include it in your records within RiskIQ.
- Upon submitting the form, enforce the event in RiskIQ by selecting the template called 'Confirmation of Social Web Form Completion' (or similar) in order to create an enforcement ID and track metrics on this enforcement.
- An enforcement is then created in the Enforcement tab of the event(s), and it also appears in the enforcement section alongside all other enforcements in the workspace.
- Forward any related emails to the notice ID from which your first email was sent; they are associated with this enforcement ID automatically and appear in correspondence tracking. For example, if you filled out the form and received a confirmation of receipt and/or a tracking ID by email, forward it to the notice ID so that it shows up in RiskIQ as associated with this enforcement.
Adding Events to Inventory
- To add an event to your inventory, click the 'Action' button in the event header and select 'Add to Inventory' from the available actions to open the confirmation dialog.
- Confirm that the asset is legitimate / owned by your organization to submit it to inventory.
- After you dismiss the confirmation message, the event is automatically resolved and the asset is added. A note also appears in the event history alongside the status change, stating "Resolved - Auto Resolved By Adding to Inventory".
User Action Automation via Policy Workflow Orchestration
Some user actions (assigning status, owner, priority, or tagging) can be automated via the policy logic that creates new events and monitors existing ones. Enforcement, adding to inventory, and adding notes currently are not supported via orchestration. For more details on how policy workflow orchestration works and when/how it can be applied, see Event Policy Writing and Workflow Orchestration.
Event Workflow Actions via API
Event updates can also be done via API with a valid API token and password (all actions except adding to inventory and enforcement are supported via API). Ask your RiskIQ Technical Account Manager if you do not have or do not know your API credentials.
See RiskIQ API Documentation for more details on using the RiskIQ API.
A request consists of a list of event IDs to update, along with the review code (status label), priority label, owner name, target country value (phish events only), tag labels, or note to apply to all of them.
You may apply multiple tags to every event ID in the set, but the other values must be singular.
Submitting enforcements or follow-up notices via API is not currently supported.
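The request shape above (one list of event IDs, singular status/priority/owner/country/note, multi-valued tags, the 10,240-character note limit, and the fact that an API status change to 'Enforced' does not send any notice) can be captured in a small client-side builder that refuses malformed updates before they reach the API. This is an added example, not RiskIQ's own client: the endpoint URL, the JSON field names, and the use of HTTP basic auth with token:password are assumptions to be checked against the RiskIQ API Documentation.

```python
"""Build and sanity-check a bulk event-update request following the rules
stated on this page. Added illustration, not RiskIQ's client code: ENDPOINT,
the JSON field names and the basic-auth scheme are assumptions."""
import base64
import json
import urllib.request
from typing import Dict, Iterable, List, Optional, Tuple

ENDPOINT = "https://api.riskiq.net/v1/event/update"  # assumption, not from the page
NOTE_LIMIT = 10_240  # note character limit stated on this page
STATUSES = {"New", "Dismissed", "Review", "Confirmed", "Enforced",
            "Resolved", "Tenacious", "Monitor"}
SYSTEM_STATUSES = {"Resolved", "Tenacious"}  # normally assigned automatically


def build_update(event_ids: Iterable[str], *, status: Optional[str] = None,
                 priority: Optional[str] = None, owner: Optional[str] = None,
                 target_country: Optional[str] = None,
                 tags: Iterable[str] = (), note: Optional[str] = None,
                 phish: bool = False) -> Tuple[Dict, List[str]]:
    """Return (request body, warnings); raise ValueError for requests the
    page's rules exclude outright."""
    ids = [str(i) for i in event_ids]
    if not ids:
        raise ValueError("at least one event ID is required")
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate event IDs in the request")
    if status is not None and status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if target_country is not None and not phish:
        raise ValueError("target country applies to phish events only")
    if note is not None and len(note) > NOTE_LIMIT:
        raise ValueError(f"note exceeds {NOTE_LIMIT} characters")
    if isinstance(tags, str):
        tags = [tags]  # a bare string is one tag, not a list of characters
    tags = [t for t in tags if t]
    warnings: List[str] = []
    if status == "Enforced":
        warnings.append("status 'Enforced' records status only; "
                        "no enforcement notice is sent via the API")
    if status in SYSTEM_STATUSES:
        warnings.append(f"status {status!r} is normally assigned by the system")
    body: Dict = {"eventIds": ids}  # field names are assumptions
    for key, value in (("status", status), ("priority", priority),
                       ("owner", owner), ("targetCountry", target_country),
                       ("note", note)):
        if value is not None:
            body[key] = value  # singular values: one per request
    if tags:
        body["tags"] = tags  # the one multi-valued field
    return body, warnings


def basic_auth_header(token: str, password: str) -> str:
    """HTTP basic auth value for token:password (assumed auth scheme)."""
    raw = f"{token}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def make_request(body: Dict, token: str, password: str) -> urllib.request.Request:
    """Prepare the POST; urllib.request.urlopen(make_request(...)) sends it."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(ENDPOINT, data=data, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(token, password))
    return req


if __name__ == "__main__":
    body, warns = build_update(["101", "102"], status="Confirmed",
                               tags=["takedown", "q3"], note="reviewed")
    for w in warns:
        print("warning:", w)
    print(json.dumps(body, indent=2))
```

Keep the token and password out of source control and pass them in from the environment; the warnings list is where a wrapper script would surface the "Enforced without a notice" case so an operator does not assume a takedown email went out.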
Beyond modifying existing events, users can also add new events via the UI or API. For more details see Event Submission.
Exporting Event Data
Event data can be exported to an Excel document using the download button (located to the right of the search bar, above the email button).
The export will contain the details of all events matching the query you currently have set in the screen. If your query includes multiple event types, the exported file will contain multiple tabs corresponding to each type of event.
Outside of common fields relevant to all event-types, the fields in each tab can vary slightly according to the data that's particular to each type of event. See Event Lifecycle Metrics for more information on universal metrics tracked in relation to the event lifecycle from creation to resolution.
Alternatively, event data can be retrieved as JSON, by using the RiskIQ API. See the section on API responses in Event Search for more details.