This article provides definitions and instructions for managing events within the RiskIQ interface or API, including
- Assigning event status, owner, and priority
- Adding notes or tags
- Emailing event details for feedback from teammates (UI only)
- Enforcing events (UI only)
- Adding events to Inventory (UI only)
- Automating event actions via policy workflow orchestration
- Creating new events
- Exporting event data
Events are notifications within the RiskIQ system that provide information about a particular type of threat. Which event-types you see in your workspace will depend on the RiskIQ products you have purchased and your access permissions as a user. Talk to your RiskIQ Technical Account Manager if you have any questions about the events enabled in your workspace or about user permission controls.
Your events can be viewed in app.riskiq.net by selecting 'Events' from the navigation menu at the top right, or by clicking on any of the graphics in the Events Dashboard.
Event Workflow Actions
Workflow Actions in the RiskIQ UI
All RiskIQ event-types share a common set of user actions, which can be seen at the top of a selected event. Users must have the appropriate permissions to edit events in order to use these actions.
When values are set to something other than their defaults, the boxes turn green. Actions typically include adding an item to inventory to claim ownership and resolve the event, or enforcing it as fraudulent.
For an event that is already enforced, the workflow options include changing the enforcement status or following up on the current enforcement case instead of starting a new one.
| Action | What it Does |
|---|---|
| Status | Change the status of an event to indicate that it has been reviewed (see the list of available status choices below). |
| Action | Opens the enforcement and inventory sub-actions listed directly below this table. These sub-actions are only available for Phish, Domain Infringement, Social, Rogue Mobile App, Content, and Custom event-types. |
| Tags | Add custom labels to this event, which can be used for filtering and reporting (this button is not visible if no tag labels have been created). |
| Owner | Assign a specific user in your workspace to manage this event. |
| Priority | Assign a priority level to this event. |
| Email | Send this event's details to a specified recipient email address for feedback (the recipient does not need a RiskIQ login to view it; this is not an enforcement notice). This action can be taken in conjunction with another change, such as tags or status, or on its own by clicking the envelope icon on the right side of the event header. |
| Add Note | Add a note to this event's history that is viewable by all other users. Notes can be added as part of another action, such as applying a tag or changing status (e.g. to explain why that action was chosen), or directly into the event history (character limit 10,240) without any other change. A note added within the email sending action is included in the email message body. |
The sub-actions under 'Action' are:
1. Enforce: Open an enforcement case by generating and sending a templated enforcement email notice to the third parties providing access to the threat resources, in order to mitigate the threat (e.g. notify the registrars, hosting providers, app stores, or social platforms associated with an event).
2. Enforcement Status: Manually close an enforcement, or re-open an enforcement that was previously closed.
3. Follow Up on Enforcement: Send a new notice to follow up on an open enforcement case.
4. Add to Inventory: Claim this item as a legitimate asset owned by your organization and add it to your inventory of assets under monitoring, thereby resolving the event.
Example: adding a note to the event history at the same time as changing the event's status:
| Status | What it Means |
|---|---|
| New | Brand new event that has not yet been actioned by a user. |
| Dismissed | User review determined the event was not actionable (a false positive or an irrelevant event). Applying this status pauses monitoring of the event. |
| Review | Event has been flagged for review so that a decision can be made on how to action it (by the customer team, or a manager if it is not assigned to a specific owner). |
| Confirmed | User review determined the event was a true positive hit against the policy logic. |
| Enforced | An enforcement process has been initiated to mitigate the risk associated with this event. Only certain event-types can have an enforcement initiated from within the RiskIQ workflow, but this status can be set manually on any event-type to signify that a remediation effort has been initiated outside the platform. Manually setting this status does NOT create an enforcement in the RiskIQ platform or trigger any external communications. |
| Resolved | Event no longer carries an associated risk and requires no further action. Assigned automatically when the system detects that the event is no longer active, or when the asset has been added to Inventory; it does not need to be set manually. |
| Tenacious | A previously actioned or resolved event with a detected change that warrants a new review (e.g. it was Resolved and has reappeared as a recurring risk, it was under monitoring and has changed in some significant way, or a pending mitigation initiated against it was manually closed by a user without the event resolving and next steps must be evaluated). Assigned automatically upon system detection; it does not need to be set manually. |
| Monitor | Event is not currently actionable but is suspicious and may become actionable in the future: continue to monitor it, and automatically move it to Tenacious for re-evaluation when any major change is observed. Only applicable to Phish, Social, Domain Infringement, and Content events. |
Bulk Event Actions
The following actions can be performed "in-bulk" by multi-selecting events from the events list on the left-hand side and using the bulk actions update function at the top of the list.
Even if multiple events are selected, changes made to the event details on the right will only impact that individual event. To make the change to all the selected events (which may or may not include the event shown on the right), use the "Modify X events" button.
- Status (***Note that bulk changing events' status to 'Enforced' does NOT initiate or send enforcement messages for those events. See the section on enforcing events below for instructions on enforcing more than one event at a time.)
Example: By selecting multiple events in the list on the left, users can make bulk changes to all selected events at once.
In addition to selecting the check boxes for each event you want to action within the list, users can also use the check box at the top of the events list to bulk select all events on the page or all events on all pages as well.
Enforcing Events
- To send an enforcement, click on the 'Action' button in the event header and select 'Enforce' from the available actions to open the enforcement dialog.
- Select any related events from the list on the left (web events associated with the same domain name, or mobile apps posted in the same app store) to take action on simultaneously in this enforcement.
- Select a template to generate a preview of your message, and make any edits to the recipients, attachments, or message text.
- Press 'Submit' at the bottom when you are finished reviewing the message preview to send your message.
Example: Enforcing a Phish event. There are a total of 7 active, un-enforced events on the domain in the case shown below (the event on which the action was selected + 6 related others), which have all been selected for inclusion.
Note that in specific cases, upon clicking 'Submit', you may receive a warning asking you to confirm whether you want to proceed with the enforcement. These warnings are intended to prompt a pause and a second review before sending, because there is at least one reason to believe the enforcement may be submitted in error: either the site may be legitimate, or a more effective channel for reporting abuse related to this site may exist that should be used instead. They provide a final opportunity to stop the notice before it goes through the system, rather than having to issue a retraction after the fact.
These scenarios include:
- The domain name against which you are issuing an enforcement is in the Alexa Top 10,000 domains (ex. a user accidentally trying to send a takedown request for facebook.com to the domain's registrar or ISP instead of reporting a specific profile or post to Facebook).
- The domain or hostname of a URL you are trying to enforce is in the Inventory of a RiskIQ workspace, indicating it is a website owned by a legitimate company (note this includes but is not limited to the workspace in which the enforcement is being sent and does not necessarily indicate whether the owner of that website is a RiskIQ Digital Footprint customer or not).
- The domain is registered through a known corporate registrar (MarkMonitor, CSC, NetNames, SafeNames, CitizenHawk), and, thus, likely belongs to a legitimate organization even if not currently in any existing RiskIQ workspaces' inventories.
- The domain is a known app store: this warning occurs if the domain of an event (e.g. a Content or Domain Infringement event) matches that of an app store the RiskIQ system monitors for rogue mobile apps. It indicates that the enforcement should likely go through that app store's documented web form or app removal email contact, rather than reporting the domain or host as a whole to the registrar or ISP.
- The site is a legitimate service used to analyze other websites -- this warning is shown when a user is attempting to send a takedown request against a site like urlscan.io, because a URL on that site is displaying content that is actually hosted elsewhere. In such a case, the enforcement should be directed at the site on which the content is actually hosted, rather than the service being used to display that in a safe manner.
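The warning conditions above amount to a pre-submit sanity check on the takedown target. The Python below is an added illustration of the same five checks, not RiskIQ's own logic: the lookup sets, the WHOIS-style registrar table, the function names, and the naive two-label domain split are all constructed assumptions. It generalizes slightly by returning every triggered reason at once rather than a single warning, so a reviewer sees all of them before deciding.

```python
"""Pre-submit sanity checks for a takedown target (added example, not RiskIQ code).

Models the five warning conditions described on the page. All lookup data
below is constructed for illustration; a real implementation would back these
sets with the platform's top-domain list, workspace Inventory, WHOIS/RDAP
registrar data, and its app-store and scanner-service catalogues.
"""
from urllib.parse import urlparse

# Constructed stand-ins for the real lists (assumptions, not RiskIQ data).
TOP_DOMAINS = {"facebook.com", "google.com", "github.com"}          # cf. Alexa Top 10,000
INVENTORY_HOSTS = {"acme-bank.example", "www.acme-bank.example"}    # hosts in any workspace Inventory
CORPORATE_REGISTRARS = ("markmonitor", "csc", "netnames", "safenames", "citizenhawk")
APP_STORE_DOMAINS = {"play.google.com", "apps.apple.com"}
ANALYSIS_SERVICES = {"urlscan.io"}
REGISTRAR_OF = {                                                    # constructed WHOIS-style lookup
    "acme-corp.example": "MarkMonitor Inc.",
    "phishy-login.example": "Cheap Registrar LLC",
}


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Use a public-suffix list in production;
    this split is wrong for hosts such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def enforcement_warnings(url):
    """Return every warning reason that applies to sending a takedown for url.

    An empty list means no confirmation dialog would be shown; anything else
    should make the analyst pause and look for a more targeted reporting channel.
    """
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    reasons = []
    if domain in TOP_DOMAINS:
        reasons.append("top-domain")            # report the specific profile/post instead
    if host in INVENTORY_HOSTS or domain in INVENTORY_HOSTS:
        reasons.append("in-inventory")          # a workspace claims this as a legitimate asset
    registrar = REGISTRAR_OF.get(domain, "").lower().replace(" ", "")
    if registrar.startswith(CORPORATE_REGISTRARS):
        reasons.append("corporate-registrar")   # likely a legitimate organization's domain
    if host in APP_STORE_DOMAINS or domain in APP_STORE_DOMAINS:
        reasons.append("app-store")             # use the store's own removal form or contact
    if domain in ANALYSIS_SERVICES:
        reasons.append("analysis-service")      # enforce against the real hosting site instead
    return reasons


if __name__ == "__main__":
    for target in ("https://www.facebook.com/some-profile",
                   "http://phishy-login.example/login",
                   "https://urlscan.io/result/0000/"):
        print(target, "->", enforcement_warnings(target) or "no warnings")
```

A target that trips none of the checks still deserves a human look at the template and recipients; the point of the function is only to surface the cases where a registrar or ISP notice is very likely the wrong channel.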
After you send the message,
- All the included events will automatically change their status to Enforced
- A new Enforcement tab will appear in each event, displaying details about any current or prior enforcement that event is involved in, including enforcement status, notes, and list of other included events with their event-types, IDs, and current status.
- The available workflow actions will change: the 'Enforce' option is replaced by the ability to change the status of the current enforcement or send a follow-up. Events can be associated with only one open enforcement at a time, so the current enforcement must be resolved or closed before a new one can be created for a given event.
Example: For events that are part of an active enforcement, the actions available for the event include closing that enforcement or manually sending a follow up notice.
Enforcement templates can have a configured "follow-up period", defined as a number of hours. If any of the enforced events are still active after the follow-up period elapses, and no other follow-up has manually been sent in the meantime, then a second notice will be automatically sent to the original recipients of the first notice to remind them of the issue and spur further action. When configuring the follow-up period, a max notice count between 1 and 5 must also be chosen, after which the enforcement will be closed, so that automated follow-ups cannot continue indefinitely and spam the intended recipients.
If preferred, instead of auto-sending the follow-up, an alert email can be sent reminding the user that this enforcement needs further attention in order to prompt them to send the follow-up manually by logging into the portal. Both auto-reminder alerting and auto-follow-ups can be disabled if the user wishes to perform both follow-up monitoring and sending manually. If follow-ups are configured to be sent manually, there is no requirement for a maximum notice count. When a reminder email is sent, it is logged in the enforcement's history.
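To make the timing rules above concrete, here is an added Python model of the follow-up scheduler. It is an illustration, not RiskIQ's implementation: the Enforcement class, its field names, the three mode names, and two interpretations are assumptions (the maximum notice count is taken to cap automated follow-ups only, and the enforcement is closed when one more automated follow-up would be due but the cap is already reached). A manual follow-up or a logged reminder resets the clock, and resolved events stop the scheduler, as the text describes.

```python
"""Follow-up scheduling for an open enforcement (added example, not RiskIQ code).

Rules modelled from the page:
  * auto mode: once follow_up_hours have passed since the last notice (original,
    manual, or automatic) with events still active, send another notice to the
    original recipients; max_notices (1..5) caps the automatic follow-ups, after
    which the enforcement is closed. Assumption: the cap counts automatic
    follow-ups, and closing happens when one more would otherwise be due.
  * remind mode: instead of sending, log a reminder e-mail to the user (assumed
    to pace itself on the same period, with no cap required).
  * manual mode: the scheduler does nothing and no cap is required.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

START = datetime(2024, 1, 1, 9, 0)   # constructed reference time for the demo


@dataclass
class Enforcement:
    opened_at: datetime
    recipients: List[str]
    active_event_ids: Set[str]
    mode: str = "auto"                       # "auto", "remind", or "manual"
    follow_up_hours: Optional[int] = None
    max_notices: Optional[int] = None        # required (1..5) in auto mode only
    status: str = "open"
    history: List[Tuple[datetime, str]] = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in ("auto", "remind", "manual"):
            raise ValueError("unknown follow-up mode")
        if self.mode != "manual" and self.follow_up_hours is None:
            raise ValueError("follow_up_hours is required unless mode is manual")
        if self.mode == "auto" and not (self.max_notices and 1 <= self.max_notices <= 5):
            raise ValueError("max_notices must be between 1 and 5 for automatic follow-ups")
        self.history.append((self.opened_at, "notice"))   # the original notice

    def at_hours(self, hours: float) -> datetime:
        """Convenience: a timestamp `hours` after the enforcement was opened."""
        return self.opened_at + timedelta(hours=hours)

    def record_manual_followup(self, at: datetime) -> None:
        self.history.append((at, "manual-follow-up"))   # resets the follow-up clock

    def resolve_events(self, event_ids) -> None:
        self.active_event_ids -= set(event_ids)
        if not self.active_event_ids:
            self.status = "resolved"

    def _count(self, kind: str) -> int:
        return sum(1 for _, k in self.history if k == kind)

    def tick(self, now: datetime) -> Optional[str]:
        """Run the scheduler at `now`; return the action taken, or None."""
        if self.status != "open" or self.mode == "manual" or not self.active_event_ids:
            return None
        last = max(t for t, _ in self.history)           # last notice or reminder
        if now - last < timedelta(hours=self.follow_up_hours):
            return None
        if self.mode == "remind":
            self.history.append((now, "reminder-email"))  # logged; nothing sent externally
            return "reminder-email"
        if self._count("auto-follow-up") >= self.max_notices:
            self.status = "closed"
            self.history.append((now, "closed"))
            return "closed"
        self.history.append((now, "auto-follow-up"))      # to the original recipients
        return "auto-follow-up"


if __name__ == "__main__":
    e = Enforcement(START, ["abuse@registrar.example"], {"ev1", "ev2"},
                    mode="auto", follow_up_hours=48, max_notices=2)
    for h in (47, 48, 49, 96, 144):
        print(f"+{h}h: {e.tick(e.at_hours(h))}")         # None, auto-follow-up, None, auto-follow-up, closed
```

The scheduler is deliberately idempotent per period: calling tick repeatedly within one follow-up window does nothing, so it can be run on any cadence without double-sending.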
Example: an enforcement whose history shows that a reminder email was sent to the user who initiated the enforcement that this case was still open after a couple days and thus, might require a follow-up. In this particular case, however, no follow-up was needed as the recipient of the original notice had already responded to acknowledge the request, and the event was subsequently resolved.
The process of sending a follow-up notice manually is similar to that of sending the original notice that opened the enforcement. The user selects a template; the still-active events in the original enforcement and the recipients are auto-populated; and the user can then make any additions or edits before sending the email.
Example: sending a follow-up manually:
Enforcing Events via Web Forms
Unlike other event-types in RiskIQ, Social Events are enforced exclusively via the web forms offered by each social network hosting an offending profile, rather than by sending enforcement email notices to an abuse team at those networks. The same is true of some mobile app stores, registrars, and ISPs that accept complaints through web forms instead of email contacts, although Rogue Mobile App, Phish, Domain Infringement, and Content events generally involve a mix of email and non-email-based enforcements. In all cases, using web forms in place of email contacts reflects the preferred workflow of the abuse teams at these organizations: they are more responsive to complaints filed via their forms because the forms standardize the format of the requests they receive, which lets them take action more quickly.
To record that a user has submitted one of the social networks' forms and track the enforcement action of a Social Event within the RiskIQ system for reporting purposes, we recommend submitting the form and then using the template / enforce button as normal to send an email to firstname.lastname@example.org confirming that the web form was filled out and creating an enforcement ID in the RiskIQ system to track success.
The steps below outline best practices for Social Event enforcement within the RiskIQ system:
- Click on the 'Report Profile' link provided in the summary tab of the social event. For a rogue mobile app event, the URL is given in the enforcement dialog when the mobile template is selected, if the store is one of those that does not accept email.
- Fill out the form with the requested details specific to the abuse / violation present in the event. Take a screenshot as well if you wish to include that in your records within RiskIQ.
- Upon submitting the form, enforce the event in RiskIQ by selecting the template called 'Confirmation of Social Web Form Completion' in order to create an enforcement ID and track metrics on this enforcement.
- Upon doing that--an enforcement will be created in the enforcement tab on the event(s) as well as in the enforcement section alongside all other enforcements in the workspace.
- Forward any emails to the notice ID from which your first email was sent to associate them to this enforcement ID automatically and have them show up via correspondence tracking (for example, if you filled out the form and got a confirmation of receipt notice back from the site and/or a tracking ID to your email, you should forward it to the notice ID to have it show up in RiskIQ as associated to this enforcement).
For other event-types, where web form-based enforcement is sometimes, but not always, required, follow the standard workflow. Upon submitting the email template, if one or more recipients in your enforcement notice have a known associated web form, the RiskIQ system automatically prompts you with the option to use the information in your template to fill out that web form for you, and records that this was done as part of the enforcement history. In such cases, both the email and the form are sent.
Example: Upon hitting 'Submit' for an enforcement related to GoDaddy and OVH, the system provides the option to fill out web forms those organizations offer.
Example: The Enforcement details include the web forms that were filled out in the 'Web forms' column.
Adding Events to Inventory
- To add an event to your inventory, click on the 'Action' button in the event header and select 'Add to Inventory' from the available actions to open the confirmation dialog.
- Confirm that the asset is legitimate and owned by your organization to submit it to inventory.
- Upon dismissing the confirmation message you receive, the event automatically resolves and the asset is added. A note also appears in the event history alongside the status change, stating "Resolved - Auto Resolved By Adding to Inventory".
User Action Automation via Policy Workflow Orchestration
Some user actions (assigning status, owner, priority, or tagging) can be automated via the policy logic that creates new events and monitors existing ones. Enforcement, adding to inventory, and adding notes currently are not supported via orchestration. For more details on how policy workflow orchestration works and when/how it can be applied, see Event Policy Writing and Workflow Orchestration.
Event Workflow Actions via API
Event updates can also be done via API with a valid API token and password (all actions except adding to inventory and enforcement are supported via API). Ask your RiskIQ Technical Account Manager if you do not have or do not know your API credentials.
See RiskIQ API Documentation for more details on using the RiskIQ API.
Each request consists of a list of event IDs to update, along with the review code (status label), priority label, owner name, target country value (phish events only), tag labels, or note to apply to all of them.
You may apply multiple tags to all of the event IDs in your set, but the other values must be singular.
Submitting enforcements or follow-up notices via API is not currently supported.
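As an added example of what the API constraints above mean for a client, the Python below builds and validates a bulk update request before sending it. It is not RiskIQ's client or documented request schema: the endpoint path, the JSON field names, and the HTTP Basic scheme carrying the API token and password are assumptions to be checked against the RiskIQ API documentation. The validation rules are the ones this page states (a non-empty list of event IDs, single-valued status/priority/owner/note, a multi-valued tag list, a 10,240-character note limit, target country only for phish events, and no enforcement or add-to-inventory via the API).

```python
"""Build a bulk event-update request for the RiskIQ API (added example, not RiskIQ code).

Assumptions to verify against the RiskIQ API documentation: the endpoint path
/v1/event/update, the JSON field names, and HTTP Basic auth with the API token
as user name and the API password as password. The validation rules are the
ones stated on the page.
"""
import base64
import json
import urllib.request

NOTE_LIMIT = 10_240
STATUSES = {"new", "dismissed", "review", "confirmed", "enforced", "resolved", "tenacious", "monitor"}


def build_update(event_ids, *, status=None, priority=None, owner=None, tags=None,
                 note=None, target_country=None, event_type=None):
    """Return the JSON body that applies the same values to every ID in event_ids.

    Raises ValueError for anything the API would not accept per the page: an
    empty ID list, an unknown status, a multi-valued field other than tags, an
    over-long note, a target country on a non-phish event, or no change at all.
    """
    ids = [str(i) for i in event_ids]
    if not ids:
        raise ValueError("at least one event ID is required")
    body = {"eventIds": ids}
    if status is not None:
        if not isinstance(status, str) or status.lower() not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        body["status"] = status                 # 'Enforced' here sends no notice, as in bulk UI
    for key, value in (("priority", priority), ("owner", owner)):
        if value is None:
            continue
        if not isinstance(value, str):
            raise ValueError(f"{key} must be a single string value")
        body[key] = value
    if note is not None:
        if not isinstance(note, str):
            raise ValueError("note must be a single string value")
        if len(note) > NOTE_LIMIT:
            raise ValueError(f"note exceeds {NOTE_LIMIT} characters")
        body["note"] = note
    if target_country is not None:
        if event_type != "phish":
            raise ValueError("targetCountry applies to phish events only")
        body["targetCountry"] = target_country
    if tags:
        body["tags"] = [str(t) for t in tags]   # the only field that may carry several values
    if len(body) == 1:
        raise ValueError("no changes requested")
    return body


def validation_error(event_ids, **fields):
    """Return the ValueError message build_update would raise, or None if valid."""
    try:
        build_update(event_ids, **fields)
    except ValueError as exc:
        return str(exc)
    return None


def send_update(body, token, password, base_url):
    """POST the body with HTTP Basic auth (assumed scheme). Performs a live request;
    base_url comes from the RiskIQ API documentation for your workspace."""
    creds = base64.b64encode(f"{token}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/v1/event/update",     # assumed path
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {creds}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_update([101, 102], status="Confirmed", tags=["brand-x", "q1"],
                                  note="true positive", event_type="phish", target_country="US"), indent=2))
```

Keep the API token and password out of source and shell history (an environment variable or a secrets store), and treat setting 'Enforced' through the API the same way as the bulk UI action: it records a status, it does not send a notice.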
Beyond modifying existing events, users can also add new events via the UI or API. For more details see Event Submission.
Exporting Event Data
Event data can be exported to an Excel document using the download button (located to the right of the search bar, above the email button).
The export will contain the details of all events matching the query you currently have set in the screen. If your query includes multiple event types, the exported file will contain multiple tabs corresponding to each type of event.
Outside of common fields relevant to all event-types, the fields in each tab can vary slightly according to the data that's particular to each type of event. See Event Lifecycle Metrics for more information on universal metrics tracked in relation to the event lifecycle from creation to resolution.
Alternatively, event data can be retrieved as JSON, by using the RiskIQ API. See the section on API responses in Event Search for more details.