The Global Blacklist
Research gives you access to RiskIQ's Global Blacklist of aggregate security incident data across all RiskIQ crawls, including all instances of phishing, malware, spam, and scam observed in RiskIQ crawls.
Click on Research in the top navigation menu, and select Global Blacklist.
Filtering and Searching Blacklist Entries
Click on the currently applied filter at the top left to edit it (by default, this filter will be "Incident Date >= last month" when you load the screen).
This will open the query builder dialog, where you can use drop-down lists of filter/operator choices and create AND and OR clauses to build your query.
You can alternatively type your query directly into the query bar if you know the filter syntax you would like to use.
Below is a list of the filter facets you can use to search events from RiskIQ's Global Blacklist on the Research Tab.
Blacklist score (High = 76+, Medium = 51-75, Low = under 50).
Subset(s) of the blacklist (Phishing, Malware, Spam)
Incident is an exact match or a match by reputation.
Incident matched by domain, URL, host, or path.
Blacklists that include the resource flagged in this incident:
Host associated to this incident.
ASN associated to this incident.
Cause Page Type
Whether the page that generated the incident is the parent page, cloaked page, or prior page in a crawl.
Cause Page Host
Host associated to the cause page in this incident.
Cause Page Alexa
Alexa traffic rank of the cause page in this incident.
Host of the first URL in the sequence leading to this incident.
Cause for generating the incident in the sequence, e.g. parent page, redirect, or embed.
(If applicable) whether the ad in this incident was a display ad, contextual ad, or paid search ad.
(If applicable) ad network that served the ad in this incident.
(If applicable) search network for the crawl that generated this incident, e.g. Google, Yahoo, or Twitter.
Search Result Type
(If applicable) whether a search result that generated this incident was organic, paid, or a blog or microblog.
Which Anti-Virus vendor flagged the resource in this incident.
What type of flag the Anti-Virus vendor raised on the resource in this incident, e.g. Trojan, adware, exploit kit, toolbar or fake AV.
Terms extracted from the VirusTotal description of the resource in this incident (an Anti-Virus Type typically includes several Anti-Virus Results).
Anti-Virus Result Count
Number of Anti-Virus Results contained in the VirusTotal description of the resource in this incident.
RiskIQ List Description
Category applied to the incident by RiskIQ, e.g. Fake Software Update or a specific exploit kit.
(If applicable) organization targeted by a phishing scam.