Release Notes: October 2019

RiskIQ Release Notes contain the following subsections:

  1. Enhancements (per module) describe improvements made in the existing product capabilities.

  2. New Components which are introduced and modified in every release.

  3. New Features in RiskIQ which may require you to set up new processes or re-think existing processes.

  4. Issues Addressed section contains customer reported issues that were fixed in this release.

  5. Known Issues section contains a list of issues whose cause has been identified and cannot be fixed at the time of current release; but typically these issues have workarounds.


Inventory API Cascaded To Asset Type

When updating inventory assets, you can now also update linked assets at the same time.  For example, when tagging a domain name, you may also want to tag the hosts and websites on that domain. We previously released a change that allows users to select which types of linked assets for which to “cascade” bulk changes, but the functionality was limited to the UI only. We now have this functionality in the API as well.

An example of a cascaded update is shown in the endpoint below:

{"ids": [133750362],
  "tags": ["existingTag1"],
  "brands": ["existingBrand1"],
  "organizations": ["existingOrg1"],
  "cascadeToAssetTypes": ["IP Block", "Domain", "Contact", "Host"]

Add/Remove Brand/Org Inventory API

Previously, all updates to the organization or brand fields on an asset would override the previous selection; any asset could only have one brand or organization associated with it.  

Now, the ‘/update’ endpoint for inventory provides the following options: addBrands, removeBrands, addOrganizations, removeOrganizations.  These fields will make relative updates to the existing brand/org values on the assets, just like we do for add/remove tags. You can now have more than one brand or organization associated with an asset. 

See the API here using the previous example:

{"ids": [133750362],
  "addTags": ["existingTag1"],
  "addBrands": ["existingBrand1"],
  "addOrganizations": ["existingOrg1"],

Inventory API Search Timeout

“Timeout” has been added as a query parameter to allow the API caller to request a longer timeout. This ensures that customers with large inventories can avoid any timeout issues with ease. 

An example of the parameter usage:


Asset Security Policies on Website Assets now contain Login-Form and Form indicators

This provides a consistent display between the Asset details view and Asset Security Policy facets in Inventory Search. Previously, we stored this information as a simple yes/no flag within the Details view; it was not clear that Login-Forms and Form indicators are actually part of our security policies.  Now, they have been fully incorporated into the appropriate section

Issues Addressed

External Threats

  • While most event alerts already defanged any URLs inside the email message, until recently there were a couple types of links we did not defang, most notably links to view a mobile application in the app store where it was discovered for a rogue mobile app event notification. However, to prevent the possibility of these links potentially being malicious or blocked by users’ email gateway systems for any reason that would cause such alerts not to get delivered, we now defang those URLs as well.

  • Some users previously encountered errors when attempting to submit enforcements for extremely long URLs, but this has now been fixed. The reason behind this was that when we defanged the URL in the enforcement message body, that caused the URL to surpass an allowed character limit of 256 characters which caused the error.

  • A bug causing classifiers containing multiple entries differing only by a non-English character not to be recognized as unique has been corrected.

Known Issues

  • Users browsing with IE 11 have reported being unable to see the export and full screen buttons at the top right of the dashboard screens in the RiskIQ platform. No other browsers are affected.

External Threats

  • The ‘Time to Action’ metric in the export of phish events currently contains an error in how that metric is calculated. Time to Action is defined as the duration between when an event was created and when the first analyst update to the event took place. This metric is calculated correctly in the External Threats report and other event-type exports, but was starting from the time the crawl completed instead of the time the event was created. This difference is on the order a couple mins for the vast majority of events, but in some unusual cases, such as when crawl examples are used to train the RiskIQ machine learning phishing detection algorithm, we can retroactively create events with a longer delay after the original crawl completed. These cases have produced some events that show a much longer than expected Time to Action value in the export.