RiskIQ virtual users closely simulate human Internet users in the way they interact with web content, capturing everything a human user sees as well as what the browser sees happening behind the scenes, in order to provide a 360-degree record of any observed threat activity. For high-value target sites, virtual users visit a site as often as every couple of hours. Whenever a virtual user crawl completes, RiskIQ analyzes the observed data for malicious or suspicious activity, noting all newly added or changed resources and checking the site for threat indicators based on either RiskIQ's proprietary malware research or third-party blacklists, including:
- Blacklist host reputation
- Newly added or changed resource URL or content uses a bare IP address
- Newly added or changed resource URL or content uses a non-standard / new gTLD
- Newly added or changed resource URL or content uses a newly registered / observed domain or hostname
- Newly added or changed resource hash does not match expected SRI hash
Full records of virtual user sessions, including screenshots, user agent metadata, the captured document object model (DOM) of each page, and the preserved sequence of links and redirects, provide the technical basis of RiskIQ's detection capabilities. Layers of analytics are automatically applied on top of these records to classify each threat and enrich the data with additional insights that determine the appropriate response.
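The indicator checks listed above can be expressed as a small analyzer run over each newly added or changed resource captured in a crawl. The following Python is an added example and not RiskIQ's own code: the baseline hosts, blacklist, TLD allowlist and expected SRI values are constructed, and "newly registered / observed" is approximated as "not present in the previous-crawl baseline" because registration dates are not available offline.

```python
import base64
import hashlib
import ipaddress
from urllib.parse import urlparse

# Constructed baseline for one monitored site (hypothetical values, not RiskIQ data):
# hosts seen in earlier crawls, hosts on a reputation blacklist, and the SRI
# hash each script resource is expected to carry.
KNOWN_HOSTS = {"www.example.com", "cdn.example.com"}
BLACKLISTED_HOSTS = {"bad.example.net"}
# Anything outside this short allowlist is treated as a non-standard / new gTLD.
STANDARD_TLDS = {"com", "net", "org", "edu", "gov", "io", "co", "uk", "de"}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for content: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


EXPECTED_SRI = {
    "https://cdn.example.com/app.js": sri_hash(b"console.log('app');"),
}


def is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_resource(url: str, content: bytes) -> list:
    """Apply the indicator checks to one newly added or changed resource."""
    findings = []
    host = (urlparse(url).hostname or "").lower()
    if host in BLACKLISTED_HOSTS:
        findings.append("blacklisted host")
    if is_bare_ip(host):
        findings.append("bare IP address")
    else:
        if host.rsplit(".", 1)[-1] not in STANDARD_TLDS:
            findings.append("non-standard / new gTLD")
        # Registration age is unavailable offline: flag hosts absent from the baseline.
        if host not in KNOWN_HOSTS:
            findings.append("newly observed hostname")
    expected = EXPECTED_SRI.get(url)
    if expected and sri_hash(content, expected.split("-", 1)[0]) != expected:
        findings.append("SRI hash mismatch")
    return findings
```

Each finding maps to one bullet above; a real deployment would back `KNOWN_HOSTS` with the prior crawl's resource inventory and the blacklist with live reputation feeds.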
Alerting & Threat Management Workflow
RiskIQ provides a web interface, email alerts, and API access to clients and their support teams to view and investigate events. Events are designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.
Users can take the following workflow actions via either UI or API:
- Confirm: Validate event as a true positive
- Enforce: Note that action has already been taken to correct the problem
- Review: Set aside for discussion/review to get feedback and decide on proper response
- Dismiss: Label event as a false positive
- Assign: Make a specific user the owner in charge of managing this event
- Tag: Add a customizable label to an event for searching or reporting
- Email: Send the details of an event to a specified email address (recipient need not have a RiskIQ user account)
- Note: Annotate an event with additional context or details
RiskIQ provides live dashboards, CSV data exports, and an API and integrations with popular SIEM and other tools to extract and interact with our data.