Social Events

Social events are available to External Threats and/or Executive Guardian customers. They alert customers to unauthorized social profiles claiming to represent their brand (External Threats) and/or an executive or employee of the organization (Executive Guardian).

When an infringing profile is detected in either case, a Social event is created in the workspace. The event can be viewed in the events dashboard and events list inside the RiskIQ web application, in an email alert, or via the RiskIQ events API. Currently, Social events cover the following sites: Facebook, Twitter, Instagram, LinkedIn, Pinterest, and YouTube.

For a general introduction to events and other parts of the RiskIQ system, please see RiskIQ Platform Architecture. 

Outlined below are tips on:

  1. How to read and interpret the information presented in a Social event
  2. Suggested user review decision tree and tagging best practices for Social event management
  3. How it works: Social Threats system workflow 

Example: an unsanctioned Twitter profile soliciting donations from users on behalf of the Wikimedia Foundation

Reading Social Events - Field Definitions

Event List Item

This is how Social events are represented in the Events section of the RiskIQ web application. Clicking on a list item brings up details for the event and user-initiated workflow actions. 

  • Thumbnail screenshot of the page that generated the event.
  • Username: the username of the social media profile associated with the event.
  • Social Network: The social network of the profile that generated the event (represented as an icon).
  • Status: current status of the event.
  • Created: date the event was generated.
  • Updated: date of the most recent entry in the event history.
  • Profile Name: name of the social media profile associated with this event.
  • Active: social events are considered active if the account is live, not owned or approved by the brand, and contains branded content.
  • Tags (if any have been applied)

Event Header

At the top of each event's details is a header containing workflow actions. See Event User Actions for information on these options.

Summary Tab

The Summary provides screenshots of the first and most recent crawls of the page and other information for assessing the event and deciding how to act on it.  The Summary tab is organized into multiple sections:


  • Network: the social media platform in which the infringing profile was found.
  • Name: (if applicable) the profile name, stored here when the network supports a profile name that is different from the username/URL.
  • Username: the unique username of the profile within the social network.
  • Homepage: the URL of the profile homepage.
  • Description: (if provided) the description or bio given for the profile.
  • Location: (if provided) the location of the profile.
  • Joined: (if provided) the date the user joined the social network.
  • Link: (if provided) any link provided in the user bio / account description.
  • Followers: (if provided) the number of friends or followers of the profile.
  • Report Profile: Link for reporting fraudulent profiles to the social network for takedown—typically this is a web form that a user must fill out or steps to follow in order to request the removal of an account.


  • Active: whether the event was active on the latest crawl.


  • Timeline of changes made to the event with the date, time, and name of the user who took each action, including:
    • Status changes 
    • Emails sent (with recipients)
    • Notes added
    • Tags added/removed
    • Changes in Owner or Priority

Classify Tab

This section details what about the page was flagged by the RiskIQ system in relation to your business logic. 

Classifiers score the characteristics of social profiles seen by virtual users and determine whether or not a profile should create an event according to the logic described in the policy. Each classifier used in Social event analysis is listed here with its number of hits, its total score, and, for each field the classifier targets, the highlighted page content that produced the score.

The page layout of user profiles and terminology can be slightly different across social networks, but they share the following common features that are extracted and parsed by RiskIQ on each profile in order to fuel analysis of social threats related to your brands.

Crawls Tab

This section houses information on each instance this page was analyzed by RiskIQ. Users can select any of the times that RiskIQ analyzed the page associated with this event (a red arrow next to the timestamp indicates active, while grey signals inactive) to see details about the virtual user's interaction with the event page, and the user session overall, at that point in time.

Details provided about the crawl include: 

  • An overview providing metadata on the crawl and the screenshot taken by the virtual user
    • Global Unique Identifier for the user session and page within the user session
    • Date and time
    • Initial URL where the virtual user began the crawl
    • Browser used
    • Geographic location of the virtual user
    • Total number of pages visited during the user session
    • Total number of pages visited that returned error messages
    • URL of the event page
    • IP address
    • Response code and message returned by the event page
    • Page Content-type
    • Page Content length
    • Page response time
    • Window name
  • The original HTML response of the page
  • The rendered document object model after the page loaded in the user's browser
  • Files
  • Cookies
  • Links
  • Headers

Managing Social Events - User Review Decision Tree and Tagging Best Practices

The flow chart below describes a decision tree encompassing best practices for handling and enforcing social events. 

  • Green represents steps taken automatically by the RiskIQ system
  • Pink represents steps taken by a human user 
  • Blue represents a status and/or tag label

Recommended Tag Set

  1. Undetermined
  2. Authorized Profile
  3. Unauthorized Profile
  4. Impersonation/Fraud
  5. Brand Abuse
  6. Other

Social Threats System Overview


Social Threats is designed to detect social profiles impersonating your brands and/or executives. We use a combination of search engine, native UI, and API-based methods because the search capabilities and data model vary by social network. Virtual user searching supplements coverage where API-based searching is not available or where gaps in API-based detection may exist.

For example, the Twitter API gives near real-time detection of posting activity, but virtual user coverage through a native UI search is needed to identify any accounts that have never posted, or which posted in the past but are not actively posting currently. This takes the form of scheduled searches, typically daily, to supplement the real-time activity detection.

When either searching method identifies a candidate social profile, RiskIQ crawls the homepage associated to that social account and parses the profile details, including the username, profile name, bio, bio link, number of followers, join date, location, etc. These details are analyzed against the configured policy in the workspace to see if the profile should create an event. 

Social profiles are considered active as long as the account homepage URL is still accessible and the current profile details trigger the configured policy logic in the workspace. If the account is deleted by the user or by the social network, the event is considered inactive and will resolve. Similarly, if details about the account such as the profile picture, bio, etc. are edited to remove all brand-related content, the event is considered inactive and will resolve.

System Overview

The following diagram follows a Social event through the RiskIQ system from a virtual user first encountering a page through a search, to the analysis of the crawl, and through the event monitoring, including enforcement procedures if applicable, to resolution, and post-resolution monitoring. 

  • Green represents steps taken automatically by the RiskIQ system
  • Pink represents steps taken by a human user 
  • Blue represents a status and/or tag label

If you are a RiskIQ admin user looking for step-by-step instructions on creating/modifying Social classifiers, policies, or projects, refer to Setting Up Social Events.

Monitoring and Auto-Resolution

  • Social events are re-crawled roughly every 48 hours. Additional samples can occur outside of this schedule based on normal/non-monitoring-related virtual user activity (if, for example, the same pages also show up in searches for new pages).
    • Monitoring times are approximate: to balance load across the entire system, crawls may be slightly advanced or delayed to prevent load spikes.
  • Upon the first inactive sample of an event, an additional crawl will be scheduled 12 hours later to confirm whether the event should resolve or whether the first crawl was an anomaly.
  • An event will automatically resolve after 2 consecutive inactive samples and at least 1 hour of continuous inactive time.
  • Events change from Resolved to Tenacious if the next crawl is found to be active.
  • Events change from Monitor to Tenacious if there is a >10% difference in page content between the next crawl and the prior one.
  • All events are monitored using the metro and browser from the most recent active crawl sample; if there was no prior active crawl (e.g., for a manually submitted event), then the default crawl settings will be inherited from the auto-generated monitor project assigned to the event type (typically this is a US-based metro and a recent desktop version of Chrome as the browser unless otherwise specified).
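
The monitoring rules above can be replayed over a crawl history to predict when an event will resolve or turn Tenacious, which is useful when reconciling event status changes pulled from the events list. The following is an added example, not RiskIQ code: the `Sample` structure and `replay` function are hypothetical, the timeline is constructed, and it assumes the page-content difference arrives as a fraction and is only checked on active samples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RECRAWL = timedelta(hours=48)        # routine re-crawl interval
CONFIRM = timedelta(hours=12)        # confirmation crawl after first inactive sample
MIN_INACTIVE = timedelta(hours=1)    # continuous inactive time required to resolve
DIFF_THRESHOLD = 0.10                # ">10% difference in page content"

@dataclass
class Sample:                        # one crawl result (hypothetical structure)
    at: datetime
    active: bool
    content_diff: float = 0.0        # fraction changed vs. prior crawl; metric is assumed

def replay(status, samples):
    """Apply the documented rules to crawl samples in time order.
    Returns [(status_after_sample, next_scheduled_crawl), ...]."""
    inactive_run, inactive_since, out = 0, None, []
    for s in samples:
        if s.active:
            inactive_run, inactive_since = 0, None
            if status == "Resolved":
                status = "Tenacious"             # resolved event came back
            elif status == "Monitor" and s.content_diff > DIFF_THRESHOLD:
                status = "Tenacious"             # assumption: diff rule checked on active samples
            next_crawl = s.at + RECRAWL
        else:
            inactive_run += 1
            inactive_since = inactive_since or s.at
            if inactive_run >= 2 and s.at - inactive_since >= MIN_INACTIVE:
                status = "Resolved"
            # only the first inactive sample triggers the 12-hour confirmation crawl
            next_crawl = s.at + (CONFIRM if inactive_run == 1 else RECRAWL)
        out.append((status, next_crawl))
    return out

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)                    # constructed timeline
    timeline = [Sample(t0, True), Sample(t0 + RECRAWL, False),
                Sample(t0 + RECRAWL + CONFIRM, False),
                Sample(t0 + 2 * RECRAWL + CONFIRM, True)]
    for s, (status, nxt) in zip(timeline, replay("Monitor", timeline)):
        print(s.at, "active" if s.active else "inactive", "->", status, "| next crawl", nxt)
```

Two inactive samples taken less than an hour apart (for instance, a monitoring crawl plus an incidental search hit) do not resolve the event; the 1-hour continuous-inactivity condition has to hold as well.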