Web Compliance Events

Web Compliance events are available to customers who have purchased RiskIQ Enterprise Digital Footprint. They alert customers to any pages within inventory that violate policies set by your Governance, Risk and Compliance (GRC) group.

When a compliance violation is found, a Web Compliance event is created in the workspace. It can be viewed in the events dashboard and events list inside the RiskIQ web application, in an email alert, or via the RiskIQ events API.

Outlined below are tips on:

  1. How to read and interpret the information presented in a Web Compliance event
  2. Suggested best practices for Web Compliance event management, including user workflow and tagging

Example: a Web Compliance event showing a web page that contains a form transmitting customer data in a non-compliant manner.


Reading Web Compliance Events - Field Definitions

Event List Item

This is how Web Compliance events are represented in the Events section of the RiskIQ web application. Clicking on a list item brings up details for the event and user-initiated workflow actions.

  • Event-Type: What kind of event it is.
  • Cause: The name of the specific web compliance policy violated.
  • Active: Web Compliance events are considered active if the page is live (has a 200 response code) and triggers an enabled compliance policy.
  • Status: current status of the event.
  • First Seen: date the event was generated.
  • Scanned At: When the page was last crawled to check whether the violation has been resolved.
  • Tags (if any have been applied)

Event Header

At the top of each event's details is a header containing high-level information, as well as workflow actions.

  • Status: current event status and the ability to change the status of this event.
  • Tags: Tags applied to this event and the ability to add or remove tags (if any tags are configured for this event-type).
  • Owner: current event owner responsible for reviewing or tracking the event and the ability to assign a new owner for this event.
  • Priority: current event priority and the ability to assign a new priority for this event.
  • Email Event Details (via envelope icon at top right)

Summary Tab

The Summary tab provides screenshots of the first and most recent crawls of the page (if applicable), the highlighted code within the DOM of the page containing the violation, and other information for assessing the event and deciding how to act on it. The Summary tab is organized into multiple sections:

ATTRIBUTES

  • Cause: The name of the specific web compliance policy violated.
  • Cause Description: Description of what the policy is intended to detect and its potential business or security impact.
  • Active: Web Compliance events are considered active if the page is live (has a 200 response code) and triggers an enabled compliance policy.
  • Domain: The domain name of the URL associated with this event.
  • Alexa: Degree of web traffic indicated by the site's Alexa rank (High = Top 1,000, Medium = Top 10,000, Low = 10,000+).
  • First Seen: date the event was generated.
  • Updated: date of the most recent status change on this event.


HISTORY

  • Timeline of changes made to the event with the date, time, and name of the user who took each action, including:
    • Status changes
    • Emails sent (with recipients)
    • Notes added
    • Tags added/removed

Site Details

This section provides more information about the website associated with this event beyond what is shown in the Summary tab, including:

  • CName
  • Nameserver Information
  • ASN Information
  • Metro Code Information
  • Alexa Category and Exact Rank
  • Full WhoIs Record
  • Full IP WhoIs Record
  • Host Details
  • SSL Information
  • File Information


Crawls Tab

This section houses information on each instance in which this page was analyzed by RiskIQ. Users can select any of the times that RiskIQ analyzed the page associated with this event to see details about the virtual user's interaction with the event page and the user session overall at that point in time (a red arrow next to the timestamp indicates an active sample, while grey signals an inactive one).


Details provided about the crawl include:

  • An overview providing metadata on the crawl and the screenshot taken by the virtual user
    • Date and time
    • Initial URL where the virtual user began the crawl
    • Browser used
    • Geographic location of the virtual user
    • Total number of pages visited during the user session
    • Total number of pages visited that returned error messages
    • URL of the event page
    • IP address
    • Response code and message returned by the event page
    • Page Content-type
    • Page Content length
    • Page response time
    • Window name
  • The original HTML response of the page
  • The rendered document object model after the page loaded in the user's browser
  • Files
  • Cookies
  • Links
  • Headers


Managing Web Compliance Events - User Review Decision Workflow and Tagging Best Practices

  • Green represents steps taken automatically by the RiskIQ system
  • Pink represents steps taken by a human user
  • Blue represents a status and/or tag label

Tag Set

  • Requires Remediation
  • Acceptable Risk

Monitoring and Resolution

  • Web Compliance events are re-crawled roughly every 48 hours. Additional samples can occur outside of this schedule based on normal, non-monitoring-related virtual user activity (if, for example, the same pages also show up in searches for new pages).
    • Monitoring times are approximate: to balance load across the entire system, crawls may be slightly advanced or delayed to prevent load spikes.
  • Upon the first inactive sample of an event, an additional crawl is scheduled 12 hours later to confirm whether the event should resolve or the first crawl was an anomaly.
  • An event will automatically resolve after 2 consecutive inactive samples and at least 1 hour of continuous inactive time.
  • Events change from Resolved to Tenacious if the next crawl is found to be active.
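As an added example (not RiskIQ's own code), the monitoring and resolution rules above, together with the definition of an active event (live page with a 200 response and an enabled policy triggered), modelled as a small state machine replayed over constructed crawl samples. "Open" as the name of an unresolved status, and letting a Tenacious event resolve again under the same rules, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class CrawlSample:
    scanned_at: datetime
    response_code: int
    policy_triggered: bool  # an enabled compliance policy fired on the page

def is_active(s: CrawlSample) -> bool:
    return s.response_code == 200 and s.policy_triggered  # live AND policy hit

@dataclass
class EventState:
    status: str = "Open"                     # "Open" is an assumed name for an unresolved event
    inactive_streak: int = 0                 # consecutive inactive samples
    inactive_since: Optional[datetime] = None
    next_crawl_at: Optional[datetime] = None

def apply_sample(state: EventState, s: CrawlSample) -> EventState:
    if is_active(s):
        if state.status == "Resolved":       # a Resolved page seen active again
            state.status = "Tenacious"
        state.inactive_streak, state.inactive_since = 0, None
        state.next_crawl_at = s.scanned_at + timedelta(hours=48)
        return state
    state.inactive_streak += 1
    if state.inactive_streak == 1:           # first inactive sample: confirm 12 hours later
        state.inactive_since = s.scanned_at
        state.next_crawl_at = s.scanned_at + timedelta(hours=12)
    else:
        state.next_crawl_at = s.scanned_at + timedelta(hours=48)
    # Resolve after 2 consecutive inactive samples spanning at least 1 hour of inactivity.
    if state.status != "Resolved" and state.inactive_streak >= 2 and s.scanned_at - state.inactive_since >= timedelta(hours=1):
        state.status = "Resolved"
    return state

def replay(samples) -> EventState:
    state = EventState()
    for s in sorted(samples, key=lambda x: x.scanned_at):
        state = apply_sample(state, s)
    return state

def demo() -> dict:
    t0 = datetime(2021, 3, 1, 9, 0)  # constructed timestamps; hours are offsets from t0
    def at(h, code=200, hit=True): return CrawlSample(t0 + timedelta(hours=h), code, hit)
    return {"resolved": replay([at(0), at(48, 404, False), at(60, 404, False)]).status,
            "too_soon": replay([at(0), at(48, 404, False), at(48.5, 404, False)]).status,
            "tenacious": replay([at(0), at(48, 404, False), at(60, 404, False), at(108)]).status,
            "streak_reset": replay([at(0), at(48, 404, False), at(60), at(108, 404, False)]).status}
```

The "too_soon" scenario shows why the 1-hour rule matters for out-of-schedule samples: two inactive samples only 30 minutes apart do not resolve the event.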