RiskIQ External Threats
App Vendor: RiskIQ
Connector Category: Data Enrichment and Threat Intelligence
App Version in Orchestrate: 1.1.1
API Version: 1.0.0
About App
The RiskIQ External Threats app allows Orchestrate to connect with RiskIQ to create and modify events, enforcements, and enrichments. Using RiskIQ, security analysts can detect and eliminate external threats and automate response to phishing pages or domain abuse. RiskIQ External Threats empowers organizations to monitor digital channels and detect advanced threats such as phishing against customers or employees, imposter social media accounts, compromised mobile apps, or any unsanctioned brand usage.
The RiskIQ External Threats app is configured with the Orchestrate application to perform the following actions:
Action | Description |
---|---|
Update Event or Events | This action updates an event or events with a priority, review code, notes, and tags. |
List Search Filter Fields | This action lists all the permitted fields for filtering event searches. |
List Crawls | This action lists all the crawls in ascending order from the start date. |
View Crawl | This action retrieves details of the crawl based on the crawl GUID. |
Search Enforcements | This action searches for enforcements using a query string and date filter. |
View Enforcement | This action views an enforcement using the enforcement ID. |
Search Event | This action searches events in RiskIQ using queries. |
Create Social Event | This action creates a social event in RiskIQ. |
Create Content Event | This action creates a content event in RiskIQ. |
Create Phish Event | This action creates a phishing event in RiskIQ. |
Create Domain Infringement Event | This action creates a domain infringement event in RiskIQ. |
Query Whois Information | This action queries the Whois information from RiskIQ. |
Update Event Phase | This action updates the phase of a particular event in RiskIQ. |
Update Event Tag | This action updates the tag of a particular event in RiskIQ. |
View Event | This action views the event details based on the event ID. |
Configuration Parameters
The following configuration parameters are required for the RiskIQ app to communicate with the RiskIQ enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the RiskIQ External Threats API key. | Text | Required | |
Secret Key | Enter the RiskIQ External Threats secret key. | Password | Required | |
Action: Update Event or Events
This action updates an event or events with a priority, review code, notes and tags. The Event ID can be retrieved using the Search Events action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID List | Enter the list of event IDs to update. Example: "event_ids": [ "85844621", "76643567" ] | List | Required | |
Review Code | Enter the review code to assign to the events, reflecting their review status. Example: "Resolved" | Text | Optional | Allowed values: |
Event Priority | Enter the priority to assign to the events. Example: "MINOR" | Text | Optional | Allowed values: |
Owner | Enter the owner name to assign to the events. | Text | Optional | |
Country | Enter the country to assign to the events. Example: "USA" | Text | Optional | |
Tags | Enter the new tags to assign to the events as key-value pairs. Example: "Content": "Credit Card" | Key Value | Optional | |
Note | Enter the note to add to the events. | Text | Optional | |
Example Request
[ { "note": "Test Event", "tags": { "Content": "Credit Card" }, "country": "USA", "event_ids": [ "85844621" ], "review_code": "Resolved", "event_priority": "MAJOR" } ]
Action: List Search Filter Fields
This action lists all the permitted fields for filtering event searches.
Action Input Parameters
This action does not require any input parameters.
Action: List Crawls
This action lists all the crawls between the start and end dates, in ascending order of start date. Each crawl entry includes the crawl ID, GUID, project ID, and other crawl details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start Date | Enter the start date in yyyy-MM-dd format to list the crawls from. | Text | Required | |
End Date | Enter the end date in yyyy-MM-dd format. | Text | Required | |
Example Request
[ { "end_date": "2021-05-01", "start_date": "2021-01-01" } ]
Action: View Crawl
This action retrieves details of the crawl based on the crawl GUID. The crawl GUID can be retrieved from the List Crawls action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Crawl GUID | Enter the GUID of the crawl to retrieve details for. | Text | Required | |
Example Request
[ { "crawl_guid": "8cdc3fd5-60c4-4222-b690-4b832e71a54a" } ]
Action: Search Enforcements
This action searches enforcements using a query string, an earliest-creation-date filter, or both.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query string to search enforcements. Example: "name": "amazonaws.com" | Text | Optional | |
Earliest Creation Date | Enter the earliest creation date in yyyy-mm-dd format to return the enforcements. | Text | Optional | |
Number of Results | Enter the number of results to return. | Integer | Optional | Default value: 50 |
Offset | Enter the offset of the first result returned. | Integer | Optional | Default value: 0 |
Example Request
[ { "earliest_creation_date": "2015-01-01", "offset": 0, "results": 50, "query": { "name": "amazonaws.com" } } ]
Action: View Enforcement
This action views the enforcement details using the Enforcement ID, which can be retrieved from the Search Enforcements action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Enforcement ID | Enter the Enforcement ID to retrieve the corresponding enforcement details. | Integer | Required | |
Example Request
[ { "enforcement_id": 243121 } ]
Action: Search Event
This action searches events in RiskIQ using queries or filter strings to display all the event related information such as event name, ID, associated tags, status, and other details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query to search events. Example: "status": "New" | Text | Optional | |
Filter String | Enter the filter for events. Format: "<FIELD> <LOGICAL OPERATOR> <VALUE>" Filters can be joined using "OR" and "AND". "OR" is applied before "AND". | Text | Optional | |
Number of Results | Enter the number of search results to return. Example: 10 | Integer | Optional | Default value: 50 |
Offset | Enter the offset of the first result returned. Example: 1 | Integer | Optional | Default value: 0 |
Example Request
[ { "offset": 1, "results": 10, "filter_string": "reviewCode NOT_IN Dismissed,Resolved OR eventType NE BRAND_IN_DOMAIN AND ip IN 127.0.0.1", "query": { "status": "New" } } ]
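The filter-string grammar above ("<FIELD> <LOGICAL OPERATOR> <VALUE>" clauses joined with OR and AND, with OR applied before AND) and the offset/results paging shared by Search Event and Search Enforcements are easy to get wrong in a playbook, so the following is an added example that evaluates both locally. It is not RiskIQ's or Orchestrate's code: it parses a filter string into AND-groups of OR-clauses (so "A OR B AND C" is evaluated as "(A OR B) AND C", the page's stated precedence), applies it to a constructed list of sample events, and pages through the hits the way a playbook would advance the offset. The operators NOT_IN, NE and IN are taken from the page's own example; EQ, the sample events, and the function names search_events and search_all are assumptions.

```python
"""Added example (not RiskIQ/Orchestrate code): local evaluator for the Search Event
filter-string syntax plus offset/results paging over constructed sample events."""

from __future__ import annotations

from typing import Any, Callable

# Constructed sample events; field names follow the page's filter example.
SAMPLE_EVENTS = [
    {"id": 85844621, "reviewCode": "New", "eventType": "PHISH", "ip": "127.0.0.1"},
    {"id": 76643567, "reviewCode": "Resolved", "eventType": "PHISH", "ip": "10.0.0.5"},
    {"id": 89061670, "reviewCode": "Dismissed", "eventType": "BRAND_IN_DOMAIN", "ip": "127.0.0.1"},
    {"id": 89061647, "reviewCode": "Monitor", "eventType": "BRAND_IN_DOMAIN", "ip": "192.0.2.9"},
    {"id": 90000001, "reviewCode": "Review", "eventType": "SOCIAL", "ip": "127.0.0.1"},
]


def _values(raw: str) -> set[str]:
    """Split a comma-separated value list such as 'Dismissed,Resolved'."""
    return {v.strip() for v in raw.split(",") if v.strip()}


# NOT_IN, NE and IN appear in the page's example; EQ is an assumed addition.
OPERATORS: dict[str, Callable[[Any, str], bool]] = {
    "EQ": lambda field, raw: str(field) == raw,
    "NE": lambda field, raw: str(field) != raw,
    "IN": lambda field, raw: str(field) in _values(raw),
    "NOT_IN": lambda field, raw: str(field) not in _values(raw),
}

Clause = tuple[str, str, str]


def parse_filter(filter_string: str) -> list[list[Clause]]:
    """Parse into AND-groups of OR-clauses.

    OR is applied before AND (per the page), so the string is first split on
    AND, then each part on OR: the outer list is AND'd, each inner list OR'd.
    """
    groups: list[list[Clause]] = []
    for and_part in filter_string.split(" AND "):
        clauses: list[Clause] = []
        for or_part in and_part.split(" OR "):
            tokens = or_part.strip().split(None, 2)
            if len(tokens) != 3:
                raise ValueError(f"clause must be '<FIELD> <OPERATOR> <VALUE>': {or_part!r}")
            field, op, value = tokens
            if op not in OPERATORS:
                raise ValueError(f"unsupported operator {op!r}")
            clauses.append((field, op, value))
        groups.append(clauses)
    return groups


def matches(event: dict[str, Any], groups: list[list[Clause]]) -> bool:
    """Every AND-group must hold; within a group any OR-clause suffices."""
    return all(
        any(OPERATORS[op](event.get(field), value) for field, op, value in clauses)
        for clauses in groups
    )


def search_events(filter_string: str, results: int = 50, offset: int = 0,
                  events: list[dict[str, Any]] = SAMPLE_EVENTS) -> list[dict[str, Any]]:
    """Mimic one Search Event call: filter, then return a page (defaults 50 / 0 as on the page)."""
    groups = parse_filter(filter_string)
    hits = [e for e in events if matches(e, groups)]
    return hits[offset:offset + results]


def search_all(filter_string: str, page_size: int = 2,
               events: list[dict[str, Any]] = SAMPLE_EVENTS) -> list[int]:
    """Walk every page by advancing offset by page_size until a short page comes back."""
    ids: list[int] = []
    offset = 0
    while True:
        page = search_events(filter_string, results=page_size, offset=offset, events=events)
        ids.extend(e["id"] for e in page)
        if len(page) < page_size:
            return ids
        offset += page_size


if __name__ == "__main__":
    page_filter = "reviewCode NOT_IN Dismissed,Resolved OR eventType NE BRAND_IN_DOMAIN AND ip IN 127.0.0.1"
    print(search_all(page_filter))
```

Running the page's own example filter over the sample events returns only 85844621 and 90000001: event 89061647 (Monitor, BRAND_IN_DOMAIN, 192.0.2.9) satisfies the OR-group but not the "ip IN 127.0.0.1" group, which it would have matched if AND were applied first. Values containing a literal " OR " or " AND " are not supported by this simple splitter.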
Action: Create Social Event
This action creates a social event in RiskIQ using the social event URL, review code, priority, and a note.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the URL of the social event to be logged. Example: "https://www.sampledomain.com/test.exampleuser/" | Text | Required | |
Review Code | Enter the review code to assign to the social event. Example: "Resolved" | Text | Required | Allowed values: |
Event Priority | Enter the priority to assign to the social event. Example: "MAJOR" | Text | Required | Allowed values: |
Note | Enter a custom note to add to the event. Example: "This is a test event" | Text | Optional | |
Example Request
[ { "url": "https://www.sampledomain.com/test.user/", "note": "This is a test event", "review_code": "Dismissed", "event_priority": "Minor" } ]
Action: Create Content Event
This action creates a content event in RiskIQ using the URL, status, priority, and notes.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the URL to be logged. Example: "https://www.medium.com" | Text | Required | |
Review Code | Enter the review code to assign to the event. Example: "Monitor" | Text | Required | Allowed values: |
Event Priority | Enter the priority to assign to the event. Example: "MINOR" | Text | Required | Allowed values: |
Note | Enter a custom note to add to the event. Example: "This is a test note for the event" | Text | Optional | |
Example Request
[ { "url": "https://www.medium.com", "note": "This is a test note for the event", "review_code": "Dismissed", "event_priority": "Minor" } ]
Action: Create Phish Event
This action creates a phishing event in RiskIQ using the URL, status, priority, and notes.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the URL of the phishing event to be logged. Example: "https://www.g000gle.com" | Text | Required | |
Review Code | Enter the review code to assign to the phish event. | Text | Required | Allowed values: |
Event Priority | Enter the priority to assign to the phish event. | Text | Required | Allowed values: |
Note | Enter a custom note to add to the phish event. Example: "This is a test note for the phish event" | Text | Optional | |
Example Request
[ { "url": "https://www.g000gle.com", "note": "This is a test note for the phish event", "review_code": "Dismissed", "event_priority": "Minor" } ]
Action: Create Domain Infringement Event
This action creates a domain infringement event in RiskIQ using the domain URL, status, priority, and optional notes.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain to log an event for domain infringement. Example: "http://cyvvare.com" | Text | Required | |
Review Code | Enter the review code to assign to the domain infringement event. Example: "Review" | Text | Required | Allowed values: |
Priority | Enter the priority to assign to the domain infringement event. Example: "TRIVIAL" | Text | Required | Allowed values: |
Note | Enter any notes to add to the domain infringement event. | Text | Optional | |
Example Request
[ { "note": "This is a test", "domain": "http://cyvvare.com", "review_code": "Dismissed", "event_priority": "Minor" } ]
Action: Query Whois Information
This action queries Whois information from RiskIQ.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain to query RiskIQ for. Example: "https://www.testdomain.com" | Text | Required | |
Number of Results | Enter the number of results to return. Example: 50 | Integer | Optional | Default value: 10 |
Example Request
[ { "domain": "https://www.cyware.com" } ]
Action: Update Event Phase
This action updates the phase of a particular event in RiskIQ using the Event ID. The Event ID can be retrieved using the Search Events action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the ID of the event whose phase must be updated. Example: 85844621 | Integer | Required | |
Review Code | Enter the review code to update the event to. Example: "Resolved" | Text | Required | Allowed values: |
Example Request
[ { "event_id": 89061670, "review_code": "Resolved" } ]
Action: Update Event Tag
This action updates the tag of a particular event in RiskIQ using the Event ID. The Event ID can be retrieved using the Search Events action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the ID of the event whose tag must be updated. Example: 85844621 | Integer | Required | |
Tag | Enter the tag and its value as a key-value pair. The tag must already exist in RiskIQ External Threats. Example: "eventtype": "item" | Key Value | Required | |
Example Request
[ { "tags": { "Content": "Credit Card" }, "event_id": 89061647 } ]
Action: View Event
This action views the event corresponding to an event ID with additional summary details about the event such as associated tags, IP details, domain attributes, and other enforcement details. The Event ID can be retrieved using the Search Events action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the ID of the event to view. Example: 85844621 | Integer | Required | |
Include User Notes | Specify whether to include notes from users in the response. | Boolean | Optional | Default value: False |
Include Classifier Matches | Specify whether to include classifier matches in the response. | Boolean | Optional | Default value: False |
Include Snapshot URL of Event | Specify whether to include a snapshot URL of the event in the response. | Boolean | Optional | Default value: False |
Example Request
[ { "event_id": 85844621, "snapshot": true, "classifier_matches": true, "include_user_notes": true } ]