RiskIQ PassiveTotal

RiskIQ PassiveTotal expedites investigations by connecting internal activity, event, and incident indicator of compromise (IOC) artifacts to what is happening outside the firewall: external threats, attackers, and their related infrastructure.

Integration with LogicHub

Connecting with RiskIQ PassiveTotal

To connect to RiskIQ PassiveTotal, the following details are required:

  • Label: Connection name.
  • Credential Entry Type: Credential settings vary based on credential type.
  • API Key: The API key used to authenticate to RiskIQ PassiveTotal.
  • Username: The username (account email) that the API key belongs to.

Actions with RiskIQ PassiveTotal

Host Scan

Submits a host name or IP address to RiskIQ PassiveTotal for lookup against its database. Use the result to drive how incident response is handled for that indicator.

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Host: Column name from parent table to lookup value for Host.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Scan Result. Note that ip_list and record_list are returned as the string representation of a list (single-quoted, Python style), not as JSON arrays, so downstream steps must parse them before iterating.
{
  "ip_list": "['uatu.useed.fr', 'dc-7ef8afd4dd38.freshspam.tools', 'freshtoolsx.com', 'dc-f859fcc9d787.fudtoolvideos.com', 'dc-c5611aa9b71d.claysendervideos.com', 'dc-5a675cfa30ef.freshspamtools.io', 'www.fudsender.com', 'dc-f6356b7f68a2.freshscamtools.com', 'dc-97a425cb514e.fudpages.store', 'dc-d2294fcd139a.politicalshub.com', 'alicg.fudsell.com', 'dc-3f851d5396fa.fudtoolx.com', 'tamilmov.net', 'fudspamtoolshop.com', 'www.bg-gledai.tv', 'dc-2519f8039198.sellonline.tools', 'fudpagetools.com', 'whoarewe.cc', 'dl.mytamilhdmovies.com', 'www.heartsenderpages.com', 'xleetshop.com', 'dc-0cd40b7ab2a7.buyspamtools.com', 'mail.heartsender.com', 'fudtoolmarket.com', 'fudninja.com', 'webdisk.fudsell.com', 'dc-8c82a8fb6c36.fudpage.ru', 'cpanel.fudsell.com', 'hostmaster.fudsell.com', 'dc-445c117b2372.fudsender.com', 'image.whoarewe.cc', 'dc-26af7fbfee86.fudletter.com', 'onlintoolspayment.com', 'mta-sts.mail.fudsell.com', 'dc-29c0deaca007.heartsender.com', 'dc-7a3a42658a94.fudscam.com', 'fudtool.com', 'dc-59799231c095.fudspamvideos.com', '62-210-178-100.rev.poneytelecom.eu', 'dl.tamilsrc.xyz', 'bg-gledai.tv', 'dc-39172d7351b5.fudspam.com', 'freshscamtool.com', 'm1.xxaiai.xyz', 'dc-17ca623f2693.mrcodertools.com', 'fudscampage.com', 'mail.fudsell.com', 'fudscamtool.com', 'dc-122b16482fed.fudpagegateway.com', 'www.fudtool.com', 'fudscamtools.com', 'dc-6546831540f8.seliunx.com', 'mail.heartsenderpages.com', 'dlm.fullmob.net', 'fudsender.com', 'dl1.tamilsrc.xyz', 'heartsenderpages.com', 'v1.aiaixx.top', 'avleak.com', 'dc-42edc694d94e.heartsenderscampages.com', 'dc-d447e8e62bed.techsmithpro.com', 'd29sender.com', 'www.spammarket.com', 'cpanel.fudsender.com', 'dc-7aacbea34d7b.scrapercode.net', 'dc-fcada5615da0.fudninja.com', 'dc-e3c48c5aa1dc.claysender.com', 'dc-0bb404909276.freshfudpages.com', 'dc-cec0389c92bf.fudsenderstore.com', 'dc-ea4581343e13.fudpagevideos.com', 'mail.fudteambilling.com', 'dc-4b66a8da3ce1.fudtool.ru', 'dl2.tamilmov.net', 'webmail.fudsell.com', 
'dc-3f9c20d8de7e.heartsendervideos.com', 'm3u8.xxaiai.xyz', 'mail.freshspamtool.com', 'freshspamtoolshop.com']",
  "record_list": "['A']"
}

Get Enrichment Data

Get enrichment data for a query.

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Jinja Template Query: Jinja-templated query containing the domain or IP being queried. Example: {{query_column_name}}.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Enrichment Data.
{
  "network": "62.210.0.0/16",
  "classification": null,
  "tags": [],
  "country": "FR",
  "system_tags": [
    "routable",
    "ONLINE-S.A.S."
  ],
  "dynamic": null,
  "longitude": 2.4075000286102295,
  "sinkhole": false,
  "global_tags": [
    "as12876"
  ],
  "tag_meta": {},
  "autonomousSystemNumber": 12876,
  "queryValue": "62.210.178.100",
  "latitude": 48.832298278808594,
  "everCompromised": false,
  "autonomousSystemName": "ONLINE S.A.S.",
  "queryType": "ip"
}
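The two outputs above are what an automation step actually has to work with: the Host Scan result, whose list fields arrive as Python-repr strings rather than JSON arrays, and the enrichment record with its everCompromised, sinkhole, classification and tag fields. The following is an added example, not LogicHub or RiskIQ code, showing how a follow-on step can parse the Host Scan lists safely (ast.literal_eval instead of json.loads, which rejects the single quotes) and combine both results into a triage verdict. The scoring weights, the SHARED_HOSTING_THRESHOLD value, the verdict labels and the abbreviated sample inputs are all assumptions chosen for illustration.

```python
"""Triage over Host Scan and Get Enrichment Data output (added example)."""
import ast
import json

# Constructed sample: an abbreviated Host Scan result in the shape shown above.
# The list values are repr() strings, exactly as the action returns them.
HOST_SCAN_RESULT = {
    "ip_list": "['uatu.useed.fr', 'dc-7ef8afd4dd38.freshspam.tools', "
               "'62-210-178-100.rev.poneytelecom.eu', 'mail.fudsell.com']",
    "record_list": "['A']",
}

# Constructed sample: a Get Enrichment Data result for the same IP.
ENRICHMENT_RESULT = {
    "network": "62.210.0.0/16",
    "classification": None,
    "tags": [],
    "system_tags": ["routable", "ONLINE-S.A.S."],
    "dynamic": None,
    "sinkhole": False,
    "global_tags": ["as12876"],
    "autonomousSystemNumber": 12876,
    "queryValue": "62.210.178.100",
    "everCompromised": False,
    "queryType": "ip",
}

# Assumed threshold: this many distinct hostnames in the passive DNS history
# is treated as shared or bulk hosting (worth a look, not proof of malice).
SHARED_HOSTING_THRESHOLD = 3


def parse_list_field(value):
    """Return a list field from the Host Scan result as a real Python list.

    json.loads() fails on the single-quoted repr() form, so fall back to
    ast.literal_eval(), which parses literals without executing anything.
    Already-parsed lists and genuine JSON arrays pass straight through.
    """
    if isinstance(value, list):
        return value
    if not isinstance(value, str) or not value.strip():
        return []
    try:
        parsed = json.loads(value)
    except ValueError:
        parsed = ast.literal_eval(value)
    return list(parsed) if isinstance(parsed, (list, tuple)) else [parsed]


def triage(host_scan, enrichment):
    """Combine passive DNS and enrichment output into a verdict with reasons."""
    hostnames = sorted(set(parse_list_field(host_scan.get("ip_list"))))
    record_types = parse_list_field(host_scan.get("record_list"))
    reasons, score = [], 0

    # Strong signals come straight from the enrichment record.
    if enrichment.get("sinkhole"):
        reasons.append("IP is a known sinkhole")
        score += 3
    classification = enrichment.get("classification")
    if classification and str(classification).lower() == "malicious":
        reasons.append("classified malicious in PassiveTotal")
        score += 3
    if enrichment.get("everCompromised"):
        reasons.append("RiskIQ has seen this host compromised before")
        score += 2
    if enrichment.get("dynamic"):
        reasons.append("dynamic DNS infrastructure")
        score += 1
    user_tags = enrichment.get("tags") or []   # analyst-applied tags only
    if user_tags:
        reasons.append("tagged: " + ", ".join(sorted(user_tags)))
        score += 1

    # Weaker context from the passive DNS side.
    if len(hostnames) >= SHARED_HOSTING_THRESHOLD:
        reasons.append(f"{len(hostnames)} hostnames resolve here (shared or bulk hosting)")
        score += 1
    if hostnames and not ({"A", "AAAA"} & set(record_types)):
        reasons.append("no address records in passive DNS history")

    verdict = "escalate" if score >= 3 else "review" if score >= 1 else "benign"
    return {"verdict": verdict, "score": score, "reasons": reasons,
            "hostnames": hostnames}


if __name__ == "__main__":
    print(json.dumps(triage(HOST_SCAN_RESULT, ENRICHMENT_RESULT), indent=2))
```

With the sample data the IP scores only for the number of hostnames sharing it and lands on "review"; flipping sinkhole or classification in the enrichment record pushes the same indicator to "escalate". In a playbook, the verdict and reasons fields would feed the branch that decides whether to open a case or close the alert.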

Get OSINT

Get OSINT data for a query.

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Jinja Template Query: Jinja-templated query containing the domain or IP being queried. Example: {{query_column_name}}.

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: OSINT Data.
{
  "compromised": [],
  "creator": "RiskIQ",
  "derived": [],
  "description": "LogoKit: Actor Deepdive",
  "error": null,
  "guid": "81e748fa-25b8-4553-9ecd-cf9df54cc788",
  "has_error": false,
  "inReport": [],
  "indicators": [],
  "name": "LogoKit: Actor Deepdive",
  "source": "RiskIQ Intel",
  "sourceUrl": "https://community.riskiq.com/article/a9d3b8b8",
  "tags": [
    "RiskIQ Intel"
  ]
}