One of the primary byproducts from infrastructure analysis is almost always a set of indicators that tie back to a threat actor or group of actors. These indicators serve as a way of identifying campaigns later on and provide insight into how the threat actors operate. For years, PassiveTotal has provided analysts with tools to classify or tag infrastructure items, but never a way to group similar activity while also retaining the context of the actual investigation. Projects were built to do just that.
Users now have the option to create both public and private projects with names, descriptions, collaborators, and monitoring profiles. When pivoting inside of PassiveTotal, users can now hover over indicators of interest and automatically add them to a project. This process not only keeps track of the indicator, who added it, and when, but also notes where it was added from. For example, if I searched for "riskiq.com", I may view the WHOIS record to see that the domain was registered by "firstname.lastname@example.org". Adding that email address to my project would record that I was using "riskiq.com" as my query when the addition was made.
Visiting a project's details shows a listing of all associated artifacts and a detailed history that retains all the context described above. Users within the same organization no longer need to spend time communicating back and forth. Threat actor profiles can be built within PassiveTotal and serve as a "living" set of indicators: as new information is discovered, it can be added to that project.
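To make the provenance model described above concrete, here is an added example (not PassiveTotal's code; class names, field names and the sample indicators other than the two quoted on the page are assumptions) of a local "project" that records, for each artifact, who added it, when, and which query was being viewed at the time, and that can walk that chain back to the original search:

```python
"""Constructed example of an indicator project with pivot provenance.
Not PassiveTotal code: the Artifact/Project names and fields are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Artifact:
    value: str                    # the indicator itself (domain, email, ...)
    kind: str                     # "domain", "email", "ip", ...
    added_by: str                 # collaborator who added it
    added_at: datetime            # when it was added
    pivoted_from: Optional[str]   # query being viewed when it was added, if any


@dataclass
class Project:
    name: str
    description: str = ""
    public: bool = False
    collaborators: List[str] = field(default_factory=list)
    artifacts: Dict[str, Artifact] = field(default_factory=dict)
    history: List[str] = field(default_factory=list)

    def add_artifact(self, value: str, kind: str, added_by: str,
                     pivoted_from: Optional[str] = None,
                     when: Optional[datetime] = None) -> bool:
        """Record an indicator with full context.

        Returns False if the (case-normalized) indicator is already present:
        the first sighting keeps its provenance and the duplicate is only
        logged, so the history still shows who re-encountered it.
        """
        when = when or datetime.now(timezone.utc)
        key = value.strip().lower()
        if key in self.artifacts:
            self.history.append(f"{when.isoformat()} {added_by} re-added {key} (already present)")
            return False
        self.artifacts[key] = Artifact(key, kind, added_by, when, pivoted_from)
        src = f" while viewing {pivoted_from}" if pivoted_from else ""
        self.history.append(f"{when.isoformat()} {added_by} added {kind} {key}{src}")
        return True

    def pivot_chain(self, value: str) -> List[str]:
        """Follow pivoted_from links back to the query the analyst started from."""
        chain: List[str] = []
        seen = set()
        cur: Optional[str] = value.strip().lower()
        while cur and cur in self.artifacts and cur not in seen:
            seen.add(cur)
            chain.append(cur)
            nxt = self.artifacts[cur].pivoted_from
            cur = nxt.strip().lower() if nxt else None
        if cur and cur not in seen:
            chain.append(cur)  # root query that was never added as an artifact
        return chain

    def artifacts_from(self, query: str) -> List[str]:
        """Everything that was added while the given query was on screen."""
        q = query.strip().lower()
        return sorted(a.value for a in self.artifacts.values()
                      if a.pivoted_from and a.pivoted_from.strip().lower() == q)


def build_demo_project() -> Project:
    """Constructed sample investigation using the page's riskiq.com example;
    'second-example.test' and the analyst names are made up."""
    p = Project("Example actor profile", "constructed sample",
                collaborators=["analyst-a", "analyst-b"])
    t0 = datetime(2015, 8, 1, 12, 0, tzinfo=timezone.utc)
    p.add_artifact("riskiq.com", "domain", "analyst-a", when=t0)
    p.add_artifact("firstname.lastname@example.org", "email", "analyst-a",
                   pivoted_from="riskiq.com", when=t0)
    p.add_artifact("second-example.test", "domain", "analyst-b",
                   pivoted_from="firstname.lastname@example.org", when=t0)
    # Same domain with different casing: logged as a duplicate, not stored twice.
    p.add_artifact("RiskIQ.com", "domain", "analyst-b", when=t0)
    return p


if __name__ == "__main__":
    proj = build_demo_project()
    for line in proj.history:
        print(line)
    print("chain:", " <- ".join(proj.pivot_chain("second-example.test")))
```

The `pivot_chain` walk is the part that matters for later campaign attribution: it lets a teammate see not just that an email was associated with the actor, but that it was reached via a WHOIS lookup on a particular domain, without asking the original analyst.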
A quick video overview can be found on the RiskIQ YouTube channel.