In addition to visualization via the heatmap, PassiveTotal also makes use of tags and classifications to bring context to indicators and investigations.
Tags come in many forms from system to user-generated and help assist analysts in connecting the dots between incidents and historical analysis.
System Generated Content
These tags are automatically generated by the platform for users and require no input or effort on the analyst's part. These tags are meant to guide analysis.
Contextual Tags (Blue)
These tags provide analysts with additional information about the IOC they are investigating
ASN - Pulls an abbreviated portion of an IP address ASN description into a tag to provide analysts context into who the IP address belongs to.
Dynamic - Indicates if a domain is owned by a dynamic DNS service such as No-IP or Change IP.
Sinkhole - Indicates that an IP address is a research sinkhole used by security organizations to investigate attack campaigns and therefore the domains associated will not be directly connected to each other.
- Ever_compromised - The domain or IP address queried has been previously reported as compromised in open-source reporting or by the PassiveTotal analyst community.
User-Generated Tags (Green)
Analysts have the ability to add their own tags to the tag cluster by entering them into the tag bar. These tags are viewable to the individual analysts and the analyst's peers if your organization is a PassiveTotal enterprise customer. Tags entered into the system are private and not shared with the larger community.
Analysts are able to search on the following tag types:
- User-Generated Tags
- Open Source Intelligence Tags
Classifications inside of PassiveTotal bring context to IOCs and make analysis even simpler by identifying those domains that are known bad from public reporting or that have been categorized by your company's analysts.
Classifications come in two forms - PassiveTotal derived classifications based on Open Source Intelligence or Analysts derived based on in platform investigation. Analyst derived classifications are only visible to individual analysts or the analysts within a given PassiveTotal organization, they do not go to the larger PassiveTotal community.
PassiveTotal Classifications are defined as follows:
Malicious (Red) - High confidence that the indicator in questions is bad. An entity in PassiveTotal has been deemed malicious through association with malware or open-source intelligence.
Suspicious (Yellow) - Medium confidence that indicator in questions is bad. An entity has connections to known bad infrastructure.
Non-Malicious (Green) - Legitimate entities that are not connected to malicious activity.
Unknown (Orange) - Entities that have yet to be analyzed by PassiveTotal or an organization analyst.