Skip to main content
RiskIQ Customers Sign In For Enterprise Access

PassiveTotal Monitors

  • Updated

RiskIQ’s PassiveTotal platform provides analysts with the ability to monitor specific artifacts inside of projects for change-related events.  These alerts can provide insight into evolving actor based infrastructure and assist in tracking attack campaigns targeting an organization.

The following data sets can be used to deploy monitors and receive alerts.

Passive DNS

PassiveTotal’s PDNS monitoring capability monitors RiskIQ’s PDNS repository for the following change events based on a domain or IP artifact:

  • A records
    • Domain to IP resolution changes
    • IP to domain resolution changes
  • Nameserver (New)
  • CNAME (New)
  • MX (New)
  • TXT (New)
  • SOA (New)

Note: PassiveTotal does not currently monitor 3rd party PDNS sources as these lookups and requests are made on-demand and therefore outside the purview of our monitoring infrastructure

WHOIS

Analysts can use PassiveTotal monitors to alert them when specific domains WHOIS record changes or when a domain is registered using individual whois facets of interest

  • Domain record changes and updates
  • New Domains registered using WHOIS Artifacts:
    • Email
    • Phone
    • Address
    • Name
    • Nameserver

Keywords

  • PDNS Keywords
    • Analysts can deploy keyword artifacts to match against newly resolving domains and hosts observed in our PDNS database
  • WHOIS Keywords
    • Analysts can deploy keyword artifacts to match WHOIS registration information for newly registered and updated WHOIS records

Future Capability

As RiskIQ continues to build out our monitoring pipeline we will look to bring additional data sets into our monitoring construct to provide even greater situational awareness to our users.

Data sets and capabilities we will focus on adding into the monitoring pipeline include:

Trackers

  • New tracker associates to an IP or Domain
  • New domain or IP address associates to a given tracker

Host Pairs

  • New Parent / Child relationships for a domain or IP address

Web Components

  • New web component associated with a domain or IP address
  • New Domain or IP associated with a web component 

Cookies

  • New Cookie Name associated with a domain or IP address
  • New Domain or IP associated with a Cookie name

Projects

Monitor a given project for artifact updates.  Get alerted when a Public or Private project is updated and keep up with evolving actor based intelligence and investigations

Tags

Monitor global tags inside of PassiveTotal for new intelligence on a given actor group, campaign, malware, or attack category.

SSL Certificates

  • Host to SHA-1 Certificate Hash
  • SSL Certificate SHA-1 to IP address
  • IP address to SSL Certificate SHA-1

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk