RiskIQ’s PassiveTotal platform provides analysts with the ability to monitor specific artifacts inside of projects for change-related events. These alerts can provide insight into evolving actor based infrastructure and assist in tracking attack campaigns targeting an organization.
The following data sets can be used to deploy monitors and receive alerts.
Passive DNS
PassiveTotal’s PDNS monitoring capability monitors RiskIQ’s PDNS repository for the following change events based on a domain or IP artifact:
- A records
- Domain to IP resolution changes
- IP to domain resolution changes
- Nameserver (New)
- CNAME (New)
- MX (New)
- TXT (New)
- SOA (New)
Note: PassiveTotal does not currently monitor 3rd party PDNS sources as these lookups and requests are made on-demand and therefore outside the purview of our monitoring infrastructure
WHOIS
Analysts can use PassiveTotal monitors to alert them when specific domains WHOIS record changes or when a domain is registered using individual whois facets of interest
- Domain record changes and updates
- New Domains registered using WHOIS Artifacts:
- Phone
- Address
- Name
- Nameserver
Keywords
- PDNS Keywords
- Analysts can deploy keyword artifacts to match against newly resolving domains and hosts observed in our PDNS database
- WHOIS Keywords
- Analysts can deploy keyword artifacts to match WHOIS registration information for newly registered and updated WHOIS records
SSL Certificates
- Host to SHA-1 Certificate Hash
- SSL Certificate SHA-1 to IP address
- IP address to SSL Certificate SHA-1
Comments
0 comments
Please sign in to leave a comment.