RiskIQ’s PassiveTotal platform provides analysts with the ability to monitor specific artifacts inside of projects for change-related events. These alerts can provide insight into evolving actor based infrastructure and assist in tracking attack campaigns targeting an organization.
The following data sets can be used to deploy monitors and receive alerts.
PassiveTotal’s PDNS monitoring capability monitors RiskIQ’s PDNS repository for the following change events based on a domain or IP artifact:
- A records
- Domain to IP resolution changes
- IP to domain resolution changes
- Nameserver (New)
- CNAME (New)
- MX (New)
- TXT (New)
- SOA (New)
Note: PassiveTotal does not currently monitor 3rd party PDNS sources as these lookups and requests are made on-demand and therefore outside the purview of our monitoring infrastructure
Analysts can use PassiveTotal monitors to alert them when specific domains WHOIS record changes or when a domain is registered using individual whois facets of interest
- Domain record changes and updates
- New Domains registered using WHOIS Artifacts:
- PDNS Keywords
- Analysts can deploy keyword artifacts to match against newly resolving domains and hosts observed in our PDNS database
- WHOIS Keywords
- Analysts can deploy keyword artifacts to match WHOIS registration information for newly registered and updated WHOIS records
As RiskIQ continues to build out our monitoring pipeline we will look to bring additional data sets into our monitoring construct to provide even greater situational awareness to our users.
Data sets and capabilities we will focus on adding into the monitoring pipeline include:
- New tracker associates to an IP or Domain
- New domain or IP address associates to a given tracker
New Parent / Child relationships for a domain or IP address
- New web component associated with a domain or IP address
- New Domain or IP associated with a web component
- New Cookie Name associated with a domain or IP address
- New Domain or IP associated with a Cookie name
Monitor a given project for artifact updates. Get alerted when a Public or Private project is updated and keep up with evolving actor based intelligence and investigations
Monitor global tags inside of PassiveTotal for new intelligence on a given actor group, campaign, malware, or attack category.
- Host to SHA-1 Certificate Hash
- SSL Certificate SHA-1 to IP address
- IP address to SSL Certificate SHA-1