PassiveTotal centralizes numerous data sets into a single platform, making it easier for our community and customers to conduct infrastructure analysis. Our primary focus is to provide as much data as possible about Internet infrastructure.
View our RiskIQ YouTube playlist about PassiveTotal: Datasets.
Resolutions - Passive DNS
Passive DNS is a system of record that stores DNS resolution data for a given location, record, and time period. This historical resolution data set allows analysts to view which domains resolved to an IP address and vice versa. This data set allows for time-based correlation based on domain or IP overlap.
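The time-based correlation described above, as an added example that is not part of the original page: given a set of passive DNS records (constructed sample data, not real infrastructure), it pivots from a seed domain to other domains that resolved to the same IP address while the seed also resolved to it, and reports how many days the observation windows overlapped. A domain that only used the IP outside the seed's window (for example after the address was released and reused) is excluded, which is the point of correlating on time as well as on IP.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Resolution:
    """One passive DNS observation: name resolved to ip from first_seen through last_seen."""
    name: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample records (documentation IP ranges, not real infrastructure).
SAMPLE = [
    Resolution("alpha.example", "203.0.113.10", date(2020, 1, 1), date(2020, 3, 31)),
    Resolution("beta.example", "203.0.113.10", date(2020, 2, 15), date(2020, 6, 30)),
    Resolution("gamma.example", "203.0.113.10", date(2021, 1, 1), date(2021, 2, 1)),
    Resolution("delta.example", "198.51.100.7", date(2020, 1, 1), date(2020, 12, 31)),
    Resolution("alpha.example", "198.51.100.7", date(2020, 4, 1), date(2020, 5, 1)),
]


def overlap_days(a: Resolution, b: Resolution) -> int:
    """Number of calendar days (inclusive) on which both observation windows were active."""
    start = max(a.first_seen, b.first_seen)
    end = min(a.last_seen, b.last_seen)
    return (end - start).days + 1 if end >= start else 0


def pivot_on_ip_overlap(records, seed: str, min_overlap_days: int = 1) -> dict:
    """Return {other_name: {ip: overlap_days}} for every domain that shared an IP
    with `seed` during a window in which `seed` itself resolved to that IP."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)
    related = defaultdict(dict)
    for s in (r for r in records if r.name == seed):
        for other in by_ip[s.ip]:
            if other.name == seed:
                continue
            days = overlap_days(s, other)
            if days >= min_overlap_days:
                # Keep the longest overlap if the pair was observed more than once.
                related[other.name][other.ip] = max(related[other.name].get(other.ip, 0), days)
    return dict(related)


if __name__ == "__main__":
    for name, ips in pivot_on_ip_overlap(SAMPLE, "alpha.example").items():
        print(name, ips)
```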
WHOIS
WHOIS is a protocol that lets anyone query for information about a domain, IP address, or subnet. One of the most common uses of WHOIS in threat infrastructure research is to identify or connect disparate entities based on unique data shared within the WHOIS record content.
SSL Certificates
SSL certificates are files that digitally bind a cryptographic key to a set of user-provided details. Using internet-scanning techniques, PassiveTotal collects SSL certificate associations from IP addresses on various ports. These certificates are stored inside a local database and allow us to create a timeline of where a given SSL certificate appeared on the Internet.
Subdomains
A subdomain is an internet domain that is part of a primary domain. Subdomains are also referred to as "hosts". As an example, "play.google.com" is a subdomain of "google.com". Every subdomain can resolve to a new set of IP addresses, which makes subdomains a great data source for finding related infrastructure.
Trackers
Trackers are unique codes or values found within web pages and often used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity.
Our tracker data set includes IDs from providers like Google, Yandex, Mixpanel, New Relic, Clicky, and is continuing to grow on a regular basis.
Components
Web components are details describing a web page or server infrastructure gleaned from RiskIQ performing a web crawl or scan. These components allow an analyst to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure.
Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Analysts can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.
Host Pairs
Host pairs are two domains (a parent and a child) that shared a connection observed from a RiskIQ crawl. The connection could range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference.
Open Source Intelligence
Long and short-form reporting developed by individuals and companies combined with data feeds of known bad infrastructure. This data set provides context to the actors, campaign, or malicious infrastructure.
Hashes
PassiveTotal partners with a number of commercial and open-source repositories of malware data in order to pair it with queried infrastructure and populate the Hash data set. This data helps analysts understand the capabilities, intent, and motives of an attacker while also aiding in connecting infrastructure together. Each result contains a unique hash.
DNS
DNS records that RiskIQ has been collecting over the years, giving analysts insight into:
- MX (mail exchanger)
- NS (nameserver)
- TXT (text)
- SOA (start of authority)
- CNAME (canonical name) records
Projects
Public and private projects created to monitor connecting artifacts within PassiveTotal. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, collaborators, and monitoring profiles.
Cookies
Cookies are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain application state or small bits of tracking data. RiskIQ highlights and indexes cookie names observed when crawling a website and allows analysts to dig into everywhere RiskIQ has observed specific cookie names across its crawling and data collection.