Skip to main content
RiskIQ Customers Sign In For Enterprise Access

Analyst Insights

  • Updated

PassiveTotal Analyst insights distill RiskIQ’s vast data set into a handful of observations that simplify the investigation and make it more approachable to analysts of all levels

Insights are meant to be small facts or observations about a domain or IP address and provide PassiveTotal analysts with the ability to make an assessment about the artifact queried and improve an analyst's ability to determine if an indicator being investigated is malicious, suspicious, or benign.

Domain Insights

Blacklisted

  • Is / When was the domain blacklisted?

  • How many times has RiskIQ blacklisted the domain?

 

Registered & Updated

  • How many days, months, years ago was the domain registered?

  • When was the domain whois Record updated?

  • Newly registered or updated domains can often be used for suspicious or malicious purposes.

 

Recently Changed IP

  • Has the domain changed IP addresses in the past 30 days?

 

Subdomain IP count

  • How many different IPs are associated with the subdomains of the domain?

  • Malicious actors often use different subdomains for different attacks and therefore subdomain IP addresses can lead to new investigative leads.

New subdomain observations

  • When was the last time RiskIQ observed a new subdomain for the domain in question?

  • This can highlight new malicious infrastructure.

 

Registered & Resolving

  • Does the domain queried exist?

  • Does the domain resolve to an IP address?

  • Both of these insights provide context around if the domain in question is part of an active campaign.

 

 

Alexa Rank

  • What is the Alexa rank of the domain queried?

  • Alexa ranks domains based on 3 months of aggregated traffic to the domain in question.

  • Domains listed in the Alexa Top 100K tend to be legitimate sites.

  • Domains outside of the Top 100K may be interesting to investigate.

 

# of Domains sharing the Whois record

  • Shared Whois record information is a good way to connect malicious infrastructure.

  • A domain that shares a record with a limited number of other domains could be a strong analytical lead.

 

# of domains sharing the Name Server

  • Actors often times use the same hosting provider and Name Servers for multiple attacks.

  • Name Servers can provide analysts with a common connection point between malicious infrastructure.

 

 

# of subdomains

  • Highlights the number of subdomains RiskIQ has identified in association with the higher-level domain.

  • Subdomains can provide analysts with valuable additional analytical leads and each subdomain could be hosted on a different IP address.

 

Crawled by RiskIQ

  • Identifies the last time RiskIQ crawled the domain.

 

International Domain

  • Is the domain queried for an international domain name (IDN)?

  • IDN domains can oftentimes be used to spoof legitimate brand domains and are often used in phishing or malicious attacks in an attempt to fool the victim.

 

 

IP Analyst Insights

 

Blacklisted by Third Party

 

 

  • Have any of our third-party vendor feeds blacklisted the IP address in question.  

  • Hover over the insight to see which threat categories it was flagged for.

 

Tor Exit Node Status

 

 

  • Is the IP address in questions associated with The Onion Router Network (Tor)?

  • If yes, it could indicate possible malicious activity.

Open Ports Detected

 

  • When did RiskIQ last port scan this IP address?

  • Hover over to see what ports have been detected and understand what services may be running.

 

Proxy Status

 

  • Identifies if the IP address in question is a known proxy server.

  • Could indicate that an individual is trying to mask their true IP / location?

 

Host Last Observed

  • When was the last time RiskIQ observed a host resolving to this IP address based on Passive DNS data?

  • This could indicate attack timeframe or highlight new infrastructure being stood up.

 

Infrastructure Routable

 

  • Is the IP address in question internet accessible?

Insight Colors

PassiveTotal Analyst insights use colors to highlight/call out specific rules as interesting to an analyst.

Red

Possibly Suspicious or Malicious and should be investigated further.

Blue

Informational, these provide analysts with facts about the artifact in question.

Gray

Rule scored low or did not trigger for the artifact in question.

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk