V2 of PassiveTotal brings additional monitoring capabilities to the platform in a new format. Instead of merely monitoring individual items in order to get alerts back on change, monitors are now coupled with projects. As users add "artifacts" to projects, we monitor those items for any changes. Alerts are located within the project, where a user can choose to add the results to the project or investigate them further. On the alerting side, PassiveTotal will continue to use our existing datasets to alert when we observe changes, but we now also support WHOIS registrant alerting and keyword alerts on WHOIS and DNS data.
A common use case for analysts is to leverage WHOIS content in order to surface new infrastructure of interest or make connections to existing infrastructure. Some analysts want to be more proactive and monitor for new domain registrations based on content found within the WHOIS record. Fields like an email address or phone number are often required to hold real values, even though the domains themselves can be registered freely, which makes those fields useful pivots.
The enhanced monitoring capability in V2 now allows analysts to register WHOIS alerts based on these fields. They can do this manually from within a project or add pieces of the WHOIS record to a project from the analysis section. Once added, PassiveTotal sends the monitored items over to a stream-based framework that looks for the keywords. It should be noted that, because we are using streaming, we are not able to provide retroactive results for a given query: only records observed after the monitor is created can match. When we observe a match in the stream pipeline, we register the alert and send it back to PassiveTotal.
The concept of keywords is often leveraged by those in the brand space. Looking across RiskIQ datasets for matches on company names, individual people, or products is a useful way to surface content that may be masquerading as their brand or using it for malicious purposes. Enhanced monitors allow analysts to register keywords of two different types, WHOIS and DNS. For this release, keywords are plain strings and cannot be regular expressions or complex patterns. Keywords are applied to a stream of data, so they will not apply to retroactive results.
Similar to WHOIS field monitors, WHOIS keywords let a user monitor for a specific keyword being present anywhere inside of the WHOIS record. If the keyword is identified, an alert is generated and sent back out to the user.
Leveraging the RiskIQ Newly Observed Host (NOH) feed, we are able to identify new hostnames never seen before on the Internet. Users can add a keyword monitor that will run against the NOH feed on a daily basis. If there's a match on the keyword, the results will be sent back to the user.
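The following is an added illustration, not PassiveTotal's code, of how the three monitor types described above (WHOIS field monitors, WHOIS keyword monitors, and DNS keyword monitors run against a newly-observed-host feed) behave when applied to a stream. It models two properties the post calls out: keywords are literal strings rather than patterns, and a stream-based design only alerts on records observed after the monitor was registered, so nothing is retroactive. The stream format, the `run_monitors` function, and every domain, hostname and registrant value in the sample data are constructed for this example.

```python
"""Constructed model of stream-based WHOIS/DNS monitors (not PassiveTotal's code)."""
from dataclasses import dataclass
from typing import Optional

# Monitor kinds, mirroring the three monitor types described in the post.
WHOIS_FIELD = "whois_field"      # exact match on one WHOIS field (e.g. registrant email)
WHOIS_KEYWORD = "whois_keyword"  # literal substring anywhere in the WHOIS record
DNS_KEYWORD = "dns_keyword"      # literal substring in a newly observed hostname


@dataclass(frozen=True)
class Monitor:
    kind: str
    value: str                         # a literal string, never a regex
    registered_at: int                 # stream sequence number when the monitor was added
    whois_field: Optional[str] = None  # only used by WHOIS_FIELD monitors


@dataclass(frozen=True)
class Alert:
    monitor: Monitor
    item: str        # domain (WHOIS) or hostname (NOH) that triggered the alert
    matched_on: str  # WHOIS field name, or "hostname" for NOH matches
    seq: int         # stream position where the match was observed


def _whois_matches(monitor: Monitor, record: dict) -> Optional[str]:
    """Return the name of the WHOIS field that matched, or None."""
    needle = monitor.value.casefold()
    if monitor.kind == WHOIS_FIELD:
        got = record.get(monitor.whois_field)
        return monitor.whois_field if got and got.casefold() == needle else None
    if monitor.kind == WHOIS_KEYWORD:
        for name, val in record.items():
            if isinstance(val, str) and needle in val.casefold():
                return name
    return None


def run_monitors(monitors, stream):
    """Apply monitors to a stream of (seq, source, payload) events.

    source is "whois" (payload: dict of WHOIS fields including "domain")
    or "noh" (payload: a newly observed hostname). An event only produces
    an alert for monitors registered at or before its sequence number,
    which is why a streaming design cannot return retroactive matches.
    """
    alerts = []
    for seq, source, payload in stream:
        for m in monitors:
            if seq < m.registered_at:
                continue  # observed before the monitor existed: no retroactive alert
            if source == "whois" and m.kind in (WHOIS_FIELD, WHOIS_KEYWORD):
                field_name = _whois_matches(m, payload)
                if field_name:
                    alerts.append(Alert(m, payload["domain"], field_name, seq))
            elif source == "noh" and m.kind == DNS_KEYWORD:
                # Plain substring test: "acme.*" would be looked for literally.
                if m.value.casefold() in payload.casefold():
                    alerts.append(Alert(m, payload, "hostname", seq))
    return alerts


# Constructed sample stream; every value below is made up for this example.
SAMPLE_STREAM = [
    (1, "whois", {"domain": "example-shop.test", "registrant_email": "actor@example.test",
                  "registrant_phone": "+1.5550100"}),
    (2, "noh", "login.acmebank.test"),
    (3, "whois", {"domain": "acmebank-secure.test", "registrant_email": "other@example.test",
                  "registrant_name": "AcmeBank Support"}),
    (4, "whois", {"domain": "random.test", "registrant_email": "ACTOR@example.test"}),
    (5, "noh", "acmebank-login.test"),
    (6, "noh", "unrelated.test"),
]

SAMPLE_MONITORS = [
    # Registered after seq 1, so the first WHOIS record never alerts.
    Monitor(WHOIS_FIELD, "actor@example.test", registered_at=2, whois_field="registrant_email"),
    Monitor(WHOIS_KEYWORD, "acmebank", registered_at=2),
    Monitor(DNS_KEYWORD, "acmebank", registered_at=3),
]


def demo():
    """Run the constructed monitors over the constructed stream."""
    return run_monitors(SAMPLE_MONITORS, SAMPLE_STREAM)


if __name__ == "__main__":
    for a in demo():
        print(f"seq={a.seq} {a.monitor.kind} '{a.monitor.value}' -> {a.item} ({a.matched_on})")
```

Running `demo()` yields three alerts: the WHOIS keyword fires on the `acmebank-secure.test` domain field at seq 3, the WHOIS field monitor fires on the case-variant registrant email at seq 4, and the DNS keyword fires on `acmebank-login.test` at seq 5. The `login.acmebank.test` hostname at seq 2 is silently missed because the DNS monitor was registered at seq 3, which is the retroactivity caveat in practice: register monitors early, and backfill with a separate historical query if you need coverage of what was already observed.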