Cooking with fire: Making your investigations more efficient with tags and classifications

The ever-expanding attack surface of the enterprise has increased the importance of correlating internal activity with what is happening outside the firewall. The most successful security programs are providing their analysts with real-time context to improve the efficiency and outcomes of their investigations. This allows their security teams to quickly discover additional threat infrastructure and block it proactively.

Chefs have a term for preparing to cook a dish, “mise en place”, or “set in place”, which refers to having all of the spices measured, onions diced, and all of the tools they’ll need within reach. The modern security program should perform a similar task, by integrating their, internal data sets across existing security systems. This allows for quicker, easier, and more approachable analysis by their team.

 You can’t win all by yourself.

Our goal with PassiveTotal is to help make infrastructure analysis more efficient by bringing a variety of datasets into a single place and providing users with context around the indicators they query. These data sets can be made even more easily consumable by providing internal context to them.

Analysts have the ability to add their own tags to the tag cluster via the search results page, projects, or via our API. These tags are viewable to all of the users in your PassiveTotal enterprise organization. All data entered into the system are private and not shared with the larger community, unless a public project is used.

Classifications inside of PassiveTotal help bring context to IOCs and make analysis more efficient. Analysts will have a visual indication that the infrastructure that are searching has been determined to have a known classification. Whether malicious, suspicious, or unknown, any set classification will bring instant context to an investigation, and can help avoid duplication of work.

Enrich your PassiveTotal searches by providing internal context.

Here are a few examples to try out:

  • For Hosts and IP addresses blocked by a web or email gateway. Tag = “Blocked”, Classify = Malicious
  • Hosts quarantined by a web or email gateway. Tag = “Quarantine”, Classify = Suspicious
  • Hosts submitted to abuse box. Tag = “Abuse Box”, Classify = Suspicious
  • Hosts registered to your company. Tag = “Company Name”, Classify = Non Malicious
  • Newly observed hosts/IPs in your network (<30 days). Tag = “Newly Observed”, Classify = Unknown


Open up a chat in PassiveTotal if you have any questions!

Links to additional documentation:

In the UI: https://help.passivetotal.org/tags_&_classifications.html

Via the API: https://api.passivetotal.org/api/docs/#api-Actions