Tags and Classifications

In addition to visualization via the heatmap, PassiveTotal also makes use of tags and classifications to bring context to indicators and investigations.


Tags come in many forms, from system generated to user generated, and help analysts connect the dots between incidents and historical analysis.

System Generated Content

These tags are generated automatically by the platform and require no input or effort on the analyst's part. They are meant to guide analysis.

Contextual Tags (Blue)

These tags provide analysts with additional information about the IOC they are investigating.

  • ASN - Pulls an abbreviated portion of an IP address's ASN description into a tag to give analysts context on who the IP address belongs to.

  • Dynamic - Indicates that a domain is owned by a dynamic DNS service such as No-IP or Change IP.

  • Sinkhole - Indicates that an IP address is a research sinkhole used by security organizations to investigate attack campaigns, and therefore the domains associated with it will not be directly connected to each other.

  • Ever_compromised - The domain or IP address queried has previously been reported as compromised in open source reporting or by the PassiveTotal analyst community.
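
The sinkhole tag matters most when pivoting on shared infrastructure. The following is an added example, not PassiveTotal code: it clusters domains by shared IP address and refuses to link them through any IP tagged as a sinkhole. The record layout, tag strings and sample data are constructed for illustration and are not the platform's export format.

```python
from collections import defaultdict

# Constructed sample data: (domain, ip) resolution pairs and per-IP tags.
# The layout is hypothetical, not a PassiveTotal export format.
RESOLUTIONS = [
    ("alpha.example", "192.0.2.10"),
    ("bravo.example", "192.0.2.10"),
    ("bravo.example", "198.51.100.7"),    # later pointed at a sinkhole
    ("charlie.example", "198.51.100.7"),  # different campaign, same sinkhole
    ("delta.example", "203.0.113.5"),
]
IP_TAGS = {"198.51.100.7": {"sinkhole"}}


def cluster_domains(resolutions, ip_tags, skip_tags=frozenset({"sinkhole"})):
    """Group domains that share an IP, ignoring IPs that carry a skip tag."""
    parent = {}

    def find(x):
        # Union-find lookup with path compression.
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_ip = defaultdict(list)
    for domain, ip in resolutions:
        find(domain)  # register the domain even if all of its IPs are skipped
        by_ip[ip].append(domain)

    for ip, domains in by_ip.items():
        if ip_tags.get(ip, set()) & skip_tags:
            continue  # a sinkhole hosts unrelated campaigns: do not pivot
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])

    clusters = defaultdict(set)
    for domain in list(parent):
        clusters[find(domain)].add(domain)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    print("sinkhole-aware:", cluster_domains(RESOLUTIONS, IP_TAGS))
    print("naive pivot:   ", cluster_domains(RESOLUTIONS, IP_TAGS, frozenset()))
```

With the tag honoured, charlie.example stays in its own cluster; the naive pivot merges it with alpha.example and bravo.example solely because all of them ended up on the same sinkhole.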

User Generated Tags (Green)

Analysts can add their own tags to the tag cluster by entering them into the tag bar. These tags are viewable by the individual analyst and, if your organization is a PassiveTotal enterprise customer, by the analyst's peers. Tags entered into the system are private and not shared with the larger community.

Searchable Tags

Analysts are able to search on the following tag types:

  • User Generated Tags
  • Open Source Intelligence Tags


Classifications inside of PassiveTotal bring context to IOCs and make analysis even simpler by identifying those domains that are known bad from public reporting or that have been categorized by your company's analysts.

Classifications come in two forms: PassiveTotal-derived classifications based on open source intelligence, and analyst-derived classifications based on in-platform investigation. Analyst-derived classifications are visible only to the individual analyst or to the analysts within a given PassiveTotal organization; they do not go to the larger PassiveTotal community.

PassiveTotal Classifications are defined as follows:

  • Malicious (Red) - High confidence that the indicator in question is bad. The entity has been deemed malicious in PassiveTotal through association with malware or open source intelligence.

  • Suspicious (Yellow) - Medium confidence that the indicator in question is bad. The entity has connections to known bad infrastructure.

  • Non-Malicious (Green) - Legitimate entities that are not connected to malicious activity.

  • Unknown (Orange) - Entities that have yet to be analyzed by PassiveTotal or an organization's analyst.