
Local Triage with ThreatNote and PassiveTotal


If it's not clear from our previous postings, we have been making a push to get PassiveTotal data into as many platforms and tools as possible. You may ask yourself why, but the truth of the matter is that each cyber security analyst has their own workflow and process. We realize we can't be all things to all people, so we are taking the approach of bringing all the data to all the places! As the title implies, if you are a ThreatNote user, you can now access PassiveTotal data from within the application.

ThreatNote was created by Brian Warehime (@brian_warehime) over at Defense Point Security, and its purpose is simple: easily store your indicators of interest when doing research in a small, lightweight utility. What's nice about ThreatNote is that it doesn't try to take on every cyber security analyst problem and instead focuses precisely on what the analyst inputs into the system. At the time of writing this blog, ThreatNote supports network indicators, cyber threat actors, campaigns, and basic relationships between the supplied inputs.

PassiveTotal fits into ThreatNote as a third-party enrichment source that can be configured within the user settings panel. When creating our integration with ThreatNote, we decided to split our different data sources into individual enrichment points, so that users can choose which data they bring into the platform.

Once your instance is configured, PassiveTotal data will show up when viewing individual indicators entered inside the platform. To reduce the clutter from larger dataset responses, we allow the user to easily toggle each dataset between expanded and collapsed. It's worth noting that data returned from the PassiveTotal enrichment service is not stored in ThreatNote; a new API call is made every time an indicator is viewed. In order to persist results, you will need to feed them into the system manually.

What we like about ThreatNote is that analysts can easily describe a specific incident, see relevant enrichment data and then quickly share the SQLite database file with others who may provide more insight. Additionally, as you enter details into the application, it automatically creates small dashboards and breakdowns about the data that's been added to the system.
