Context is Everything: Using Tags and Classifications in RiskIQ PassiveTotal

As an analyst, how much time can you afford to waste at work?

Do you have eight hours to spend investigating those 203 suspect hosts only to learn a fellow analyst has already determined two weeks ago that they are registered to your company?

Or, what if you had to stop mid-investigation to address a different priority—wouldn’t it be great to come back to an investigation and know how your research had manifested up to that point?

The attack surface of your enterprise is always expanding, and that growth has increased the importance of correlating internal activity with what is happening outside the firewall. This changing threat landscape is why most successful security programs are providing analysts with real-time context to improve the efficiency and outcomes of their investigations so they can discover additional threat infrastructure and block it proactively.

PassiveTotal: Context, All in One Place

Chefs have a term for the prep work involved in cooking a dish, “mise en place,” or “set in place,” which refers to having all of the spices measured, onions diced, and all the tools they’ll need within reach.

A modern security program should perform a similar task by integrating internal data sets across existing security systems. This integration allows for quicker, more comfortable, and more approachable analysis by the team.

Our goal with PassiveTotal is to help make infrastructure analysis more efficient by bringing a variety of datasets into a single place and providing you with context around the indicators that you query. These data sets can be made even more easily consumable when you provide internally derived tags and classifiers which translate across your teams.

Analysts can add tags to the tag cluster via:

  • Search results page
  • Projects
  • Our API

These tags are viewable to all of the users in your PassiveTotal enterprise organization. All data entered into the system is private and not shared with the broader community unless a public project is used.

Our goal with PassiveTotal is to help make infrastructure analysis more efficient with internally derived tags and classifiers.

Classifications inside of PassiveTotal help bring context to IOCs and make your analysis more efficient. Analysts will have a visual indication that the infrastructure they are searching has been determined to have a known classification. Whether malicious, suspicious, or unknown, any added classification will bring instant context to an investigation and can help avoid duplication of work. Save time and enrich your PassiveTotal searches by providing internal context, all in one place.

Here are a few examples to try out:

  • For Hosts and IP addresses blocked by web or email gateway. Tag = “Blocked”, Classify = Malicious
  • Hosts quarantined by web or email gateway. Tag = “Quarantine”, Classify = Suspicious
  • Hosts submitted to abuse box. Tag = “Abuse Box”, Classify = Suspicious
  • Hosts registered to your company. Tag = “Company Name”, Classify = Non Malicious
  • Newly observed hosts/IPs in your network (<30 days). Tag = “Newly Observed”, Classify = Unknown

Questions? Open a chat in PassiveTotal!

Links to documentation:

In the UI:

Via the API:

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor