Announcing Updated API for RiskIQ PassiveTotal for Better Investigations

Automating Investigations: Announcing Updated API for RiskIQ PassiveTotal

May 3, 2017, Steve Ginty

mm

The RiskIQ PassiveTotal team continually strives to improve our platform’s capabilities and make it even easier for our analyst community to investigate threats, track actor groups, and proactively monitor malicious infrastructure in response to an ever-evolving threat environment. Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints, making it even easier to interact with our platform and integrate PassiveTotal into your security operations.

What’s New

Projects

Projects allow users to organize investigative leads and collaborate with colleagues on research easily. Organizations can now create and manage projects directly from our API enabling them to quickly add, delete, or update artifacts for any given project either on an individual basis or in bulk.

Monitors

PassiveTotal’s monitoring capability helps organizations keep tabs on suspicious and malicious infrastructure and receive in-platform alerts and weekly digest emails when things change. With this new monitoring, endpoint organizations can now retrieve alerts for both artifacts and projects programmatically, making it even easier to block malicious infrastructure proactively.

Automate Investigations & Alerting

So what is the big deal? What is exciting about our updated API is that it now allows security operations groups to automate the creation of threat investigations and intelligence within the PassiveTotal platform enhancing an organization’s ability to collaborate, investigate, track, and monitor threats.

Create a Project

Sharing intelligence among analysts and the PassiveTotal community just got easier. Using the API, I can create a project and quickly specify properties such as tag, description, visibility, and collaborators. As you can see from my terminal below, I’m creating a public project based on Kaspersky’s Lazarus report:

Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints

Fig-1 A new public project based on Kaspersky’s Lazarus report

Once I submit the project, it’s created in the system instantly and available to users via both the API and UI. As the screenshot below shows, the project has been created and is now awaiting the addition of artifacts:

Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints

Fig-2 The new project inside RiskIQ PassiveTotal

Bulk Upload Artifacts

Once I create a project, I can use the project guide to bulk upload indicators, which can be tagged with individual context and flagged for monitoring. As you can see from my terminal, I’m adding five artifacts to the project and tagging them as associated with the Lazarus actor group and Kaspersky reporting:

Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints

Fig-3 Bulk uploading artifacts to the Lazarus public project

Once I submit the artifacts, they become associated with my newly created project. As we can see in the UI, one of the artifacts was already known to be malicious:

Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints

Fig-4 My artifacts in the PassiveTotal UI

Because each of these indicators is now tagged appropriately in the system and associated with a project, analysts have this context available during an investigation so they can action incidents quicker:

Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints

Fig-5 Pivoting on my new artifacts

Get Alerts

Finally, once I create a project and add artifacts, I can easily poll our API monitoring endpoint for alerts. Alerts are available by project or artifact, and allow for requests by a specific timeframe:

Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints

Fig-6 Requesting alerts over a specific timeframe

The above command requests all alerts for the Lazarus project after May 2, 2017. As you can see by the data returned, the monitoring endpoint provides eight entries:

Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints

Fig-7 My request returned eight results

Organizations can use this alerting feature to proactively block malicious infrastructure within their environments, providing better situational awareness and thereby reducing possible exposure from future attacks. If you are interested in conducting further research around this threat group, check out this newly created public project in PassiveTotal.

Explore the Updated API

The team is excited about these new API capabilities and their ability to streamline investigations and incident response. As always, this blog post highlights just one of many workflows that organizations can now implement using the updated API. For more information check out our updated  API documentation.

Not a member of RiskIQ Community Edition? Sign up today.

Share: