Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
May 3, 2017, Steve Ginty
The RiskIQ PassiveTotal team continually strives to improve our platform’s capabilities and make it even easier for our analyst community to investigate threats, track actor groups, and proactively monitor malicious infrastructure in response to an ever-evolving threat environment. Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints, making it even easier to interact with our platform and integrate PassiveTotal into your security operations.
Projects allow users to organize investigative leads and collaborate with colleagues on research easily. Organizations can now create and manage projects directly from our API enabling them to quickly add, delete, or update artifacts for any given project either on an individual basis or in bulk.
PassiveTotal’s monitoring capability helps organizations keep tabs on suspicious and malicious infrastructure and receive in-platform alerts and weekly digest emails when things change. With this new monitoring, endpoint organizations can now retrieve alerts for both artifacts and projects programmatically, making it even easier to block malicious infrastructure proactively.
So what is the big deal? What is exciting about our updated API is that it now allows security operations groups to automate the creation of threat investigations and intelligence within the PassiveTotal platform enhancing an organization’s ability to collaborate, investigate, track, and monitor threats.
Create a Project
Sharing intelligence among analysts and the PassiveTotal community just got easier. Using the API, I can create a project and quickly specify properties such as tag, description, visibility, and collaborators. As you can see from my terminal below, I’m creating a public project based on Kaspersky’s Lazarus report:
Fig-1 A new public project based on Kaspersky’s Lazarus report
Once I submit the project, it’s created in the system instantly and available to users via both the API and UI. As the screenshot below shows, the project has been created and is now awaiting the addition of artifacts:
Fig-2 The new project inside RiskIQ PassiveTotal
Bulk Upload Artifacts
Once I create a project, I can use the project guide to bulk upload indicators, which can be tagged with individual context and flagged for monitoring. As you can see from my terminal, I’m adding five artifacts to the project and tagging them as associated with the Lazarus actor group and Kaspersky reporting:
Fig-3 Bulk uploading artifacts to the Lazarus public project
Once I submit the artifacts, they become associated with my newly created project. As we can see in the UI, one of the artifacts was already known to be malicious:
Fig-4 My artifacts in the PassiveTotal UI
Because each of these indicators is now tagged appropriately in the system and associated with a project, analysts have this context available during an investigation so they can action incidents quicker:
Fig-5 Pivoting on my new artifacts
Finally, once I create a project and add artifacts, I can easily poll our API monitoring endpoint for alerts. Alerts are available by project or artifact, and allow for requests by a specific timeframe:
Fig-6 Requesting alerts over a specific timeframe
The above command requests all alerts for the Lazarus project after May 2, 2017. As you can see by the data returned, the monitoring endpoint provides eight entries:
Fig-7 My request returned eight results
Organizations can use this alerting feature to proactively block malicious infrastructure within their environments, providing better situational awareness and thereby reducing possible exposure from future attacks. If you are interested in conducting further research around this threat group, check out this newly created public project in PassiveTotal.
The team is excited about these new API capabilities and their ability to streamline investigations and incident response. As always, this blog post highlights just one of many workflows that organizations can now implement using the updated API. For more information check out our updated API documentation.
Not a member of RiskIQ Community Edition? Sign up today.