The RiskIQ PassiveTotal team continually strives to improve our platform's capabilities and make it even easier for our analyst community to investigate threats, track actor groups, and proactively monitor malicious infrastructure in response to an ever-evolving threat environment. Today, we are happy to announce the launch of our updated API, which adds projects and monitoring capabilities to our endpoints, making it even easier to interact with our platform and integrate PassiveTotal into your security operations.
Projects allow users to organize investigative leads and collaborate with colleagues on research easily. Organizations can now create and manage projects directly from our API enabling them to quickly add, delete, or update artifacts for any given project either on an individual basis or in bulk.
PassiveTotal’s monitoring capability helps organizations keep tabs on suspicious and malicious infrastructure and receive in-platform alerts and weekly digest emails when things change. With this new monitoring, endpoint organizations can now retrieve alerts for both artifacts and projects programmatically, making it even easier to block malicious infrastructure proactively.
Automate Investigations & Alerting
So what is the big deal? What is exciting about our updated API is that it now allows security operations groups to automate the creation of threat investigations and intelligence within the PassiveTotal platform enhancing an organization's ability to collaborate, investigate, track, and monitor threats.
Create a Project
Sharing intelligence among analysts and the PassiveTotal community just got easier. Using the API, I can create a project and quickly specify properties such as tag, description, visibility, and collaborators. As you can see from my terminal below, I’m creating a public project based on Kaspersky’s Lazarus report:
Once I submit the project, it's created in the system instantly and available to users via both the API and UI. As the screenshot below shows, the project has been created and is now awaiting the addition of artifacts:
Bulk Upload Artifacts
Once I create a project, I can use the project guide to bulk upload indicators, which can be tagged with individual context and flagged for monitoring. As you can see from my terminal, I’m adding five artifacts to the project and tagging them as associated with the Lazarus actor group and Kaspersky reporting:
Once I submit the artifacts, they become associated with my newly created project. As we can see in the UI, one of the artifacts was already known to be malicious:
Because each of these indicators is now tagged appropriately in the system and associated with a project, analysts have this context available during an investigation so they can action incidents quicker:
Finally, once I create a project and add artifacts, I can easily poll our API monitoring endpoint for alerts. Alerts are available by project or artifact, and allow for requests by a specific timeframe:
The above command requests all alerts for the Lazarus project after May 2, 2017. As you can see by the data returned, the monitoring endpoint provides eight entries:
Organizations can use this alerting feature to proactively block malicious infrastructure within their environments, providing better situational awareness and thereby reducing possible exposure from future attacks. If you are interested in conducting further research around this threat group, check out this newly created public project in PassiveTotal.
Explore the Updated API
The team is excited about these new API capabilities and their ability to streamline investigations and incident response. As always, this blog post highlights just one of many workflows that organizations can now implement using the updated API. For more information check out our updated API documentation.
Not a member of RiskIQ Community Edition? Sign up today.