The enhanced PassiveTotal brings far more than just a new look to the analysis platform; it's a culmination of all the feedback we've received since joining forces with RiskIQ. Our approach to this rewrite was to not only match the technology of RiskIQ, but also address several user experience issues that were introduced as we made more and more RiskIQ data available within the interface. We see this version of PassiveTotal as a significant step forward in empowering the analyst with as much control as possible.
User Experience and Design
When using the platform, the most notable change is the overall design and layout of the information. Long-time users of PassiveTotal will notice many of the same elements and data sources inside of the system, but laid out in a much cleaner way. Additionally, several client-side tools have been added that give the analyst single-click ways to interact with query data. For example, when running a search, users will see the familiar table of results, but also a number of facet controls on the left-hand side. These controls allow analysts to manipulate the results in order to see only the data points that matter to them. As users conduct pivots within the system, a trail of breadcrumbs is created next to the current results. Since analysts often need to get data and results out of the platform, the application also offers several places to copy or download results directly from the web interface.
Heatmap and Timebar
When performing the platform rewrite, a major focus of our efforts was centered around the concept of time. Many of our users enjoy the heatmap visuals and wealth of data RiskIQ has collected over the years, but felt overwhelmed when trying to analyze a specific portion of time.
Our solution to this time-based problem is the timebar, a miniature heatmap visual that shows the entire history of the infrastructure based on the result data. Clicking on a location within the timebar constrains the data within the data table and re-renders the heatmap for a six month period. From there, analysts can further refine their query by selecting individual days or ranges of time within the heatmap to get exactly the data that was relevant during that time. An analyst no longer needs to wade through hundreds of data points to find what they want; they can now get it on demand.
One of the primary byproducts from infrastructure analysis is almost always a set of indicators that tie back to a threat actor or group of actors. These indicators serve as a way of identifying campaigns later on and provide insight into how the threat actors operate. For years, PassiveTotal has provided analysts with tools to classify or tag infrastructure items, but never a way to group similar activity while also retaining context of the actual investigation. Projects were built to do just that.
Users now have the option to create both public and private projects with names, descriptions, collaborators and monitoring profiles. When pivoting inside of PassiveTotal, users can now hover over indicators of interest and automatically add them to a project. This process not only keeps track of the indicator, who added it, and when, but also notes where it was added from. For example, if I searched for "riskiq.com", I may view the WHOIS record to see that the domain was registered by "email@example.com". Adding that email address to my project would record that I was using "riskiq.com" as my query when the addition was made.
Visiting a project's details shows a listing of all associated artifacts and a detailed history that retains all the context described above. Users within the same organization no longer need to spend time communicating back and forth. Threat actor profiles can be built within PassiveTotal and serve as a "living" set of indicators. As new information is discovered, it can be added to that project.
One of the unique capabilities that has always set PassiveTotal apart was its ability to alert analysts of infrastructure changes based on our collected data sets and most recent scans. We've continued to build on this monitoring framework and now support a new range of query types focused on newly observed host domains and WHOIS registrant data. Using specific keywords or field types, analysts can be alerted to new domains or WHOIS changes as they are seen by RiskIQ.
Users looking to monitor specific indicators or keywords can now create a project, select their choice of monitoring profile, and add to the project in order to begin the automatic monitoring process. When changes are detected, an email and in-platform notification will be sent to the user and associated with that project. From the alert, the user can add new items to a project or kick off a search.
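As an added illustration of the project and monitoring workflow described in the two sections above (example code written for this post, not PassiveTotal's own implementation or API), the model below stores each indicator with who added it, when, and the query that was in context, and evaluates keyword monitoring profiles against a constructed feed of newly observed domains and WHOIS records. The profile names, observation field names and feed entries are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed data model, not PassiveTotal's code: a project holds indicators
# with provenance plus keyword monitoring profiles run against observations.


@dataclass
class Artifact:
    value: str
    kind: str          # "domain", "email", ...
    added_by: str      # user who added the indicator
    added_from: str    # query (or monitor) in context when it was added
    added_at: datetime


@dataclass
class MonitorProfile:
    name: str
    keywords: List[str]   # matched case-insensitively as substrings
    fields: List[str]     # observation fields to inspect, e.g. "domain"


@dataclass
class Alert:
    project: str
    profile: str
    observation_type: str   # "new_domain" or "whois" in the sample feed
    matched_field: str
    matched_value: str
    keyword: str


@dataclass
class Project:
    name: str
    description: str = ""
    public: bool = False
    collaborators: List[str] = field(default_factory=list)
    profiles: List[MonitorProfile] = field(default_factory=list)
    artifacts: List[Artifact] = field(default_factory=list)

    def add_artifact(self, value: str, kind: str, added_by: str,
                     added_from: str, now: Optional[datetime] = None) -> Artifact:
        """Record an indicator with who added it, when, and from where."""
        art = Artifact(value, kind, added_by, added_from,
                       now or datetime.now(timezone.utc))
        self.artifacts.append(art)
        return art

    def history(self) -> List[str]:
        """Audit trail of additions, oldest first."""
        return [f"{a.added_at.isoformat()} {a.added_by} added {a.kind} "
                f"{a.value} while viewing {a.added_from}"
                for a in sorted(self.artifacts, key=lambda a: a.added_at)]

    def evaluate(self, observation: Dict[str, str]) -> List[Alert]:
        """Apply every monitoring profile to a single observation."""
        alerts = []
        for profile in self.profiles:
            for fld in profile.fields:
                value = observation.get(fld)
                if not value:
                    continue
                for kw in profile.keywords:
                    if kw.lower() in value.lower():
                        alerts.append(Alert(self.name, profile.name,
                                            observation["type"], fld, value, kw))
        return alerts


def run_monitor(project: Project, feed: List[Dict[str, str]]) -> List[Alert]:
    """Evaluate a whole feed of observations and collect the alerts."""
    return [alert for obs in feed for alert in project.evaluate(obs)]


def add_from_alert(project: Project, alert: Alert, user: str,
                   now: Optional[datetime] = None) -> Artifact:
    """Promote an alerted value into the project, citing the monitor as origin."""
    kind = "email" if alert.matched_field == "registrant_email" else "domain"
    return project.add_artifact(alert.matched_value, kind, user,
                                f"monitor:{alert.profile}", now)


# Constructed sample feed: two newly observed domains and two WHOIS records.
SAMPLE_FEED = [
    {"type": "new_domain", "domain": "riskiq-login.example"},
    {"type": "new_domain", "domain": "weather-news.example"},
    {"type": "whois", "domain": "secure-mail.example",
     "registrant_email": "email@example.com", "registrant_org": "Example Org"},
    {"type": "whois", "domain": "shop.example",
     "registrant_email": "other@example.net", "registrant_org": "Other Org"},
]


def build_demo_project() -> Project:
    """Project with one hand-added indicator and two monitoring profiles."""
    proj = Project("actor-x", "tracking infrastructure reuse",
                   collaborators=["analyst1", "analyst2"])
    proj.profiles = [
        MonitorProfile("brand-domains", ["riskiq"], ["domain"]),
        MonitorProfile("registrant-watch", ["email@example.com"],
                       ["registrant_email"]),
    ]
    proj.add_artifact("email@example.com", "email", "analyst1",
                      "whois:riskiq.com",
                      datetime(2016, 1, 1, tzinfo=timezone.utc))
    return proj


if __name__ == "__main__":
    project = build_demo_project()
    for alert in run_monitor(project, SAMPLE_FEED):
        print(f"[{alert.profile}] {alert.observation_type}: {alert.matched_field}="
              f"{alert.matched_value} (keyword '{alert.keyword}')")
        add_from_alert(project, alert, "analyst2")
    print("\n".join(project.history()))
```

Running the script prints one alert for the newly observed domain containing the brand keyword and one for the WHOIS record whose registrant email matches, then the project history showing the original indicator added while viewing a WHOIS query and the two alerted values added with the monitor recorded as their origin.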
This launch of the enhanced PassiveTotal is extremely exciting and wouldn't have been possible without the support from our great community of users. We hope the changes that we've introduced not only speed up your workflow, but also make your analysis easier and more enjoyable. Over the coming months, our plan is to continue refining the new features and experiences we debuted today while also upgrading our API to support the new projects and monitors. If you are using the system and come across any strange issues, please let us know by sending a message to firstname.lastname@example.org.