Utilizing Projects to Manage Investigations - RiskIQ


Utilizing Projects to Manage Investigations


In this video, you will learn how to utilize projects within an investigation.

Projects

To mirror the process of the analyst, PassiveTotal has introduced lightweight case management in the form of “projects.” Users now have the option to create both public and private projects with names, descriptions, tags, and collaborators.

PassiveTotal projects allow users to group related activity and easily collaborate with others in their organization. Projects also retain the history of an investigation over time, so as new details emerge, get researched, and added to the project, users can be sure they have an accurate audit history.

Public Projects

For many in the security community, sharing information and intelligence is a large part of their daily workflow. Exchanging indicators, known group tactics, and investigation notes is commonplace, but it usually happens manually through email threads.

While these processes work, they don’t lend themselves well to large-scale collaboration or follow-on research.

Public projects within PassiveTotal allow users to share both data and context that details the steps the analyst took to discover those indicators. These projects are noted with a green open lock and can be published by anyone in the community.

Private Projects

PassiveTotal enterprise customers have the ability to publish private projects to the platform. These projects work the same as public projects; however, they are only visible to analysts within your enterprise organization. Private projects are denoted with a red lock and can be published by anyone in your organization.

Analysts can also add external collaborators to private projects who can participate in the investigation and add entities and IOCs to the project. To allow Community Edition users to experience private projects, PassiveTotal Community Edition users can create one private project.

Infrastructure Monitoring

Keeping track of activity on known bad infrastructure can provide security operations groups with the needed insight to proactively defend their networks. PassiveTotal allows analysts to find artifacts of interest from record changes across data sets, making it easy to keep tabs on bad actors.

Demonstration

In this demonstration, we will perform an investigation. We will create a private team project and add artifacts to the project. This will allow the project to monitor those artifacts and alert you when changes are observed.

We are now going to perform a discovery search for toy-spinners.com.

Go to the WHOIS tab to see who registered toys-spinners.com. The domain is registered to Hildegard Gruener. If you click on the email address j@ddf.co.at, PassiveTotal pivots on that artifact and you can see all of the domains registered to Hildegard Gruener.

If you would like to track any new domain that Hildegard registers, you can do it in a project.

Click the back button and go to the WHOIS information tab. Hover over the email address and you will see a folder icon appear. Now click on New Project.

The type of project we are going to select is a private project. RiskIQ allows community users a single private team project. RiskIQ PassiveTotal Enterprise users do not have this limitation.

Now we can add a project name and description. I am going to name my project Hildegard.

The description will be, “Tracking domains registered to Hildegard Gruener.”

You can also add tags and external collaborators. When you are done, you can click on the submit button.

That artifact has now been added to your newly created project. Next, let’s add the name, street address and phone number to the project as well.

To view the project tab containing public and private projects, you can click on the menu toggle button located on the top-left portion of the screen.

Now click on projects. Here you can see all of the public projects. All public projects have a green open lock and can be viewed by everyone.

Click on browse my projects. This will take you to your private team projects. All private team projects have a red closed lock and can only be viewed by you and other people in your organization or email addresses you have specifically added to your team project.

Now let’s click on the newly created team project. Here you can see the artifacts we added during our investigation. Monitors can be toggled on or off for each individual artifact.

The alerts tab shows anything new that has been found and associated with your monitored artifacts. You can review each new artifact individually and then decide whether to dismiss it or add it to your project to be monitored.

Project history is everything that has happened in your project. You can see when and where each artifact was added and by which user. This allows staff or new users of the project to understand the entire history of the project or investigation. It helps team members collaborate with each other and understand the context of each artifact.

You can also use project history to teach junior staff how to conduct investigations by learning how a previous investigation progressed over time.
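The monitor, alert and history workflow the demonstration walks through, as an added Python model. This is not PassiveTotal code and does not use its API; the project class, the WHOIS field mapping and every registrant, email, domain and record below are constructed placeholders chosen to show how one artifact pivot (a registrant email or name) turns newly observed domains into alerts, how triage either adds them as monitored artifacts or dismisses them, and how every step lands in an audit history.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Which WHOIS field each artifact kind is matched against (constructed mapping).
WHOIS_FIELD = {"email": "registrant_email", "name": "registrant_name", "phone": "registrant_phone"}


@dataclass
class Artifact:
    kind: str              # "email", "name", "phone" or "domain"
    value: str
    monitored: bool = True


@dataclass
class Alert:
    source: str            # the monitored artifact that matched, e.g. "email=..."
    domain: str            # newly observed domain
    status: str = "open"   # "open", "dismissed" or "added"


class Project:
    """A private team project: artifacts, per-artifact monitors, alerts and an audit history."""

    def __init__(self, name, description, private=True):
        self.name, self.description, self.private = name, description, private
        self.artifacts = {}    # (kind, value) -> Artifact
        self.alerts = []
        self.history = []      # (timestamp, user, action, detail)

    def _log(self, user, action, detail):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.history.append((stamp, user, action, detail))

    def add_artifact(self, user, kind, value, monitored=True):
        key = (kind, value)
        if key in self.artifacts:
            return False
        self.artifacts[key] = Artifact(kind, value, monitored)
        self._log(user, "add_artifact", f"{kind}={value}")
        return True

    def set_monitor(self, user, kind, value, enabled):
        self.artifacts[(kind, value)].monitored = enabled
        self._log(user, "set_monitor", f"{kind}={value} monitored={enabled}")

    def check_records(self, records):
        """Compare a fresh WHOIS snapshot against monitored artifacts; return alerts raised.

        A domain is alerted at most once: domains already in the project or already
        alerted (open, added or dismissed) are skipped, so re-running a snapshot is quiet.
        """
        known = {a.value for a in self.artifacts.values() if a.kind == "domain"}
        seen = {al.domain for al in self.alerts}
        raised = []
        for art in self.artifacts.values():
            field = WHOIS_FIELD.get(art.kind)
            if field is None or not art.monitored:
                continue
            for rec in records:
                dom = rec["domain"]
                if rec.get(field) != art.value or dom in known or dom in seen:
                    continue
                alert = Alert(source=f"{art.kind}={art.value}", domain=dom)
                self.alerts.append(alert)
                raised.append(alert)
                seen.add(dom)
                self._log("monitor", "alert", f"{dom} via {alert.source}")
        return raised

    def resolve_alert(self, user, domain, add):
        """Triage an open alert: add the domain as a monitored artifact, or dismiss it."""
        for al in self.alerts:
            if al.domain == domain and al.status == "open":
                al.status = "added" if add else "dismissed"
                self._log(user, "resolve_alert", f"{domain} {al.status}")
                if add:
                    self.add_artifact(user, "domain", domain)
                return al.status
        raise KeyError(f"no open alert for {domain}")


def demo():
    """Constructed walkthrough: one tracked registrant, two WHOIS snapshots."""
    proj = Project("Tracking registrant", "Tracking domains registered to a registrant of interest")
    proj.add_artifact("analyst", "email", "registrant@example.net")
    proj.add_artifact("analyst", "name", "Example Registrant")
    snap1 = [
        {"domain": "first-example.test", "registrant_email": "registrant@example.net",
         "registrant_name": "Example Registrant"},
        {"domain": "second-example.test", "registrant_email": "registrant@example.net",
         "registrant_name": "Example Registrant"},
    ]
    first = proj.check_records(snap1)                          # two new domains -> two alerts
    proj.resolve_alert("analyst", "first-example.test", add=True)
    proj.resolve_alert("analyst", "second-example.test", add=False)
    again = proj.check_records(snap1)                          # same snapshot -> nothing new
    snap2 = snap1 + [{"domain": "third-example.test", "registrant_email": "other@example.org",
                      "registrant_name": "Example Registrant"}]
    later = proj.check_records(snap2)                          # matched via the name artifact only
    return proj, len(first), len(again), len(later)


if __name__ == "__main__":
    project, n1, n2, n3 = demo()
    print("alerts per check:", n1, n2, n3)
    for entry in project.history:
        print(*entry)
```

The history list is what gives the audit trail the page describes: each alert carries the artifact it pivoted from, each triage decision records who made it, and a junior analyst can replay the entries in order to see how the investigation grew from a single email artifact.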

We hope you have enjoyed this video on utilizing projects within your investigations.

If you want to learn more about the products RiskIQ offers, visit us on the web at www.riskiq.com. For sales inquiries, you can call us at 1.888.415.4447 or email us at sales@www.riskiq.com