What’s New with PassiveTotal:

Threat Intel Portal, Intelligence Articles, Packaging

August 5th, By Dean Coza, RiskIQ Chief Product Officer

We are excited to announce the relaunch of PassiveTotal that includes a new Threat Intelligence Portal with a feed of OSINT articles dynamically linked into PassiveTotal core and derived data sets—enhanced with additional research by RiskIQ Labs.

The new RiskIQ community represents the convergence of timely and topical threat intelligence with the most comprehensive internet data and history available, helping 100,000+ PassiveTotal community users scale out threat hunting, enable smarter and faster incident response, and automate security operations.

Threat Intel Portal

The Threat Intel Portal launches with hundreds of OSINT and original RiskIQ research articles. RiskIQ Labs will continue to regularly enrich and publish new OSINT articles, along with weekly Attack Intelligence highlights and original research such as our groundbreaking Magecart investigation.

Article Cards and Easy Pivot-search

Article summaries are presented as cards on the Threat Intel Portal home page. Clicking on a card takes users to the Article Details page, which includes intelligence indicators that dynamically link to PassiveTotal search results.

PassiveTotal Classic

Users can leverage RiskIQ PassiveTotal’s search and preview indicators directly from RiskIQ’s Threat Intel Portal. Live links in the Threat Intel Portal and pre-built indexes give you the ability to quickly pivot into deeper intelligence and artifacts. Once in PassiveTotal Classic, you can access core and derived data sets to extend your threat visibility and tailor your response, while enjoying a clean new look and feel.

Threat Summary Digests

Tap into security intelligence from RiskIQ Labs’s team of experts. Accessible and actionable threat summaries and weekly updates refine your threat discovery and analysis. Keep track of trends, threat actors, indicators, and the latest results from RiskIQ’s worldwide Internet collection. Paired with our team of security specialists and analysts, customers get straightforward guidance on the most critical threat intelligence.

Search In Teams

New RiskIQ Community packages allow teams to share quota and queries. Now, individual users in the same organization are linked, capable of joint projects, watchlists, and team-extended queries across all enterprise accounts.

See What's New

Threat Intel Portal Homepage

Featured Articles
The featured article section of the home page (right below the search bar) shows you the featured RiskIQ content:

Clicking the article title takes you to the underlying article content. The article synopsis gives the user a quick understanding of the article. The Indicators bar at the right shows how many community and enterprise indicators are associated with the article.

Other Articles
All articles (including featured articles) are listed under the RiskIQ articles section, ordered by their creation date (descending):

Download Indicators
The download icon is next to the indicator summary:
Clicking the download icon will download the indicators from the article:

Saved Articles
The Saved article icon is near the article title:

When you click the saved article icon, it changes color to indicate that the article has been saved:

And the article is added to your saved articles list:

Article Sharing
The sharing icon presents users with two options: copy a link to the article, and email the article:

Clicking the “link” icon copies the link to the user’s clipboard. Clicking the “mail” icon opens up a mail dialog:

Search
When you search for a term, the page refreshes, showing you just the articles that match your search term:

In addition to article matches, search results may return a data summary card (see sections below for an explanation of data cards).

Note: Clicking the “X” when the search bar is populated clears the search, removes the data card (if one is visible), and restores the full article list.

Data Card for Domains, Hosts, and IPs
PassiveTotal shows users a summary data card when the user searches for a domain, host, or IP Address.

When the search is for a domain or host, the card consists of:

  • The most recent five DNS resolutions for the entity
  • The most recent five SSL Certificates for the entity
  • The most recent five matching hashes for the entity
  • The most recent five projects the entity is contained within

When the search is for an IP Address, the card consists of:

  • The most recent five DNS resolutions for the entity
  • The most recent five services exposed on the IP Address (within the past 14 days)
  • The most recent five SSL Certificates for the entity
  • The most recent five matching hashes for the entity
  • The most recent five projects the entity is contained within

The “View All ## Records” buttons pivot into the PassiveTotal search for the entity and the clickable links under each section pivot into the underlying PassiveTotal data.

Data Card for Text Search
The data cards also summarize results for free text search (in addition to domain, host, and IP searches). For example, searching for GlobalProtect—the name of a VPN product—yields the following data card:

Data Card for Email
Searching for an email address shows the email address data card, which lists the most recent five domains for which the email address is the WHOIS contact:

Data Card - “Less Common Searches”
The “Less Common Searches” section at the bottom of a data card contains other searches that a user can run if the data card doesn’t match their intended results:

For example, clicking the “Whois Name” less common search takes one to the related WHOIS records:
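The data-card behaviour described above boils down to two steps: decide what kind of indicator the search term is (IP, email, domain, host, or free text) and then pull the most recent five records from each relevant data set, keeping the total count for the “View All ## Records” button. The following is an added example written for this page, not RiskIQ or PassiveTotal code, that reproduces that dispatch over constructed local records. Every record, date, and name in it is made up; the 14-day service window and the five-row limit come from the text above, and the domain-versus-host rule is a deliberate simplification (a real implementation would use the Public Suffix List).

```python
"""Indicator-type dispatch and "most recent five" summary cards.

Added example for this page (not RiskIQ/PassiveTotal code). It mimics how a
portal search decides which data card to show and what goes on it.
All records below are constructed sample data, not real PassiveTotal data.
"""
import ipaddress
import re
from datetime import date, timedelta

TODAY = date(2019, 8, 5)  # assumed "now" for the 14-day service window

# Constructed sample data sets. last_seen is an ISO date string, so lexical
# order equals chronological order.
RESOLUTIONS = [
    {"query": "login.example-corp.test", "resolve": "203.0.113.10",
     "last_seen": f"2019-07-{d:02d}"}
    for d in range(20, 27)  # seven resolutions; a card shows only five
] + [
    {"query": "cdn.example-corp.test", "resolve": "203.0.113.10",
     "last_seen": "2019-08-02"},
]
CERTIFICATES = [
    {"subject": "login.example-corp.test", "sha1": "c0ffee" * 6 + "c0ff",
     "last_seen": "2019-07-30"},
]
SERVICES = [
    {"ip": "203.0.113.10", "port": 443, "service": "https", "last_seen": "2019-07-30"},
    {"ip": "203.0.113.10", "port": 22, "service": "ssh", "last_seen": "2019-06-01"},
]
WHOIS = [  # email -> domains for which it is the WHOIS contact
    {"domain": "example-corp.test", "email": "registrar@example-corp.test",
     "last_seen": "2019-07-01"},
    {"domain": "example-corp-mail.test", "email": "registrar@example-corp.test",
     "last_seen": "2019-05-14"},
]
ARTICLES = [  # constructed titles, used for the free-text card
    {"title": "Constructed phishing kit write-up", "published": "2019-08-01"},
    {"title": "Constructed VPN appliance scanning summary", "published": "2019-07-28"},
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
HOST_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}", re.I)


def classify(term: str) -> str:
    """Return one of: ip, email, domain, host, text (the card types on the page)."""
    term = term.strip()
    try:
        ipaddress.ip_address(term)  # accepts IPv4/IPv6, rejects hostnames
        return "ip"
    except ValueError:
        pass
    if EMAIL_RE.fullmatch(term):
        return "email"
    if HOST_RE.fullmatch(term):
        # Simplification: two labels = registrable domain, more = host.
        # A real implementation needs the Public Suffix List (example.co.uk).
        return "domain" if term.count(".") == 1 else "host"
    return "text"


def recent(records, field, value, limit=5):
    """Most recent `limit` records with records[field] == value, plus the
    total hit count (the number behind the "View All ## Records" button)."""
    hits = sorted((r for r in records if r[field] == value),
                  key=lambda r: r["last_seen"], reverse=True)
    return hits[:limit], len(hits)


def data_card(term: str, today: date = TODAY) -> dict:
    """Build the summary card for a search term."""
    kind = classify(term)
    key = term.strip() if kind == "text" else term.strip().lower()
    card = {"term": key, "kind": kind, "sections": {}}

    def section(name, records, field, value):
        rows, total = recent(records, field, value)
        card["sections"][name] = {"rows": rows, "total": total}

    if kind in ("domain", "host"):
        section("resolutions", RESOLUTIONS, "query", key)
        section("certificates", CERTIFICATES, "subject", key)
    elif kind == "ip":
        section("resolutions", RESOLUTIONS, "resolve", key)
        # Services are only shown if seen within the past 14 days.
        cutoff = (today - timedelta(days=14)).isoformat()
        live = [s for s in SERVICES if s["last_seen"] >= cutoff]
        section("services", live, "ip", key)
    elif kind == "email":
        section("whois_domains", WHOIS, "email", key)
    else:  # free text: match article titles, as the portal's article search does
        hits = [a for a in ARTICLES if key.lower() in a["title"].lower()]
        card["sections"]["articles"] = {"rows": hits, "total": len(hits)}
    return card


if __name__ == "__main__":
    for t in ("login.example-corp.test", "203.0.113.10", "registrar@example-corp.test", "VPN"):
        c = data_card(t)
        print(t, "->", c["kind"], {k: v["total"] for k, v in c["sections"].items()})
```

The IP check runs before the hostname regex on purpose: a dotted-quad also matches the host pattern, so ordering is what keeps `203.0.113.10` from being treated as a domain. The `total` field is what lets a UI show “View All 7 Records” while rendering only five rows.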

Use PT Classic
The “Use PT Classic” button switches to the classic PassiveTotal home page and sets that as the default home page:

Article Details: Curated OSINT and RiskIQ Intelligence

Clicking on an article takes the user to the article details:

Description
The description section of the article detail screen contains information about the attack or attacker profiled. The content can range from very short (in the case of OSINT bulletins) to quite long (for long-form reporting, especially when RiskIQ has augmented the report with additional content). The longer descriptions may contain images, links to the underlying content, links to searches within PassiveTotal, attacker code snippets, and firewall rules to block the attack:

Community Indicators
The community indicators section of the screen shows the previously-published indicators related to the article:

The links in the community indicators take one to the underlying PassiveTotal data or relevant external sources (e.g., VirusTotal for hashes).

Enterprise Indicators
The enterprise indicators section covers the indicators that RiskIQ’s research team has found and added to the articles:

These links also pivot into the relevant PassiveTotal data or the corresponding external source.

More RiskIQ Intelligence
This section lists other recent articles:

Updates To PassiveTotal Classic

Home Screen

Items Moved to Menu
The left-hand menu items have been moved to the User menu at the top-right of the screen.

Use New PT Button
Visible to all users, this button switches to the newer PassiveTotal home page and sets the default home page to the new home page.

Application Styling
The application has been restyled to be consistent across both the new PassiveTotal experience and the PassiveTotal classic search experience.

Removal of Extraneous Items
The home page previously showed featured projects, RiskIQ featured content, and an upgrade message. These have been removed; the latter two are now covered by the new home page.

Menu Bar
Clicking on the “hamburger” menu (the three blue lines at the top-left) of PassiveTotal expands the menu bar:

PassiveTotal Search
Heatmap (Licensing)

Unlicensed accounts are presented with limited history on the heatmap: generally 14 days for individual accounts and 90 days for organization accounts.

Tab Counts (Licensing)
Tab counts no longer count against your search volume or query quota. The counts continue to populate even when you are beyond your licensed query quota.

OSINT Tab
The OSINT Tab (open source intelligence) now contains a link to any RiskIQ Threat Intel articles that the indicator shows up in. These OSINT links are tagged with the “RiskIQ Intel” tag:

Resolutions Tab (Licensing)
Unlicensed accounts are presented with limited history: 14 days for most individual accounts and 90 days for organization accounts.

WHOIS Tab (Licensing)
Unlicensed accounts may only view the current WHOIS record. Only enterprise licensees may view WHOIS History records.

Certificates Tab (Licensing)
Unlicensed accounts are presented with limited history: 14 days for most individual accounts and 90 days for organization accounts.

Trackers Tab (Licensing)
Trackers are only available to users with an enterprise license.

Components Tab (Licensing)
Components are only available to users with an enterprise license.

Host Pairs Tab (Licensing)
Host Pairs are only available to users with an enterprise license.

DNS / Reverse DNS Tab (Licensing)
The DNS Tab (Reverse DNS for IP Addresses) restricts history for unlicensed accounts. Individual accounts are generally limited to 14 days history, and organization accounts are limited to 90 days history.

Cookies Tab (Licensing)
Cookies are only available to users with an enterprise license.

Services (Licensing)
When searching for an IP Address, the Services tab is now available to organization accounts (it had previously been restricted to enterprise accounts). The tab shows recent services exposed on the IP Address.
