RiskIQ Passive Total
RiskIQ PassiveTotal is a threat intelligence and digital risk management platform that uncovers threats and malicious actors across the internet. RiskIQ PassiveTotal offers comprehensive threat intelligence by analyzing diverse internet data.

This connector enables Swimlane Turbine users to automate the retrieval of enrichment, WHOIS, and passive DNS data for domains and IP addresses. By integrating with RiskIQ PassiveTotal, security teams can enhance their incident response and threat hunting capabilities, leveraging rich context and historical data to make informed decisions. The connector simplifies complex investigations, allowing users to focus on mitigating threats and strengthening their security posture.

## Prerequisites

To effectively utilize the RiskIQ PassiveTotal connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint URL for the RiskIQ PassiveTotal API
  - Username: your RiskIQ account username
  - API Secret: the API secret key associated with your RiskIQ account

## Capabilities

The RiskIQ PassiveTotal connector has the following capabilities:

- Passive DNS lookup
- Domain/IP enrichment data (list of subdomains, threat intel, more)
- WHOIS lookup

## Configurations

### HTTP Basic Authentication

Authenticates using username and API secret.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | API secret, can be obtained from the RiskIQ settings menu | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Enrichment

Retrieve enrichment data for a specified query from RiskIQ Passive Total, requiring the 'query' parameter.

**Endpoint URL:** `/v2/enrichment`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| query | string | required | Parameter for Get Enrichment |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| classification | string | Output field classification |
| sinkhole | boolean | Output field sinkhole |
| everCompromised | boolean | Output field everCompromised |
| queryType | string | Type of the resource |
| queryValue | string | Value for the parameter |
| primaryDomain | string | Output field primaryDomain |
| tld | string | Output field tld |
| subdomains | array | Output field subdomains |
| tag_meta | object | Output field tag_meta |
| mytag | object | Output field mytag |
| creator | string | Output field creator |
| created_at | string | Output field created_at |
| global_tags | array | Output field global_tags |
| tags | array | Output field tags |
| system_tags | array | Output field system_tags |
| dynamicDns | boolean | Output field dynamicDns |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Accept-Encod",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1; mode=block",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "Pragma": "no-cache",
      "Expires": "0",
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "script-src 'self' 'nonce-env' wcpstatic.microsoft.com",
      "Content-Encoding": "gzip",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Date": "Wed, 27 Nov 2024 10:20:59 GMT",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload;"
    },
    "reason": "",
    "json_body": {
      "classification": "non-malicious",
      "sinkhole": false,
      "everCompromised": false,
      "queryType": "domain",
      "queryValue": "passivetotal.org",
      "primaryDomain": "passivetotal.org",
      "tld": "org",
      "subdomains": [],
      "tag_meta": {},
      "global_tags": [],
      "tags": [],
      "system_tags": [],
      "dynamicDns": false
    }
  }
]
```

### Get Whois

Retrieve WHOIS data for a specified domain or IP address using RiskIQ Passive Total, providing detailed registration information.

**Endpoint URL:** `/v2/whois`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| query | string | optional | Parameter for Get Whois |
| compact_record | boolean | optional | Parameter for Get Whois |
| history | boolean | optional | Parameter for Get Whois |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| admin | object | Output field admin |
| city | string | Output field city |
| country | string | Output field country |
| email | string | Output field email |
| name | string | Name of the resource |
| organization | string | Output field organization |
| postalCode | string | Output field postalCode |
| state | string | Output field state |
| street | string | Output field street |
| billing | object | Output field billing |
| registrant | object | Output field registrant |
| city | string | Output field city |
| country | string | Output field country |
| email | string | Output field email |
| name | string | Name of the resource |
| organization | string | Output field organization |
| postalCode | string | Output field postalCode |
| state | string | Output field state |
| street | string | Output field street |
| tech | object | Output field tech |
| city | string | Output field city |
| country | string | Output field country |
| email | string | Output field email |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Accept-Encod",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1; mode=block",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "Pragma": "no-cache",
      "Expires": "0",
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "script-src 'self' 'nonce-env'",
      "Content-Encoding": "gzip",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Date": "Mon, 03 Jul 2023 19:39:36 GMT",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload;"
    },
    "reason": "",
    "json_body": {
      "admin": {},
      "billing": {},
      "registrant": {},
      "tech": {},
      "zone": {},
      "nameServers": [],
      "contactEmail": "passivetotal.org registrant@anonymised.email",
      "domain": "passivetotal.org",
      "expiresAt": "2024-04-14T13:00:56.000-07:00",
      "lastLoadedAt": "2023-07-03T12:31:37.499-07:00",
      "registered": "2014-04-14T13:00:56.000-07:00",
      "registrar": "Nom-iq Ltd. dba COM LAUDE",
      "registryUpdatedAt": "2023-03-20T16:16:30.000-07:00",
      "whoisServer": "whois.comlaude.com",
      "organization": "RiskIQ, Inc."
    }
  }
]
```

### Passive DNS

Retrieve passive DNS data for a specified query from RiskIQ Passive Total, using active account sources.

**Endpoint URL:** `/v2/dns/passive`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| query | string | required | Parameter for Passive DNS |
| start | string | optional | Parameter for Passive DNS |
| end | string | optional | Parameter for Passive DNS |
| timeout | number | optional | Parameter for Passive DNS |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| pager | object | Output field pager |
| queryValue | string | Value for the parameter |
| queryType | string | Type of the resource |
| firstSeen | string | Output field firstSeen |
| lastSeen | string | Output field lastSeen |
| totalRecords | number | Output field totalRecords |
| results | array | Result of the operation |
| firstSeen | string | Output field firstSeen |
| lastSeen | string | Output field lastSeen |
| source | array | Output field source |
| value | string | Value for the parameter |
| collected | string | Output field collected |
| recordType | string | Type of the resource |
| resolve | string | Output field resolve |
| resolveType | string | Type of the resource |
| recordHash | string | Output field recordHash |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Accept-Encod",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1; mode=block",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "Pragma": "no-cache",
      "Expires": "0",
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "script-src 'self' 'nonce-env'",
      "Content-Encoding": "gzip",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Date": "Mon, 03 Jul 2023 19:31:07 GMT",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload;"
    },
    "reason": "",
    "json_body": {
      "pager": null,
      "queryValue": "passivetotal.org",
      "queryType": "domain",
      "firstSeen": "2014-11-16 18:02:30",
      "lastSeen": "2023-07-03 12:31:04",
      "totalRecords": 5,
      "results": []
    }
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, max-age=0, must-revalidate |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Security-Policy | HTTP response header Content-Security-Policy | script-src 'self' 'nonce-env' |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 03 Jul 2023 19:31:07 GMT |
| Expires | The date/time after which the response is considered stale | 0 |
| Pragma | HTTP response header Pragma | no-cache |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63072000; includeSubDomains; preload; |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |

## Notes

- RiskIQ PassiveTotal API documentation: http://api.passivetotal.org/api/docs/
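The following is an added example, not code from the Swimlane connector or from RiskIQ. It shows what a playbook step built on these three actions typically has to do: assemble an HTTP Basic authenticated GET against the documented `/v2/...` endpoints while honouring the `verify_ssl` and `http_proxy` settings, then reduce an enrichment `json_body` to a verdict and a passive DNS `json_body` to a deduplicated list of resolutions that can be diffed against a previous run. The field names follow the output tables above; the sample bodies, the `example.test` domain, the RFC 5737 addresses and the source names `source_a`/`source_b` are constructed for the example.

```python
"""Added example (not the connector's or RiskIQ's own code): request building
and response triage for the PassiveTotal enrichment and passive DNS actions."""
import base64
import json
import ssl
from urllib.parse import urlencode
from urllib.request import (HTTPSHandler, ProxyHandler, Request,
                            build_opener)


def build_request(base_url, path, params, username, api_secret):
    """GET request for a PassiveTotal v2 endpoint using HTTP Basic auth.

    Parameters set to None (an unused start/end window, say) are dropped
    instead of being sent as the literal string "None"."""
    clean = {k: v for k, v in params.items() if v is not None}
    url = base_url.rstrip("/") + path
    if clean:
        url += "?" + urlencode(clean)
    token = base64.b64encode(f"{username}:{api_secret}".encode()).decode()
    return Request(url, headers={"Authorization": "Basic " + token,
                                 "Accept": "application/json"})


def make_opener(verify_ssl=True, http_proxy=None):
    """Opener that mirrors the connector's verify_ssl / http_proxy options.

    Keep verify_ssl on: with it off, anything on the path can read the Basic
    credentials and rewrite the verdicts your playbook acts on."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # weak setting, shown only so its effect is explicit
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers = [HTTPSHandler(context=ctx)]
    if http_proxy:
        handlers.append(ProxyHandler({"http": http_proxy, "https": http_proxy}))
    return build_opener(*handlers)


def fetch_json(opener, req, timeout=30):
    """Send the request and parse the body, refusing non-JSON content types."""
    with opener.open(req, timeout=timeout) as resp:
        ctype = resp.headers.get_content_type()
        if ctype != "application/json":
            raise ValueError("unexpected content type: " + ctype)
        return json.load(resp)


def triage_enrichment(body):
    """Reduce a /v2/enrichment json_body to a verdict plus the facts behind it."""
    classification = str(body.get("classification", "unknown")).lower()
    classification = classification.replace("_", "-")  # tolerate either spelling
    flags = [name for key, name in (("sinkhole", "sinkhole"),
                                    ("everCompromised", "ever_compromised"),
                                    ("dynamicDns", "dynamic_dns"))
             if body.get(key)]
    if classification in ("malicious", "suspicious"):
        verdict = classification
    elif flags:
        verdict = "review"  # not classified as bad, but history warrants a look
    elif classification == "non-malicious":
        verdict = "benign"
    else:
        verdict = "unknown"
    return {"query": body.get("queryValue"), "verdict": verdict,
            "flags": flags, "subdomain_count": len(body.get("subdomains") or [])}


def summarize_passive_dns(body):
    """Collapse /v2/dns/passive results into one entry per (recordType, resolve)
    with the widest first/last seen window and the union of sources."""
    seen = {}
    for rec in body.get("results") or []:
        key = (str(rec.get("recordType")), str(rec.get("resolve")))
        entry = seen.setdefault(key, {"firstSeen": None, "lastSeen": None,
                                      "sources": set()})
        first, last = rec.get("firstSeen"), rec.get("lastSeen")
        if first and (entry["firstSeen"] is None or first < entry["firstSeen"]):
            entry["firstSeen"] = first
        if last and (entry["lastSeen"] is None or last > entry["lastSeen"]):
            entry["lastSeen"] = last
        entry["sources"].update(rec.get("source") or [])
    return {
        "query": body.get("queryValue"),
        "totalRecords": body.get("totalRecords", 0),
        "resolutions": [
            {"recordType": k[0], "resolve": k[1], "firstSeen": v["firstSeen"],
             "lastSeen": v["lastSeen"], "sources": sorted(v["sources"])}
            for k, v in sorted(seen.items())],
    }


# Constructed sample bodies shaped like the documented examples.
SAMPLE_ENRICHMENT = {
    "classification": "non-malicious", "sinkhole": False, "everCompromised": False,
    "queryType": "domain", "queryValue": "passivetotal.org",
    "primaryDomain": "passivetotal.org", "tld": "org", "subdomains": [],
    "tag_meta": {}, "global_tags": [], "tags": [], "system_tags": [],
    "dynamicDns": False,
}
SAMPLE_PASSIVE_DNS = {  # example.test / 192.0.2.x / 198.51.100.x are constructed
    "pager": None, "queryValue": "example.test", "queryType": "domain",
    "firstSeen": "2014-11-16 18:02:30", "lastSeen": "2023-07-03 12:31:04",
    "totalRecords": 3, "results": [
        {"firstSeen": "2014-11-16 18:02:30", "lastSeen": "2019-01-01 00:00:00",
         "source": ["source_a"], "value": "example.test", "recordType": "A",
         "resolve": "192.0.2.10", "resolveType": "ip", "recordHash": "h1"},
        {"firstSeen": "2019-01-02 00:00:00", "lastSeen": "2023-07-03 12:31:04",
         "source": ["source_b"], "value": "example.test", "recordType": "A",
         "resolve": "192.0.2.10", "resolveType": "ip", "recordHash": "h2"},
        {"firstSeen": "2020-05-05 00:00:00", "lastSeen": "2020-06-06 00:00:00",
         "source": ["source_a"], "value": "example.test", "recordType": "A",
         "resolve": "198.51.100.7", "resolveType": "ip", "recordHash": "h3"},
    ],
}

if __name__ == "__main__":
    print(triage_enrichment(SAMPLE_ENRICHMENT))
    print(json.dumps(summarize_passive_dns(SAMPLE_PASSIVE_DNS), indent=2))
```

A live call is `fetch_json(make_opener(), build_request(url, "/v2/dns/passive", {"query": "example.test", "start": None, "end": None}, username, api_secret))`, with `url`, `username` and `api_secret` taken from the connector configuration. Note that the `timeout` input of the Passive DNS action is a server-side query parameter, whereas the `timeout` argument of `fetch_json` is the client socket timeout; a playbook usually wants both.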