RiskIQ PassiveTotal
RiskIQ PassiveTotal expedites investigations by connecting internal activity, event, and incident indicator of compromise (IOC) artifacts to what is happening outside the firewall: external threats, attackers, and their related infrastructure.
Connect RiskIQ PassiveTotal with Devo SOAR
1. Navigate to Automations > Integrations.
2. Search for RiskIQ PassiveTotal.
3. Click Details, then the + icon. Enter the required information in the following fields:
   - Label: Enter a connection name.
   - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
   - Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
   - Remote Agent: Run this integration using the Devo SOAR Remote Agent.
   - API Key: The API key used to connect to RiskIQ PassiveTotal.
   - Username: The username used to connect to RiskIQ PassiveTotal.
4. After you've entered all the details, click Connect.
Actions for RiskIQ PassiveTotal
## Host Scan
Submits a host name or IP address to RiskIQ PassiveTotal for lookup against their database. Based on the results, automate how Incident Response is handled.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Host | Column name from parent table to lookup value for Host. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Scan Result.
## Get Enrichment Data
Get enrichment data for a query.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Query | [Jinja-template](doc:jinja-template) query containing the domain or IP being queried. Example: {{query_column_name}}. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Enrichment Data.
```json
{
  "network": "62.210.0.0/16",
  "classification": null,
  "tags": [],
  "country": "FR",
  "system_tags": [
    "routable",
    "ONLINE-S.A.S."
  ],
  "dynamic": null,
  "longitude": 2.4075000286102295,
  "sinkhole": false,
  "global_tags": [
    "as12876"
  ],
  "tag_meta": {},
  "autonomousSystemNumber": 12876,
  "queryValue": "62.210.178.100",
  "latitude": 48.832298278808594,
  "everCompromised": false,
  "autonomousSystemName": "ONLINE S.A.S.",
  "queryType": "ip"
}
```
## Get OSINT
Get OSINT data for a query.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated query containing the domain or IP being queried. Example:{{query_column_name}}. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: OSINT Data.
```json
{
  "compromised": [],
  "creator": "RiskIQ",
  "derived": [],
  "description": "LogoKit: Actor Deepdive",
  "error": null,
  "guid": "81e748fa-25b8-4553-9ecd-cf9df54cc788",
  "has_error": false,
  "inReport": [],
  "indicators": [],
  "name": "LogoKit: Actor Deepdive",
  "source": "RiskIQ Intel",
  "sourceUrl": "https://community.riskiq.com/article/a9d3b8b8",
  "tags": [ "RiskIQ Intel" ]
}
```
## Get Account
Read current account metadata and settings.
### Input Field
Choose a connection that you have previously created to complete the connection.
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Account Data
```json
{
  "ssoAuthPartnerId":null,
  "workspaceId":null,
  "guest":false,
  "organization":null,
  "disableHistory":false,
  "approvedSources":"riskiq, pingly, osint, crawl, google_cse, emerging_threats, threat_expert, ibm",
  "phoneNumber":"",
  "jobRole":null,
  "lastActive":"2021-07-02",
  "guid":"f8e2f1ba-37a6-4d92-ba88-5d5616934172",
  "username":"i36833117@gmail.com",
  "user_hash":null,
  "fullName":"Indra Jeet",
  "features":{
    "two_factor_enabled":true,
    "tab_update":true,
    "analyst_projects":false,
    "illuminate":true,
    "community_relaunch":true,
    "msft_integration":false,
    "async_heatmap":true,
    "whois_history":false,
    "data_table_improvement":true,
    "msft_integration_actions":true,
    "projects_tabs":true,
    "calendly_integration":true,
    "netflow_enrich_ip_enabled":true,
    "projects_share":true,
    "server_side_facets":true,
    "allowNewHomepage":true,
    "data_table_paginated":true,
    "analyst_insights":false,
    "project_selector_v2":true,
    "exposed_services":false
  },
  "permissions":[
  ],
  "enterpriseUser":"False",
  "country":"India",
  "illuminateTrialData":{
    "active":false,
    "startedManually":false,
    "daysLeft":0
  },
  "projectPublicQuotaExceeded":false,
  "user_id":null,
  "datasets":{
    "pdns":14,
    "malware":14,
    "whois":true,
    "riskiqArticleIndicators":false,
    "trackers":false,
    "attackSurfaceIntel":false,
    "deepDarkWeb":false,
    "cookies":false,
    "hostPairs":false,
    "reputation":false,
    "whoisHistory":false,
    "components":false,
    "services":false,
    "sslCerts":14,
    "adversaryIntel":false,
    "analystInsights":false,
    "brandIntel":false
  },
  "firstActive":"2021-02-18",
  "accountStatus":"community",
  "lastName":"Jeet",
  "searchWebQuotaExceeded":false,
  "firstName":"Indra",
  "has_error":false,
  "ssoSuccess":true,
  "ssoIntegrationId":null,
  "error":null,
  "roles":[
    "user"
  ],
  "emailDigestFrequency":"weekly",
  "preferences":{
    "ptClassicMode":false,
    "neverLoggedIn":true,
    "homeOptIn":false,
    "hideHomeOptIn":true,
    "darkMode":false,
    "articlePageSize":0
  },
  "hideHomeOptIn":false,
  "monitorFrequency":"weekly",
  "searchApiQuotaExceeded":false,
  "stateOrRegion":"",
  "darkMode":false,
  "verified":"True",
  "projectPrivateQuotaExceeded":false,
  "event_code":null,
  "homeOptIn":false,
  "suppliedOrganization":"",
  "daysLeftOnTrial":null
}
```
## Get History
Read API usage history of the account.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Source | History type (Defaults to Both) | Required |
Date | Date to start showing results for. Example: 2020-04-27 | Required |
Focus | Query to filter for (domain, ip) | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get History Data
```json
{
  "source":"api",
  "dt":"2021-07-02 08:48:35",
  "guid":"e24632ab-8df3-40cf-b40f-f1b051b2ed0d",
  "username":"i36833117@gmail.com",
  "context":1,
  "has_error":false,
  "focus":"aa",
  "error":null,
  "type":"search"
}
```
## Get Monitors
Get active monitors.
### Input Field
Choose a connection that you have previously created to complete the connection.
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Monitors Data
```json
{
  "error":null,
  "focus":"example.org",
  "has_error":false,
  "tags":[
    "bar",
    "foo"
  ]
}
```
## Get Organization
Read current organization metadata.
### Input Field
Choose a connection that you have previously created to complete the connection.
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Organization Data
```json
{
  "has_error":true,
  "error":{
    "error_response":{
      "features":null,
      "attackSurfaces":null,
      "acceptableDomains":null,
      "watchQuota":null,
      "seats":null,
      "licenses":null,
      "showTeamSearchHistory":null,
      "id":null,
      "usersNotSignedUpYet":null,
      "inactiveMembers":null,
      "hasFalconCreds":false,
      "status":null,
      "defaultDomains":null,
      "searchQuota":null,
      "disableTeamSearchHistory":null,
      "registered":null,
      "lastActive":null,
      "active":null,
      "activeMembers":null,
      "licensedMembers":null,
      "trialMembers":null,
      "name":null,
      "sources":null,
      "disableIndividualSearchHistory":null,
      "admins":null,
      "disabledMembers":null
    }
  }
}
```
## Get Sources
Check sources being used for queries.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Source | The source to filter on. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Sources Data
```json
{
  "org_configuration":null,
  "website":"https://www.circl.lu",
  "source":"circl_lu",
  "authMethod":{ "password":"", "username":"" },
  "auth":true,
  "authRequired":true,
  "description":"",
  "label":"CIRCL.lu",
  "controllable":true,
  "has_error":false,
  "error":null,
  "configuration":{ },
  "type":[ "pdns" ],
  "access":[ "free", "private" ],
  "active":false
}
```
## Get Items With The Specified Classification
Retrieve items with the specified classification.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Classification | Classification for which to retrieve items for. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Items With The Specified Classification Data
```json
{
  "has_error":false,
  "malicious":[
    "04zyp.trudemocracy.com",
    "b.com",
    "a.com"
  ],
  "error":null
}
```
## Get Tags
Retrieves tags for a given artifact.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Artifact for which to retrieve tags | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Tags Data
```json
{
  "error":null,
  "has_error":false,
  "result":"ds2"
}
```
## Set Tags
Adds tags to a given artifact.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
| Jinja-templated Json field containing add tags request. Example: {"query": "04zyp.trudemocracy.com", "tags": ["rig", "crimeware", "exploit kit"]} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Set Tags Data
```json
{
  "has_error":false,
  "error":null,
  "tags":[
    "rig",
    "exploit kit",
    "crimeware",
    "phish",
    "triage"
  ]
}
```
## Set Bulk Classification Status
Set classification statuses for given domains.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated text containing set bulk classification status request. Example: {"queries": ["a.com","b.com"], "classification": "malicious"} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Set Bulk Classification Status Data
```json
{
  "has_error":false,
  "classification":"malicious",
  "error":null
}
```
## Set Classification Status
Sets the classification status for a given domain.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated text containing set classification status request. Example: {"query": "a.com", "classification": "malicious"} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Set Classification Status Data
```json
{
  "has_error":false,
  "classification":"malicious",
  "error":null
}
```
## Set Compromised Status
Sets status for a domain to indicate if it has ever been compromised.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated text containing set compromised status request. Example: {"query": "riskiq.net", "status": false} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Set Compromised Status Data
```json
{
  "everCompromised":true,
  "has_error":false,
  "error":null
}
```
## Set Dynamic DNS Status
Sets a domain's status to indicate whether or not its DNS records are updated via dynamic DNS.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated text containing set dynamic DNS status request. Example: {"query": "riskiq.net", "status": false} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Set Dynamic DNS Status Data
```json
{
  "query": "riskiq.net",
  "status": false
}
```
## Get Sinkhole Status
Indicates whether or not an IP address is a sinkhole.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing IP address to check for sinkhole status. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Sinkhole Status Data
```json
{
  "has_error":false,
  "error":null,
  "sinkhole":true
}
```
## Search Tags
Retrieve artifacts for a given tag.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing tag for which to retrieve artifacts. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Search Tags Data
```json
{
  "has_error":false,
  "results":[
    {
      "username":"",
      "user_tags":[ ]
    }
  ],
  "error":null
}
```
## Bulk Update Artifacts
Perform artifact updates in bulk.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Artifacts | Jinja-templated text containing artifact updates in bulk. Example: {"artifacts":[{"artifact": "35012697-41b2-f6ac-9f3f-ed45d6464a65", "monitor": true, "tags": ["phisher", "scammer"]}]} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Bulk Update Artifacts Data
```json
{
  "'7bf706b4-5d3e-4572-b402-8ba8d03a8839'":{
    "success":false,
    "error":"no artifact with that ID"
  },
  "has_error":false,
  "'d84d8ada-416f-4c67-a1b6-5050fc4c3d7f'":{
    "success":false,
    "error":"no artifact with that ID"
  },
  "error":null
}
```
## Delete Artifact
Delete an artifact with a UUID.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated text containing delete Artifact request. Example: {"artifact": "a9969326-4310-175d-d422-e83a36edaae0"} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Delete Artifact Data
```json
{
  "has_error":true,
  "error_response":{
    "message":"No artifact found matching the given artifact id=cac04b2e-fefe-45ef-9afa-877ce6a72814",
    "requestID":"38ec53a4-56df-4a4a-b099-125e661b77bc"
  },
  "error":"Some error occurred"
}
```
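
The sample outputs on this page report failure in three shapes: `error_response` nested under `error` (Get Attack Surface), `error_response` beside a generic `error` string (Delete Artifact), and per-artifact `success: false` entries while `has_error` is false (Bulk Update Artifacts). The Python below is an added example, not Devo or RiskIQ code, showing one way a playbook step could normalize all three before branching; `ActionOutcome`, `classify_row` and the `kind` labels are hypothetical names, and the sample rows are copied from the outputs on this page.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, Optional


@dataclass
class ActionOutcome:
    ok: bool                      # True only when nothing in the row failed
    kind: str                     # "ok", "license", "not_found", "partial" or "error"
    message: Optional[str] = None
    request_id: Optional[str] = None
    failed_items: Dict[str, str] = field(default_factory=dict)


def _error_response(row: Dict[str, Any]) -> Dict[str, Any]:
    """Return error_response whether it sits at top level or under 'error'."""
    top = row.get("error_response")
    if isinstance(top, dict):
        return top
    err = row.get("error")
    if isinstance(err, dict) and isinstance(err.get("error_response"), dict):
        return err["error_response"]
    return {}


def classify_row(row: Dict[str, Any]) -> ActionOutcome:
    """Map one output row to an outcome a playbook can branch on."""
    if row.get("has_error"):
        detail = _error_response(row)
        message = detail.get("message")
        # Fall back to the generic string only if no detailed message exists.
        if message is None and isinstance(row.get("error"), str):
            message = row["error"]
        text = (message or "").lower()
        if "license level" in text:
            kind = "license"      # dataset not licensed; retrying will not help
        elif "no artifact found" in text:
            kind = "not_found"
        else:
            kind = "error"
        return ActionOutcome(False, kind, message, detail.get("requestID"))

    # has_error is false: bulk actions can still carry per-item failures,
    # keyed by the artifact ID (wrapped in single quotes in the sample).
    failed = {
        key.strip("'"): str(value.get("error"))
        for key, value in row.items()
        if isinstance(value, dict) and value.get("success") is False
    }
    if failed:
        return ActionOutcome(False, "partial",
                             f"{len(failed)} item(s) failed", None, failed)
    return ActionOutcome(True, "ok")


# Rows copied from the sample outputs on this page.
SAMPLE_ROWS = {
    "Get Attack Surface": """{"has_error":true,"error":{"error_response":{
        "message":"Attack Surface Intel not included in license level",
        "requestID":"88811587-41d8-47e2-8437-77a60c3f3400"}}}""",
    "Delete Artifact": """{"has_error":true,"error_response":{
        "message":"No artifact found matching the given artifact id=cac04b2e-fefe-45ef-9afa-877ce6a72814",
        "requestID":"38ec53a4-56df-4a4a-b099-125e661b77bc"},
        "error":"Some error occurred"}""",
    "Bulk Update Artifacts": """{
        "'7bf706b4-5d3e-4572-b402-8ba8d03a8839'":{"success":false,"error":"no artifact with that ID"},
        "has_error":false,
        "'d84d8ada-416f-4c67-a1b6-5050fc4c3d7f'":{"success":false,"error":"no artifact with that ID"},
        "error":null}""",
    "Set Classification Status": """{"has_error":false,
        "classification":"malicious","error":null}""",
}


def classify_samples() -> Dict[str, ActionOutcome]:
    """Classify every sample row, keyed by the action that produced it."""
    return {name: classify_row(json.loads(raw))
            for name, raw in SAMPLE_ROWS.items()}


if __name__ == "__main__":
    for name, outcome in classify_samples().items():
        print(f"{name:28} {outcome.kind:10} {outcome.message}")
```

Branching on `kind` rather than on `has_error` alone keeps a playbook from treating a failed bulk update as a success.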
## Update Artifact
Update artifact, or toggle monitoring status. If you want to change the query or artifact type, simply delete it and create a new one. Use /pt/v2/artifact/tag to add or delete tags without setting everything at once.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated update artifact request. Example: {"artifact": "838439d8-d291-4e20-dec8-05c8f7f7ba57", "monitor": true, "tags": ["fizzbuzz", "foobar"]} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Update Artifact Data
```json
{
  "organization":"",
  "monitor":true,
  "success":true,
  "monitorable":true,
  "guid":"e53a2898-22b5-49f9-9c1f-7b0553caec42",
  "project":"76f6f7ec-5283-4f39-a789-a84c059b1af1",
  "system_tags":[ ],
  "query":"example.org",
  "creator":"i36833117@gmail.com",
  "user_tags":[ "fizzfreferferfbuzz", "fooferfefefbar" ],
  "tag_meta":{ },
  "links":{
    "project":"/v2/project?project=76f6f7ec-5283-4f39-a789-a84c059b1af1",
    "self":"/v2/artifact?artifact=e53a2898-22b5-49f9-9c1f-7b0553caec42",
    "tag":"/v2/artifact/tag?artifact=e53a2898-22b5-49f9-9c1f-7b0553caec42"
  },
  "has_error":false,
  "error":null,
  "owner":"i36833117@gmail.com",
  "type":"domain",
  "global_tags":[ ],
  "created":"2021-07-01T10:12:23.328000"
}
```
## Threat Intel Indicators
Retrieves all article indicators, ordered by article publish date from oldest to newest.
For consideration:
- To consult the indicators of a single article, use only the articleGuid parameter.
- To consult the indicators of multiple articles, use the startDate parameter to start looking from a specific publish date, or call the API without parameters.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Article Guid | Jinja-templated article short guid. Use this parameter if you want to consult the indicators of a single article. | Required |
Start Date | Jinja-templated text representing the publish date of articles where you want to start looking at indicators. Formats:"yyyy-MM-dd HH:mm:ss". Example: 2020-05-23 00:00:00 | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Threat Intel Indicators Data
```json
{
  "success": true,
  "indicators": [
    {
      "value": "047af34af65efd5c6ee38eb7ad100a01",
      "type": "hash_md5",
      "source": "public",
      "guid": "f990eb3b",
      "link": "https://api.community.riskiq.com/article/f990eb3b",
      "publishedDate": "2020-05-06T14:30:00.000+0000",
      "tags": [ "RAT", "FireEye", "Malware", "DarkCrystal", ".NET", "Windows" ]
    },
    {
      "value": "b478d340a787b85e086cc951d0696cb1",
      "type": "hash_md5",
      "source": "public",
      "guid": "f990eb3b",
      "link": "https://api.community.riskiq.com/article/f990eb3b",
      "publishedDate": "2020-05-12T13:30:00.000+0000",
      "tags": [ "RAT", "FireEye", "Malware", "DarkCrystal", ".NET", "Windows" ]
    }
  ],
  "totalRecords": 2
}
```
## Get Articles
Retrieves all articles.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Sort | Jinja-templated Order to sort, defaults to created. | Required |
Order | Jinja-templated field name to sort by, defaults to desc. | Required |
Page | Jinja-templated page number for paging through results, defaults to 0. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Articles Data
```json
{
  "has_error":true,
  "error_response":{
    "message":"Unable to parse request parameters.",
    "requestID":"c4964217-7d10-4b45-aff5-dc2da8ec8686"
  },
  "error":"Some error occurred"
}
```
## Get Attack Surface
Finds the Attack Surface information of the given account.
### Input Field
Choose a connection that you have previously created to complete the connection.
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Attack Surface Data
```json
{
  "has_error":true,
  "error":{
    "error_response":{
      "message":"Attack Surface Intel not included in license level",
      "requestID":"88811587-41d8-47e2-8437-77a60c3f3400"
    }
  }
}
```
## Get Attack Surface Insight Information
Finds the Attack Surface Insight Information given the insight ID for the given account.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Insight ID | Jinja-templated insight ID. | Required |
Group By | Jinja-templated group by value (bar) to group by, based on the chart's groupBy field. | Required |
Segment By | Jinja-templated group by value (bar segment) to segment by, based on the chart's segmentBy field. | Required |
Page | Jinja-templated page. Default is 0. | Required |
Size | Jinja-templated size. Default is 25. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Attack Surface Insight Information Data
```json
{
  "has_error":true,
  "error_response":{
    "message":"Attack Surface Intel not included in license level",
    "requestID":"56adb0d4-7fbb-4245-9f61-6146bcfa45d7"
  },
  "error":"Some error occurred"
}
```
## Get All Attack Surface Third-Party Vendors
Finds all vendors associated with the given account.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Page | Jinja-templated page. (Default is 0). | Required |
Size | Jinja-templated page. (Default is 0). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get All Attack Surface Third-Party Vendors Data
```json
{
  "has_error":true,
  "error":{
    "error_response":{
      "message":"Attack Surface Intel not included in license level",
      "requestID":"ac797042-87c5-474a-a14f-24ff22dd69bf"
    }
  }
}
```
## Get Attack Surface Third-Party Insight Information
Finds the Attack Surface Third-Party Insight Information given the vendor ID and insight ID.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
ID | Jinja-templated vendor ID. | Required |
Insight ID | Jinja-templated insight ID. | Required |
Group By | Jinja-templated group by value (bar) to group by, based on the chart's groupBy field. | Required |
Segment By | Jinja-templated group by value (bar segment) to segment by, based on the chart's segmentBy field. | Required |
Page | Jinja-templated page. Default is 0. | Required |
Size | Jinja-templated size. Default is 25. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Attack Surface Third-Party Insight Information Data
```json
{
  "has_error":true,
  "error_response":{
    "message":"Attack Surface Intel not included in license level",
    "requestID":"7995bd48-82fd-4f80-aa54-2c3ca93dea3d"
  },
  "error":"Some error occurred"
}
```
## Get Profile Details
Retrieves the details for the given profile.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
ID | Jinja templated profile ID. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Profile Details Data
```json
{
  "has_error":true,
  "error_response":{
    "message":"Cyber Threat Intelligence is not included in your license level.",
    "requestID":"fd622033-881a-4a65-8158-b6b24b11486d"
  },
  "error":"Some error occurred"
}
```
## Get All Intel Profiles
Retrieves all profiles.
Types: actor, tool, backdoor
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja templated query to search by. | Required |
Type | Jinja templated profile type to search by. Example: actor | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get All Intel Profiles Data
```json
{
  "totalCount": 2,
  "results": [
    {
      "id": "apt33",
      "title": "APT33",
      "link": "https://community.riskiq.com/intel-profiles/apt33",
      "osintIndicatorsCount": 429,
      "riskIqIndicatorsCount": 122,
      "indicators": "https://api.community.riskiq.com/v2/intel-profiles/apt33/indicators",
      "aliases": [ "Elfin", "Magnallium" ],
      "tags": [
        { "label": "Espionage", "countryCode": null },
        { "label": "Sabotage", "countryCode": null },
        { "label": "Windows", "countryCode": null }
      ]
    },
    {
      "id": "shadowpad",
      "title": "ShadowPad",
      "link": "https://community.riskiq.com/intel-profiles/shadowpad",
      "osintIndicatorsCount": 100,
      "riskIqIndicatorsCount": 50,
      "indicators": "https://api.community.riskiq.com/v2/intel-profiles/shadowpad/indicators",
      "aliases": [ "SHADOWPAD" ],
      "tags": [
        { "label": "Shadowpad", "countryCode": null },
        { "label": "POISONPLUG", "countryCode": null },
        { "label": "State Sponsored Usage: Axiom", "countryCode": "cn" }
      ]
    }
  ]
}
```
## Get Malware
Get malware data for a query.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated domain or IP being queried. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Malware Data
```json
{
  "has_error":false,
  "noResults":"no results returned",
  "error":null
}
```
## Get Services
Retrieves the exposed services related to the query.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated IP being queried. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Services Data
```json
{ "totalRecords": 1, "success": true, "results": [ { "portNumber": 443, "firstSeen": "2018-08-29 22:04:12", "lastSeen": "2020-06-02 20:52:44", "count": 197, "status": "open", "protocol": "TCP", "banners": [ { "banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8", "scanType": "http", "firstSeen": "2020-06-02 20:52:44", "lastSeen": "2020-06-02 20:52:44", "count": 1 }, { "banner": "220 mailking.irinaogneva.ru ESMTP Postfix (Ubuntu)", "scanType": "http", "firstSeen": "2020-05-11 05:52:09", "lastSeen": "2020-06-01 19:50:09", "count": 8 } ], "currentServices": [ { "firstSeen": "2020-05-08 20:53:11", "lastSeen": "2020-06-02 20:52:44", "version": "1.18.0", "category": "Server", "label": "nginx" } ], "recentServices": [ { "firstSeen": "2020-04-18 05:17:13", "lastSeen": "2020-05-26 16:00:06", "version": null, "category": "Email Server", "label": "SMTP Server" }, { "firstSeen": "2020-04-11 23:35:29", "lastSeen": "2020-05-26 16:00:06", "version": "4.92.3", "category": "Server", "label": "Exim Internet Mailer" } ], "mostRecentSslCert": { "firstSeen": 1459148400000, "lastSeen": 1591082058400, "fingerprint": "e6:a3:b4:5b:06:2d:50:9b:33:82:28:2d:19:6e:fe:97:d5:95:6c:cb", "sslVersion": "3", "expirationDate": 1615999246000, "issueDate": 1458232846000, "sha1": "e6a3b45b062d509b3382282d196efe97d5956ccb", "serialNumber": "13298795840390663119752826058995181320", "subjectCountry": null, "issuerCommonName": null, "issuerProvince": null, "subjectStateOrProvinceName": null, "subjectStreetAddress": null, "issuerStateOrProvinceName": null, "subjectSurname": null, "issuerCountry": null, "subjectLocalityName": null, "subjectAlternativeNames": null, "issuerOrganizationUnitName": null, "issuerOrganizationName": null, "subjectEmailAddress": null, "subjectOrganizationName": null, "issuerLocalityName": null, "subjectCommonName": null, "subjectProvince": null, "issuerGivenName": null, "subjectOrganizationUnitName": null, "issuerEmailAddress": null, "subjectGivenName": null, "subjectSerialNumber": null, "issuerStreetAddress": null, "issuerSerialNumber": null, "issuerSurname": null } } ] }
```
Delete Project
Deletes a project.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated delete project request. Example: {"project": "82927c81-20c4-38dd-fcfc-bba3605e28e4"} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Delete Project Data
```json
{ "organization":"", "name":"My Public Project", "success":true, "guid":"8d575aec-0fc5-49be-8d82-d437a1076311", "subscribers":[ ], "description":"my project!", "tags":[ "newproject", "myownproject" ], "featured":false, "creator":"i36833117@gmail.com", "links":{ "self":"/v2/project?project=8d575aec-0fc5-49be-8d82-d437a1076311", "tag":"/v2/project/tag?project=8d575aec-0fc5-49be-8d82-d437a1076311", "artifact":"/v2/artifact?project=8d575aec-0fc5-49be-8d82-d437a1076311" }, "has_error":false, "error":null, "link":null, "can_edit":true, "owner":"i36833117@gmail.com", "collaborators":[ ], "visibility":"community", "created":"2021-07-05T01:15:38.293+00:00", "active":true }
```
Update Project
Updates a project denoted by project ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated update project request. Example: {"project": "0ad0b885-a2f1-4021-adf0-3ca8f924fb33", "name": "My Public Project", "featured": true, "visibility": "public"} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Update Project Data
```json
{ "organization":"", "name":"My Public Project edited!!!", "success":true, "guid":"76f6f7ec-5283-4f39-a789-a84c059b1af1", "subscribers":[ "i36833117@gmail.com" ], "description":"my profreferfject!", "tags":[ "quux" ], "featured":true, "creator":"i36833117@gmail.com", "links":{ "self":"/v2/project?project=76f6f7ec-5283-4f39-a789-a84c059b1af1", "tag":"/v2/project/tag?project=76f6f7ec-5283-4f39-a789-a84c059b1af1", "artifact":"/v2/artifact?project=76f6f7ec-5283-4f39-a789-a84c059b1af1" }, "has_error":false, "error":null, "link":null, "can_edit":true, "owner":"i36833117@gmail.com", "collaborators":[ ], "visibility":"community", "created":"2021-07-01T09:26:21.810+00:00", "active":true }
```
Remove Project Tags
Removes tags from a project.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated remove project tags request. Example: {"project": "09c82680-0679-f55d-61db-2ec02376afc6", "tags": ["baz"]} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Remove Project Tags Data
```json
{ "organization":"", "name":"My Public Project edited!!!", "success":true, "guid":"76f6f7ec-5283-4f39-a789-a84c059b1af1", "subscribers":[ "i36833117@gmail.com" ], "description":"my profreferfject!", "tags":[ "baz" ], "featured":true, "creator":"i36833117@gmail.com", "links":{ "self":"/v2/project?project=76f6f7ec-5283-4f39-a789-a84c059b1af1", "tag":"/v2/project/tag?project=76f6f7ec-5283-4f39-a789-a84c059b1af1", "artifact":"/v2/artifact?project=76f6f7ec-5283-4f39-a789-a84c059b1af1" }, "has_error":false, "error":null, "link":null, "can_edit":true, "owner":"i36833117@gmail.com", "collaborators":[ ], "visibility":"community", "created":"2021-07-01T09:26:21.810+00:00", "active":true }
```
Set Project Tags
Sets the tags of a project.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated set project tags request. Example: {"project": "09c82680-0679-f55d-61db-2ec02376afc6", "tags": ["baz", "quux"]} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Set Project Tags Data
```json
{ "organization":"", "name":"My Public Project edited!!!", "success":true, "guid":"76f6f7ec-5283-4f39-a789-a84c059b1af1", "subscribers":[ "i36833117@gmail.com" ], "description":"my profreferfject!", "tags":[ "baz", "quux" ], "featured":true, "creator":"i36833117@gmail.com", "links":{ "self":"/v2/project?project=76f6f7ec-5283-4f39-a789-a84c059b1af1", "tag":"/v2/project/tag?project=76f6f7ec-5283-4f39-a789-a84c059b1af1", "artifact":"/v2/artifact?project=76f6f7ec-5283-4f39-a789-a84c059b1af1" }, "has_error":false, "error":null, "link":null, "can_edit":true, "owner":"i36833117@gmail.com", "collaborators":[ ], "visibility":"community", "created":"2021-07-01T09:26:21.810+00:00", "active":true }
```
Get SSL Certificate History
Retrieves the SSL certificate history for a given certificate SHA-1 hash or IP address.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated SHA-1 hash or associated IP address for which to retrieve certificate history. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get SSL Certificate History Data
```json
{ "results": [ { "sha1": "240461b20dbb24a61b0a986821c2ad01bd3a8522", "firstSeen": "2015-02-09", "ipAddresses": [ "194.42.46.143", "194.42.46.243" ], "lastSeen": "2017-01-09" }, ... ], "success": true }
```
Search SSL Certificates By Keyword
Retrieves SSL certificates for a given keyword.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated SHA-1 hash of the certificate to retrieve. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Search SSL Certificates By Keyword Data
```json
{ "queryValue": "sinkhole", "results": [ { "matchType": "sha1", "fieldMatch": "certificate", "focusPoint": "ff5288f55f58c52ed654b8eb815b6d40973e0f17" }, ... ], "success": true }
```
Get Artifact Tags
Retrieve the tags of an artifact or artifacts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Artifact | Jinja-templated artifact UUID or UUIDs to list. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Artifact Tags Data
```json
{ "user_tags": [ "mytag" ], "tags": [ "registered", "mytag" ], "system_tags": [ "registered" ], "tag_meta": { "mytag": { "created_at": "2017-03-30T01:05:12.629000", "creator": "sim.gretina@example.org" } }, "success": true }
```
Set Artifact Tags
Set the tags of an artifact or artifacts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Request | Jinja-templated set artifact tags. Example: {"artifact": "a9969326-4310-175d-d422-e83a36edaae0", "tags": ["foo", "bar"]} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Set Artifact Tags Data
```json
{ "success":true, "tags":[ ], "system_tags":[ ], "user_tags":[ ], "tag_meta":{ }, "has_error":false, "error":null }
```
Get Components
Retrieves the host attribute components of a query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated host from which trackers originate | Required |
Start | Jinja-templated start datetime. Formats: "yyyy-MM-dd", "yyyy-MM-dd HH:mm:ss" | Required |
End | Jinja-templated end datetime. Formats: "yyyy-MM-dd", "yyyy-MM-dd HH:mm:ss" | Required |
Page | Jinja-templated page number for paging through results. (Default is 0). | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Components Data
```json
{ "totalRecords": 376, "success": true, "results": [ { "label": "BootStrap CDN", "category": "CDN", "lastSeen": null, "firstSeen": null, "version": null, "hostname": "blog.passivetotal.org" }, { "label": "blog.passivetotal.org", "category": "Tracking Pixel", "lastSeen": null, "firstSeen": null, "version": null, "hostname": "blog.passivetotal.org" } ] }
```
Get Trackers
Retrieves the host attribute trackers.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated host from which trackers originate. | Required |
Start | Jinja-templated start datetime. Formats: "yyyy-MM-dd", "yyyy-MM-dd HH:mm:ss" | Required |
End | Jinja-templated end datetime. Formats: "yyyy-MM-dd", "yyyy-MM-dd HH:mm:ss" | Required |
Page | Jinja-templated page number for paging through results. (Default is 0) | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Trackers Data
```json
{ "success": true, "totalRecords": 3, "results": [ { "lastSeen": "2016-12-25 16:04:51", "attributeValue": "121115074576192", "firstSeen": "2016-11-18 10:03:38", "attributeType": "FacebookId", "hostname": "adtags.riskiq.net" }, { "lastSeen": "2017-01-19 18:40:12", "attributeValue": "121704674506485", "firstSeen": "2017-01-11 21:18:17", "attributeType": "FacebookId", "hostname": "adtags.riskiq.net" }, { "lastSeen": "2016-09-19 13:04:34", "attributeValue": "1439828989613328", "firstSeen": "2016-09-19 13:04:16", "attributeType": "FacebookId", "hostname": "adtags.riskiq.net" } ] }
```
Get Addresses By Cookie Domain
Searches the cookies addresses information by cookie domain.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Domain | Jinja-templated cookie domain. | Required |
Sort | Jinja-templated field to sort on. Allowed values: lastSeen, firstSeen. Default value: lastSeen. | Required |
Page | Jinja-templated page number for paging through results. (Default is 0). | Required |
Order | Jinja-templated order to return results in. Default value: desc | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Addresses By Cookie Domain Data
```json
{ "totalRecords": 70, "success": true, "results": [ { "firstSeen": "2020-03-12 18:06:39", "lastSeen": "2020-08-16 06:57:37", "hostname": "114.80.187.73", "cookieName": "AWSALB", "cookieDomain": "www.passivetotal.org" }, ... { "firstSeen": "2019-01-16 17:59:03", "lastSeen": "2020-08-15 06:04:32", "hostname": "34.224.34.209", "cookieName": "AWSALB", "cookieDomain": "www.passivetotal.org" } ] }
```
Get Hosts By Cookie Domain
Searches the cookies hosts information by cookie domain.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Domain | Jinja-templated cookie domain. | Required |
Sort | Jinja-templated field to sort on. Allowed values: lastSeen, firstSeen. Default value: lastSeen. | Required |
Page | Jinja-templated page number for paging through results. (Default is 0). | Required |
Order | Jinja-templated order to return results in. Default value: desc. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds) | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Hosts By Cookie Domain Data
```json
{ "totalRecords": 100, "success": true, "results": [ { "firstSeen": "2020-03-12 18:06:39", "lastSeen": "2020-08-16 06:57:37", "hostname": "community.riskiq.com", "cookieName": "AWSALB", "cookieDomain": "www.passivetotal.org" }, ... { "firstSeen": "2020-01-16 17:59:03", "lastSeen": "2020-08-15 06:04:32", "hostname": "www.passivetotal.org", "cookieName": "AWSALB", "cookieDomain": "www.passivetotal.org" } ] }
```
Get Addresses By Component Name
Searches the components addresses information by component name.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Jinja-templated component name. | Required |
Version | Jinja-templated component version to search for. | Required |
Category | Jinja-templated component category to search for. | Required |
Sort | Jinja-templated field to sort on. Allowed values: lastSeen, firstSeen. Default value: lastSeen. | Required |
Page | Jinja-templated page number for paging through results. (Default is 0) | Required |
Order | Jinja-templated order to return results in. Default value: desc | Required |
Double escape URL | Select whether you want to double escape the URL. This API fails on single escaping of the URL. Please select No to stop double escaping. (Default is Yes) | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Addresses By Component Name Data
```json
{ "has_error":false, "noResults":"no results returned", "error":null }
```
Get Passive DNS
Retrieves the passive DNS results from active account sources.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated domain or IP being queried. | Required |
Start | Jinja-templated start datetime. Formats: "yyyy-MM-dd", "yyyy-MM-dd HH:mm:ss" | Required |
End | Jinja-templated end datetime. Formats: "yyyy-MM-dd", "yyyy-MM-dd HH:mm:ss" | Required |
Timeout | Jinja-templated timeout to use for external resources. Default is 7. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Passive DNS Data
```json
{ "lastSeen":"2021-07-04 18:58:13", "queryValue":"passivetotal.org", "firstSeen":"2014-11-16 18:02:30", "has_error":false, "results":[ { "recordHash":"73f595c2334d7cbaf4c3dd107fbfe3bb57c76f3fcc2444152a9b8287a63bd196", "resolve":"ns-1460.awsdns-54.org", "recordType":"NS", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq" ], "lastSeen":"2021-07-04 18:24:37", "collected":"2021-07-05 01:58:13", "firstSeen":"2015-12-29 16:40:00" }, { "recordHash":"a30939cd907ca1960d467211936b2ee5c7be84fd845b5d005c18b3ff2fe5381e", "resolve":"alt1.aspmx.l.google.com", "recordType":"MX", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:13", "firstSeen":"2014-11-16 18:02:30" }, { "recordHash":"d2f0cec950ed230b852b0fa460a9e91d70e80afb10a9433e140ea15e8bd56857", "resolve":"ns-613.awsdns-12.net", "recordType":"NS", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq" ], "lastSeen":"2021-07-04 18:24:37", "collected":"2021-07-05 01:58:13", "firstSeen":"2015-12-29 16:40:00" }, { "recordHash":"34c7953c189582972d13bad0e4b2a9e2a24f4aeb3c9b73d448cf9307ff20a16e", "resolve":"52.53.86.200", "recordType":"A", "resolveType":"ip", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:14", "firstSeen":"2021-05-25 15:21:05" }, { "recordHash":"0a686492a37d43a869b7874e57bc3c654f22c91915bb9938a9a950b15d66235b", "resolve":"ns-1868.awsdns-41.co.uk", "recordType":"NS", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq" ], "lastSeen":"2021-07-04 18:24:37", "collected":"2021-07-05 01:58:13", "firstSeen":"2015-12-29 16:40:00" }, { "recordHash":"9e56ef4c9cfdc9143f0d69edd1a25eddd2ebfcfbf943dc0be950e57b4794c46a", "resolve":"ns-218.awsdns-27.com", "recordType":"SOA", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq" ], "lastSeen":"2021-07-04 17:21:47", "collected":"2021-07-05 01:58:13", "firstSeen":"2015-12-29 16:40:00" }, { "recordHash":"6328cd3a181574308e8f914553b759890cf06729a06ff2817e1a16cd76d4df07", "resolve":"alt3.aspmx.l.google.com", "recordType":"MX", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:13", "firstSeen":"2014-11-16 18:02:30" }, { "recordHash":"1d27057459d3af69ef61349a0e9fbbc31eb43e130182aab711fda9f4dd6c4b2c", "resolve":"spf.google.com", "recordType":"TXT (SPF1)", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:13", "firstSeen":"2015-08-09 06:26:36" }, { "recordHash":"55deb5e91f243152c260e10656a4c9a5075462a94c4914e6c6010aeb80178647", "resolve":"ns-218.awsdns-27.com", "recordType":"NS", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq" ], "lastSeen":"2021-07-04 18:24:37", "collected":"2021-07-05 01:58:13", "firstSeen":"2015-12-29 16:40:00" }, { "recordHash":"ce05b65b626a6d9543c749639306c5e0b03167eab1b2b18031abe7c956b61957", "resolve":"aspmx.l.google.com", "recordType":"MX", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:13", "firstSeen":"2014-11-16 18:02:30" }, { "recordHash":"8a8a20a54b450a0ec8e5977782b9e718adc833a52e0ea56102d57180db589e65", "resolve":"alt4.aspmx.l.google.com", "recordType":"MX", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:13", "firstSeen":"2014-11-16 18:02:30" }, { "recordHash":"29aa5aa850b21a456940db1c6a8dc6d2edc67c49c1ffbfa696ab48e123a38496", "resolve":"alt2.aspmx.l.google.com", "recordType":"MX", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:13", "firstSeen":"2014-11-16 18:02:30" }, { "recordHash":"c1fa0e67abd7bfe0d38618b619003a4ef13d5443b9f2f856aa7aa81f212ae465", "resolve":"awsdns-hostmaster@amazon.com", "recordType":"SOA", "resolveType":"email", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:13", "firstSeen":"2015-12-29 16:40:00" }, { "recordHash":"3f837bd078dbd00fde890c13d379cfbc58174d829fbb40a221cd36cb968ebcba", "resolve":"servers.mcsv.net", "recordType":"TXT (SPF1)", "resolveType":"domain", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:13", "firstSeen":"2016-04-22 00:00:48" }, { "recordHash":"4a89135b8cb46e4dd231c4cc398b19b315f3e5ca687bec137c0531c4c2181c77", "resolve":"54.215.155.216", "recordType":"A", "resolveType":"ip", "value":"passivetotal.org", "source":[ "riskiq", "pingly" ], "lastSeen":"2021-07-04 18:58:13", "collected":"2021-07-05 01:58:14", "firstSeen":"2021-05-25 15:21:05" } ], "error":null, "totalRecords":15, "queryType":"domain", "pager":null }
```
Search Passive DNS
Searches the Passive DNS data for a keyword query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated query to execute as a keyword search. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Search Passive DNS Data
``` {json}{ "has_error":false, "error":null, "queryValue":"passivetotal", "results":[ { "focusPoint":"passivetotal.org.us.cas.bak.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us2.cas-pro.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us.cas-sec.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.fmbc.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-eu2.cas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us2.cas-s3.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.fubt.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us3.cas2.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.mcas.export.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.s.us.west.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu.cas.temp.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.mcas.dev.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us2.cas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.hub.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu.casapi.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-eu2.cassec.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us2.cas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { 
"focusPoint":"passivetotal.org.s3.us.west.1.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us.cas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.s.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.gw.checkupdirigenti.fca-initiatives.test.fcagroup.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.vhx.tv.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.10.zalando.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us3.cas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.ph.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu2.cas.app.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu.cas-iam.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.beta.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.hbo.sk.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu2.cas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.adap.tv.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us.cas.main.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us2.casjs.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu2.cas-s3.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us.cas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.icq.com.", "matchType":"domain", "fieldMatch":"domain" }, { 
"focusPoint":"passivetotal.org.eu2.casec2.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-eu2.cas.aws.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.s3.us.west.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.mcas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us2.casimg.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us.cas.videos.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us.cas.splunk.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-mcas.photos.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us2.cas.dynamo.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu.cas.bak.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu2.cassrc.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us.cas.fonts.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.club.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.tmp.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.ecs.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us.cas.club.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu.cas.data.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us.west.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { 
"focusPoint":"passivetotal.org.admin-mcas.blog.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.eu.cas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us3.cas.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us3.cas.mobile.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.admin-us.cas.social.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" }, { "focusPoint":"passivetotal.org.us.caselb.s3.amazonaws.com.", "matchType":"domain", "fieldMatch":"domain" } ] }
Search WHOIS Keyword
Search WHOIS data for a keyword.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated value of the field being queried. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Search WHOIS Keyword Data
```json
{
  "queryValue": "riskiq",
  "results": [
    { "matchType": "domain", "fieldMatch": "name", "focusPoint": "riskiq.co.za" },
    ...
    { "matchType": "domain", "fieldMatch": "organization", "focusPoint": "riskiq.com.au" }
  ]
}
```
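One way a later playbook step could consume this output is sketched below. It is an added example, not code from Devo or RiskIQ. It fails loudly on `has_error`, normalizes each `focusPoint` (case and trailing dot), and reports which WHOIS fields matched for domains not already known. The function names, the `KNOWN_DOMAINS` allowlist and the sample rows are assumptions constructed for illustration, as is the presence of `has_error`/`error` next to `results`.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the Search WHOIS Keyword output;
# has_error/error are assumed to sit beside results, as described under Output.
SAMPLE = json.loads("""
{"has_error": false, "error": null, "queryValue": "riskiq", "results": [
  {"matchType": "domain", "fieldMatch": "name", "focusPoint": "riskiq.co.za"},
  {"matchType": "domain", "fieldMatch": "organization", "focusPoint": "RiskIQ.com.au."},
  {"matchType": "domain", "fieldMatch": "organization", "focusPoint": "riskiq.com.au"},
  {"matchType": "domain", "fieldMatch": "email", "focusPoint": "riskiq-login.example"},
  {"matchType": "domain", "fieldMatch": "email"}
]}
""")

# Hypothetical allowlist of domains the organisation already tracks.
KNOWN_DOMAINS = {"riskiq.co.za", "riskiq.com.au"}


def normalize(focus_point):
    """Lowercase and drop the trailing root dot so duplicates collapse."""
    return focus_point.strip().rstrip(".").lower()


def triage_whois_hits(payload, known_domains):
    """Map each unknown domain to the WHOIS fields that matched the keyword.

    Raises RuntimeError on has_error so a failed lookup is never read as "no matches".
    """
    if payload.get("has_error"):
        raise RuntimeError(f"WHOIS keyword search failed: {payload.get('error')}")
    fields_by_domain = defaultdict(set)
    for row in payload.get("results") or []:
        focus = row.get("focusPoint")
        if row.get("matchType") != "domain" or not focus:
            continue  # skip malformed rows and non-domain matches
        fields_by_domain[normalize(focus)].add(row.get("fieldMatch", "unknown"))
    return {
        domain: sorted(fields)
        for domain, fields in sorted(fields_by_domain.items())
        if domain not in known_domains
    }


if __name__ == "__main__":
    print(triage_whois_hits(SAMPLE, KNOWN_DOMAINS))
```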
Get Enrichment Data Bulk
Get bulk enrichment data for many queries.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated domains and IPs being queried. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Enrichment Data Bulk Data
```json
{ "has_error":false, "results":{ "passivetotal.org":{ "classification":null, "tags":[ "foo" ], "system_tags":[
}, "error":null }
```
Get Osint Bulk
Get bulk OSINT data for many queries.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated domains and IPs being queried. | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Get Osint Bulk Data
```json
{ "has_error":false, "results":{ "riskiq.net":{ "hasOsint":false, "results":[
}, "success":true, "error":null }
```
Release Notes
v5.0.0
- Updated architecture to support IO via filesystem