Keeping track of activity on known bad infrastructure can give security operations teams the insight they need to proactively defend their networks. PassiveTotal allows analysts to monitor artifacts of interest for record changes across data sets, making it easy to keep tabs on bad actors.
What is Monitored?
Leveraging the datasets from RiskIQ, our monitoring framework inspects for differences in resolutions, WHOIS records, data records and associations. With this release of our monitoring framework, we have added support for the following datasets:
- Passive DNS
- WHOIS records
- SSL Certificates
- Open Source Intelligence
- RiskIQ’s Blacklist entities
By utilizing these monitors, analysts can automate a critical portion of their workflow. Instead of constantly checking for changes in infrastructure, or worse, missing them altogether, they will now be notified both by email and in the PassiveTotal platform. These alerts are also available through our API, allowing users to automate their responses.
How Do I Receive Notifications?
PassiveTotal projects provide users with in-platform, real-time notifications for alerting entities. Additionally, users receive a weekly email digest outlining the specific changes that occurred for each entity an analyst is monitoring. The digest includes a summary in the email body and CSV attachments for each data set with key information about what changed.
The alert summary lets an analyst know how many data sets were alerted on in a given day, the number of days since this indicator last alerted in the PassiveTotal system, and the number of previous alerts seen for that indicator across our data sets.
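To illustrate the change-detection and alert-summary logic described above, here is an added example that is not PassiveTotal's or RiskIQ's own code: it diffs two constructed snapshots of an artifact's Passive DNS, WHOIS and SSL records, raises one alert per data set that changed, and computes the three summary fields the digest reports. The artifact name, record values, certificate placeholder and alert history are all constructed sample data.

```python
from datetime import date

# Constructed snapshots of a monitored artifact (sample values, not real infrastructure):
# snapshot[dataset][artifact] -> set of records observed on that day.
SNAPSHOT_PREVIOUS = {
    "passive_dns": {"example-bad.test": {"198.51.100.10"}},
    "whois": {"example-bad.test": {"registrar=Registrar A"}},
    "ssl": {"example-bad.test": {"sha1=PLACEHOLDER_CERT_1"}},
}
SNAPSHOT_CURRENT = {
    "passive_dns": {"example-bad.test": {"198.51.100.10", "203.0.113.7"}},  # new resolution
    "whois": {"example-bad.test": {"registrar=Registrar B"}},               # registrar changed
    "ssl": {"example-bad.test": {"sha1=PLACEHOLDER_CERT_1"}},               # unchanged
}
# Constructed alert history: artifact -> dates on which it previously alerted.
ALERT_HISTORY = {"example-bad.test": [date(2020, 1, 1), date(2020, 1, 8)]}
TODAY = date(2020, 1, 10)


def detect_changes(previous, current):
    """Compare two snapshots data set by data set and return one alert per
    (artifact, dataset) whose record set changed; unchanged sets produce no alert."""
    alerts = []
    for dataset, artifacts in current.items():
        for artifact, records in artifacts.items():
            old = previous.get(dataset, {}).get(artifact, set())
            added, removed = records - old, old - records
            if added or removed:
                alerts.append({"artifact": artifact, "dataset": dataset,
                               "added": sorted(added), "removed": sorted(removed)})
    return alerts


def alert_summary(alerts, history, today):
    """Build the per-artifact summary the digest describes: number of data sets
    alerted on today, days since the artifact last alerted, and prior alert count."""
    summary = {}
    for artifact in {a["artifact"] for a in alerts}:
        past = sorted(history.get(artifact, []))
        summary[artifact] = {
            "datasets_alerted": len({a["dataset"] for a in alerts if a["artifact"] == artifact}),
            "days_since_last_alert": (today - past[-1]).days if past else None,
            "previous_alerts": len(past),
        }
    return summary


if __name__ == "__main__":
    found = detect_changes(SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT)
    for alert in found:
        print(alert)
    print(alert_summary(found, ALERT_HISTORY, TODAY))
```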