PassiveTotal
Integration version: 10.0
Configure PassiveTotal to work with Google Security Operations SOAR
Credentials
For more information about how to obtain API keys, see Getting Started with RiskIQ Community API.
Network
Function | Default Port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | apikey |
Configure PassiveTotal integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Actions
Ping
Description
Test connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_succeed | True/False | is_succeed:False |
JSON Result
N/A
WhoIs Address Reputation
Description
Request an address reputation from RiskIQ.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
results | Returns if it exists in JSON result |
totalRecords | Returns if it exists in JSON result |
queryValue | Returns if it exists in JSON result |
pager | Returns if it exists in JSON result |
queryType | Returns if it exists in JSON result |
firstSeen | Returns if it exists in JSON result |
lastSeen | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Entity:Result | N/A | N/A |
JSON Result
```json
[
  {
    "EntityResult": {
      "results": [
        {
          "recordHash": "1cb21131ee1c1be14c862d446d149d43296fa8bfa9678374f25ea9ab3c38b777",
          "resolve": "com-abhut.cricket",
          "recordType": "A",
          "resolveType": "domain",
          "value": "1.1.1.1",
          "source": ["virustotal"],
          "lastSeen": "2015-11-09 00:00:00",
          "collected": "2015-11-09 00:00:00",
          "firstSeen": "2015-11-09 00:00:00"
        }
      ],
      "totalRecords": 6912,
      "queryValue": "1.1.1.1",
      "pager": "None",
      "queryType": "ip",
      "firstSeen": "1970-01-01 00:00:00",
      "lastSeen": "2019-01-24 09:43:20"
    },
    "Entity": "1.1.1.1"
  }
]
```
WhoIs Scan Address
Description
RiskIQ address WHOIS query.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
contactEmail | Returns if it exists in JSON result |
domain | Returns if it exists in JSON result |
name | Returns if it exists in JSON result |
billing | Returns if it exists in JSON result |
admin | Returns if it exists in JSON result |
text | Returns if it exists in JSON result |
registered | Returns if it exists in JSON result |
lastLoadedAt | Returns if it exists in JSON result |
whoisServer | Returns if it exists in JSON result |
telephone | Returns if it exists in JSON result |
registryUpdatedAt | Returns if it exists in JSON result |
nameServers | Returns if it exists in JSON result |
tech | Returns if it exists in JSON result |
organization | Returns if it exists in JSON result |
registrar | Returns if it exists in JSON result |
zone | Returns if it exists in JSON result |
registrant | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Entity:Result | N/A | N/A |
JSON Result
```json
[
  {
    "EntityResult": {
      "contactEmail": "john_doe@example.com",
      "domain": "1.1.1.1",
      "name": "N/A",
      "billing": {},
      "admin": {
        "organization": "Abuse",
        "email": "john_doe@example.com",
        "telephone": "1-650-253-0000"
      },
      "text": "IANA WHOIS server for more information on IANA.",
      "registered": "2014-03-14T00:00:00.000-0700",
      "lastLoadedAt": "2018-06-22T10:35:52.694-0700",
      "whoisServer": "whois.arin.net",
      "telephone": "N/A",
      "registryUpdatedAt": "1991-11-02T00:00:00.000-0800",
      "nameServers": [],
      "tech": {
        "organization": "test LLC",
        "email": "john_doe@example.com",
        "telephone": "1-650-253-0000"
      },
      "organization": "test LLC",
      "registrar": "Administered by ARIN",
      "zone": {},
      "registrant": {
        "city": "Mountain View",
        "country": "US",
        "state": "CA",
        "street": "1600 Amphitheatre Parkway",
        "postalCode": "94043",
        "organization": "test LLC"
      }
    },
    "Entity": "1.1.1.1"
  }
]
```
WhoIs Scan Domain
Description
RiskIQ domain WHOIS query.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
domain | Returns if it exists in JSON result |
name | Returns if it exists in JSON result |
billing | Returns if it exists in JSON result |
admin | Returns if it exists in JSON result |
text | Returns if it exists in JSON result |
registered | Returns if it exists in JSON result |
lastLoadedAt | Returns if it exists in JSON result |
whoisServer | Returns if it exists in JSON result |
telephone | Returns if it exists in JSON result |
registryUpdatedAt | Returns if it exists in JSON result |
nameServers | Returns if it exists in JSON result |
expiresAt | Returns if it exists in JSON result |
tech | Returns if it exists in JSON result |
organization | Returns if it exists in JSON result |
registrar | Returns if it exists in JSON result |
zone | Returns if it exists in JSON result |
registrant | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Entity:Result | N/A | N/A |
JSON Result
```json
[
  {
    "EntityResult": {
      "domain": "example.com",
      "name": "N/A",
      "billing": {},
      "admin": {},
      "text": "Domain Name: test.COM Registry Domain ID: 2138514_DOMAIN_COM-VRSN.",
      "registered": "1997-09-14T21:00:00.000-0700",
      "lastLoadedAt": "2018-10-01T15:38:19.795-0700",
      "whoisServer": "whois.markmonitor.com",
      "telephone": "N/A",
      "registryUpdatedAt": "2018-02-21T10:36:40.000-0800",
      "nameServers": ["ns1.example.com", "ns2.example.com", "ns3.example.com"],
      "expiresAt": "2020-09-13T21:00:00.000-0700",
      "tech": {},
      "organization": "N/A",
      "registrar": "MarkMonitor Inc.",
      "zone": {},
      "registrant": {}
    },
    "Entity": "example.com"
  }
]
```
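The WHOIS JSON result above carries the dates and placeholder values an analyst usually triages on. The following added example (not part of the integration; the function names, the second sample entity and the choice of fields to check are assumptions) derives domain age and time to expiry from a stored result and treats `"N/A"` and empty objects as absent.

```python
from datetime import datetime

WHOIS_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # format of registered / expiresAt / lastLoadedAt

# Constructed sample in the shape of the JSON Result above (values are illustrative).
SAMPLE = [
    {"Entity": "example.com",
     "EntityResult": {"domain": "example.com", "name": "N/A", "admin": {},
                      "registered": "1997-09-14T21:00:00.000-0700",
                      "lastLoadedAt": "2018-10-01T15:38:19.795-0700",
                      "expiresAt": "2020-09-13T21:00:00.000-0700",
                      "organization": "N/A", "registrar": "MarkMonitor Inc.",
                      "registrant": {}}},
    {"Entity": "new-domain.example",
     "EntityResult": {"domain": "new-domain.example", "registrar": "N/A"}},
]

def _ts(value):
    """Parse a WHOIS timestamp; return None for missing, "N/A" or malformed values."""
    try:
        return datetime.strptime(value, WHOIS_TS)
    except (TypeError, ValueError):
        return None

def _present(value):
    """Treat "N/A", empty strings, empty lists and empty objects as absent."""
    return value not in (None, "", "N/A", [], {})

def summarize_whois(action_result):
    """Return per-entity triage fields derived from a WhoIs Scan Domain JSON result."""
    out = {}
    for item in action_result:
        rec = item.get("EntityResult") or {}
        registered, expires = _ts(rec.get("registered")), _ts(rec.get("expiresAt"))
        # Ages are measured at lastLoadedAt (when the WHOIS record was collected),
        # so the numbers are reproducible for a stored action result.
        loaded = _ts(rec.get("lastLoadedAt"))
        out[item["Entity"]] = {
            "age_days": (loaded - registered).days if registered and loaded else None,
            "days_to_expiry": (expires - loaded).days if expires and loaded else None,
            "registrar": rec["registrar"] if _present(rec.get("registrar")) else None,
            "has_registrant": _present(rec.get("registrant")),
            "missing": sorted(k for k in ("registered", "expiresAt", "registrar",
                                          "organization") if not _present(rec.get(k))),
        }
    return out
```
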
WhoIs Host Reputation
Description
Request host reputation from RiskIQ.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
results | Returns if it exists in JSON result |
totalRecords | Returns if it exists in JSON result |
queryValue | Returns if it exists in JSON result |
pager | Returns if it exists in JSON result |
queryType | Returns if it exists in JSON result |
firstSeen | Returns if it exists in JSON result |
lastSeen | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Entity:Result | N/A | N/A |
JSON Result
```json
[
  {
    "EntityResult": {
      "results": [
        {
          "recordHash": "0aad10e23953813834d28098db21c0902f01190c3eba7e38869f798ca56abda7",
          "resolve": "1.1.1.1",
          "recordType": "A",
          "resolveType": "ip",
          "value": "example.com",
          "source": ["riskiq"],
          "lastSeen": "2013-09-12 13:08:07",
          "collected": "2019-01-24 12:36:12",
          "firstSeen": "2013-09-12 13:08:07"
        }
      ],
      "totalRecords": 5099,
      "queryValue": "example.com",
      "pager": "None",
      "queryType": "domain",
      "firstSeen": "2009-09-01 19:59:32",
      "lastSeen": "2019-01-24 12:36:11"
    },
    "Entity": "example.com"
  }
]
```
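The WhoIs Address Reputation and WhoIs Host Reputation results share one shape: a `results` list of resolution records plus entity-level `totalRecords`, `firstSeen` and `lastSeen`. The following added example (not part of the integration; the function names, the 30-day window and the sample records are assumptions) separates recently observed resolutions from historical ones and reports when the returned list is smaller than `totalRecords`, as it is in both samples on this page.

```python
from datetime import datetime, timedelta

PDNS_TS = "%Y-%m-%d %H:%M:%S"  # timestamp format used in the reputation results

# Constructed sample in the shape of the JSON Result above (values are illustrative).
SAMPLE = [{
    "Entity": "example.com",
    "EntityResult": {
        "results": [
            {"resolve": "192.0.2.10", "recordType": "A", "source": ["riskiq"],
             "firstSeen": "2013-09-12 13:08:07", "lastSeen": "2013-09-12 13:08:07"},
            {"resolve": "192.0.2.20", "recordType": "A",
             "source": ["riskiq", "virustotal"],
             "firstSeen": "2019-01-20 08:00:00", "lastSeen": "2019-01-24 12:36:11"},
        ],
        "totalRecords": 5099, "pager": "None", "queryType": "domain",
        "firstSeen": "2009-09-01 19:59:32", "lastSeen": "2019-01-24 12:36:11",
    },
}]

def _ts(value):
    """Parse a result timestamp; return None when it is missing or malformed."""
    try:
        return datetime.strptime(value, PDNS_TS)
    except (TypeError, ValueError):
        return None

def summarize_pdns(action_result, recent_days=30):
    """Split each entity's returned records into recent and historical resolutions."""
    out = {}
    for item in action_result:
        rec = item.get("EntityResult") or {}
        records = rec.get("results") or []
        # "Recent" is measured against the entity-level lastSeen, not wall-clock
        # time, so a stored action result always yields the same answer.
        latest = _ts(rec.get("lastSeen"))
        cutoff = latest - timedelta(days=recent_days) if latest else None
        recent = [r["resolve"] for r in records
                  if cutoff and (_ts(r.get("lastSeen")) or datetime.min) >= cutoff]
        total = rec.get("totalRecords", len(records))
        out[item["Entity"]] = {
            "returned": len(records), "total": total,
            # A partial list cannot prove a resolution was never observed.
            "partial": len(records) < total,
            "recent": recent,
            "historical": [r["resolve"] for r in records if r["resolve"] not in recent],
            "sources": sorted({s for r in records for s in r.get("source", [])}),
        }
    return out
```
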