PassiveTotal

Integration version: 9.0

Configure PassiveTotal to work with Google Security Operations SOAR

Credentials

For more information about how to obtain API keys, see Getting Started with RiskIQ Community API.

Network

| Function | Default Port | Direction | Protocol |
|---|---|---|---|
| API | Multivalues | Outbound | apikey |

Configure PassiveTotal integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Ping

Description

Test connectivity.

Parameters

N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_succeed | True/False | is_succeed:False |
JSON Result
N/A

WhoIs Address Reputation

Description

Request address reputation data for an IP address from RiskIQ. The result is the address's passive DNS history: each entry in results is a hostname that has resolved to the IP, with the record type, the data source, and first-seen and last-seen timestamps, and totalRecords gives the full count. An IP with thousands of records is shared infrastructure (CDN, hosting, resolver), so the co-hosted hostnames are weak pivots.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| results | Returns if it exists in JSON result |
| totalRecords | Returns if it exists in JSON result |
| queryValue | Returns if it exists in JSON result |
| pager | Returns if it exists in JSON result |
| queryType | Returns if it exists in JSON result |
| firstSeen | Returns if it exists in JSON result |
| lastSeen | Returns if it exists in JSON result |
Insights

N/A

Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| Entity:Result | N/A | N/A |
JSON Result
[
    {
        "EntityResult": {
            "results": [
                {
                    "recordHash": "1cb21131ee1c1be14c862d446d149d43296fa8bfa9678374f25ea9ab3c38b777",
                    "resolve": "com-abhut.cricket",
                    "recordType": "A",
                    "resolveType": "domain",
                    "value": "1.1.1.1",
                    "source": ["virustotal"],
                    "lastSeen": "2015-11-09 00:00:00",
                    "collected": "2015-11-09 00:00:00",
                    "firstSeen": "2015-11-09 00:00:00"
                }
            ],
            "totalRecords": 6912,
            "queryValue": "1.1.1.1",
            "pager": "None",
            "queryType": "ip",
            "firstSeen": "1970-01-01 00:00:00",
            "lastSeen": "2019-01-24 09:43:20"
        },
        "Entity": "1.1.1.1"
    }
]

WhoIs Scan Address

Description

Query RiskIQ for the WHOIS record of an IP address: the registry (RIR) that administers the block, the owning organization, registration dates, and the admin and technical contacts, as shown in the JSON result below. Address records have no expiresAt field; that field only appears for domains.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| contactEmail | Returns if it exists in JSON result |
| domain | Returns if it exists in JSON result |
| name | Returns if it exists in JSON result |
| billing | Returns if it exists in JSON result |
| admin | Returns if it exists in JSON result |
| text | Returns if it exists in JSON result |
| registered | Returns if it exists in JSON result |
| lastLoadedAt | Returns if it exists in JSON result |
| whoisServer | Returns if it exists in JSON result |
| telephone | Returns if it exists in JSON result |
| registryUpdatedAt | Returns if it exists in JSON result |
| nameServers | Returns if it exists in JSON result |
| tech | Returns if it exists in JSON result |
| organization | Returns if it exists in JSON result |
| registrar | Returns if it exists in JSON result |
| zone | Returns if it exists in JSON result |
| registrant | Returns if it exists in JSON result |
Insights

N/A

Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| Entity:Result | N/A | N/A |
JSON Result
[
    {
        "EntityResult": {
            "contactEmail": "john_doe@example.com",
            "domain": "1.1.1.1",
            "name": "N/A",
            "billing": {},
            "admin": {
                "organization": "Abuse",
                "email": "john_doe@example.com",
                "telephone": "1-650-253-0000"
            },
            "text": "IANA WHOIS server for more information on IANA.",
            "registered": "2014-03-14T00:00:00.000-0700",
            "lastLoadedAt": "2018-06-22T10:35:52.694-0700",
            "whoisServer": "whois.arin.net",
            "telephone": "N/A",
            "registryUpdatedAt": "1991-11-02T00:00:00.000-0800",
            "nameServers": [],
            "tech": {
                "organization": "test LLC",
                "email": "john_doe@example.com",
                "telephone": "1-650-253-0000"
            },
            "organization": "test LLC",
            "registrar": "Administered by ARIN",
            "zone": {},
            "registrant": {
                "city": "Mountain View",
                "country": "US",
                "state": "CA",
                "street": "1600 Amphitheatre Parkway",
                "postalCode": "94043",
                "organization": "test LLC"
            }
        },
        "Entity": "1.1.1.1"
    }
]

WhoIs Scan Domain

Description

Query RiskIQ for the WHOIS record of a domain: registrar, registration, last-update and expiry dates, name servers, and the registrant, admin and technical contacts where the registry publishes them (empty contact objects, as in the example below, usually mean the data is redacted or privacy-protected).

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| domain | Returns if it exists in JSON result |
| name | Returns if it exists in JSON result |
| billing | Returns if it exists in JSON result |
| admin | Returns if it exists in JSON result |
| text | Returns if it exists in JSON result |
| registered | Returns if it exists in JSON result |
| lastLoadedAt | Returns if it exists in JSON result |
| whoisServer | Returns if it exists in JSON result |
| telephone | Returns if it exists in JSON result |
| registryUpdatedAt | Returns if it exists in JSON result |
| nameServers | Returns if it exists in JSON result |
| expiresAt | Returns if it exists in JSON result |
| tech | Returns if it exists in JSON result |
| organization | Returns if it exists in JSON result |
| registrar | Returns if it exists in JSON result |
| zone | Returns if it exists in JSON result |
| registrant | Returns if it exists in JSON result |
Insights

N/A

Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| Entity:Result | N/A | N/A |
JSON Result
[
    {
        "EntityResult": {
            "domain": "example.com",
            "name": "N/A",
            "billing": {},
            "admin": {},
            "text": "Domain Name: test.COM   Registry Domain ID: 2138514_DOMAIN_COM-VRSN.",
            "registered": "1997-09-14T21:00:00.000-0700",
            "lastLoadedAt": "2018-10-01T15:38:19.795-0700",
            "whoisServer": "whois.markmonitor.com",
            "telephone": "N/A",
            "registryUpdatedAt": "2018-02-21T10:36:40.000-0800",
            "nameServers": ["ns1.example.com", "ns2.example.com", "ns3.example.com"],
            "expiresAt": "2020-09-13T21:00:00.000-0700",
            "tech": {},
            "organization": "N/A",
            "registrar": "MarkMonitor Inc.",
            "zone": {},
            "registrant": {}
        },
        "Entity": "example.com"
    }
]
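The two WHOIS actions (WhoIs Scan Address above and WhoIs Scan Domain here) return the same record shape, so one set of helpers serves both. The following is an added example, not code from the integration or from the Google Security Operations SOAR documentation: it applies the enrichment rule from the tables (a field is returned only if it exists), parses the RiskIQ timestamp format shown in the JSON results, and derives the indicators a playbook usually branches on (domain age, time to expiry, redacted registrant). The sample records, the fixed query time and the 30-day thresholds are constructed assumptions modelled on the examples on this page.

```python
"""Triage helpers for PassiveTotal WHOIS results (WhoIs Scan Address and WhoIs Scan Domain).

Added example, not code from the integration or the SOAR documentation: the record
layout follows the JSON Result samples above; the sample records, the query time and
the day thresholds are constructed assumptions.
"""
from datetime import datetime, timezone

# Union of the two actions' Entity Enrichment field lists.
WHOIS_ENRICHMENT_FIELDS = (
    "contactEmail", "domain", "name", "billing", "admin", "text", "registered",
    "lastLoadedAt", "whoisServer", "telephone", "registryUpdatedAt", "nameServers",
    "expiresAt", "tech", "organization", "registrar", "zone", "registrant",
)
NEW_DOMAIN_DAYS = 30     # assumed playbook threshold for "newly registered"
EXPIRY_SOON_DAYS = 30    # assumed playbook threshold for "about to lapse"


def parse_riskiq_ts(value):
    """Parse the WHOIS timestamp format seen above, e.g. '2018-10-01T15:38:19.795-0700'.

    Returns an aware UTC datetime, or None for a missing or 'N/A' value."""
    if not value or value == "N/A":
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)


def enrich(entity_result):
    """Apply the enrichment rule from the tables: a field is returned only if it exists."""
    return {k: entity_result[k] for k in WHOIS_ENRICHMENT_FIELDS if k in entity_result}


def triage_whois(entity_result, now):
    """Derive the indicators an analyst checks first from one EntityResult.

    `now` is injected so the result is deterministic; a playbook would pass
    datetime.now(timezone.utc)."""
    registered = parse_riskiq_ts(entity_result.get("registered"))
    expires = parse_riskiq_ts(entity_result.get("expiresAt"))  # absent for IP WHOIS
    registrant = entity_result.get("registrant") or {}
    age_days = (now - registered).days if registered else None
    days_to_expiry = (expires - now).days if expires else None
    # An empty or all-"N/A" registrant block means redacted / privacy-protected WHOIS:
    # treat it as unknown rather than benign.
    registrant_redacted = not any(v and v != "N/A" for v in registrant.values())
    return {
        "entity": entity_result.get("domain"),   # holds the IP for WhoIs Scan Address
        "age_days": age_days,
        "newly_registered": age_days is not None and age_days < NEW_DOMAIN_DAYS,
        "days_to_expiry": days_to_expiry,
        "expiring_soon": days_to_expiry is not None and days_to_expiry < EXPIRY_SOON_DAYS,
        "registrant_redacted": registrant_redacted,
        "registrar": entity_result.get("registrar"),
        "name_servers": list(entity_result.get("nameServers") or []),
        "enrichment": enrich(entity_result),
    }


# Constructed samples modelled on the JSON Result examples above.
QUERY_TIME = datetime(2019, 1, 24, 12, 36, 11, tzinfo=timezone.utc)  # assumed query time
SAMPLE_DOMAIN_WHOIS = {
    "domain": "example.com",
    "registered": "1997-09-14T21:00:00.000-0700",
    "expiresAt": "2020-09-13T21:00:00.000-0700",
    "registrar": "MarkMonitor Inc.",
    "nameServers": ["ns1.example.com", "ns2.example.com", "ns3.example.com"],
    "organization": "N/A",
    "registrant": {},
}
SAMPLE_NEW_DOMAIN_WHOIS = {   # constructed: a two-week-old domain with a redacted registrant
    "domain": "login-portal.example",
    "registered": "2019-01-10T00:00:00.000-0800",
    "expiresAt": "2020-01-10T00:00:00.000-0800",
    "registrar": "Example Registrar",
    "nameServers": [],
    "registrant": {"organization": "N/A", "country": "N/A"},
}
SAMPLE_IP_WHOIS = {
    "domain": "1.1.1.1",
    "registered": "2014-03-14T00:00:00.000-0700",
    "whoisServer": "whois.arin.net",
    "registrar": "Administered by ARIN",
    "registrant": {"organization": "test LLC", "country": "US"},
}

if __name__ == "__main__":
    for rec in (SAMPLE_DOMAIN_WHOIS, SAMPLE_NEW_DOMAIN_WHOIS, SAMPLE_IP_WHOIS):
        t = triage_whois(rec, QUERY_TIME)
        print(f"{t['entity']}: age={t['age_days']} new={t['newly_registered']} "
              f"expires_in={t['days_to_expiry']} redacted={t['registrant_redacted']}")
```

Inject the query time rather than calling datetime.now() inside the function; it keeps playbook conditions reproducible when a case is re-run and lets the thresholds be unit-tested. A missing expiresAt (every IP WHOIS record) yields None rather than a false "expiring soon".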

WhoIs Host Reputation

Description

Request host reputation data for a hostname from RiskIQ. The result is the hostname's passive DNS history: each entry in results is an address (or other record target) the name has resolved to, with the record type, the data source, and first-seen and last-seen timestamps; totalRecords gives the full count and firstSeen/lastSeen the overall observation window.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| results | Returns if it exists in JSON result |
| totalRecords | Returns if it exists in JSON result |
| queryValue | Returns if it exists in JSON result |
| pager | Returns if it exists in JSON result |
| queryType | Returns if it exists in JSON result |
| firstSeen | Returns if it exists in JSON result |
| lastSeen | Returns if it exists in JSON result |
Insights

N/A

Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| Entity:Result | N/A | N/A |
JSON Result
[
    {
        "EntityResult": {
            "results": [
                {
                    "recordHash": "0aad10e23953813834d28098db21c0902f01190c3eba7e38869f798ca56abda7",
                    "resolve": "1.1.1.1",
                    "recordType": "A",
                    "resolveType": "ip",
                    "value": "example.com",
                    "source": ["riskiq"],
                    "lastSeen": "2013-09-12 13:08:07",
                    "collected": "2019-01-24 12:36:12",
                    "firstSeen": "2013-09-12 13:08:07"
                }],
            "totalRecords": 5099,
            "queryValue": "example.com",
            "pager": "None",
            "queryType": "domain",
            "firstSeen": "2009-09-01 19:59:32",
            "lastSeen": "2019-01-24 12:36:11"
        },
        "Entity": "example.com"
    }
]
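WhoIs Address Reputation and WhoIs Host Reputation return the same passive DNS structure (results, totalRecords, queryType), differing only in the direction of the lookup, so one summarizer covers both. The following is an added example, not code from the integration or from the Google Security Operations SOAR documentation: it separates current from stale resolutions, flags when totalRecords exceeds the returned page so the history is known to be incomplete, and suppresses pivots from heavily shared IPs such as the 6912-record address in the sample above. The sample records, the fixed query time, the 30-day recency window and the 1000-record shared-hosting threshold are constructed assumptions.

```python
"""Summarize PassiveTotal passive DNS results (WhoIs Address Reputation and WhoIs Host Reputation).

Added example, not code from the integration or the SOAR documentation: the record
fields follow the JSON Result samples above; the sample records, the query time and
the thresholds are constructed assumptions.
"""
from collections import Counter
from datetime import datetime, timezone

PDNS_TS = "%Y-%m-%d %H:%M:%S"    # timestamp format used inside results[]
RECENT_DAYS = 30                 # assumed: a resolution last seen within 30 days is "current"
SHARED_INFRA_RECORDS = 1000      # assumed: an IP with this many resolutions is shared hosting


def parse_pdns_ts(value):
    """Timestamps in results[] carry no offset; they are treated as UTC here (assumption)."""
    return datetime.strptime(value, PDNS_TS).replace(tzinfo=timezone.utc)


def summarize_pdns(entity_result, now):
    """Turn one EntityResult into pivot candidates plus the caveats that go with them."""
    results = entity_result.get("results") or []
    total = entity_result.get("totalRecords", len(results))
    all_names = {r["resolve"] for r in results}
    current = {r["resolve"] for r in results
               if (now - parse_pdns_ts(r["lastSeen"])).days <= RECENT_DAYS}
    return {
        "query": entity_result.get("queryValue"),
        "query_type": entity_result.get("queryType"),
        "total_records": total,
        "returned": len(results),
        # The action returns one page; if totalRecords exceeds it, the history is incomplete.
        "truncated": total > len(results),
        "current_resolutions": sorted(current),
        "stale_resolutions": sorted(all_names - current),
        "record_types": dict(Counter(r["recordType"] for r in results)),
        "sources": dict(Counter(s for r in results for s in r.get("source", []))),
        # Thousands of hostnames on one IP means a CDN, hosting provider or resolver:
        # co-hosted names are weak pivots and must not be blocked wholesale.
        "shared_infrastructure": (entity_result.get("queryType") == "ip"
                                  and total >= SHARED_INFRA_RECORDS),
    }


def pivot_candidates(summary):
    """Resolutions worth pivoting on: current, and not sourced from a shared-hosting IP."""
    if summary["shared_infrastructure"]:
        return []
    return summary["current_resolutions"]


# Constructed samples modelled on the JSON Result examples above (recordHash is a placeholder).
QUERY_TIME = datetime(2019, 1, 24, 9, 43, 20, tzinfo=timezone.utc)  # assumed query time


def _rec(value, resolve, resolve_type, first, last, source):
    return {"recordHash": "0" * 64, "value": value, "resolve": resolve, "recordType": "A",
            "resolveType": resolve_type, "firstSeen": first, "lastSeen": last,
            "collected": last, "source": [source]}


SAMPLE_IP_PDNS = {   # heavily shared IP, as in the WhoIs Address Reputation sample
    "queryValue": "1.1.1.1", "queryType": "ip", "totalRecords": 6912, "pager": "None",
    "firstSeen": "1970-01-01 00:00:00", "lastSeen": "2019-01-24 09:43:20",
    "results": [
        _rec("1.1.1.1", "com-abhut.cricket", "domain", "2015-11-09 00:00:00", "2015-11-09 00:00:00", "virustotal"),
        _rec("1.1.1.1", "cdn.example.org", "domain", "2018-06-01 00:00:00", "2019-01-23 23:59:59", "riskiq"),
        _rec("1.1.1.1", "login.example.net", "domain", "2019-01-20 03:00:00", "2019-01-20 03:00:00", "riskiq"),
    ],
}
SAMPLE_DOMAIN_PDNS = {   # a domain with an old and a current A record
    "queryValue": "example.com", "queryType": "domain", "totalRecords": 2, "pager": "None",
    "firstSeen": "2009-09-01 19:59:32", "lastSeen": "2019-01-24 09:43:20",
    "results": [
        _rec("example.com", "1.1.1.1", "ip", "2013-09-12 13:08:07", "2013-09-12 13:08:07", "riskiq"),
        _rec("example.com", "203.0.113.10", "ip", "2018-12-01 00:00:00", "2019-01-24 00:00:00", "riskiq"),
    ],
}

if __name__ == "__main__":
    for sample in (SAMPLE_IP_PDNS, SAMPLE_DOMAIN_PDNS):
        s = summarize_pdns(sample, QUERY_TIME)
        print(f"{s['query']} ({s['query_type']}): {s['returned']}/{s['total_records']} records, "
              f"truncated={s['truncated']}, shared={s['shared_infrastructure']}, "
              f"pivots={pivot_candidates(s)}")
```

The stale/current split matters because passive DNS is historical: a hostname that last resolved to the IP in 2015 says nothing about who controls the address today. The truncated flag tells the analyst that the single page the action returns is not the whole resolution history.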