As lookups return data on nearly every IPv4 address and domain, this integration is set to run in "On-Demand" mode only.
The Polarity RiskIQ Community (PassiveTotal) integration retrieves the "Data Summary Card" for both IPv4 addresses and domains. The integration can also perform additional lookups against malware and open source intelligence endpoints via the details view.
Furthermore, the integration also recognizes Google Tracker IDs (e.g., UA-XXXXXX-X) and returns a list of associated entities on which the identified tracker is present.
To learn more about RiskIQ Community (PassiveTotal), please visit the official website.
Check out the integration in action (screenshots: PassiveTotal Domain Lookup, Resolutions, PassiveTotal Google Tracker lookup, WHOIS History View, WHOIS Diff View).
The following REST API endpoints are used by the integration.
https://api.passivetotal.org/v2/cards/summary
https://api.passivetotal.org/v2/articles (on details)
https://api.passivetotal.org/v2/whois (on details)
https://api.passivetotal.org/v2/dns/passive (on details)
https://api.passivetotal.org/v2/ssl-certificates/search (on details)
https://api.passivetotal.org/v2/host-attributes/pairs (on details)
https://api.passivetotal.org/v2/reputation (on details)
https://api.passivetotal.org/v2/enrichment/subdomains (on details)
https://api.passivetotal.org/v2/enrichment/malware (on details)
https://api.passivetotal.org/v2/enrichment/osint (on details)
https://api.passivetotal.org/v2/trackers/search
https://api.passivetotal.org/v2/account/quota
The URL of the RiskIQ Community (PassiveTotal) API including the scheme (i.e., https://). Default is set to: https://api.passivetotal.org
PassiveTotal Username, used to access the API.
PassiveTotal API Key
Select which datasources are enabled. Certain datasources require an enterprise key. This option should be set to "Users can view only".
Maximum number of Malware, Host Pairs, and OSINT results to return in the Polarity Overlay. Please note that the higher the number, the longer it will take for the query to return. Defaults to 100.
List of domains that you never want to send to PassiveTotal.
Domains that match the given regex will not be looked up.
IPs that match the given regex will not be looked up.
Maximum number of concurrent search requests (defaults to 10). Integration must be restarted after changing this option.
Minimum amount of time in milliseconds between each entity search (defaults to 50). Integration must be restarted after changing this option.
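To make the option descriptions above concrete, here is an added example (not the Polarity integration's own code) of the pre-flight logic a lookup needs: classify the entity (IPv4, domain, or Google tracker ID), apply the domain blocklist and the domain/IP blocklist regexes, pick the endpoint, and build the request. The option key names, the `query` parameter name, and the rule that a blocklisted domain also blocks its subdomains are assumptions; HTTP Basic auth with username and API key is how the PassiveTotal v2 API authenticates.

```javascript
// Added example, not the integration's own code. Decides whether an entity is
// sent to PassiveTotal and, if so, which endpoint and headers to use.
const TRACKER_RE = /^UA-\d{4,10}-\d{1,4}$/i;   // Google tracker ID, UA-XXXXXX-X
const IPV4_RE = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const DOMAIN_RE = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// `options` mirrors the settings described above; its key names are assumed.
function planLookup(entity, options) {
  const value = entity.trim();
  const base = options.url.replace(/\/+$/, '');
  const auth = 'Basic ' + Buffer.from(`${options.username}:${options.apiKey}`).toString('base64');
  let type, path;
  if (TRACKER_RE.test(value)) {
    type = 'tracker'; path = '/v2/trackers/search';
  } else if (IPV4_RE.test(value)) {
    if (options.ipBlocklistRegex && new RegExp(options.ipBlocklistRegex).test(value)) {
      return { skip: true, reason: 'ip matches blocklist regex' };
    }
    type = 'ip'; path = '/v2/cards/summary';
  } else if (DOMAIN_RE.test(value)) {
    const lower = value.toLowerCase();
    // Assumption: a listed domain blocks itself and all of its subdomains.
    const listed = (options.blocklist || []).some(
      d => lower === d.toLowerCase() || lower.endsWith('.' + d.toLowerCase()));
    if (listed) return { skip: true, reason: 'domain on blocklist' };
    if (options.domainBlocklistRegex && new RegExp(options.domainBlocklistRegex, 'i').test(lower)) {
      return { skip: true, reason: 'domain matches blocklist regex' };
    }
    type = 'domain'; path = '/v2/cards/summary';
  } else {
    return { skip: true, reason: 'unsupported entity type' };
  }
  return {
    skip: false,
    type,
    url: `${base}${path}?query=${encodeURIComponent(value)}`, // 'query' param name assumed
    headers: { Authorization: auth },
    timeoutMs: 30000, // Polarity requires APIs to respond within 30 seconds
  };
}
```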
Returns a count of available data for various OSINT sources, including a link to view the data in PassiveTotal. The Data Card also includes a drop-down to view your current PassiveTotal API Search Quota based on the provided API key option.
Allows you to see services on recently open ports for an IP Address.
Searches open source intelligence sources.
Returns subdomains of the given domain.
The integration will use the article search endpoint to search for articles associated with the given indicator. Note that articles are only returned if the entity in question is listed as an indicator in the article. As a result, the Articles tab can return no results even if the Data Card view shows a non-zero Article count.
The integration searches the certificates' subjectCommonName field for the given entity and returns any results. As only a single field is searched, it is possible for no certificate results to be returned even if the "Data Card" view shows hits.
This tab will be displayed if the "Enable Reputation Lookup" option is enabled.
This tab will be displayed if the "Enable Host Pairs" option is enabled. The tab will display matches on both the child and parent fields.
This tab will display any associated Malware.
This tab will display WHOIS information for the entity.
This tab will display Passive DNS information for the given IP or domain.
If you reach your PassiveTotal API Search Quota you will see a message informing you that your quota has been reached.
(Screenshots: PassiveTotal search quota exceeded while running a new lookup; PassiveTotal search quota exceeded while reviewing OSINT data via tabs.)
The Polarity Server requires that APIs respond within 30 seconds.
The PassiveTotal API can sometimes take longer than this to respond to a request. When this happens you will see a timeout message and be given the option to rerun the search. The timeout message will also provide a link to run the search from the PassiveTotal web search interface.
(Screenshot: PassiveTotal API timeout.)
Sometimes the PassiveTotal API will be temporarily unavailable due to PassiveTotal search restrictions. When this occurs you will be given the ability to retry the search.
(Screenshots: PassiveTotal temporary outage while running a new lookup; PassiveTotal temporary outage while reviewing OSINT data via tabs.)
Installation instructions for integrations are provided on the PolarityIO GitHub Page.
Polarity is a memory-augmentation platform that improves and accelerates analyst decision making. For more information about the Polarity platform please see: