PassiveTotal¶
Table of Contents¶
Release Notes¶
Version |
Date |
Notes |
|---|---|---|
1.0.0 |
03/2022 |
Initial Release |
Overview¶
IBM Security SOAR app for PassiveTotal
This app uses RiskIQ PassiveTotal to check artifacts with the type DNS Name or IP address and adds a hit if the site is deemed compromised by your predefined definition.
Key Features¶
Checks if a site is compromised against predefined definitions and creates a hit with information on the site.
Requirements¶
resilient-circuits>=43.0.0
This app supports the IBM Security QRadar SOAR Platform and the IBM Security QRadar SOAR for IBM Cloud Pak for Security.
SOAR platform¶
The SOAR platform supports two app deployment mechanisms, App Host and integration server.
If deploying to a SOAR platform with an App Host, the requirements are:
SOAR platform >=
43.1.49.The app is in a container-based format (available from the AppExchange as a
zipfile).
If deploying to a SOAR platform with an integration server, the requirements are:
SOAR platform >=
43.1.49.The app is in the older integration format (available from the AppExchange as a
zipfile which contains atar.gzfile).Integration server is running
resilient-circuits>=43.0.0.If using an API key account, make sure the account provides the following minimum permissions:
Name
Permissions
Org Data
Read
Function
Read
The following SOAR platform guides provide additional information:
App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.
Integration Server Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.
System Administrator Guide: provides the procedure to install, configure and deploy apps.
The above guides are available on the IBM Documentation website at ibm.biz/soar-docs. On this web page, select your SOAR platform version. On the follow-on page, you can find the App Host Deployment Guide or Integration Server Guide by expanding Apps in the Table of Contents pane. The System Administrator Guide is available by expanding System Administrator.
Cloud Pak for Security¶
If you are deploying to IBM Cloud Pak for Security, the requirements are:
IBM Cloud Pak for Security >= 1.9
Cloud Pak is configured with an App Host.
The app is in a container-based format (available from the AppExchange as a
zipfile).
The following Cloud Pak guides provide additional information:
App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings. From the Table of Contents, select Case Management and Orchestration & Automation > Orchestration and Automation Apps.
System Administrator Guide: provides information to install, configure, and deploy apps. From the IBM Cloud Pak for Security IBM Documentation table of contents, select Case Management and Orchestration & Automation > System administrator.
These guides are available on the IBM Documentation website at ibm.biz/cp4s-docs. From this web page, select your IBM Cloud Pak for Security version. From the version-specific IBM Documentation page, select Case Management and Orchestration & Automation.
Proxy Server¶
The app does support a proxy server.
Python Environment¶
Python 3.6 is supported. Additional package dependencies may exist for each of these packages:
resilient-circuits>=43.0.0
Endpoint Developed With¶
This app has been implemented using:
Product Name |
Product Version |
API URL |
API Version |
|---|---|---|---|
RiskIQ PassiveTotal |
——- |
https://api.passivetotal.org/v2/account |
v2 |
Prerequisites¶
RiskIQ Account
RiskIQ API key
Installation¶
Install¶
To install or uninstall an App or Integration on the SOAR platform, see the documentation at ibm.biz/soar-docs.
To install or uninstall an App on IBM Cloud Pak for Security, see the documentation at ibm.biz/cp4s-docs and follow the instructions above to navigate to Orchestration and Automation.
App Configuration¶
The following table provides the settings you need to configure the app. These settings are made in the app.config file. See the documentation discussed in the Requirements section for the procedure.
Config |
Required |
Example |
Description |
|---|---|---|---|
passivetotal_account_api_url |
Yes |
|
– |
passivetotal_actions_class_api_url |
Yes |
|
– |
passivetotal_actions_tags_api_url |
Yes |
|
– |
passivetotal_api_key |
Yes |
– |
– |
passivetotal_base_url |
Yes |
|
– |
passivetotal_community_url |
Yes |
|
– |
passivetotal_enrich_subdom_api_url |
Yes |
|
– |
passivetotal_passive_dns_api_url |
Yes |
|
– |
passivetotal_tags |
Yes |
|
– |
passivetotal_username |
Yes |
– |
– |
Function - PassiveTotal¶
Queries PassiveTotal and checks if the site is compromised according to your definition. Needs a PassiveTotal account and api key to work.
Inputs:
Name |
Type |
Required |
Example |
Tooltip |
|---|---|---|---|---|
|
|
Yes |
|
- |
|
|
Yes |
|
- |
Outputs:
NOTE: This example might be in JSON format, but
resultsis a Python Dictionary on the SOAR platform.
result = {
"version": 2.0,
"success": true,
"reason": null,
"content": {
"pager": null,
"queryValue": "45.146.165.37",
"queryType": "ip",
"firstSeen": null,
"lastSeen": null,
"totalRecords": 0,
"results": [],
"classification": null,
"primaryDomain": "45.146.165.37.null",
"success": true,
"subdomains": [],
"tags_hits_str": "ransomeware, compromised",
"report_url": "https://community.riskiq.com/search/45.146.165.37"
},
"raw": null,
"inputs": {
"passivetotal_artifact_type": "IP Address",
"passivetotal_artifact_value": "45.146.165.37"
},
"metrics": {
"version": "1.0",
"package": "fn-passivetotal",
"package_version": "1.0.0",
"host": "My Host",
"execution_time_ms": 2086,
"timestamp": "2022-03-16 13:16:50"
}
}
Example Pre-Process Script:
inputs.passivetotal_artifact_type = artifact.type
inputs.passivetotal_artifact_value = artifact.value
Example Post-Process Script:
if results.success:
if results.content:
data =results.content
pdns_hit_number = data["totalRecords"]
pdns_first_seen = data["firstSeen"]
pdns_last_seen = data["lastSeen"]
subdomain_hits = data["subdomains"]
subdomain_hits_number = len(subdomain_hits) if subdomain_hits else None
first_ten_subdomains = ', '.join(subdomain_hits[:10]) if subdomain_hits else None
tags_hits = data["tags_hits_str"]
classification_hit = data["classification"]
report_url = data["report_url"]
hit = [
{
"name": "Number of Passive DNS Records",
"type": "number",
"value": "{}".format(pdns_hit_number)
},
{
"name": "First Seen",
"type": "string",
"value": "{}".format(pdns_first_seen)
},
{
"name": "Last Seen",
"type": "string",
"value": "{}".format(pdns_last_seen)
},
{
"name": "Subdomains - All",
"type": "number",
"value": "{}".format(subdomain_hits_number)
},
{
"name": "Subdomains - First ten Hostnames",
"type": "string",
"value": "{}".format(first_ten_subdomains)
},
{
"name": "Tags",
"type": "string",
"value": "{}".format(tags_hits)
},
{
"name": "Classification",
"type": "string",
"value": "{}".format(classification_hit)
},
{
"name": "Report Link",
"type": "uri",
"value": "{}".format(report_url)
}
]
artifact.addHit("PassiveTotal Function hits added", hit)
else:
incident.addNote("PassiveTotal Query failed: {}".format(results.reason))
Rules¶
Rule Name |
Object |
Workflow Triggered |
|---|---|---|
RiskIQ PassiveTotal Query |
artifact |
|
Troubleshooting & Support¶
Refer to the documentation listed in the Requirements section for troubleshooting information.
For Support¶
This is a IBM Community provided App. Please search the Community ibm.biz/soarcommunity for assistance.