
PassiveTotal v2

Analyze and understand threat infrastructure from a variety of sources (passive DNS, active DNS, WHOIS, SSL certificates and more) without devoting resources to time-intensive manual threat research and analysis. This integration was integrated and tested with the enterprise version of PassiveTotal v2.

Configure PassiveTotal v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for PassiveTotal v2.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | API URL | True |
| username | Username | True |
| secret | API Secret | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| request_timeout | HTTP(S) Request Timeout (in seconds) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

pt-whois-search

Gets WHOIS information records based on field matching queries.

Base Command

pt-whois-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Query value to use in your request. | Required |
| field | WHOIS field to execute the search on: domain, email, name, organization, address, phone, nameserver. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name, for example: 'google.com'. |
| Domain.WHOIS.CreationDate | Date | The date that the domain was created. |
| Domain.WHOIS.UpdatedDate | Date | The date that the domain was last updated. |
| Domain.WHOIS.ExpirationDate | Date | The expiration date of the domain. |
| Domain.WHOIS.NameServers | String | Name servers of the domain. |
| Domain.Organization | String | The organization of the domain. |
| Domain.Admin.Email | String | The email address of the domain administrator. |
| Domain.Admin.Name | String | The name of the domain administrator. |
| Domain.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.Admin.Country | String | The country of the domain administrator. |
| Domain.Registrant.Email | String | The email address of the registrant. |
| Domain.Registrant.Name | String | The name of the registrant. |
| Domain.Registrant.Phone | String | The phone number for receiving abuse reports. |
| Domain.Registrant.Country | String | The country of the registrant. |
| Domain.WHOIS.Admin.Email | String | The email address of the domain administrator. |
| Domain.WHOIS.Admin.Name | String | The name of the domain administrator. |
| Domain.WHOIS.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.WHOIS.Admin.Country | String | The country of the domain administrator. |
| Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: 'GoDaddy'. |
| Domain.WHOIS.Registrant.Email | String | The email address of the registrant. |
| Domain.WHOIS.Registrant.Name | String | The name of the registrant. |
| Domain.WHOIS.Registrant.Phone | String | The phone number for receiving abuse reports. |
| Domain.WHOIS.Registrant.Country | String | The country of the registrant. |
| PassiveTotal.WHOIS.domain | String | The domain name, for example: 'google.com'. |
| PassiveTotal.WHOIS.registrar | String | The name of the registrar of the domain. |
| PassiveTotal.WHOIS.whoisServer | String | The WHOIS server that holds the registration details of the domain. |
| PassiveTotal.WHOIS.registered | Date | The date that the domain was registered. |
| PassiveTotal.WHOIS.expiresAt | Date | The expiration date of the domain. |
| PassiveTotal.WHOIS.registryUpdatedAt | Date | The date when the registry record was last updated. |
| PassiveTotal.WHOIS.lastLoadedAt | Date | The date when the record was last loaded into the WHOIS database. |
| PassiveTotal.WHOIS.nameServers | String | Name servers of the domain. |
| PassiveTotal.WHOIS.organization | String | The organization of the domain. |
| PassiveTotal.WHOIS.name | String | Name of the domain. |
| PassiveTotal.WHOIS.telephone | String | Telephone number fetched from the WHOIS details of the domain. |
| PassiveTotal.WHOIS.contactEmail | String | Contact email address of the domain owner. |
| PassiveTotal.WHOIS.registrantEmail | String | The email address of the domain registrant. |
| PassiveTotal.WHOIS.registrantFax | String | The fax number of the domain registrant. |
| PassiveTotal.WHOIS.registrantName | String | The name of the domain registrant. |
| PassiveTotal.WHOIS.registrantOrganization | String | The organization of the domain registrant. |
| PassiveTotal.WHOIS.registrantStreet | String | The street of the domain registrant. |
| PassiveTotal.WHOIS.registrantCity | String | The city of the domain registrant. |
| PassiveTotal.WHOIS.registrantState | String | The state of the domain registrant. |
| PassiveTotal.WHOIS.registrantPostalCode | String | The postal code of the domain registrant. |
| PassiveTotal.WHOIS.registrantCountry | String | The country of the domain registrant. |
| PassiveTotal.WHOIS.registrantTelephone | String | The telephone number of the domain registrant. |
| PassiveTotal.WHOIS.adminEmail | String | The email address of the domain administrator. |
| PassiveTotal.WHOIS.adminFax | String | The fax number of the domain administrator. |
| PassiveTotal.WHOIS.adminName | String | The name of the domain administrator. |
| PassiveTotal.WHOIS.adminOrganization | String | The organization of the domain administrator. |
| PassiveTotal.WHOIS.adminStreet | String | The street of the domain administrator. |
| PassiveTotal.WHOIS.adminCity | String | The city of the domain administrator. |
| PassiveTotal.WHOIS.adminState | String | The state of the domain administrator. |
| PassiveTotal.WHOIS.adminPostalCode | String | The postal code of the domain administrator. |
| PassiveTotal.WHOIS.adminCountry | String | The country of the domain administrator. |
| PassiveTotal.WHOIS.adminTelephone | String | The telephone number of the domain administrator. |
| PassiveTotal.WHOIS.billingEmail | String | The email address of the domain billing contact. |
| PassiveTotal.WHOIS.billingFax | String | The fax number of the domain billing contact. |
| PassiveTotal.WHOIS.billingName | String | The name of the domain billing contact. |
| PassiveTotal.WHOIS.billingOrganization | String | The organization of the domain billing contact. |
| PassiveTotal.WHOIS.billingStreet | String | The street of the domain billing contact. |
| PassiveTotal.WHOIS.billingCity | String | The city of the domain billing contact. |
| PassiveTotal.WHOIS.billingState | String | The state of the domain billing contact. |
| PassiveTotal.WHOIS.billingPostalCode | String | The postal code of the domain billing contact. |
| PassiveTotal.WHOIS.billingCountry | String | The country of the domain billing contact. |
| PassiveTotal.WHOIS.billingTelephone | String | The telephone number of the domain billing contact. |
| PassiveTotal.WHOIS.techEmail | String | The email address of the domain technical contact. |
| PassiveTotal.WHOIS.techFax | String | The fax number of the domain technical contact. |
| PassiveTotal.WHOIS.techName | String | The name of the domain technical contact. |
| PassiveTotal.WHOIS.techOrganization | String | The organization of the domain technical contact. |
| PassiveTotal.WHOIS.techStreet | String | The street of the domain technical contact. |
| PassiveTotal.WHOIS.techCity | String | The city of the domain technical contact. |
| PassiveTotal.WHOIS.techState | String | The state of the domain technical contact. |
| PassiveTotal.WHOIS.techPostalCode | String | The postal code of the domain technical contact. |
| PassiveTotal.WHOIS.techCountry | String | The country of the domain technical contact. |
| PassiveTotal.WHOIS.techTelephone | String | The telephone number of the domain technical contact. |

Command Example

!pt-whois-search field=domain query=riskiq.com

Context Example

{
"DBotScore": [
{
"Indicator": "riskiq.com",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
}
],
"Domain": [
{
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"Name": "riskiq.com",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Organization": "RiskIQ, Inc.",
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800",
"WHOIS": {
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800"
}
}
],
"PassiveTotal": {
"WHOIS": {
"adminCity": "san francisco",
"adminCountry": "us",
"adminEmail": "domains@riskiq.com",
"adminName": "Risk IQ",
"adminOrganization": "RiskIQ, Inc.",
"adminPostalCode": "94111",
"adminState": "california",
"adminStreet": "22 Battery Street\n10th Floor",
"adminTelephone": "18884154447",
"contactEmail": "domains@riskiq.com",
"domain": "riskiq.com",
"expiresAt": "2017-01-11T16:00:00.000-0800",
"lastLoadedAt": "2016-09-27T09:40:31.180-0700",
"name": "Risk IQ",
"nameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"organization": "RiskIQ, Inc.",
"registered": "2006-01-11T16:00:00.000-0800",
"registrantCity": "san francisco",
"registrantCountry": "us",
"registrantEmail": "domains@riskiq.com",
"registrantName": "Risk IQ",
"registrantOrganization": "RiskIQ, Inc.",
"registrantPostalCode": "94111",
"registrantState": "california",
"registrantStreet": "22 Battery Street\n10th Floor",
"registrantTelephone": "18884154447",
"registrar": "GODADDY.COM, LLC",
"registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
"techCity": "san francisco",
"techCountry": "us",
"techEmail": "domains@riskiq.com",
"techName": "Risk IQ",
"techOrganization": "RiskIQ, Inc.",
"techPostalCode": "94111",
"techState": "california",
"techStreet": "22 Battery Street\n10th Floor",
"techTelephone": "18884154447",
"telephone": "18884154447",
"whoisServer": "whois.godaddy.com"
}
}
}

Human Readable Output

Total Retrieved Record(s): 2

Associated Domains

| Domain | WHOIS Server | Registrar | Contact Email | Name Servers | Registrant | Admin | Tech | Creation Date (GMT) | Expire Date (GMT) | Updated Date (GMT) | Last Scanned (GMT) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| riskiq.com | whois.godaddy.com | GODADDY.COM, LLC | domains@riskiq.com | luke.ns.cloudflare.com, serena.ns.cloudflare.com | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | 2006-01-11T16:00:00.000-0800 | 2017-01-11T16:00:00.000-0800 | 2014-12-08T16:00:00.000-0800 | 2016-09-27T09:40:31.180-0700 |
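As an added example (my code, not part of the integration), the following Python maps a raw PassiveTotal WHOIS record, shaped like the PassiveTotal.WHOIS object in the Context Example, onto the Domain standard context listed in the Context Output table, and parses the record's offset-bearing timestamps so they can be compared in UTC. The sample record is constructed from the page's riskiq.com example; the function names are mine.

```python
from datetime import datetime, timezone

# Constructed sample: the riskiq.com record from the Context Example above,
# trimmed to the fields this example uses.
SAMPLE_WHOIS = {
    "domain": "riskiq.com",
    "registrar": "GODADDY.COM, LLC",
    "whoisServer": "whois.godaddy.com",
    "registered": "2006-01-11T16:00:00.000-0800",
    "expiresAt": "2017-01-11T16:00:00.000-0800",
    "registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
    "lastLoadedAt": "2016-09-27T09:40:31.180-0700",
    "nameServers": ["luke.ns.cloudflare.com", "serena.ns.cloudflare.com"],
    "organization": "RiskIQ, Inc.",
    "adminEmail": "domains@riskiq.com",
    "adminName": "Risk IQ",
    "adminTelephone": "18884154447",
    "adminCountry": "us",
    "registrantEmail": "domains@riskiq.com",
    "registrantName": "Risk IQ",
    "registrantTelephone": "18884154447",
    "registrantCountry": "us",
}

# Raw-field suffix -> standard-context key for one contact role.
CONTACT_FIELDS = {"Email": "Email", "Name": "Name", "Telephone": "Phone", "Country": "Country"}


def parse_pt_timestamp(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SS.mmm-0800' form used in the WHOIS record
    into a timezone-aware datetime; returns None when the field is absent."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def to_utc_iso(value):
    """The same timestamp normalised to UTC, so that dates reported with
    different offsets (-0800 and -0700 above) can be compared safely."""
    parsed = parse_pt_timestamp(value)
    return parsed.astimezone(timezone.utc).isoformat() if parsed else None


def contact_block(record, role):
    """Collect Email/Name/Phone/Country for one role ('admin' or 'registrant'),
    omitting keys the record does not carry instead of emitting nulls."""
    block = {}
    for suffix, ctx_key in CONTACT_FIELDS.items():
        value = record.get(role + suffix)
        if value:
            block[ctx_key] = value
    return block


def to_domain_context(record):
    """Build the Domain entry shown in the Context Example from the raw record."""
    whois = {
        "CreationDate": record.get("registered"),
        "UpdatedDate": record.get("registryUpdatedAt"),
        "ExpirationDate": record.get("expiresAt"),
        "NameServers": record.get("nameServers", []),
        "Registrar": {"Name": record.get("registrar")},
        "Admin": contact_block(record, "admin"),
        "Registrant": contact_block(record, "registrant"),
    }
    return {
        "Name": record["domain"],
        "Organization": record.get("organization"),
        "Admin": whois["Admin"],
        "Registrant": whois["Registrant"],
        "Registrar": whois["Registrar"],
        "WHOIS": whois,
    }


def expired_when_loaded(record):
    """True when the registration had already lapsed at the time the record
    was last loaded (expiresAt earlier than lastLoadedAt): the snapshot may
    then describe a domain that has since been dropped or re-registered.
    Returns None when either date is missing."""
    expires = parse_pt_timestamp(record.get("expiresAt"))
    loaded = parse_pt_timestamp(record.get("lastLoadedAt"))
    if expires is None or loaded is None:
        return None
    return expires < loaded


if __name__ == "__main__":
    ctx = to_domain_context(SAMPLE_WHOIS)
    print(ctx["Name"], ctx["WHOIS"]["Registrar"]["Name"], to_utc_iso(SAMPLE_WHOIS["registered"]))
    print("expired when loaded:", expired_when_loaded(SAMPLE_WHOIS))
```

Contact blocks are built by suffix so the same helper serves the admin and registrant roles (and would serve tech or billing with one more call); fields that are absent in the raw record are left out rather than written as null, which keeps later playbook conditions on `Domain.Admin.Email` from matching an empty value.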

pt-get-components

Retrieves the host attribute components for a domain or IP address. A maximum of 2000 records is fetched.

Base Command

pt-get-components

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Domain or IP address you want to search components for. | Required |
| start | Filter for records whose last seen is after this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |
| end | Filter for records whose first seen is before this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name, for example: "google.com". |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| IP.Address | String | The IP Address of the component. |
| PassiveTotal.Component.firstSeen | Date | The date and time when the component was first observed. |
| PassiveTotal.Component.lastSeen | Date | The date and time when the component was most recently observed. |
| PassiveTotal.Component.version | String | The current version of the component. |
| PassiveTotal.Component.category | String | The category under which the component falls. |
| PassiveTotal.Component.label | String | The value of the component. |
| PassiveTotal.Component.hostname | String | The hostname of the component. |
| PassiveTotal.Component.address | String | The IP address of the component. |

Command Example

!pt-get-components query=www.furth.com.ar

Context Example

{
"DBotScore": {
"Indicator": "www.furth.com.ar",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
},
"Domain": {
"Name": "www.furth.com.ar"
},
"PassiveTotal": {
"Component": [
{
"category": "Framework",
"firstSeen": "2020-05-29 10:57:44",
"hostname": "www.furth.com.ar",
"label": "PHP",
"lastSeen": "2020-05-29 10:57:44"
},
{
"category": "Server",
"firstSeen": "2020-05-29 10:57:44",
"hostname": "www.furth.com.ar",
"label": "Apache",
"lastSeen": "2020-05-29 10:57:44"
},
{
"category": "Server Module",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "mod_bwlimited",
"lastSeen": "2017-10-24 15:53:52",
"version": "1.4"
},
{
"category": "Server Module",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "OpenSSL",
"lastSeen": "2017-10-24 15:53:52",
"version": "1.0.1e-fips"
},
{
"category": "Server",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "Apache",
"lastSeen": "2017-10-24 15:53:52",
"version": "2.2.29"
},
{
"category": "Operating System",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "Unix",
"lastSeen": "2017-10-24 15:53:52"
},
{
"category": "Server Module",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "mod_ssl",
"lastSeen": "2017-10-24 15:53:52",
"version": "2.2.29"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 7

COMPONENTS

| Hostname | First (GMT) | Last (GMT) | Category | Value | Version |
| --- | --- | --- | --- | --- | --- |
| www.furth.com.ar | 2020-05-29 10:57:44 | 2020-05-29 10:57:44 | Framework | PHP | |
| www.furth.com.ar | 2020-05-29 10:57:44 | 2020-05-29 10:57:44 | Server | Apache | |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Server Module | mod_bwlimited | 1.4 |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Server Module | OpenSSL | 1.0.1e-fips |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Server | Apache | 2.2.29 |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Operating System | Unix | |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Server Module | mod_ssl | 2.2.29 |
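The start and end arguments have the same semantics for pt-get-components, pt-get-trackers, pt-get-pdns-details and pt-get-host-pairs (last seen after start, first seen before end, either "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd"). The added Python below (my code, not the integration's) applies that window locally to the component records from the Context Example, so the effect of a bare date versus a full timestamp, and of an inverted window, can be seen on real data. Inclusive boundaries and the rejection of malformed arguments are my choices, not something the page specifies.

```python
from datetime import datetime

# Constructed sample: the seven component records from the Context Example.
SAMPLE_COMPONENTS = [
    {"category": "Framework", "label": "PHP",
     "firstSeen": "2020-05-29 10:57:44", "lastSeen": "2020-05-29 10:57:44"},
    {"category": "Server", "label": "Apache",
     "firstSeen": "2020-05-29 10:57:44", "lastSeen": "2020-05-29 10:57:44"},
    {"category": "Server Module", "label": "mod_bwlimited", "version": "1.4",
     "firstSeen": "2016-01-11 23:45:15", "lastSeen": "2017-10-24 15:53:52"},
    {"category": "Server Module", "label": "OpenSSL", "version": "1.0.1e-fips",
     "firstSeen": "2016-01-11 23:45:15", "lastSeen": "2017-10-24 15:53:52"},
    {"category": "Server", "label": "Apache", "version": "2.2.29",
     "firstSeen": "2016-01-11 23:45:15", "lastSeen": "2017-10-24 15:53:52"},
    {"category": "Operating System", "label": "Unix",
     "firstSeen": "2016-01-11 23:45:15", "lastSeen": "2017-10-24 15:53:52"},
    {"category": "Server Module", "label": "mod_ssl", "version": "2.2.29",
     "firstSeen": "2016-01-11 23:45:15", "lastSeen": "2017-10-24 15:53:52"},
]

ARG_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d")  # the two formats the arguments accept
RECORD_FORMAT = "%Y-%m-%d %H:%M:%S"              # format of firstSeen/lastSeen in results


def parse_arg_datetime(value):
    """Parse a start/end argument. A bare date means midnight at the start of
    that day. Any other shape raises, so a typo cannot silently widen the window."""
    if value is None:
        return None
    for fmt in ARG_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unsupported datetime {value!r}: use yyyy-mm-dd hh:mm:ss or yyyy-mm-dd")


def filter_window(records, start=None, end=None):
    """Keep records whose observation span touches the window: lastSeen on or
    after start, firstSeen on or before end. Boundaries are inclusive here
    (my choice; the page says 'after'/'before' without specifying)."""
    start_dt, end_dt = parse_arg_datetime(start), parse_arg_datetime(end)
    if start_dt and end_dt and start_dt > end_dt:
        raise ValueError("start must not be later than end")
    kept = []
    for rec in records:
        first = datetime.strptime(rec["firstSeen"], RECORD_FORMAT)
        last = datetime.strptime(rec["lastSeen"], RECORD_FORMAT)
        if start_dt and last < start_dt:
            continue
        if end_dt and first > end_dt:
            continue
        kept.append(rec)
    return kept


def labels(records):
    """'label version' strings in result order, handy for diffing two windows."""
    return [r["label"] + (" " + r["version"] if r.get("version") else "") for r in records]


def diff_windows(records, old, new):
    """What disappeared and what appeared between two (start, end) windows."""
    before = set(labels(filter_window(records, *old)))
    after = set(labels(filter_window(records, *new)))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    print(labels(filter_window(SAMPLE_COMPONENTS, start="2018-01-01")))
    print(diff_windows(SAMPLE_COMPONENTS, ("2016-01-01", "2017-12-31"), ("2020-01-01", None)))
```

Diffing two windows is the practical use: on the sample it shows that the 2016-2017 observations (Apache 2.2.29 with mod_ssl and OpenSSL 1.0.1e-fips) are no longer reported in 2020, where only unversioned Apache and PHP appear.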

pt-get-trackers

Retrieves the host attribute trackers for a domain or IP address. A maximum of 2000 records is fetched.

Base Command

pt-get-trackers

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Domain or IP address you want to search trackers for. | Required |
| start | Filter for records whose last seen is after this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |
| end | Filter for records whose first seen is before this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name, for example: "google.com". |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| IP.Address | String | The IP Address of the component. |
| PassiveTotal.Tracker.firstSeen | Date | The date and time when the tracker was first observed. |
| PassiveTotal.Tracker.lastSeen | Date | The date and time when the tracker was most recently observed. |
| PassiveTotal.Tracker.attributeValue | String | The value of the tracker. |
| PassiveTotal.Tracker.attributeType | String | The type under which the tracker falls. |
| PassiveTotal.Tracker.hostname | String | The hostname of the tracker. |
| PassiveTotal.Tracker.address | String | The IP address of the tracker. |

Command Example

!pt-get-trackers query=filmesonlinegratis.net

Context Example

{
"DBotScore": [
{
"Indicator": "filmesonlinegratis.net",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
},
{
"Indicator": "www.filmesonlinegratis.net",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
}
],
"Domain": [
{
"Name": "filmesonlinegratis.net"
},
{
"Name": "www.filmesonlinegratis.net"
}
],
"PassiveTotal": {
"Tracker": [
{
"attributeType": "GoogleAnalyticsTrackingId",
"attributeValue": "ua-70630818-3",
"firstSeen": "2016-10-14 10:16:38",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2020-06-14 19:43:28"
},
{
"attributeType": "GoogleAnalyticsAccountNumber",
"attributeValue": "ua-70630818",
"firstSeen": "2016-10-14 10:16:38",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2020-06-14 19:43:28"
},
{
"attributeType": "GoogleAnalyticsAccountNumber",
"attributeValue": "ua-11598035",
"firstSeen": "2012-03-07 05:53:50",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2016-10-13 15:38:35"
},
{
"attributeType": "GoogleAnalyticsTrackingId",
"attributeValue": "ua-11598035-1",
"firstSeen": "2012-03-07 05:53:50",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2016-10-13 15:38:35"
},
{
"attributeType": "GoogleAnalyticsTrackingId",
"attributeValue": "ua-11598035-1",
"firstSeen": "2014-02-11 01:30:40",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2016-09-13 03:54:34"
},
{
"attributeType": "GoogleAnalyticsAccountNumber",
"attributeValue": "ua-11598035",
"firstSeen": "2014-02-11 01:30:40",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2016-09-13 03:54:34"
},
{
"attributeType": "TumblrId",
"attributeValue": "25.media",
"firstSeen": "2016-07-02 00:46:33",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2016-09-02 11:09:30"
},
{
"attributeType": "FacebookId",
"attributeValue": "filmesog",
"firstSeen": "2012-11-27 06:06:44",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2015-09-26 05:52:23"
},
{
"attributeType": "FacebookId",
"attributeValue": "filmesog",
"firstSeen": "2014-02-11 01:30:40",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2015-09-24 05:12:39"
},
{
"attributeType": "WhosAmungUsId",
"attributeValue": "6cdg",
"firstSeen": "2012-03-07 05:53:50",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2012-03-07 16:00:45"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 10

TRACKERS

| Hostname | First (GMT) | Last (GMT) | Type | Value |
| --- | --- | --- | --- | --- |
| filmesonlinegratis.net | 2016-10-14 10:16:38 | 2020-06-14 19:43:28 | GoogleAnalyticsTrackingId | ua-70630818-3 |
| filmesonlinegratis.net | 2016-10-14 10:16:38 | 2020-06-14 19:43:28 | GoogleAnalyticsAccountNumber | ua-70630818 |
| www.filmesonlinegratis.net | 2012-03-07 05:53:50 | 2016-10-13 15:38:35 | GoogleAnalyticsAccountNumber | ua-11598035 |
| www.filmesonlinegratis.net | 2012-03-07 05:53:50 | 2016-10-13 15:38:35 | GoogleAnalyticsTrackingId | ua-11598035-1 |
| filmesonlinegratis.net | 2014-02-11 01:30:40 | 2016-09-13 03:54:34 | GoogleAnalyticsTrackingId | ua-11598035-1 |
| filmesonlinegratis.net | 2014-02-11 01:30:40 | 2016-09-13 03:54:34 | GoogleAnalyticsAccountNumber | ua-11598035 |
| www.filmesonlinegratis.net | 2016-07-02 00:46:33 | 2016-09-02 11:09:30 | TumblrId | 25.media |
| www.filmesonlinegratis.net | 2012-11-27 06:06:44 | 2015-09-26 05:52:23 | FacebookId | filmesog |
| filmesonlinegratis.net | 2014-02-11 01:30:40 | 2015-09-24 05:12:39 | FacebookId | filmesog |
| www.filmesonlinegratis.net | 2012-03-07 05:53:50 | 2012-03-07 16:00:45 | WhosAmungUsId | 6cdg |
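Tracker records are mostly useful when pivoted: the same analytics or social-media identifier appearing on several hostnames ties those hosts to one operator, and a change of identifier over time marks a handover or re-instrumentation. The added Python below (my code, not the integration's) performs that pivot over the ten records from the Context Example; the record set is constructed from the page and the function names are mine.

```python
from collections import defaultdict

# Constructed sample: the ten tracker records from the Context Example.
_ROWS = [
    ("filmesonlinegratis.net", "GoogleAnalyticsTrackingId", "ua-70630818-3", "2016-10-14 10:16:38", "2020-06-14 19:43:28"),
    ("filmesonlinegratis.net", "GoogleAnalyticsAccountNumber", "ua-70630818", "2016-10-14 10:16:38", "2020-06-14 19:43:28"),
    ("www.filmesonlinegratis.net", "GoogleAnalyticsAccountNumber", "ua-11598035", "2012-03-07 05:53:50", "2016-10-13 15:38:35"),
    ("www.filmesonlinegratis.net", "GoogleAnalyticsTrackingId", "ua-11598035-1", "2012-03-07 05:53:50", "2016-10-13 15:38:35"),
    ("filmesonlinegratis.net", "GoogleAnalyticsTrackingId", "ua-11598035-1", "2014-02-11 01:30:40", "2016-09-13 03:54:34"),
    ("filmesonlinegratis.net", "GoogleAnalyticsAccountNumber", "ua-11598035", "2014-02-11 01:30:40", "2016-09-13 03:54:34"),
    ("www.filmesonlinegratis.net", "TumblrId", "25.media", "2016-07-02 00:46:33", "2016-09-02 11:09:30"),
    ("www.filmesonlinegratis.net", "FacebookId", "filmesog", "2012-11-27 06:06:44", "2015-09-26 05:52:23"),
    ("filmesonlinegratis.net", "FacebookId", "filmesog", "2014-02-11 01:30:40", "2015-09-24 05:12:39"),
    ("www.filmesonlinegratis.net", "WhosAmungUsId", "6cdg", "2012-03-07 05:53:50", "2012-03-07 16:00:45"),
]
FIELDS = ("hostname", "attributeType", "attributeValue", "firstSeen", "lastSeen")
SAMPLE_TRACKERS = [dict(zip(FIELDS, row)) for row in _ROWS]


def pivot_by_tracker(records):
    """Group hostnames by tracker: {(attributeType, attributeValue): [hostnames]}."""
    groups = defaultdict(set)
    for rec in records:
        groups[(rec["attributeType"], rec["attributeValue"])].add(rec["hostname"])
    return {key: sorted(hosts) for key, hosts in groups.items()}


def shared_trackers(records, min_hosts=2):
    """Trackers observed on at least min_hosts distinct hostnames; these are
    the values worth pivoting on with a further pt-get-trackers query."""
    return {key: hosts for key, hosts in pivot_by_tracker(records).items() if len(hosts) >= min_hosts}


def observation_span(records, attribute_type, attribute_value):
    """Earliest firstSeen and latest lastSeen of one tracker across all hosts.
    Timestamps are compared as strings, which is safe for this fixed format."""
    hits = [r for r in records if r["attributeType"] == attribute_type and r["attributeValue"] == attribute_value]
    if not hits:
        return None
    return min(r["firstSeen"] for r in hits), max(r["lastSeen"] for r in hits)


def tracker_timeline(records, hostname, attribute_type):
    """(firstSeen, lastSeen, value) for one host and tracker type, oldest first,
    so a change of identifier shows up as consecutive rows."""
    rows = [(r["firstSeen"], r["lastSeen"], r["attributeValue"])
            for r in records if r["hostname"] == hostname and r["attributeType"] == attribute_type]
    return sorted(rows)


if __name__ == "__main__":
    for key, hosts in shared_trackers(SAMPLE_TRACKERS).items():
        print(key, hosts, observation_span(SAMPLE_TRACKERS, *key))
    print(tracker_timeline(SAMPLE_TRACKERS, "filmesonlinegratis.net", "GoogleAnalyticsAccountNumber"))
```

On the sample, three identifiers (the ua-11598035 account, its ua-11598035-1 property, and the filmesog Facebook ID) are shared by the apex and www hosts, and the apex timeline shows the Google Analytics account changing from ua-11598035 to ua-70630818 between September and October 2016.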

pt-get-pdns-details

Retrieves the passive DNS results from active account sources.

Base Command

pt-get-pdns-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The domain or IP being queried. | Required |
| start | Filter for records whose last seen is after this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |
| end | Filter for records whose first seen is before this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PassiveTotal.PDNS.resolve | String | The host or IP address that the passive DNS record resolves to. |
| PassiveTotal.PDNS.resolveType | String | The type of the resolve, e.g. domain, ip, host. |
| PassiveTotal.PDNS.value | String | The value of the passive DNS record. |
| PassiveTotal.PDNS.source | String | Source of the passive DNS records. |
| PassiveTotal.PDNS.firstSeen | String | First seen timestamp of the passive DNS record. |
| PassiveTotal.PDNS.lastSeen | String | Last seen timestamp of the passive DNS record. |
| PassiveTotal.PDNS.collected | String | The date when the passive DNS record was collected. |
| PassiveTotal.PDNS.recordType | String | The type of the passive DNS record, e.g. CNAME, SOA, A. |
| PassiveTotal.PDNS.recordHash | String | The hash value of the passive DNS record. |
| Domain.Name | String | The domain name, for example: 'google.com'. |
| IP.Address | String | The IP Address of the component. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!pt-get-pdns-details query=www.furth.com.ar

Context Example

{
"DBotScore": [
{
"Indicator": "furth.com.ar",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
},
{
"Indicator": "77.81.241.5",
"Score": 0,
"Type": "ip",
"Vendor": "PassiveTotal"
},
{
"Indicator": "184.75.255.33",
"Score": 0,
"Type": "ip",
"Vendor": "PassiveTotal"
}
],
"Domain": {
"Name": "furth.com.ar"
},
"IP": [
{
"Address": "77.81.241.5"
},
{
"Address": "184.75.255.33"
}
],
"PassiveTotal": {
"PDNS": [
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2010-12-15 09:10:10",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "abf781b2484ea79d521cffb0745b71319d4db1158f71bb019b41077f8e55b035",
"recordType": "CNAME",
"resolve": "furth.com.ar",
"resolveType": "domain",
"source": [
"riskiq",
"pingly"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2020-05-29 03:57:44",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "d7183564ca617e173fc26aeff66a38bb5c1b9089e56819851183860b9a37ccca",
"recordType": "A",
"resolve": "77.81.241.5",
"resolveType": "ip",
"source": [
"riskiq",
"pingly"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2016-01-11 15:45:15",
"lastSeen": "2017-10-24 08:53:52",
"recordHash": "345780dcde96f0c28e3b93ec53bd33067f26075f30c2d4e49fafe0d2396194ca",
"recordType": "A",
"resolve": "184.75.255.33",
"resolveType": "ip",
"source": [
"riskiq"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2020-06-17 05:26:33",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "63deb7c38cbea98f631777fd3ba89de0c270178bd37eb6a270ee7e37b3cd92e5",
"recordType": "SOA",
"resolve": "webmaster@furth.com.ar",
"resolveType": "email",
"source": [
"pingly"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2020-06-17 05:26:33",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "24fa99da36eecc22b8970a33f8adf0f150598391319df4fc02128d677999e886",
"recordType": "MX",
"resolve": "furth.com.ar",
"resolveType": "domain",
"source": [
"pingly"
],
"value": "www.furth.com.ar"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 5

PDNS detail(s)

| Resolve | Resolve Type | Record Type | Collected (GMT) | First (GMT) | Last (GMT) | Source | Record Hash |
| --- | --- | --- | --- | --- | --- | --- | --- |
| furth.com.ar | domain | CNAME | 2020-06-17 12:26:33 | 2010-12-15 09:10:10 | 2020-06-17 05:26:33 | riskiq, pingly | abf781b2484ea79d521cffb0745b71319d4db1158f71bb019b41077f8e55b035 |
| 77.81.241.5 | ip | A | 2020-06-17 12:26:33 | 2020-05-29 03:57:44 | 2020-06-17 05:26:33 | riskiq, pingly | d7183564ca617e173fc26aeff66a38bb5c1b9089e56819851183860b9a37ccca |
| 184.75.255.33 | ip | A | 2020-06-17 12:26:33 | 2016-01-11 15:45:15 | 2017-10-24 08:53:52 | riskiq | 345780dcde96f0c28e3b93ec53bd33067f26075f30c2d4e49fafe0d2396194ca |
| webmaster@furth.com.ar | email | SOA | 2020-06-17 12:26:33 | 2020-06-17 05:26:33 | 2020-06-17 05:26:33 | pingly | 63deb7c38cbea98f631777fd3ba89de0c270178bd37eb6a270ee7e37b3cd92e5 |
| furth.com.ar | domain | MX | 2020-06-17 12:26:33 | 2020-06-17 05:26:33 | 2020-06-17 05:26:33 | pingly | 24fa99da36eecc22b8970a33f8adf0f150598391319df4fc02128d677999e886 |
```
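The Context Example shows how the passive DNS records are turned into indicators: each distinct resolve becomes one DBotScore entry and one Domain or IP entry according to its resolveType, duplicates are collapsed (furth.com.ar appears in a CNAME and an MX record but once in Domain), and resolve types with no standard indicator (the SOA's email) produce nothing. The added Python below (my code, not the integration's) reproduces that routing over the five records from the page and adds two views an analyst typically wants, the A-record history and the records corroborated by more than one source. The record set is constructed from the page; the function names are mine.

```python
# Constructed sample: the five records from the Context Example (recordHash
# and collected are dropped because this example does not use them).
SAMPLE_PDNS = [
    {"recordType": "CNAME", "resolve": "furth.com.ar", "resolveType": "domain",
     "firstSeen": "2010-12-15 09:10:10", "lastSeen": "2020-06-17 05:26:33", "source": ["riskiq", "pingly"]},
    {"recordType": "A", "resolve": "77.81.241.5", "resolveType": "ip",
     "firstSeen": "2020-05-29 03:57:44", "lastSeen": "2020-06-17 05:26:33", "source": ["riskiq", "pingly"]},
    {"recordType": "A", "resolve": "184.75.255.33", "resolveType": "ip",
     "firstSeen": "2016-01-11 15:45:15", "lastSeen": "2017-10-24 08:53:52", "source": ["riskiq"]},
    {"recordType": "SOA", "resolve": "webmaster@furth.com.ar", "resolveType": "email",
     "firstSeen": "2020-06-17 05:26:33", "lastSeen": "2020-06-17 05:26:33", "source": ["pingly"]},
    {"recordType": "MX", "resolve": "furth.com.ar", "resolveType": "domain",
     "firstSeen": "2020-06-17 05:26:33", "lastSeen": "2020-06-17 05:26:33", "source": ["pingly"]},
]

# resolveType -> (standard-context key, field name). Types with no standard
# indicator (email, host, ...) are deliberately absent and are skipped.
INDICATOR_TYPES = {"domain": ("Domain", "Name"), "ip": ("IP", "Address")}


def build_indicator_context(records, vendor="PassiveTotal", score=0):
    """Route each resolve into DBotScore plus Domain/IP context, deduplicated
    and in order of first appearance. Score 0 is 'unknown', as in the page's
    example; a real integration would look up a reputation here."""
    context = {"DBotScore": [], "Domain": [], "IP": []}
    seen = set()
    for rec in records:
        rtype = rec["resolveType"]
        if rtype not in INDICATOR_TYPES:
            continue
        key = (rtype, rec["resolve"])
        if key in seen:
            continue
        seen.add(key)
        ctx_key, field = INDICATOR_TYPES[rtype]
        context["DBotScore"].append({"Indicator": rec["resolve"], "Type": rtype, "Vendor": vendor, "Score": score})
        context[ctx_key].append({field: rec["resolve"]})
    return context


def resolution_history(records, record_type="A"):
    """(resolve, firstSeen, lastSeen) for one record type, oldest first, which
    answers 'where did this name point, and when'."""
    rows = [(r["resolve"], r["firstSeen"], r["lastSeen"]) for r in records if r["recordType"] == record_type]
    return sorted(rows, key=lambda row: row[1])


def corroborated(records, min_sources=2):
    """Records reported by at least min_sources distinct sources; single-source
    observations deserve a second look before they drive a response."""
    return [r for r in records if len(set(r["source"])) >= min_sources]


if __name__ == "__main__":
    print(build_indicator_context(SAMPLE_PDNS))
    print(resolution_history(SAMPLE_PDNS))
    print([r["recordType"] for r in corroborated(SAMPLE_PDNS)])
```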

pt-ssl-cert-search

Retrieves SSL certificates for a given field value.

Base Command

pt-ssl-cert-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| field | Field by which to search. Allowed values: issuerSurname, subjectOrganizationName, issuerCountry, issuerOrganizationUnitName, fingerprint, subjectOrganizationUnitName, serialNumber, subjectEmailAddress, subjectCountry, issuerGivenName, subjectCommonName, issuerCommonName, issuerStateOrProvinceName, issuerProvince, subjectStateOrProvinceName, sha1, subjectStreetAddress, subjectSerialNumber, issuerOrganizationName, subjectSurname, subjectLocalityName, issuerStreetAddress, issuerLocalityName, subjectGivenName, subjectProvince, issuerSerialNumber, issuerEmailAddress | Required |
| query | Field value for which to search. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PassiveTotal.SSL.firstSeen | Number | Epoch timestamp when the SSL certificate was first identified by the system. |
| PassiveTotal.SSL.lastSeen | Number | The last seen epoch timestamp of the SSL certificate. |
| PassiveTotal.SSL.fingerprint | String | The fingerprint of the SSL certificate. |
| PassiveTotal.SSL.sslVersion | Number | The version of the certificate. |
| PassiveTotal.SSL.expirationDate | String | The expiry date of the certificate. |
| PassiveTotal.SSL.issueDate | String | The issue date of the certificate. |
| PassiveTotal.SSL.sha1 | String | SHA1 of the certificate. |
| PassiveTotal.SSL.serialNumber | String | The serial number of the certificate. |
| PassiveTotal.SSL.issuerCountry | String | The country name of the certificate issuer. |
| PassiveTotal.SSL.issuerStateOrProvinceName | String | The state or province name of the certificate issuer. |
| PassiveTotal.SSL.issuerCommonName | String | The common name of the issuer. |
| PassiveTotal.SSL.issuerEmailAddress | String | A contact email address of the certificate issuer. |
| PassiveTotal.SSL.issuerProvince | String | The province of the certificate issuer. |
| PassiveTotal.SSL.issuerOrganizationUnitName | String | The organization unit name of the certificate issuer. |
| PassiveTotal.SSL.issuerSurname | String | The surname of the certificate issuer. |
| PassiveTotal.SSL.issuerStreetAddress | String | The street address of the certificate issuer. |
| PassiveTotal.SSL.issuerLocalityName | String | The locality of the certificate issuer. |
| PassiveTotal.SSL.issuerSerialNumber | String | The serial number of the certificate issuer. |
| PassiveTotal.SSL.issuerOrganizationName | String | The organization name of the certificate issuer. |
| PassiveTotal.SSL.issuerGivenName | String | The given name of the certificate issuer. |
| PassiveTotal.SSL.subjectCommonName | String | The common name of the subject. |
| PassiveTotal.SSL.subjectOrganizationName | String | The organization name of the subject of the certificate. |
| PassiveTotal.SSL.subjectOrganizationUnitName | String | The organization unit name of the subject of the certificate. |
| PassiveTotal.SSL.subjectGivenName | String | The given name of the subject of the certificate. |
| PassiveTotal.SSL.subjectSurname | String | The surname of the subject of the certificate. |
| PassiveTotal.SSL.subjectLocalityName | String | The locality of the subject. |
| PassiveTotal.SSL.subjectEmailAddress | String | A contact email address of the subject. |
| PassiveTotal.SSL.subjectProvince | String | The province of the subject. |
| PassiveTotal.SSL.subjectStateOrProvinceName | String | The state or province name of the subject. |
| PassiveTotal.SSL.subjectSerialNumber | String | The serial number of the subject. |
| PassiveTotal.SSL.subjectStreetAddress | String | The street address of the subject. |
| PassiveTotal.SSL.subjectCountry | String | The country name of the subject from the certificate. |
| PassiveTotal.SSL.subjectAlternativeNames | String | Alternative names of the subject from the certificate details. |

Command Example

!pt-ssl-cert-search field=serialNumber query=61135c80f8ed28d2

Context Example

{
"PassiveTotal": {
"SSL": [
{
"expirationDate": "Apr 09 13:15:00 2019 GMT",
"fingerprint": "88:48:e8:68:b1:90:d0:fd:cb:6f:39:c3:7b:53:82:c8:7e:09:76:b0",
"firstSeen": 1547559631314,
"issueDate": "Jan 15 13:15:00 2019 GMT",
"issuerCommonName": "Google Internet Authority G3",
"issuerCountry": "US",
"issuerOrganizationName": "Google Trust Services",
"lastSeen": 1547607634446,
"serialNumber": "6995036355238373586",
"sha1": "8848e868b190d0fdcb6f39c37b5382c87e0976b0",
"sslVersion": "3",
"subjectAlternativeNames": [
"www.google.com"
],
"subjectCommonName": "www.google.com",
"subjectCountry": "US",
"subjectLocalityName": "Mountain View",
"subjectOrganizationName": "Google LLC",
"subjectProvince": "California",
"subjectStateOrProvinceName": "California"
},
{
"expirationDate": "Apr 09 13:15:00 2019 GMT",
"fingerprint": "99:5b:00:5f:44:be:53:bf:3e:59:21:90:1d:79:a9:8e:54:af:d3:29",
"firstSeen": 1548455641692,
"issueDate": "Jan 15 13:15:00 2019 GMT",
"issuerCommonName": "Google Internet Authority G3",
"issuerCountry": "US",
"issuerOrganizationName": "Google Trust Services",
"lastSeen": 1549571983939,
"serialNumber": "6995036355238373586",
"sha1": "995b005f44be53bf3e5921901d79a98e54afd329",
"sslVersion": "3",
"subjectAlternativeNames": [
"www.google.com"
],
"subjectCommonName": "www.google.com",
"subjectCountry": "US",
"subjectLocalityName": "Mountain View",
"subjectOrganizationName": "Google LLC",
"subjectProvince": "California",
"subjectStateOrProvinceName": "California"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 2

SSL certificate(s)

| Sha1 | Serial Number | Issued (GMT) | Expires (GMT) | SSL Version | First (GMT) | Last (GMT) | Issuer Common Name | Subject Common Name | Subject Alternative Names | Issuer Organization Name | Subject Organization Name | Subject Locality Name | Subject State/Province Name | Issuer Country | Subject Country |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8848e868b190d0fdcb6f39c37b5382c87e0976b0 | 6995036355238373586 | Jan 15 13:15:00 2019 GMT | Apr 09 13:15:00 2019 GMT | 3 | 2019-01-15 13:40:31 | 2019-01-16 03:00:34 | Google Internet Authority G3 | www.google.com | www.google.com | Google Trust Services | Google LLC | Mountain View | California | US | US |
| 995b005f44be53bf3e5921901d79a98e54afd329 | 6995036355238373586 | Jan 15 13:15:00 2019 GMT | Apr 09 13:15:00 2019 GMT | 3 | 2019-01-25 22:34:01 | 2019-02-07 20:39:43 | Google Internet Authority G3 | www.google.com | www.google.com | Google Trust Services | Google LLC | Mountain View | California | US | US |

pt-get-host-pairs

Retrieves the host attribute pairs related to a domain or IP address. A maximum of 2000 records is fetched.

Base Command

pt-get-host-pairs

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Domain or IP address you want to search host pairs for. | Required |
| direction | The direction of searching pair records for a given domain. Valid values: children, parents. | Required |
| start | Filter for records whose last seen is after this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |
| end | Filter for records whose first seen is before this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PassiveTotal.HostPair.firstSeen | Date | The date and time when the host pair was first observed. |
| PassiveTotal.HostPair.lastSeen | Date | The date and time when the host pair was most recently observed. |
| PassiveTotal.HostPair.cause | String | The cause of the relation between parent and child. |
| PassiveTotal.HostPair.parent | String | The hostname of the parent of the host pair. |
| PassiveTotal.HostPair.child | String | The hostname of the child of the host pair. |

Command Example

!pt-get-host-pairs direction=children query=ns1.furth.com.ar

Context Example

{
"PassiveTotal": {
"HostPair": [
{
"cause": "redirect",
"child": "furth.com.ar",
"firstSeen": "2020-05-29 07:05:22",
"lastSeen": "2020-06-10 11:53:23",
"parent": "ns1.furth.com.ar"
},
{
"cause": "parentPage",
"child": "ns1.furth.com.ar",
"firstSeen": "2020-05-02 06:47:23",
"lastSeen": "2020-06-08 03:08:38",
"parent": "ns1.furth.com.ar"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 2

HOST PAIRS

| Parent Hostname | Child Hostname | First (GMT) | Last (GMT) | Cause |
| --- | --- | --- | --- | --- |
| ns1.furth.com.ar | furth.com.ar | 2020-05-29 07:05:22 | 2020-06-10 11:53:23 | redirect |
| ns1.furth.com.ar | ns1.furth.com.ar | 2020-05-02 06:47:23 | 2020-06-08 03:08:38 | parentPage |
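Host pairs are directed edges (parent to child, labelled with a cause), and the Context Example shows the edge case to handle: a host can be paired with itself (ns1.furth.com.ar via parentPage). The added Python below (my code, not the integration's) looks up a host's children or parents from a pair list, mirroring the direction argument, and walks the pairs breadth-first with a visited set so self-pairs and loops terminate. The pair list is constructed from the page; the function names and the depth limit are mine.

```python
from collections import deque

# Constructed sample: the two pairs from the Context Example.
SAMPLE_PAIRS = [
    {"parent": "ns1.furth.com.ar", "child": "furth.com.ar", "cause": "redirect",
     "firstSeen": "2020-05-29 07:05:22", "lastSeen": "2020-06-10 11:53:23"},
    {"parent": "ns1.furth.com.ar", "child": "ns1.furth.com.ar", "cause": "parentPage",
     "firstSeen": "2020-05-02 06:47:23", "lastSeen": "2020-06-08 03:08:38"},
]


def related_hosts(pairs, host, direction, include_self=False):
    """{neighbour hostname: [causes]} in the requested direction; the same
    'children'/'parents' values the command's direction argument takes.
    Self-pairs are dropped unless include_self is set."""
    if direction not in ("children", "parents"):
        raise ValueError("direction must be 'children' or 'parents'")
    me, other = ("parent", "child") if direction == "children" else ("child", "parent")
    found = {}
    for pair in pairs:
        if pair[me] != host:
            continue
        neighbour = pair[other]
        if neighbour == host and not include_self:
            continue
        found.setdefault(neighbour, set()).add(pair["cause"])
    return {h: sorted(causes) for h, causes in found.items()}


def expand(pairs, root, direction, max_depth=2):
    """Breadth-first walk from root returning {hostname: depth}. The visited
    set (the depth dict) is what stops self-pairs and cycles from looping."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        host = queue.popleft()
        if depth[host] >= max_depth:
            continue
        for neighbour in related_hosts(pairs, host, direction):
            if neighbour not in depth:
                depth[neighbour] = depth[host] + 1
                queue.append(neighbour)
    return depth


if __name__ == "__main__":
    print(related_hosts(SAMPLE_PAIRS, "ns1.furth.com.ar", "children"))
    print(related_hosts(SAMPLE_PAIRS, "furth.com.ar", "parents"))
    print(expand(SAMPLE_PAIRS, "ns1.furth.com.ar", "children"))
```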

domain

Provides data enrichment for domains.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain to enrich. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name, for example: 'google.com'. |
| Domain.WHOIS.CreationDate | Date | The date that the domain was created. |
| Domain.WHOIS.UpdatedDate | Date | The date that the domain was last updated. |
| Domain.WHOIS.ExpirationDate | Date | The expiration date of the domain. |
| Domain.WHOIS.NameServers | String | Name servers of the domain. |
| Domain.Organization | String | The organization of the domain. |
| Domain.Admin.Email | String | The email address of the domain administrator. |
| Domain.Admin.Name | String | The name of the domain administrator. |
| Domain.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.Admin.Country | String | The country of the domain administrator. |
| Domain.Registrant.Email | String | The email address of the registrant. |
| Domain.Registrant.Name | String | The name of the registrant. |
| Domain.Registrant.Phone | String | The phone number for receiving abuse reports. |
| Domain.Registrant.Country | String | The country of the registrant. |
| Domain.WHOIS.Admin.Email | String | The email address of the domain administrator. |
| Domain.WHOIS.Admin.Name | String | The name of the domain administrator. |
| Domain.WHOIS.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.WHOIS.Admin.Country | String | The country of the domain administrator. |
| Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: 'GoDaddy'. |
| Domain.WHOIS.Registrant.Email | String | The email address of the registrant. |
| Domain.WHOIS.Registrant.Name | String | The name of the registrant. |
| Domain.WHOIS.Registrant.Phone | String | The phone number for receiving abuse reports. |
| Domain.WHOIS.Registrant.Country | String | The country of the registrant. |
| PassiveTotal.Domain.domain | String | The domain name, for example: 'google.com'. |
| PassiveTotal.Domain.registrar | String | The name of the registrar of the domain. |
| PassiveTotal.Domain.whoisServer | String | The WHOIS server that holds the registration details of the domain. |
| PassiveTotal.Domain.registered | Date | The date that the domain was registered. |
| PassiveTotal.Domain.expiresAt | Date | The expiration date of the domain. |
| PassiveTotal.Domain.registryUpdatedAt | Date | The date when the registry was last updated. |
| PassiveTotal.Domain.lastLoadedAt | Date | The date when the record was last loaded into the WHOIS database. |
| PassiveTotal.Domain.nameServers | String | Name servers of the domain. |
| PassiveTotal.Domain.organization | String | The organization of the domain. |
| PassiveTotal.Domain.name | String | Name of the domain. |
| PassiveTotal.Domain.telephone | String | Telephone number fetched from the WHOIS details of the domain. |
| PassiveTotal.Domain.contactEmail | String | Contact email address of the domain owner. |
| PassiveTotal.Domain.registrantEmail | String | The email address of the domain registrant. |
| PassiveTotal.Domain.registrantFax | String | The fax number of the domain registrant. |
| PassiveTotal.Domain.registrantName | String | The name of the domain registrant. |
| PassiveTotal.Domain.registrantOrganization | String | The organization of the domain registrant. |
| PassiveTotal.Domain.registrantStreet | String | The street of the domain registrant. |
| PassiveTotal.Domain.registrantCity | String | The city of the domain registrant. |
| PassiveTotal.Domain.registrantState | String | The state of the domain registrant. |
| PassiveTotal.Domain.registrantPostalCode | String | The postal code of the domain registrant. |
| PassiveTotal.Domain.registrantCountry | String | The country of the domain registrant. |
| PassiveTotal.Domain.registrantTelephone | String | The telephone number of the domain registrant. |
| PassiveTotal.Domain.adminEmail | String | The email address of the domain administrator. |
| PassiveTotal.Domain.adminFax | String | The fax number of the domain administrator. |
| PassiveTotal.Domain.adminName | String | The name of the domain administrator. |
| PassiveTotal.Domain.adminOrganization | String | The organization of the domain administrator. |
| PassiveTotal.Domain.adminStreet | String | The street of the domain administrator. |
| PassiveTotal.Domain.adminCity | String | The city of the domain administrator. |
| PassiveTotal.Domain.adminState | String | The state of the domain administrator. |
| PassiveTotal.Domain.adminPostalCode | String | The postal code of the domain administrator. |
| PassiveTotal.Domain.adminCountry | String | The country of the domain administrator. |
| PassiveTotal.Domain.adminTelephone | String | The telephone number of the domain administrator. |
| PassiveTotal.Domain.billingEmail | String | The email address of the domain billing contact. |
| PassiveTotal.Domain.billingFax | String | The fax number of the domain billing contact. |
| PassiveTotal.Domain.billingName | String | The name of the domain billing contact. |
| PassiveTotal.Domain.billingOrganization | String | The organization of the domain billing contact. |
| PassiveTotal.Domain.billingStreet | String | The street of the domain billing contact. |
| PassiveTotal.Domain.billingCity | String | The city of the domain billing contact. |
| PassiveTotal.Domain.billingState | String | The state of the domain billing contact. |
| PassiveTotal.Domain.billingPostalCode | String | The postal code of the domain billing contact. |
| PassiveTotal.Domain.billingCountry | String | The country of the domain billing contact. |
| PassiveTotal.Domain.billingTelephone | String | The telephone number of the domain billing contact. |
| PassiveTotal.Domain.techEmail | String | The email address of the domain technical contact. |
| PassiveTotal.Domain.techFax | String | The fax number of the domain technical contact. |
| PassiveTotal.Domain.techName | String | The name of the domain technical contact. |
| PassiveTotal.Domain.techOrganization | String | The organization of the domain technical contact. |
| PassiveTotal.Domain.techStreet | String | The street of the domain technical contact. |
| PassiveTotal.Domain.techCity | String | The city of the domain technical contact. |
| PassiveTotal.Domain.techState | String | The state of the domain technical contact. |
| PassiveTotal.Domain.techPostalCode | String | The postal code of the domain technical contact. |
| PassiveTotal.Domain.techCountry | String | The country of the domain technical contact. |
| PassiveTotal.Domain.techTelephone | String | The telephone number of the domain technical contact. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual DBot score. |

Command Example#

!domain domain=riskiq.com

Context Example#

{
"DBotScore": [
{
"Indicator": "riskiq.com",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
}
],
"Domain": [
{
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"Name": "riskiq.com",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Organization": "RiskIQ, Inc.",
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800",
"WHOIS": {
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800"
}
}
],
"PassiveTotal": {
"Domain": {
"adminCity": "san francisco",
"adminCountry": "us",
"adminEmail": "domains@riskiq.com",
"adminName": "Risk IQ",
"adminOrganization": "RiskIQ, Inc.",
"adminPostalCode": "94111",
"adminState": "california",
"adminStreet": "22 Battery Street\n10th Floor",
"adminTelephone": "18884154447",
"contactEmail": "domains@riskiq.com",
"domain": "riskiq.com",
"expiresAt": "2017-01-11T16:00:00.000-0800",
"lastLoadedAt": "2016-09-27T09:40:31.180-0700",
"name": "Risk IQ",
"nameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"organization": "RiskIQ, Inc.",
"registered": "2006-01-11T16:00:00.000-0800",
"registrantCity": "san francisco",
"registrantCountry": "us",
"registrantEmail": "domains@riskiq.com",
"registrantName": "Risk IQ",
"registrantOrganization": "RiskIQ, Inc.",
"registrantPostalCode": "94111",
"registrantState": "california",
"registrantStreet": "22 Battery Street\n10th Floor",
"registrantTelephone": "18884154447",
"registrar": "GODADDY.COM, LLC",
"registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
"techCity": "san francisco",
"techCountry": "us",
"techEmail": "domains@riskiq.com",
"techName": "Risk IQ",
"techOrganization": "RiskIQ, Inc.",
"techPostalCode": "94111",
"techState": "california",
"techStreet": "22 Battery Street\n10th Floor",
"techTelephone": "18884154447",
"telephone": "18884154447",
"whoisServer": "whois.godaddy.com"
}
}
}

Human Readable Output#

Domain(s)#

| Domain | WHOIS Server | Registrar | Contact Email | Name Servers | Registrant | Admin | Tech | Creation Date (GMT) | Expire Date (GMT) | Updated Date (GMT) | Last Scanned (GMT) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| riskiq.com | whois.godaddy.com | GODADDY.COM, LLC | domains@riskiq.com | luke.ns.cloudflare.com, serena.ns.cloudflare.com | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | 2006-01-11T16:00:00.000-0800 | 2017-01-11T16:00:00.000-0800 | 2014-12-08T16:00:00.000-0800 | 2016-09-27T09:40:31.180-0700 |

pt-get-services#


Retrieves the services exposed on recently open ports of an IP address.

Base Command#

pt-get-services

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address for which to search services. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PassiveTotal.Service.ip | String | IP address of the service. |
| PassiveTotal.Service.portNumber | Number | Port number on which recent services were running or current services are running. |
| PassiveTotal.Service.firstSeen | Date | The date and time when the service was started for the first time on the port. |
| PassiveTotal.Service.lastSeen | Date | The date and time when the service was most recently used on the port. |
| PassiveTotal.Service.lastScan | Date | The date and time when the system last scanned the port to check whether any service is running on it. |
| PassiveTotal.Service.count | Number | The total number of times the service was used on the port. |
| PassiveTotal.Service.status | String | The status of the service. |
| PassiveTotal.Service.protocol | String | The protocol used by the service. |
| PassiveTotal.Service.banners.banner | String | The description of the banner generated as a result of scanning. Can be in HTML format. |
| PassiveTotal.Service.banners.scanType | String | The type of scan when the banner was generated. |
| PassiveTotal.Service.banners.firstSeen | Date | The date and time when the scan started. |
| PassiveTotal.Service.banners.lastSeen | Date | The date and time when the scan ended. |
| PassiveTotal.Service.banners.count | Number | The total number of times the same label was generated while scanning. |
| PassiveTotal.Service.currentServices.firstSeen | Date | The date and time when the current service started. |
| PassiveTotal.Service.currentServices.lastSeen | Date | The date and time when the current service was most recently used. |
| PassiveTotal.Service.currentServices.version | String | The version of the current service. |
| PassiveTotal.Service.currentServices.category | String | The category of the current service. |
| PassiveTotal.Service.currentServices.label | String | The label of the current service. |
| PassiveTotal.Service.recentServices.firstSeen | Date | The date and time when the recent service started. |
| PassiveTotal.Service.recentServices.lastSeen | Date | The date and time when the recent service was most recently used. |
| PassiveTotal.Service.recentServices.version | String | The version of the recent service. |
| PassiveTotal.Service.recentServices.category | String | The category of the recent service. |
| PassiveTotal.Service.recentServices.label | String | The label of the recent service. |
| PassiveTotal.Service.mostRecentSslCert.firstSeen | Date | The timestamp in epoch when the most recent SSL certificate was identified by the system. |
| PassiveTotal.Service.mostRecentSslCert.lastSeen | Date | The timestamp in epoch when the most recent SSL certificate was last used. |
| PassiveTotal.Service.mostRecentSslCert.fingerprint | String | A fingerprint detail from the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.sslVersion | String | The version of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.expirationDate | Date | The expiry date and time of the most recent SSL certificate in GMT. |
| PassiveTotal.Service.mostRecentSslCert.issueDate | Date | The date and time in GMT when the most recent SSL certificate was issued. |
| PassiveTotal.Service.mostRecentSslCert.sha1 | String | SHA1 of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.serialNumber | String | The serial number of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectCountry | String | The name of the country of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerCommonName | String | The common name of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerProvince | String | The province of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectStateOrProvinceName | String | The state or province name of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectStreetAddress | String | The street address of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerStateOrProvinceName | String | The state or province name of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectSurname | String | The surname of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerCountry | String | The country of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectLocalityName | String | The subject locality name of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectAlternativeNames | String | List of alternative names of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerOrganizationUnitName | String | The organization unit name of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerOrganizationName | String | The organization name of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectEmailAddress | String | Email address of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectOrganizationName | String | The organization name of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerLocalityName | String | The name of the locality of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectCommonName | String | Common name of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectProvince | String | The province of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerGivenName | String | The given name of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectOrganizationUnitName | String | Subject organization unit name of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerEmailAddress | String | The email address of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectGivenName | String | Given name of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.subjectSerialNumber | String | The serial number of the subject of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerStreetAddress | String | The street address of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerSerialNumber | String | The serial number of the issuer of the most recent SSL certificate. |
| PassiveTotal.Service.mostRecentSslCert.issuerSurname | String | The surname of the issuer of the most recent SSL certificate. |

Command Example#

!pt-get-services ip=1.1.1.1

Context Example#

{
"PassiveTotal": {
"Service": [
{
"count": 42335,
"currentServices": [
{
"label": "Other Service"
}
],
"firstSeen": "2018-03-28 12:04:21",
"ip": "1.1.1.1",
"lastScan": "2021-03-06 02:28:14",
"lastSeen": "2021-03-04 05:11:29",
"portNumber": 53,
"protocol": "UDP",
"status": "filtered"
},
{
"banners": [
{
"banner": "<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n<body>\r\n<center><h1>301 Moved Permanently</h1></center>\r\n<hr/><center>cloudflare</center>\r\n</body>\r\n</html>\r\n",
"count": 3,
"firstSeen": "2021-03-05 13:56:20",
"lastSeen": "2021-03-06 00:20:32",
"scanType": "http"
}
],
"count": 1386,
"currentServices": [
{
"category": "Server",
"firstSeen": "2019-06-18 13:45:42",
"label": "CloudFlare",
"lastSeen": "2021-03-10 07:58:44"
},
{
"category": "Server",
"firstSeen": "2020-07-09 16:19:47",
"label": "cloudflare",
"lastSeen": "2021-03-10 05:59:33"
},
{
"category": "Server",
"firstSeen": "2018-07-02 11:46:37",
"label": "yunjiasu-nginx",
"lastSeen": "2021-03-09 02:26:20"
}
],
"firstSeen": "2018-04-01 00:38:56",
"ip": "1.1.1.1",
"lastScan": "2021-03-06 13:27:15",
"lastSeen": "2021-03-06 00:20:32",
"portNumber": 80,
"protocol": "TCP",
"recentServices": [
{
"category": "Server",
"firstSeen": "2020-03-18 20:37:06",
"label": "BigIP",
"lastSeen": "2021-03-05 21:31:27"
},
{
"category": "Server",
"firstSeen": "2020-06-11 11:50:49",
"label": "F5 BIG-IP load balancer httpd",
"lastSeen": "2021-03-05 21:31:27"
},
{
"category": "Server",
"firstSeen": "2020-10-27 12:39:22",
"label": "OpenResty web app server",
"lastSeen": "2021-02-27 19:59:14"
},
{
"category": "Server",
"firstSeen": "2019-02-09 11:59:43",
"label": "openresty",
"lastSeen": "2021-02-27 19:59:14"
},
{
"category": "Server",
"firstSeen": "2018-08-05 00:56:16",
"label": "Apache",
"lastSeen": "2020-11-09 07:02:20"
}
],
"status": "open"
},
{
"count": 41,
"currentServices": [
{
"label": "Other Service"
}
],
"firstSeen": "2020-02-29 04:02:09",
"ip": "1.1.1.1",
"lastScan": "2021-03-06 06:51:11",
"lastSeen": "2021-02-27 16:00:28",
"portNumber": 111,
"protocol": "UDP",
"status": "closed"
}
]
}
}

Human Readable Output#

Total Retrieved Record(s) 13#

Services#

| Port Number | Protocol | Status | Current Service Labels | First Seen Date (GMT) | Last Seen Date (GMT) | Last Scanned Date (GMT) |
| --- | --- | --- | --- | --- | --- | --- |
| 53 | UDP | filtered | Other Service | 2018-03-28 12:04:21 | 2021-03-04 05:11:29 | 2021-03-06 02:28:14 |
| 80 | TCP | open | CloudFlare, cloudflare, yunjiasu-nginx | 2018-04-01 00:38:56 | 2021-03-06 00:20:32 | 2021-03-06 13:27:15 |
| 111 | UDP | closed | Other Service | 2020-02-29 04:02:09 | 2021-02-27 16:00:28 | 2021-03-06 06:51:11 |
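As an added example (not part of the integration's own code), the following Python works over `PassiveTotal.Service` context entries as returned by `pt-get-services`: it rebuilds the Human Readable Output rows, lists the open ports, measures how far the last observation lags the last scan, and reports server labels that have dropped out of `currentServices` into `recentServices`, which is how an analyst spots a change of software behind an address. The sample records are an abbreviated, constructed copy of the context example above, not a live API response.

```python
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # timestamp format used in PassiveTotal.Service (GMT)

# Constructed sample: abbreviated copy of the PassiveTotal.Service context example
# for 1.1.1.1 shown on this page (not a live API response).
SAMPLE_SERVICES = [
    {
        "ip": "1.1.1.1", "portNumber": 53, "protocol": "UDP", "status": "filtered",
        "count": 42335, "currentServices": [{"label": "Other Service"}],
        "firstSeen": "2018-03-28 12:04:21", "lastSeen": "2021-03-04 05:11:29",
        "lastScan": "2021-03-06 02:28:14",
    },
    {
        "ip": "1.1.1.1", "portNumber": 80, "protocol": "TCP", "status": "open",
        "count": 1386,
        "banners": [{"banner": "<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n</html>\r\n",
                     "scanType": "http", "count": 3,
                     "firstSeen": "2021-03-05 13:56:20", "lastSeen": "2021-03-06 00:20:32"}],
        "currentServices": [
            {"category": "Server", "label": "CloudFlare",
             "firstSeen": "2019-06-18 13:45:42", "lastSeen": "2021-03-10 07:58:44"},
            {"category": "Server", "label": "cloudflare",
             "firstSeen": "2020-07-09 16:19:47", "lastSeen": "2021-03-10 05:59:33"},
            {"category": "Server", "label": "yunjiasu-nginx",
             "firstSeen": "2018-07-02 11:46:37", "lastSeen": "2021-03-09 02:26:20"},
        ],
        "recentServices": [
            {"category": "Server", "label": "BigIP",
             "firstSeen": "2020-03-18 20:37:06", "lastSeen": "2021-03-05 21:31:27"},
            {"category": "Server", "label": "F5 BIG-IP load balancer httpd",
             "firstSeen": "2020-06-11 11:50:49", "lastSeen": "2021-03-05 21:31:27"},
            {"category": "Server", "label": "OpenResty web app server",
             "firstSeen": "2020-10-27 12:39:22", "lastSeen": "2021-02-27 19:59:14"},
            {"category": "Server", "label": "openresty",
             "firstSeen": "2019-02-09 11:59:43", "lastSeen": "2021-02-27 19:59:14"},
            {"category": "Server", "label": "Apache",
             "firstSeen": "2018-08-05 00:56:16", "lastSeen": "2020-11-09 07:02:20"},
        ],
        "firstSeen": "2018-04-01 00:38:56", "lastSeen": "2021-03-06 00:20:32",
        "lastScan": "2021-03-06 13:27:15",
    },
    {
        "ip": "1.1.1.1", "portNumber": 111, "protocol": "UDP", "status": "closed",
        "count": 41, "currentServices": [{"label": "Other Service"}],
        "firstSeen": "2020-02-29 04:02:09", "lastSeen": "2021-02-27 16:00:28",
        "lastScan": "2021-03-06 06:51:11",
    },
]


def parse_ts(value):
    """Parse a 'yyyy-mm-dd hh:mm:ss' (GMT) timestamp from the context."""
    return datetime.strptime(value, TS_FORMAT)


def service_labels(record):
    """Join currentServices labels the way the Human Readable Output column does."""
    return ", ".join(s.get("label", "") for s in record.get("currentServices", []))


def to_table_row(record):
    """Build one 'Services' row with the same columns as the Human Readable Output."""
    return {
        "Port Number": record["portNumber"],
        "Protocol": record["protocol"],
        "Status": record["status"],
        "Current Service Labels": service_labels(record),
        "First Seen Date (GMT)": record["firstSeen"],
        "Last Seen Date (GMT)": record["lastSeen"],
        "Last Scanned Date (GMT)": record["lastScan"],
    }


def open_ports(records):
    """(port, protocol) pairs whose status is 'open', sorted by port number."""
    return sorted((r["portNumber"], r["protocol"]) for r in records if r.get("status") == "open")


def hours_since_last_seen(record):
    """Hours between the last observation of the service and the most recent scan.

    A large gap on a port still reported 'open' or 'filtered' means the service
    has not answered recently even though scanning continued."""
    gap = parse_ts(record["lastScan"]) - parse_ts(record["lastSeen"])
    return gap.total_seconds() / 3600


def retired_labels(record):
    """Labels present in recentServices but absent from currentServices,
    most recently seen first (sort is stable, so equal lastSeen keep their order)."""
    current = {s.get("label") for s in record.get("currentServices", [])}
    retired = [s for s in record.get("recentServices", []) if s.get("label") not in current]
    retired.sort(key=lambda s: s["lastSeen"], reverse=True)
    return [s["label"] for s in retired]


if __name__ == "__main__":
    for rec in SAMPLE_SERVICES:
        row = to_table_row(rec)
        print(row["Port Number"], row["Protocol"], row["Status"], "-", row["Current Service Labels"],
              "- last seen %.1f h before last scan" % hours_since_last_seen(rec))
    print("open ports:", open_ports(SAMPLE_SERVICES))
    print("labels retired on port 80:", retired_labels(SAMPLE_SERVICES[1]))
```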

pt-get-whois#


Gets WHOIS information records based on queries.

Base Command#

pt-get-whois

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Query value to use in the request. For example: riskiq.com, 1.1.1.1 | Required |
| history | Whether to return historical results. Valid values: true, false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PassiveTotal.WHOIS.domain | String | The domain name. For example: 'google.com'. |
| PassiveTotal.WHOIS.registrar | String | The name of the registrar of the domain. |
| PassiveTotal.WHOIS.whoisServer | String | The WHOIS server that holds the registration details of the domain. |
| PassiveTotal.WHOIS.registered | Date | The date that the domain was registered. |
| PassiveTotal.WHOIS.expiresAt | Date | The expiration date of the domain. |
| PassiveTotal.WHOIS.registryUpdatedAt | Date | The date when the registry was last updated. |
| PassiveTotal.WHOIS.lastLoadedAt | Date | The date when the record was last loaded into the WHOIS database. |
| PassiveTotal.WHOIS.nameServers | String | Name servers of the domain. |
| PassiveTotal.WHOIS.organization | String | The organization of the domain. |
| PassiveTotal.WHOIS.name | String | Name of the domain. |
| PassiveTotal.WHOIS.telephone | String | Telephone number fetched from the WHOIS details of the domain. |
| PassiveTotal.WHOIS.contactEmail | String | Contact email address of the domain owner. |
| PassiveTotal.WHOIS.registrantEmail | String | The email address of the domain registrant. |
| PassiveTotal.WHOIS.registrantFax | String | The fax number of the domain registrant. |
| PassiveTotal.WHOIS.registrantName | String | The name of the domain registrant. |
| PassiveTotal.WHOIS.registrantOrganization | String | The organization of the domain registrant. |
| PassiveTotal.WHOIS.registrantStreet | String | The street of the domain registrant. |
| PassiveTotal.WHOIS.registrantCity | String | The city of the domain registrant. |
| PassiveTotal.WHOIS.registrantState | String | The state of the domain registrant. |
| PassiveTotal.WHOIS.registrantPostalCode | String | The postal code of the domain registrant. |
| PassiveTotal.WHOIS.registrantCountry | String | The country of the domain registrant. |
| PassiveTotal.WHOIS.registrantTelephone | String | The telephone number of the domain registrant. |
| PassiveTotal.WHOIS.adminEmail | String | The email address of the domain administrator. |
| PassiveTotal.WHOIS.adminFax | String | The fax number of the domain administrator. |
| PassiveTotal.WHOIS.adminName | String | The name of the domain administrator. |
| PassiveTotal.WHOIS.adminOrganization | String | The organization of the domain administrator. |
| PassiveTotal.WHOIS.adminStreet | String | The street of the domain administrator. |
| PassiveTotal.WHOIS.adminCity | String | The city of the domain administrator. |
| PassiveTotal.WHOIS.adminState | String | The state of the domain administrator. |
| PassiveTotal.WHOIS.adminPostalCode | String | The postal code of the domain administrator. |
| PassiveTotal.WHOIS.adminCountry | String | The country of the domain administrator. |
| PassiveTotal.WHOIS.adminTelephone | String | The telephone number of the domain administrator. |
| PassiveTotal.WHOIS.billingEmail | String | The email address of the domain billing contact. |
| PassiveTotal.WHOIS.billingFax | String | The fax number of the domain billing contact. |
| PassiveTotal.WHOIS.billingName | String | The name of the domain billing contact. |
| PassiveTotal.WHOIS.billingOrganization | String | The organization of the domain billing contact. |
| PassiveTotal.WHOIS.billingStreet | String | The street of the domain billing contact. |
| PassiveTotal.WHOIS.billingCity | String | The city of the domain billing contact. |
| PassiveTotal.WHOIS.billingState | String | The state of the domain billing contact. |
| PassiveTotal.WHOIS.billingPostalCode | String | The postal code of the domain billing contact. |
| PassiveTotal.WHOIS.billingCountry | String | The country of the domain billing contact. |
| PassiveTotal.WHOIS.billingTelephone | String | The telephone number of the domain billing contact. |
| PassiveTotal.WHOIS.techEmail | String | The email address of the domain technical contact. |
| PassiveTotal.WHOIS.techFax | String | The fax number of the domain technical contact. |
| PassiveTotal.WHOIS.techName | String | The name of the domain technical contact. |
| PassiveTotal.WHOIS.techOrganization | String | The organization of the domain technical contact. |
| PassiveTotal.WHOIS.techStreet | String | The street of the domain technical contact. |
| PassiveTotal.WHOIS.techCity | String | The city of the domain technical contact. |
| PassiveTotal.WHOIS.techState | String | The state of the domain technical contact. |
| PassiveTotal.WHOIS.techPostalCode | String | The postal code of the domain technical contact. |
| PassiveTotal.WHOIS.techCountry | String | The country of the domain technical contact. |
| PassiveTotal.WHOIS.techTelephone | String | The telephone number of the domain technical contact. |

Command Example#

!pt-get-whois query=riskiq.com

Context Example#

{
"PassiveTotal": {
"WHOIS": {
"adminCity": "san francisco",
"adminCountry": "us",
"adminEmail": "domains@riskiq.com",
"adminName": "Risk IQ",
"adminOrganization": "RiskIQ, Inc.",
"adminPostalCode": "94111",
"adminState": "california",
"adminStreet": "22 Battery Street\n10th Floor",
"adminTelephone": "18884154447",
"contactEmail": "domains@riskiq.com",
"domain": "riskiq.com",
"expiresAt": "2017-01-11T16:00:00.000-0800",
"lastLoadedAt": "2016-09-27T09:40:31.180-0700",
"name": "Risk IQ",
"nameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"organization": "RiskIQ, Inc.",
"registered": "2006-01-11T16:00:00.000-0800",
"registrantCity": "san francisco",
"registrantCountry": "us",
"registrantEmail": "domains@riskiq.com",
"registrantName": "Risk IQ",
"registrantOrganization": "RiskIQ, Inc.",
"registrantPostalCode": "94111",
"registrantState": "california",
"registrantStreet": "22 Battery Street\n10th Floor",
"registrantTelephone": "18884154447",
"registrar": "GODADDY.COM, LLC",
"registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
"techCity": "san francisco",
"techCountry": "us",
"techEmail": "domains@riskiq.com",
"techName": "Risk IQ",
"techOrganization": "RiskIQ, Inc.",
"techPostalCode": "94111",
"techState": "california",
"techStreet": "22 Battery Street\n10th Floor",
"techTelephone": "18884154447",
"telephone": "18884154447",
"whoisServer": "whois.godaddy.com"
}
}
}

Human Readable Output#

Total Retrieved Record(s): 1#

Associated Domains#

| Domain | WHOIS Server | Registrar | Contact Email | Name Servers | Registrant | Admin | Tech | Creation Date (GMT) | Expire Date (GMT) | Updated Date (GMT) | Last Scanned (GMT) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| riskiq.com | whois.godaddy.com | GODADDY.COM, LLC | domains@riskiq.com | luke.ns.cloudflare.com, serena.ns.cloudflare.com | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | 2006-01-11T16:00:00.000-0800 | 2017-01-11T16:00:00.000-0800 | 2014-12-08T16:00:00.000-0800 | 2016-09-27T09:40:31.180-0700 |
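The `domain` and `pt-get-whois` sections above show the same raw `PassiveTotal.WHOIS` record once as-is and once mapped into the Cortex XSOAR `Domain` standard context with a `DBotScore` entry. As an added example (not the integration's own code) covering both sections, the following Python performs that mapping on a constructed subset of the riskiq.com record from the context examples, parses the offset-aware timestamps, and derives two values a playbook condition can act on: the registration age in days and whether the record has expired.

```python
from datetime import datetime

WHOIS_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2006-01-11T16:00:00.000-0800
DBOT_SCORE_NONE = 0  # XSOAR DBotScore value for "no verdict", as in the context example

# Constructed sample: subset of the pt-get-whois context example for riskiq.com above.
SAMPLE_WHOIS = {
    "domain": "riskiq.com",
    "registrar": "GODADDY.COM, LLC",
    "whoisServer": "whois.godaddy.com",
    "registered": "2006-01-11T16:00:00.000-0800",
    "expiresAt": "2017-01-11T16:00:00.000-0800",
    "registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
    "lastLoadedAt": "2016-09-27T09:40:31.180-0700",
    "nameServers": ["luke.ns.cloudflare.com", "serena.ns.cloudflare.com"],
    "organization": "RiskIQ, Inc.",
    "contactEmail": "domains@riskiq.com",
    "adminCountry": "us", "adminEmail": "domains@riskiq.com",
    "adminName": "Risk IQ", "adminTelephone": "18884154447",
    "registrantCountry": "us", "registrantEmail": "domains@riskiq.com",
    "registrantName": "Risk IQ", "registrantTelephone": "18884154447",
}


def parse_whois_ts(value):
    """Parse the offset-aware timestamps used in the PassiveTotal WHOIS record."""
    return datetime.strptime(value, WHOIS_TS_FORMAT)


def _contact(record, role):
    """Country/Email/Name/Phone block for one contact role ('admin' or 'registrant')."""
    return {
        "Country": record.get(role + "Country"),
        "Email": record.get(role + "Email"),
        "Name": record.get(role + "Name"),
        "Phone": record.get(role + "Telephone"),
    }


def to_domain_context(record):
    """Map a raw WHOIS record to the Domain standard context shown for !domain.

    As in the context example, the WHOIS fields appear both at the top level of
    Domain and nested under Domain.WHOIS."""
    whois = {
        "CreationDate": record.get("registered"),
        "ExpirationDate": record.get("expiresAt"),
        "UpdatedDate": record.get("registryUpdatedAt"),
        "NameServers": list(record.get("nameServers", [])),
        "Registrar": {"Name": record.get("registrar"), "AbuseEmail": None, "AbusePhone": None},
        "Admin": _contact(record, "admin"),
        "Registrant": _contact(record, "registrant"),
    }
    domain = {"Name": record["domain"], "Organization": record.get("organization")}
    domain.update(whois)
    domain["WHOIS"] = dict(whois)
    return domain


def to_dbot_score(record, score=DBOT_SCORE_NONE, vendor="PassiveTotal"):
    """DBotScore entry for the domain; WHOIS data alone yields no verdict (score 0)."""
    return {"Indicator": record["domain"], "Type": "domain", "Vendor": vendor, "Score": score}


def registration_age_days(record, as_of):
    """Whole days between the 'registered' date and as_of (an offset-aware datetime).

    Very young domains are a common triage signal; this turns the raw string
    into a number a playbook condition can compare against a threshold."""
    return (as_of - parse_whois_ts(record["registered"])).days


def is_expired(record, as_of):
    """True when 'expiresAt' lies before as_of (an offset-aware datetime)."""
    return parse_whois_ts(record["expiresAt"]) < as_of


if __name__ == "__main__":
    loaded_at = parse_whois_ts(SAMPLE_WHOIS["lastLoadedAt"])
    ctx = to_domain_context(SAMPLE_WHOIS)
    print(ctx["Name"], ctx["WHOIS"]["Registrar"]["Name"], ctx["Admin"]["Email"])
    print(to_dbot_score(SAMPLE_WHOIS))
    print("registration age at last load:", registration_age_days(SAMPLE_WHOIS, loaded_at), "days")
    print("expired at last load:", is_expired(SAMPLE_WHOIS, loaded_at))
    print("expired by 2021-03-06:", is_expired(SAMPLE_WHOIS, parse_whois_ts("2021-03-06T00:00:00.000+0000")))
```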

pt-get-cookies#


Retrieves cookie addresses or hostname information based on cookie name or domain.

Base Command#

pt-get-cookies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| search_by | Search cookie information by name or domain. Valid values: 1. get addresses by cookie domain, 2. get addresses by cookie name, 3. get hosts by cookie domain, 4. get hosts by cookie name. | Required |
| query | Name or domain of the cookie to search for. | Required |
| page | Page number for paging through results. Each page contains 2000 values. Default is 0. | Optional |
| sort | Field to sort the results on. Valid values: last seen, first seen. Default is last seen. | Optional |
| order | Order to return the results in. Valid values: asc, desc. Default is desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PassiveTotal.Cookie.hostname | String | The hostname/IP of the machine on which the cookie was found. |
| PassiveTotal.Cookie.cookieName | String | The name of the cookie that was found on the host. |
| PassiveTotal.Cookie.cookieDomain | String | The domain from which the cookie originated. |
| PassiveTotal.Cookie.firstSeen | Date | The date and time when the cookie was first observed. |
| PassiveTotal.Cookie.lastSeen | Date | The date and time when the cookie was most recently observed. |

Command Example#

!pt-get-cookies search_by="get hosts by cookie name" query=dummyCookie

Context Example#

{
"PassiveTotal": {
"Cookie": [
{
"cookieDomain": "dummy.domain",
"cookieName": "dummyCookie",
"firstSeen": "2016-11-22 03:36:07",
"hostname": "dummy.domain",
"lastSeen": "2017-07-27 21:05:10"
}
]
}
}

Human Readable Output#

Total Record(s): 1#

Total Retrieved Record(s): 1#

Cookies#

| Hostname | Cookie Name | Cookie Domain | First Seen Date (GMT) | Last Seen Date (GMT) |
| --- | --- | --- | --- | --- |
| dummy.domain | dummyCookie | dummy.domain | 2019-04-02 01:53:50 | 2021-01-22 07:15:13 |

pt-get-articles#


Retrieves information related to articles for a specific indicator.

Base Command#

pt-get-articles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Indicator value to search for in articles. For example: riskiq.com, 1.1.1.1 | Required |
| type | Type of the indicator. For example: domain, ip, url | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PassiveTotal.Article.guid | String | The global unique ID of the article. |
| PassiveTotal.Article.title | String | The title of the article. |
| PassiveTotal.Article.summary | String | The summary of the article. |
| PassiveTotal.Article.type | String | The type of the article. |
| PassiveTotal.Article.publishedDate | Date | The date and time on which the article was published. |
| PassiveTotal.Article.link | String | The link to the article for more details. |
| PassiveTotal.Article.categories | Unknown | An array of categories of the article. |
| PassiveTotal.Article.tags | Unknown | An array of tags for the article. |
| PassiveTotal.Article.indicators.type | String | The type of the indicator. |
| PassiveTotal.Article.indicators.count | Number | Total number of indicators of a particular type. |
| PassiveTotal.Article.indicators.values | Unknown | An array of values related to the indicators. |
| PassiveTotal.Article.indicators.source | String | The source of the indicator. |

Command Example#

!pt-get-articles query=dummy.com

Context Example#

{
"PassiveTotal": {
"Article": {
"categories": [
"Categories 1",
"Categories 2"
],
"guid": "12e123b1",
"indicators": [
{
"count": 1,
"source": "public",
"type": "domain",
"values": [
"dummy.com"
]
}
],
"link": "https://community.riskiq.com/article/12e123b1",
"publishedDate": "Mon Aug 29 20:00:00 VET 2016",
"summary": "Did you know that you can get all kinds of free stuff, just by giving out your personal information? The internet is full of these fake reward scams which RiskIQ's sytems surface every hour of the day.",
"tags": [
"fake rewards",
"playstation",
"scam"
],
"title": "Free PlayStations on the Internet are Probably an Online Scam",
"type": "public"
}
}
}

Human Readable Output#

Total Retrieved Record(s): 1#

Article(s)#

| GUID | Title | Summary | Type | Tags | Categories | Article Link | Published Date (GMT) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 12e123b1 | Free PlayStations on the Internet are Probably an Online Scam | Did you know that you can get all kinds of free stuff, just by giving out your personal information? The internet is full of these fake reward scams which RiskIQ's sytems surface every hour of the day. | public | fake rewards, playstation, scam | Categories 1, Categories 2 | https://community.riskiq.com/article/12e123b1 | Mon Aug 29 20:00:00 VET 2016 |