Skip to main content

PassiveTotal v2

This Integration is part of the PassiveTotal Pack.#

Analyze and understand threat infrastructure from a variety of sources-passive DNS, active DNS, WHOIS, SSL certificates and more-without devoting resources to time-intensive manual threat research and analysis. This integration was integrated and tested with enterprise version of PassiveTotal v2.

Configure PassiveTotal v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for PassiveTotal v2.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
urlAPI URLTrue
usernameUsernameTrue
secretAPI SecretTrue
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
request_timeoutHTTP(S) Request Timeout (in seconds)False
  1. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

pt-whois-search#


Gets WHOIS information records based on field matching queries.

Base Command#

pt-whois-search

Input#

Argument NameDescriptionRequired
queryQuery value to use in your request.Required
fieldWHOIS field to execute the search on: domain, email, name, organization, address, phone, nameserver.Required

Context Output#

PathTypeDescription
Domain.NameStringThe domain name, for example: 'google.com'.
Domain.WHOIS.CreationDateDateThe date that the domain was created.
Domain.WHOIS.UpdatedDateDateThe date that the domain was last updated.
Domain.WHOIS.ExpirationDateDateThe expiration date of the domain.
Domain.WHOIS.NameServersStringName servers of the domain.
Domain.OrganizationStringThe organization of the domain.
Domain.Admin.EmailStringThe email address of the domain administrator.
Domain.Admin.NameStringThe name of the domain administrator.
Domain.Admin.PhoneStringThe phone number of the domain administrator.
Domain.Admin.CountryStringThe country of the domain administrator.
Domain.Registrant.EmailStringThe email address of the registrant.
Domain.Registrant.NameStringThe name of the registrant.
Domain.Registrant.PhoneStringThe phone number for receiving abuse reports.
Domain.Registrant.CountryStringThe country of the registrant.
Domain.WHOIS.Admin.EmailStringThe email address of the domain administrator.
Domain.WHOIS.Admin.NameStringThe name of the domain administrator.
Domain.WHOIS.Admin.PhoneStringThe phone number of the domain administrator.
Domain.WHOIS.Admin.CountryStringThe country of the domain administrator.
Domain.WHOIS.Registrar.NameStringThe name of the registrar, for example: 'GoDaddy'.
Domain.WHOIS.Registrant.EmailStringThe email address of the registrant.
Domain.WHOIS.Registrant.NameStringThe name of the registrant.
Domain.WHOIS.Registrant.PhoneStringThe phone number for receiving abuse reports.
Domain.WHOIS.Registrant.CountryStringThe country of the registrant.
PassiveTotal.WHOIS.domainStringThe domain name, for example: 'google.com'.
PassiveTotal.WHOIS.registrarStringThe name of the registrar of the domain
PassiveTotal.WHOIS.whoisServerStringWHOIS server name where the details of domain registrations belong
PassiveTotal.WHOIS.registeredDateThe date that the domain was registered.
PassiveTotal.WHOIS.expiresAtDateThe expiration date of the domain.
PassiveTotal.WHOIS.registryUpdatedAtDateThe date when registry was last updated.
PassiveTotal.WHOIS.lastLoadedAtDateLast loaded date of WHOIS database.
PassiveTotal.WHOIS.nameServersStringName servers of the domain.
PassiveTotal.WHOIS.organizationStringThe organization of the domain.
PassiveTotal.WHOIS.nameStringName of the domain.
PassiveTotal.WHOIS.telephoneStringTelephone number fetched from whois details of the domain.
PassiveTotal.WHOIS.contactEmailStringContact Email address of the domain owner
PassiveTotal.WHOIS.registrantEmailStringThe name of the domain registrant.
PassiveTotal.WHOIS.registrantFaxStringThe fax number of the domain registrant.
PassiveTotal.WHOIS.registrantNameStringThe name of the domain registrant.
PassiveTotal.WHOIS.registrantOrganizationStringThe organizations of the domain registrant.
PassiveTotal.WHOIS.registrantStreetStringThe street of the domain registrant.
PassiveTotal.WHOIS.registrantCityStringThe city of the domain registrant.
PassiveTotal.WHOIS.registrantStateStringThe state of the domain registrant.
PassiveTotal.WHOIS.registrantPostalCodeStringThe postal code of the domain registrant.
PassiveTotal.WHOIS.registrantCountryStringThe country of the domain registrant.
PassiveTotal.WHOIS.registrantTelephoneStringThe telephone number of the domain registrant.
PassiveTotal.WHOIS.adminEmailStringThe email address of the domain administrator.
PassiveTotal.WHOIS.adminFaxStringThe fax number of the domain administrator.
PassiveTotal.WHOIS.adminNameStringThe name of the domain administrator.
PassiveTotal.WHOIS.adminOrganizationStringThe organizations of the domain administrator.
PassiveTotal.WHOIS.adminStreetStringThe street of the domain administrator.
PassiveTotal.WHOIS.adminCityStringThe city of the domain administrator.
PassiveTotal.WHOIS.adminStateStringThe state of the domain administrator.
PassiveTotal.WHOIS.adminPostalCodeStringThe postal code of the domain administrator.
PassiveTotal.WHOIS.adminCountryStringThe country of the domain administrator.
PassiveTotal.WHOIS.adminTelephoneStringThe telephone number of the domain administrator.
PassiveTotal.WHOIS.billingEmailStringThe email address of the domain billing.
PassiveTotal.WHOIS.billingFaxStringThe fax number of the domain billing.
PassiveTotal.WHOIS.billingNameStringThe name of the domain billing.
PassiveTotal.WHOIS.billingOrganizationStringThe organizations of the domain billing.
PassiveTotal.WHOIS.billingStreetStringThe street of the domain billing.
PassiveTotal.WHOIS.billingCityStringThe city of the domain billing.
PassiveTotal.WHOIS.billingStateStringThe state of the domain billing.
PassiveTotal.WHOIS.billingPostalCodeStringThe postal code of the domain billing.
PassiveTotal.WHOIS.billingCountryStringThe country of the domain billing.
PassiveTotal.WHOIS.billingTelephoneStringThe telephone number of the domain billing.
PassiveTotal.WHOIS.techEmailStringThe email address of the domain tech.
PassiveTotal.WHOIS.techFaxStringThe fax number of the domain tech.
PassiveTotal.WHOIS.techNameStringThe name of the domain tech.
PassiveTotal.WHOIS.techOrganizationStringThe organizations of domain tech.
PassiveTotal.WHOIS.techStreetStringThe street of the domain tech.
PassiveTotal.WHOIS.techCityStringThe city of the domain tech.
PassiveTotal.WHOIS.techStateStringThe state of the domain tech.
PassiveTotal.WHOIS.techPostalCodeStringThe postal code of the domain tech.
PassiveTotal.WHOIS.techCountryStringThe country of the domain tech.
PassiveTotal.WHOIS.techTelephoneStringThe telephone number of the domain tech.

Command Example#

!pt-whois-search field=domain query=riskiq.com

Context Example#

{
"DBotScore": [
{
"Indicator": "riskiq.com",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
}
],
"Domain": [
{
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"Name": "riskiq.com",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Organization": "RiskIQ, Inc.",
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800",
"WHOIS": {
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800"
}
}
],
"PassiveTotal": {
"WHOIS": {
"adminCity": "san francisco",
"adminCountry": "us",
"adminEmail": "domains@riskiq.com",
"adminName": "Risk IQ",
"adminOrganization": "RiskIQ, Inc.",
"adminPostalCode": "94111",
"adminState": "california",
"adminStreet": "22 Battery Street\n10th Floor",
"adminTelephone": "18884154447",
"contactEmail": "domains@riskiq.com",
"domain": "riskiq.com",
"expiresAt": "2017-01-11T16:00:00.000-0800",
"lastLoadedAt": "2016-09-27T09:40:31.180-0700",
"name": "Risk IQ",
"nameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"organization": "RiskIQ, Inc.",
"registered": "2006-01-11T16:00:00.000-0800",
"registrantCity": "san francisco",
"registrantCountry": "us",
"registrantEmail": "domains@riskiq.com",
"registrantName": "Risk IQ",
"registrantOrganization": "RiskIQ, Inc.",
"registrantPostalCode": "94111",
"registrantState": "california",
"registrantStreet": "22 Battery Street\n10th Floor",
"registrantTelephone": "18884154447",
"registrar": "GODADDY.COM, LLC",
"registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
"techCity": "san francisco",
"techCountry": "us",
"techEmail": "domains@riskiq.com",
"techName": "Risk IQ",
"techOrganization": "RiskIQ, Inc.",
"techPostalCode": "94111",
"techState": "california",
"techStreet": "22 Battery Street\n10th Floor",
"techTelephone": "18884154447",
"telephone": "18884154447",
"whoisServer": "whois.godaddy.com"
}
}
}

Human Readable Output#

Total Retrieved Record(s): 2#

Associated Domains#

DomainWHOIS ServerRegistrarContact EmailName ServersRegistrantAdminTechCreation Date (GMT)Expire Date (GMT)Updated Date (GMT)Last Scanned (GMT)
riskiq.comwhois.godaddy.comGODADDY.COM, LLCdomains@riskiq.comluke.ns.cloudflare.com, serena.ns.cloudflare.comCity: san francisco,
Country: us,
Email: domains@riskiq.com,
Name: Risk IQ,
Organization: RiskIQ, Inc.,
PostalCode: 94111,
State: california,
Street: 22 Battery Street
10th Floor,
Telephone: 18884154447
City: san francisco,
Country: us,
Email: domains@riskiq.com,
Name: Risk IQ,
Organization: RiskIQ, Inc.,
PostalCode: 94111,
State: california,
Street: 22 Battery Street
10th Floor,
Telephone: 18884154447
City: san francisco,
Country: us,
Email: domains@riskiq.com,
Name: Risk IQ,
Organization: RiskIQ, Inc.,
PostalCode: 94111,
State: california,
Street: 22 Battery Street
10th Floor,
Telephone: 18884154447
2006-01-11T16:00:00.000-08002017-01-11T16:00:00.000-08002014-12-08T16:00:00.000-08002016-09-27T09:40:31.180-0700

pt-get-components#


Retrieves the host attribute components for a domain or IP address. Maximum 2000 records are fetched.

Base Command#

pt-get-components

Input#

Argument NameDescriptionRequired
queryDomain or IP address you want to search components for.Required
startFilter for records whose last seen is after this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format.Optional
endFilter for records whose first seen is before this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format.Optional

Context Output#

PathTypeDescription
Domain.NameStringThe domain name, for example: "google.com".
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
IP.AddressStringThe IP Address of the component.
PassiveTotal.Component.firstSeenDateThe date and time when the component was first observed.
PassiveTotal.Component.lastSeenDateThe date and time when the component was most recently observed.
PassiveTotal.Component.versionStringThe current version of component.
PassiveTotal.Component.categoryStringThe category under which the component falls.
PassiveTotal.Component.labelStringThe value of the component.
PassiveTotal.Component.hostnameStringThe hostname of the component.
PassiveTotal.Component.addressStringThe IP address of the component.

Command Example#

!pt-get-components query=www.furth.com.ar

Context Example#

{
"DBotScore": {
"Indicator": "www.furth.com.ar",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
},
"Domain": {
"Name": "www.furth.com.ar"
},
"PassiveTotal": {
"Component": [
{
"category": "Framework",
"firstSeen": "2020-05-29 10:57:44",
"hostname": "www.furth.com.ar",
"label": "PHP",
"lastSeen": "2020-05-29 10:57:44"
},
{
"category": "Server",
"firstSeen": "2020-05-29 10:57:44",
"hostname": "www.furth.com.ar",
"label": "Apache",
"lastSeen": "2020-05-29 10:57:44"
},
{
"category": "Server Module",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "mod_bwlimited",
"lastSeen": "2017-10-24 15:53:52",
"version": "1.4"
},
{
"category": "Server Module",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "OpenSSL",
"lastSeen": "2017-10-24 15:53:52",
"version": "1.0.1e-fips"
},
{
"category": "Server",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "Apache",
"lastSeen": "2017-10-24 15:53:52",
"version": "2.2.29"
},
{
"category": "Operating System",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "Unix",
"lastSeen": "2017-10-24 15:53:52"
},
{
"category": "Server Module",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "mod_ssl",
"lastSeen": "2017-10-24 15:53:52",
"version": "2.2.29"
}
]
}
}

Human Readable Output#

Total Retrieved Record(s): 7#

COMPONENTS#

HostnameFirst (GMT)Last (GMT)CategoryValueVersion
www.furth.com.ar2020-05-29 10:57:442020-05-29 10:57:44FrameworkPHP
www.furth.com.ar2020-05-29 10:57:442020-05-29 10:57:44ServerApache
www.furth.com.ar2016-01-11 23:45:152017-10-24 15:53:52Server Modulemod_bwlimited1.4
www.furth.com.ar2016-01-11 23:45:152017-10-24 15:53:52Server ModuleOpenSSL1.0.1e-fips
www.furth.com.ar2016-01-11 23:45:152017-10-24 15:53:52ServerApache2.2.29
www.furth.com.ar2016-01-11 23:45:152017-10-24 15:53:52Operating SystemUnix
www.furth.com.ar2016-01-11 23:45:152017-10-24 15:53:52Server Modulemod_ssl2.2.29

pt-get-trackers#


Retrieves the host attribute trackers for a domain or IP address. Maximum 2000 records are fetched.

Base Command#

pt-get-trackers

Input#

Argument NameDescriptionRequired
queryDomain or IP address you want to search trackers for.Required
startFilter for records whose last seen is after this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format.Optional
endFilter for records whose first seen is before this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format.Optional

Context Output#

PathTypeDescription
Domain.NameStringThe domain name, for example: "google.com".
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
IP.AddressStringThe IP Address of the component.
PassiveTotal.Tracker.firstSeenDateThe date and time when the tracker was first observed.
PassiveTotal.Tracker.lastSeenDateThe date and time when the tracker was most recently observed.
PassiveTotal.Tracker.attributeValueStringThe value of the tracker.
PassiveTotal.Tracker.attributeTypeStringThe type under which the tracker falls.
PassiveTotal.Tracker.hostnameStringThe hostname of the tracker.
PassiveTotal.Tracker.addressStringThe IP address of the tracker.

Command Example#

!pt-get-trackers query=filmesonlinegratis.net

Context Example#

{
"DBotScore": [
{
"Indicator": "filmesonlinegratis.net",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
},
{
"Indicator": "www.filmesonlinegratis.net",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
}
],
"Domain": [
{
"Name": "filmesonlinegratis.net"
},
{
"Name": "www.filmesonlinegratis.net"
}
],
"PassiveTotal": {
"Tracker": [
{
"attributeType": "GoogleAnalyticsTrackingId",
"attributeValue": "ua-70630818-3",
"firstSeen": "2016-10-14 10:16:38",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2020-06-14 19:43:28"
},
{
"attributeType": "GoogleAnalyticsAccountNumber",
"attributeValue": "ua-70630818",
"firstSeen": "2016-10-14 10:16:38",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2020-06-14 19:43:28"
},
{
"attributeType": "GoogleAnalyticsAccountNumber",
"attributeValue": "ua-11598035",
"firstSeen": "2012-03-07 05:53:50",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2016-10-13 15:38:35"
},
{
"attributeType": "GoogleAnalyticsTrackingId",
"attributeValue": "ua-11598035-1",
"firstSeen": "2012-03-07 05:53:50",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2016-10-13 15:38:35"
},
{
"attributeType": "GoogleAnalyticsTrackingId",
"attributeValue": "ua-11598035-1",
"firstSeen": "2014-02-11 01:30:40",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2016-09-13 03:54:34"
},
{
"attributeType": "GoogleAnalyticsAccountNumber",
"attributeValue": "ua-11598035",
"firstSeen": "2014-02-11 01:30:40",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2016-09-13 03:54:34"
},
{
"attributeType": "TumblrId",
"attributeValue": "25.media",
"firstSeen": "2016-07-02 00:46:33",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2016-09-02 11:09:30"
},
{
"attributeType": "FacebookId",
"attributeValue": "filmesog",
"firstSeen": "2012-11-27 06:06:44",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2015-09-26 05:52:23"
},
{
"attributeType": "FacebookId",
"attributeValue": "filmesog",
"firstSeen": "2014-02-11 01:30:40",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2015-09-24 05:12:39"
},
{
"attributeType": "WhosAmungUsId",
"attributeValue": "6cdg",
"firstSeen": "2012-03-07 05:53:50",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2012-03-07 16:00:45"
}
]
}
}

Human Readable Output#

Total Retrieved Record(s): 10#

TRACKERS#

HostnameFirst (GMT)Last (GMT)TypeValue
filmesonlinegratis.net2016-10-14 10:16:382020-06-14 19:43:28GoogleAnalyticsTrackingIdua-70630818-3
filmesonlinegratis.net2016-10-14 10:16:382020-06-14 19:43:28GoogleAnalyticsAccountNumberua-70630818
www.filmesonlinegratis.net2012-03-07 05:53:502016-10-13 15:38:35GoogleAnalyticsAccountNumberua-11598035
www.filmesonlinegratis.net2012-03-07 05:53:502016-10-13 15:38:35GoogleAnalyticsTrackingIdua-11598035-1
filmesonlinegratis.net2014-02-11 01:30:402016-09-13 03:54:34GoogleAnalyticsTrackingIdua-11598035-1
filmesonlinegratis.net2014-02-11 01:30:402016-09-13 03:54:34GoogleAnalyticsAccountNumberua-11598035
www.filmesonlinegratis.net2016-07-02 00:46:332016-09-02 11:09:30TumblrId25.media
www.filmesonlinegratis.net2012-11-27 06:06:442015-09-26 05:52:23FacebookIdfilmesog
filmesonlinegratis.net2014-02-11 01:30:402015-09-24 05:12:39FacebookIdfilmesog
www.filmesonlinegratis.net2012-03-07 05:53:502012-03-07 16:00:45WhosAmungUsId6cdg

pt-get-pdns-details#


Retrieves the passive DNS results from active account sources.

Base Command#

pt-get-pdns-details

Input#

Argument NameDescriptionRequired
queryThe domain or IP being queried.Required
startFilter for records whose last seen is after this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format.Optional
endFilter for records whose first seen is before this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format.Optional

Context Output#

PathTypeDescription
PassiveTotal.PDNS.resolveStringThe host or ip address that indicates resolve in Passive DNS record.
PassiveTotal.PDNS.resolveTypeStringThe type of the resolve. I.e domain, ip, host, etc.
PassiveTotal.PDNS.valueStringThe value of the Passive DNS record.
PassiveTotal.PDNS.sourceStringSource of the passive DNS records.
PassiveTotal.PDNS.firstSeenStringFirst seen timestamp of the passive DNS record.
PassiveTotal.PDNS.lastSeenStringLast seen timestamp of the passive DNS record.
PassiveTotal.PDNS.collectedStringThe date when a passive DNS record is collected.
PassiveTotal.PDNS.recordTypeStringThe type of the passive DNS record. I.e CNAME, SOA, A, etc
PassiveTotal.PDNS.recordHashStringThe hash value of the passive DNS record.
Domain.NameStringThe domain name, for example: 'google.com'.
IP.AddressStringThe IP Address of the component.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.

Command Example#

!pt-get-pdns-details query=www.furth.com.ar

Context Example#

{
"DBotScore": [
{
"Indicator": "furth.com.ar",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
},
{
"Indicator": "77.81.241.5",
"Score": 0,
"Type": "ip",
"Vendor": "PassiveTotal"
},
{
"Indicator": "184.75.255.33",
"Score": 0,
"Type": "ip",
"Vendor": "PassiveTotal"
}
],
"Domain": {
"Name": "furth.com.ar"
},
"IP": [
{
"Address": "77.81.241.5"
},
{
"Address": "184.75.255.33"
}
],
"PassiveTotal": {
"PDNS": [
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2010-12-15 09:10:10",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "abf781b2484ea79d521cffb0745b71319d4db1158f71bb019b41077f8e55b035",
"recordType": "CNAME",
"resolve": "furth.com.ar",
"resolveType": "domain",
"source": [
"riskiq",
"pingly"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2020-05-29 03:57:44",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "d7183564ca617e173fc26aeff66a38bb5c1b9089e56819851183860b9a37ccca",
"recordType": "A",
"resolve": "77.81.241.5",
"resolveType": "ip",
"source": [
"riskiq",
"pingly"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2016-01-11 15:45:15",
"lastSeen": "2017-10-24 08:53:52",
"recordHash": "345780dcde96f0c28e3b93ec53bd33067f26075f30c2d4e49fafe0d2396194ca",
"recordType": "A",
"resolve": "184.75.255.33",
"resolveType": "ip",
"source": [
"riskiq"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2020-06-17 05:26:33",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "63deb7c38cbea98f631777fd3ba89de0c270178bd37eb6a270ee7e37b3cd92e5",
"recordType": "SOA",
"resolve": "webmaster@furth.com.ar",
"resolveType": "email",
"source": [
"pingly"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2020-06-17 05:26:33",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "24fa99da36eecc22b8970a33f8adf0f150598391319df4fc02128d677999e886",
"recordType": "MX",
"resolve": "furth.com.ar",
"resolveType": "domain",
"source": [
"pingly"
],
"value": "www.furth.com.ar"
}
]
}
}

Human Readable Output#

Total Retrieved Record(s): 5#

PDNS detail(s)#

ResolveResolve TypeRecord TypeCollected (GMT)First (GMT)Last (GMT)SourceRecord Hash
furth.com.ardomainCNAME2020-06-17 12:26:332010-12-15 09:10:102020-06-17 05:26:33riskiq, pinglyabf781b2484ea79d521cffb0745b71319d4db1158f71bb019b41077f8e55b035
77.81.241.5ipA2020-06-17 12:26:332020-05-29 03:57:442020-06-17 05:26:33riskiq, pinglyd7183564ca617e173fc26aeff66a38bb5c1b9089e56819851183860b9a37ccca
184.75.255.33ipA2020-06-17 12:26:332016-01-11 15:45:152017-10-24 08:53:52riskiq345780dcde96f0c28e3b93ec53bd33067f26075f30c2d4e49fafe0d2396194ca
webmaster@furth.com.aremailSOA2020-06-17 12:26:332020-06-17 05:26:332020-06-17 05:26:33pingly63deb7c38cbea98f631777fd3ba89de0c270178bd37eb6a270ee7e37b3cd92e5
furth.com.ardomainMX2020-06-17 12:26:332020-06-17 05:26:332020-06-17 05:26:33pingly24fa99da36eecc22b8970a33f8adf0f150598391319df4fc02128d677999e886

pt-ssl-cert-search#


Retrieves SSL certificates for a given field value.

Base Command#

pt-ssl-cert-search

Input#

Argument NameDescriptionRequired
fieldField by which to search.

Allowed values: issuerSurname, subjectOrganizationName, issuerCountry, issuerOrganizationUnitName, fingerprint, subjectOrganizationUnitName, serialNumber, subjectEmailAddress, subjectCountry, issuerGivenName, subjectCommonName, issuerCommonName, issuerStateOrProvinceName, issuerProvince, subjectStateOrProvinceName, sha1, subjectStreetAddress, subjectSerialNumber, issuerOrganizationName, subjectSurname, subjectLocalityName, issuerStreetAddress, issuerLocalityName, subjectGivenName, subjectProvince, issuerSerialNumber, issuerEmailAddress
Required
queryField value for which to search.Required

Context Output#

PathTypeDescription
PassiveTotal.SSL.firstSeenNumberEpoch timestamp when SSL certificate identified by the system.
PassiveTotal.SSL.lastSeenNumberThe last seen epoch timestamp of the SSL certificates.
PassiveTotal.SSL.fingerprintStringA fingerprint detail from the SSL certificates.
PassiveTotal.SSL.sslVersionNumberA version of the certificate.
PassiveTotal.SSL.expirationDateStringThe expiry date of the certificate.
PassiveTotal.SSL.issueDateStringIssue date of the certificate.
PassiveTotal.SSL.sha1StringSha1 of the certificate.
PassiveTotal.SSL.serialNumberStringA serial number of the certificate.
PassiveTotal.SSL.issuerCountryStringThe country name of the certificate issuer.
PassiveTotal.SSL.issuerStateOrProvinceNameStringThe state or province name of the certificate issuer.
PassiveTotal.SSL.issuerCommonNameStringThe common name of the issuer.
PassiveTotal.SSL.issuerEmailAddressStringA contact email address of the certificate issuer.
PassiveTotal.SSL.issuerProvinceStringA province of the certificate issuer.
PassiveTotal.SSL.issuerOrganizationUnitNameStringAn organization unit name of the certificate issuer.
PassiveTotal.SSL.issuerSurnameStringThe surname of the certificate issuer.
PassiveTotal.SSL.issuerStreetAddressStringStreet address of the certificate issuer.
PassiveTotal.SSL.issuerLocalityNameStringThe locality of the certificate issuer.
PassiveTotal.SSL.issuerSerialNumberStringThe serial number of the certificate issuer.
PassiveTotal.SSL.issuerOrganizationNameStringAn organization name of the certificate issuer.
PassiveTotal.SSL.issuerGivenNameStringA given name of the certificate issuer.
PassiveTotal.SSL.subjectCommonNameStringThe common name of the subject.
PassiveTotal.SSL.subjectOrganizationNameStringAn organization name of the subject of the certificate.
PassiveTotal.SSL.subjectOrganizationUnitNameStringAn organization unit name of the subject of the certificate.
PassiveTotal.SSL.subjectGivenNameStringThe given name of the subject of the certificate.
PassiveTotal.SSL.subjectSurnameStringThe surname of the subject of the certificate.
PassiveTotal.SSL.subjectLocalityNameStringThe locality of the subject.
PassiveTotal.SSL.subjectEmailAddressStringA contact email address of the subject.
PassiveTotal.SSL.subjectProvinceStringThe province of the subject.
PassiveTotal.SSL.subjectStateOrProvinceNameStringThe state or province name of the subject.
PassiveTotal.SSL.subjectSerialNumberStringA serial number of the subject.
PassiveTotal.SSL.subjectStreetAddressStringThe street address of the subject.
PassiveTotal.SSL.subjectCountryStringThe country name of the subject from the certificate.
PassiveTotal.SSL.subjectAlternativeNamesStringAlternative names of the subject from the certificate details.

Command Example#

!pt-ssl-cert-search field=serialNumber query=61135c80f8ed28d2

Context Example#

{
"PassiveTotal": {
"SSL": [
{
"expirationDate": "Apr 09 13:15:00 2019 GMT",
"fingerprint": "88:48:e8:68:b1:90:d0:fd:cb:6f:39:c3:7b:53:82:c8:7e:09:76:b0",
"firstSeen": 1547559631314,
"issueDate": "Jan 15 13:15:00 2019 GMT",
"issuerCommonName": "Google Internet Authority G3",
"issuerCountry": "US",
"issuerOrganizationName": "Google Trust Services",
"lastSeen": 1547607634446,
"serialNumber": "6995036355238373586",
"sha1": "8848e868b190d0fdcb6f39c37b5382c87e0976b0",
"sslVersion": "3",
"subjectAlternativeNames": [
"www.google.com"
],
"subjectCommonName": "www.google.com",
"subjectCountry": "US",
"subjectLocalityName": "Mountain View",
"subjectOrganizationName": "Google LLC",
"subjectProvince": "California",
"subjectStateOrProvinceName": "California"
},
{
"expirationDate": "Apr 09 13:15:00 2019 GMT",
"fingerprint": "99:5b:00:5f:44:be:53:bf:3e:59:21:90:1d:79:a9:8e:54:af:d3:29",
"firstSeen": 1548455641692,
"issueDate": "Jan 15 13:15:00 2019 GMT",
"issuerCommonName": "Google Internet Authority G3",
"issuerCountry": "US",
"issuerOrganizationName": "Google Trust Services",
"lastSeen": 1549571983939,
"serialNumber": "6995036355238373586",
"sha1": "995b005f44be53bf3e5921901d79a98e54afd329",
"sslVersion": "3",
"subjectAlternativeNames": [
"www.google.com"
],
"subjectCommonName": "www.google.com",
"subjectCountry": "US",
"subjectLocalityName": "Mountain View",
"subjectOrganizationName": "Google LLC",
"subjectProvince": "California",
"subjectStateOrProvinceName": "California"
}
]
}
}

Human Readable Output#

Total Retrieved Record(s): 2#

SSL certificate(s)#

Sha1Serial NumberIssued (GMT)Expires (GMT)SSL VersionFirst (GMT)Last (GMT)Issuer Common NameSubject Common NameSubject Alternative NamesIssuer Organization NameSubject Organization NameSubject Locality NameSubject State/Province NameIssuer CountrySubject Country
8848e868b190d0fdcb6f39c37b5382c87e0976b06995036355238373586Jan 15 13:15:00 2019 GMTApr 09 13:15:00 2019 GMT32019-01-15 13:40:312019-01-16 03:00:34Google Internet Authority G3www.google.comwww.google.comGoogle Trust ServicesGoogle LLCMountain ViewCaliforniaUSUS
995b005f44be53bf3e5921901d79a98e54afd3296995036355238373586Jan 15 13:15:00 2019 GMTApr 09 13:15:00 2019 GMT32019-01-25 22:34:012019-02-07 20:39:43Google Internet Authority G3www.google.comwww.google.comGoogle Trust ServicesGoogle LLCMountain ViewCaliforniaUSUS

pt-get-host-pairs#


Retrieves the host attribute pairs related to a domain or IP address. Maximum 2000 records are fetched.

Base Command#

pt-get-host-pairs

Input#

Argument NameDescriptionRequired
queryDomain or IP address you want to search host-pairs for.Required
directionThe direction of searching pair records for a given domain. Valid values: children, parents.Required
startFilter for records whose last seen is after this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format.Optional
endFilter for records whose first seen is before this datetime. It accepts "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format.Optional

Context Output#

PathTypeDescription
PassiveTotal.HostPair.firstSeenDateThe date and time when the host pair was first observed.
PassiveTotal.HostPair.lastSeenDateThe date and time when the host pair was most recently observed.
PassiveTotal.HostPair.causeStringThe cause of relation between parent and child.
PassiveTotal.HostPair.parentStringThe hostname of the parent of the host pair.
PassiveTotal.HostPair.childStringThe hostname of the child of the host pair.

Command Example#

!pt-get-host-pairs direction=children query=ns1.furth.com.ar

Context Example#

{
"PassiveTotal": {
"HostPair": [
{
"cause": "redirect",
"child": "furth.com.ar",
"firstSeen": "2020-05-29 07:05:22",
"lastSeen": "2020-06-10 11:53:23",
"parent": "ns1.furth.com.ar"
},
{
"cause": "parentPage",
"child": "ns1.furth.com.ar",
"firstSeen": "2020-05-02 06:47:23",
"lastSeen": "2020-06-08 03:08:38",
"parent": "ns1.furth.com.ar"
}
]
}
}

Human Readable Output#

Total Retrieved Record(s): 2#

HOST PAIRS#

Parent HostnameChild HostnameFirst (GMT)Last (GMT)Cause
ns1.furth.com.arfurth.com.ar2020-05-29 07:05:222020-06-10 11:53:23redirect
ns1.furth.com.arns1.furth.com.ar2020-05-02 06:47:232020-06-08 03:08:38parentPage

domain#


Provides data enrichment for domains.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

domain

Input#

Argument NameDescriptionRequired
domainThe domain to enrich.Optional

Context Output#

PathTypeDescription
Domain.NameStringThe domain name, for example: 'google.com'.
Domain.WHOIS.CreationDateDateThe date that the domain was created.
Domain.WHOIS.UpdatedDateDateThe date that the domain was last updated.
Domain.WHOIS.ExpirationDateDateThe expiration date of the domain.
Domain.WHOIS.NameServersStringName servers of the domain.
Domain.OrganizationStringThe organization of the domain.
Domain.Admin.EmailStringThe email address of the domain administrator.
Domain.Admin.NameStringThe name of the domain administrator.
Domain.Admin.PhoneStringThe phone number of the domain administrator.
Domain.Admin.CountryStringThe country of the domain administrator.
Domain.Registrant.EmailStringThe email address of the registrant.
Domain.Registrant.NameStringThe name of the registrant.
Domain.Registrant.PhoneStringThe phone number for receiving abuse reports.
Domain.Registrant.CountryStringThe country of the registrant.
Domain.WHOIS.Admin.EmailStringThe email address of the domain administrator.
Domain.WHOIS.Admin.NameStringThe name of the domain administrator.
Domain.WHOIS.Admin.PhoneStringThe phone number of the domain administrator.
Domain.WHOIS.Admin.CountryStringThe country of the domain administrator.
Domain.WHOIS.Registrar.NameStringThe name of the registrar, for example: 'GoDaddy'.
Domain.WHOIS.Registrant.EmailStringThe email address of the registrant.
Domain.WHOIS.Registrant.NameStringThe name of the registrant.
Domain.WHOIS.Registrant.PhoneStringThe phone number for receiving abuse reports.
Domain.WHOIS.Registrant.CountryStringThe country of the registrant.
PassiveTotal.Domain.domainStringThe domain name, for example: 'google.com'.
PassiveTotal.Domain.registrarStringThe name of the registrar of the domain
PassiveTotal.Domain.whoisServerStringWHOIS server name where the details of domain registrations belong
PassiveTotal.Domain.registeredDateThe date that the domain was registered.
PassiveTotal.Domain.expiresAtDateThe expiration date of the domain.
PassiveTotal.Domain.registryUpdatedAtDateThe date when registry was last updated.
PassiveTotal.Domain.lastLoadedAtDateLast loaded date of WHOIS database.
PassiveTotal.Domain.nameServersStringName servers of the domain.
PassiveTotal.Domain.organizationStringThe organization of the domain.
PassiveTotal.Domain.nameStringName of the domain.
PassiveTotal.Domain.telephoneStringTelephone number fetched from whois details of the domain.
PassiveTotal.Domain.contactEmailStringContact Email address of the domain owner
PassiveTotal.Domain.registrantEmailStringThe name of the domain registrant.
PassiveTotal.Domain.registrantFaxStringThe fax number of the domain registrant.
PassiveTotal.Domain.registrantNameStringThe name of the domain registrant.
PassiveTotal.Domain.registrantOrganizationStringThe organizations of the domain registrant.
PassiveTotal.Domain.registrantStreetStringThe street of the domain registrant.
PassiveTotal.Domain.registrantCityStringThe city of the domain registrant.
PassiveTotal.Domain.registrantStateStringThe state of the domain registrant.
PassiveTotal.Domain.registrantPostalCodeStringThe postal code of the domain registrant.
PassiveTotal.Domain.registrantCountryStringThe country of the domain registrant.
PassiveTotal.Domain.registrantTelephoneStringThe telephone number of the domain registrant.
PassiveTotal.Domain.adminEmailStringThe email address of the domain administrator.
PassiveTotal.Domain.adminFaxStringThe fax number of the domain administrator.
PassiveTotal.Domain.adminNameStringThe name of the domain administrator.
PassiveTotal.Domain.adminOrganizationStringThe organizations of the domain administrator.
PassiveTotal.Domain.adminStreetStringThe street of the domain administrator.
PassiveTotal.Domain.adminCityStringThe city of the domain administrator.
PassiveTotal.Domain.adminStateStringThe state of the domain administrator.
PassiveTotal.Domain.adminPostalCodeStringThe postal code of the domain administrator.
PassiveTotal.Domain.adminCountryStringThe country of the domain administrator.
PassiveTotal.Domain.adminTelephoneStringThe telephone number of the domain administrator.
PassiveTotal.Domain.billingEmailStringThe email address of the domain billing.
PassiveTotal.Domain.billingFaxStringThe fax number of the domain billing.
PassiveTotal.Domain.billingNameStringThe name of the domain billing.
PassiveTotal.Domain.billingOrganizationStringThe organizations of the domain billing.
PassiveTotal.Domain.billingStreetStringThe street of the domain billing.
PassiveTotal.Domain.billingCityStringThe city of the domain billing.
PassiveTotal.Domain.billingStateStringThe state of the domain billing.
PassiveTotal.Domain.billingPostalCodeStringThe postal code of the domain billing.
PassiveTotal.Domain.billingCountryStringThe country of the domain billing.
PassiveTotal.Domain.billingTelephoneStringThe telephone number of the domain billing.
PassiveTotal.Domain.techEmailStringThe email address of the domain tech.
PassiveTotal.Domain.techFaxStringThe fax number of the domain tech.
PassiveTotal.Domain.techNameStringThe name of the domain tech.
PassiveTotal.Domain.techOrganizationStringThe organizations of domain tech.
PassiveTotal.Domain.techStreetStringThe street of the domain tech.
PassiveTotal.Domain.techCityStringThe city of the domain tech.
PassiveTotal.Domain.techStateStringThe state of the domain tech.
PassiveTotal.Domain.techPostalCodeStringThe postal code of the domain tech.
PassiveTotal.Domain.techCountryStringThe country of the domain tech.
PassiveTotal.Domain.techTelephoneStringThe telephone number of the domain tech.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual DBot score.
PassiveTotal.Domain.scoreNumberReputation score of the indicator.
PassiveTotal.Domain.classificationStringReputation classification of the indicator. (Can be GOOD, SUSPICIOUS, MALICIOUS, or UNKNOWN)
PassiveTotal.Domain.rules.nameStringName of the rule that informed the reputation score of the indicator.
PassiveTotal.Domain.rules.descriptionStringDescription of the rule.
PassiveTotal.Domain.rules.severityNumberSeverity of the rule.
PassiveTotal.Domain.rules.linkStringLink to the rule.

Command Example#

!domain domain=riskiq.com

Context Example#

{
"DBotScore": [
{
"Indicator": "riskiq.com",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
}
],
"Domain": [
{
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"Name": "riskiq.com",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Organization": "RiskIQ, Inc.",
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800",
"WHOIS": {
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800"
}
}
],
"PassiveTotal": {
"Domain": {
"adminCity": "san francisco",
"adminCountry": "us",
"adminEmail": "domains@riskiq.com",
"adminName": "Risk IQ",
"adminOrganization": "RiskIQ, Inc.",
"adminPostalCode": "94111",
"adminState": "california",
"adminStreet": "22 Battery Street\n10th Floor",
"adminTelephone": "18884154447",
"contactEmail": "domains@riskiq.com",
"domain": "riskiq.com",
"expiresAt": "2017-01-11T16:00:00.000-0800",
"lastLoadedAt": "2016-09-27T09:40:31.180-0700",
"name": "Risk IQ",
"nameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"organization": "RiskIQ, Inc.",
"registered": "2006-01-11T16:00:00.000-0800",
"registrantCity": "san francisco",
"registrantCountry": "us",
"registrantEmail": "domains@riskiq.com",
"registrantName": "Risk IQ",
"registrantOrganization": "RiskIQ, Inc.",
"registrantPostalCode": "94111",
"registrantState": "california",
"registrantStreet": "22 Battery Street\n10th Floor",
"registrantTelephone": "18884154447",
"registrar": "GODADDY.COM, LLC",
"registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
"techCity": "san francisco",
"techCountry": "us",
"techEmail": "domains@riskiq.com",
"techName": "Risk IQ",
"techOrganization": "RiskIQ, Inc.",
"techPostalCode": "94111",
"techState": "california",
"techStreet": "22 Battery Street\n10th Floor",
"techTelephone": "18884154447",
"telephone": "18884154447",
"whoisServer": "whois.godaddy.com",
"score": 3,
"classification": "UNKNOWN",
"rules": [
{
"name": "Open ports observed",
"description": "The number of open ports may indicate maliciousness",
"severity": 3
}
]
}
}
}

Human Readable Output#

Domain(s)#

DomainWHOIS ServerRegistrarContact EmailName ServersRegistrantAdminTechCreation Date (GMT)Expire Date (GMT)Updated Date (GMT)Last Scanned (GMT)
riskiq.comwhois.godaddy.comGODADDY.COM, LLCdomains@riskiq.comluke.ns.cloudflare.com, serena.ns.cloudflare.comCity: san francisco,
Country: us,
Email: domains@riskiq.com,
Name: Risk IQ,
Organization: RiskIQ, Inc.,
PostalCode: 94111,
State: california,
Street: 22 Battery Street
10th Floor,
Telephone: 18884154447
City: san francisco,
Country: us,
Email: domains@riskiq.com,
Name: Risk IQ,
Organization: RiskIQ, Inc.,
PostalCode: 94111,
State: california,
Street: 22 Battery Street
10th Floor,
Telephone: 18884154447
City: san francisco,
Country: us,
Email: domains@riskiq.com,
Name: Risk IQ,
Organization: RiskIQ, Inc.,
PostalCode: 94111,
State: california,
Street: 22 Battery Street
10th Floor,
Telephone: 18884154447
2006-01-11T16:00:00.000-08002017-01-11T16:00:00.000-08002014-12-08T16:00:00.000-08002016-09-27T09:40:31.180-0700

The reputation score for 'riskiq.com' is 3 and is classified as 'UNKNOWN'.

Reputation Rules#

NameDescriptionSeverity
Open ports observedThe number of open ports may indicate maliciousness3

pt-get-services#


Retrieves exposed services on the recently open ports for an IP address.

Base Command#

pt-get-services

Input#

Argument NameDescriptionRequired
ipIP address for which the user wants to search services for.Required

Context Output#

PathTypeDescription
PassiveTotal.Service.ipStringIP address of the service.
PassiveTotal.Service.portNumberNumberPort number on which recent services were running or current services are running.
PassiveTotal.Service.firstSeenDateThe date and time when the service was started for the first time on the port.
PassiveTotal.Service.lastSeenDateThe date and time when the service was most recently used on the port.
PassiveTotal.Service.lastScanDateThe date and time when the system performed the last scan to check whether any service is running on the port or not.
PassiveTotal.Service.countNumberThe total number of times service was used on the port.
PassiveTotal.Service.statusStringThe status of the service.
PassiveTotal.Service.protocolStringThe protocol used by the service.
PassiveTotal.Service.banners.bannerStringThe description of the banner generated as a result of scanning. Can be in HTML format.
PassiveTotal.Service.banners.scanTypeStringThe type of scan when the banner was generated.
PassiveTotal.Service.banners.firstSeenDateThe date and time when the scan started.
PassiveTotal.Service.banners.lastSeenDateThe date and time when the scan ended.
PassiveTotal.Service.banners.countNumberThe total number of times the same label was generated while scanning.
PassiveTotal.Service.currentServices.firstSeenDateThe date and time when the current service started.
PassiveTotal.Service.currentServices.lastSeenDateThe date and time when the current service was most recently used.
PassiveTotal.Service.currentServices.versionStringThe version of the current service.
PassiveTotal.Service.currentServices.categoryStringThe category of the current service.
PassiveTotal.Service.currentServices.labelStringThe label of the current service.
PassiveTotal.Service.recentServices.firstSeenDateThe date and time when the recent service started.
PassiveTotal.Service.recentServices.lastSeenDateThe date and time when the recent service was most recently used.
PassiveTotal.Service.recentServices.versionStringThe version of the recent service.
PassiveTotal.Service.recentServices.categoryStringThe category of the recent service.
PassiveTotal.Service.recentServices.labelStringThe label of the recent service.
PassiveTotal.Service.mostRecentSslCert.firstSeenDateThe timestamp in epoch when the most recent SSL certificate was identified by the system.
PassiveTotal.Service.mostRecentSslCert.lastSeenDateThe timestamp in epoch when the most recent SSL certificate was last used.
PassiveTotal.Service.mostRecentSslCert.fingerprintStringA fingerprint detail from the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.sslVersionStringThe version of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.expirationDateDateThe expiry date and time of the most recent SSL certificate in GMT.
PassiveTotal.Service.mostRecentSslCert.issueDateDateThe date and time in GMT when the most recent SSL certificate was issued.
PassiveTotal.Service.mostRecentSslCert.sha1StringSha1 of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.serialNumberStringThe serial Number of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectCountryStringThe name of the Country of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerCommonNameStringThe common name of the issuer of most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerProvinceStringThe province of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectStateOrProvinceNameStringThe state or province name of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectStreetAddressStringThe street address of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerStateOrProvinceNameStringThe state or province name of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectSurnameStringThe surname of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerCountryStringThe country of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectLocalityNameStringThe subject locality name of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectAlternativeNamesStringList of alternative names of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerOrganizationUnitNameStringThe name organization unit of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerOrganizationNameStringThe organization name of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectEmailAddressStringEmail Address of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectOrganizationNameStringThe organization name of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerLocalityNameStringThe name of the locality of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectCommonNameStringCommon name of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectProvinceStringThe province of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerGivenNameStringThe given name of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectOrganizationUnitNameStringSubject organization unit name of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerEmailAddressStringThe email address of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectGivenNameStringGiven name of the subject of the the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.subjectSerialNumberStringThe serial number of the subject of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerStreetAddressStringThe street Address of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerSerialNumberStringThe serial number of the issuer of the most recent SSL certificate.
PassiveTotal.Service.mostRecentSslCert.issuerSurnameStringThe surname of the issuer of the most recent SSL certificate.

Command Example#

!pt-get-services ip=1.1.1.1

Context Example#

{
"PassiveTotal": {
"Service": [
{
"count": 42335,
"currentServices": [
{
"label": "Other Service"
}
],
"firstSeen": "2018-03-28 12:04:21",
"ip": "1.1.1.1",
"lastScan": "2021-03-06 02:28:14",
"lastSeen": "2021-03-04 05:11:29",
"portNumber": 53,
"protocol": "UDP",
"status": "filtered"
},
{
"banners": [
{
"banner": "<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n<body>\r\n<center><h1>301 Moved Permanently</h1></center>\r\n<hr/><center>cloudflare</center>\r\n</body>\r\n</html>\r\n",
"count": 3,
"firstSeen": "2021-03-05 13:56:20",
"lastSeen": "2021-03-06 00:20:32",
"scanType": "http"
}
],
"count": 1386,
"currentServices": [
{
"category": "Server",
"firstSeen": "2019-06-18 13:45:42",
"label": "CloudFlare",
"lastSeen": "2021-03-10 07:58:44"
},
{
"category": "Server",
"firstSeen": "2020-07-09 16:19:47",
"label": "cloudflare",
"lastSeen": "2021-03-10 05:59:33"
},
{
"category": "Server",
"firstSeen": "2018-07-02 11:46:37",
"label": "yunjiasu-nginx",
"lastSeen": "2021-03-09 02:26:20"
}
],
"firstSeen": "2018-04-01 00:38:56",
"ip": "1.1.1.1",
"lastScan": "2021-03-06 13:27:15",
"lastSeen": "2021-03-06 00:20:32",
"portNumber": 80,
"protocol": "TCP",
"recentServices": [
{
"category": "Server",
"firstSeen": "2020-03-18 20:37:06",
"label": "BigIP",
"lastSeen": "2021-03-05 21:31:27"
},
{
"category": "Server",
"firstSeen": "2020-06-11 11:50:49",
"label": "F5 BIG-IP load balancer httpd",
"lastSeen": "2021-03-05 21:31:27"
},
{
"category": "Server",
"firstSeen": "2020-10-27 12:39:22",
"label": "OpenResty web app server",
"lastSeen": "2021-02-27 19:59:14"
},
{
"category": "Server",
"firstSeen": "2019-02-09 11:59:43",
"label": "openresty",
"lastSeen": "2021-02-27 19:59:14"
},
{
"category": "Server",
"firstSeen": "2018-08-05 00:56:16",
"label": "Apache",
"lastSeen": "2020-11-09 07:02:20"
}
],
"status": "open"
},
{
"count": 41,
"currentServices": [
{
"label": "Other Service"
}
],
"firstSeen": "2020-02-29 04:02:09",
"ip": "1.1.1.1",
"lastScan": "2021-03-06 06:51:11",
"lastSeen": "2021-02-27 16:00:28",
"portNumber": 111,
"protocol": "UDP",
"status": "closed"
}
]
}
}

Human Readable Output#

Total Retrieved Record(s) 13#

Services#

Port NumberProtocolStatusCurrent Service LabelsFirst Seen Date (GMT)Last Seen Date (GMT)Last Scanned Date (GMT)
53UDPfilteredOther Service2018-03-28 12:04:212021-03-04 05:11:292021-03-06 02:28:14
80TCPopenCloudFlare, cloudflare, yunjiasu-nginx2018-04-01 00:38:562021-03-06 00:20:322021-03-06 13:27:15
111UDPclosedOther Service2020-02-29 04:02:092021-02-27 16:00:282021-03-06 06:51:11

pt-get-whois#


Gets WHOIS information records based on queries.

Base Command#

pt-get-whois

Input#

Argument NameDescriptionRequired
queryQuery value to use in the request. For example: riskiq.com, 1.1.1.1Required
historyWhether to return historical results. Valid values: true, false.Optional

Context Output#

PathTypeDescription
PassiveTotal.WHOIS.domainStringThe domain name. For example: 'google.com'.
PassiveTotal.WHOIS.registrarStringThe name of the registrar of the domain.
PassiveTotal.WHOIS.whoisServerStringWHOIS server name where the details of domain registrations belong.
PassiveTotal.WHOIS.registeredDateThe date that the domain was registered.
PassiveTotal.WHOIS.expiresAtDateThe expiration date of the domain.
PassiveTotal.WHOIS.registryUpdatedAtDateThe date when the registry was last updated.
PassiveTotal.WHOIS.lastLoadedAtDateLast loaded date of WHOIS database.
PassiveTotal.WHOIS.nameServersStringName servers of the domain.
PassiveTotal.WHOIS.organizationStringThe organization of the domain.
PassiveTotal.WHOIS.nameStringName of the domain.
PassiveTotal.WHOIS.telephoneStringTelephone number fetched from whois details of the domain.
PassiveTotal.WHOIS.contactEmailStringContact Email address of the domain owner.
PassiveTotal.WHOIS.registrantEmailStringThe name of the domain registrant.
PassiveTotal.WHOIS.registrantFaxStringThe fax number of the domain registrant.
PassiveTotal.WHOIS.registrantNameStringThe name of the domain registrant.
PassiveTotal.WHOIS.registrantOrganizationStringThe organizations of the domain registrant.
PassiveTotal.WHOIS.registrantStreetStringThe street of the domain registrant.
PassiveTotal.WHOIS.registrantCityStringThe city of the domain registrant.
PassiveTotal.WHOIS.registrantStateStringThe state of the domain registrant.
PassiveTotal.WHOIS.registrantPostalCodeStringThe postal code of the domain registrant.
PassiveTotal.WHOIS.registrantCountryStringThe country of the domain registrant.
PassiveTotal.WHOIS.registrantTelephoneStringThe telephone number of the domain registrant.
PassiveTotal.WHOIS.adminEmailStringThe email address of the domain administrator.
PassiveTotal.WHOIS.adminFaxStringThe fax number of the domain administrator.
PassiveTotal.WHOIS.adminNameStringThe name of the domain administrator.
PassiveTotal.WHOIS.adminOrganizationStringThe organizations of the domain administrator.
PassiveTotal.WHOIS.adminStreetStringThe street of the domain administrator.
PassiveTotal.WHOIS.adminCityStringThe city of the domain administrator.
PassiveTotal.WHOIS.adminStateStringThe state of the domain administrator.
PassiveTotal.WHOIS.adminPostalCodeStringThe postal code of the domain administrator.
PassiveTotal.WHOIS.adminCountryStringThe country of the domain administrator.
PassiveTotal.WHOIS.adminTelephoneStringThe telephone number of the domain administrator.
PassiveTotal.WHOIS.billingEmailStringThe email address of the domain billing.
PassiveTotal.WHOIS.billingFaxStringThe fax number of the domain billing.
PassiveTotal.WHOIS.billingNameStringThe name of the domain billing.
PassiveTotal.WHOIS.billingOrganizationStringThe organizations of the domain billing.
PassiveTotal.WHOIS.billingStreetStringThe street of the domain billing.
PassiveTotal.WHOIS.billingCityStringThe city of the domain billing.
PassiveTotal.WHOIS.billingStateStringThe state of the domain billing.
PassiveTotal.WHOIS.billingPostalCodeStringThe postal code of the domain billing.
PassiveTotal.WHOIS.billingCountryStringThe country of the domain billing.
PassiveTotal.WHOIS.billingTelephoneStringThe telephone number of the domain billing.
PassiveTotal.WHOIS.techEmailStringThe email address of the domain tech.
PassiveTotal.WHOIS.techFaxStringThe fax number of the domain tech.
PassiveTotal.WHOIS.techNameStringThe name of the domain tech.
PassiveTotal.WHOIS.techOrganizationStringThe organizations of domain tech.
PassiveTotal.WHOIS.techStreetStringThe street of the domain tech.
PassiveTotal.WHOIS.techCityStringThe city of the domain tech.
PassiveTotal.WHOIS.techStateStringThe state of the domain tech.
PassiveTotal.WHOIS.techPostalCodeStringThe postal code of the domain tech.
PassiveTotal.WHOIS.techCountryStringThe country of the domain tech.
PassiveTotal.WHOIS.techTelephoneStringThe telephone number of the domain tech.

Command Example#

!pt-get-whois query=riskiq.com

Context Example#

{
"PassiveTotal": {
"WHOIS": {
"adminCity": "san francisco",
"adminCountry": "us",
"adminEmail": "domains@riskiq.com",
"adminName": "Risk IQ",
"adminOrganization": "RiskIQ, Inc.",
"adminPostalCode": "94111",
"adminState": "california",
"adminStreet": "22 Battery Street\n10th Floor",
"adminTelephone": "18884154447",
"contactEmail": "domains@riskiq.com",
"domain": "riskiq.com",
"expiresAt": "2017-01-11T16:00:00.000-0800",
"lastLoadedAt": "2016-09-27T09:40:31.180-0700",
"name": "Risk IQ",
"nameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"organization": "RiskIQ, Inc.",
"registered": "2006-01-11T16:00:00.000-0800",
"registrantCity": "san francisco",
"registrantCountry": "us",
"registrantEmail": "domains@riskiq.com",
"registrantName": "Risk IQ",
"registrantOrganization": "RiskIQ, Inc.",
"registrantPostalCode": "94111",
"registrantState": "california",
"registrantStreet": "22 Battery Street\n10th Floor",
"registrantTelephone": "18884154447",
"registrar": "GODADDY.COM, LLC",
"registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
"techCity": "san francisco",
"techCountry": "us",
"techEmail": "domains@riskiq.com",
"techName": "Risk IQ",
"techOrganization": "RiskIQ, Inc.",
"techPostalCode": "94111",
"techState": "california",
"techStreet": "22 Battery Street\n10th Floor",
"techTelephone": "18884154447",
"telephone": "18884154447",
"whoisServer": "whois.godaddy.com"
}
}
}

Human Readable Output#

Total Retrieved Record(s): 1#

Associated Domains#

DomainWHOIS ServerRegistrarContact EmailName ServersRegistrantAdminTechCreation Date (GMT)Expire Date (GMT)Updated Date (GMT)Last Scanned (GMT)
riskiq.comwhois.godaddy.comGODADDY.COM, LLCdomains@riskiq.comluke.ns.cloudflare.com, serena.ns.cloudflare.comCity: san francisco,
Country: us,
Email: domains@riskiq.com,
Name: Risk IQ,
Organization: RiskIQ, Inc.,
PostalCode: 94111,
State: california,
Street: 22 Battery Street
10th Floor,
Telephone: 18884154447
City: san francisco,
Country: us,
Email: domains@riskiq.com,
Name: Risk IQ,
Organization: RiskIQ, Inc.,
PostalCode: 94111,
State: california,
Street: 22 Battery Street
10th Floor,
Telephone: 18884154447
City: san francisco,
Country: us,
Email: domains@riskiq.com,
Name: Risk IQ,
Organization: RiskIQ, Inc.,
PostalCode: 94111,
State: california,
Street: 22 Battery Street
10th Floor,
Telephone: 18884154447
2006-01-11T16:00:00.000-08002017-01-11T16:00:00.000-08002014-12-08T16:00:00.000-08002016-09-27T09:40:31.180-0700

pt-get-cookies#


Retrieves cookies addresses or hostname information based on cookie name or domain.

Base Command#

pt-get-cookies

Input#

Argument NameDescriptionRequired
search_bySearch cookies information by name or domain. Valid values: 1. get addresses by cookie domain, 2. get addresses by cookie name, 3. get hosts by cookie domain, 4. get hosts by cookie name.Required
queryName or domain of cookie the user wants to search for.Required
pagePage number for paging through results. Each page contains 2000 values. Default is 0.Optional
sortField to sort the results on. Valid values: last seen, first seen. Default is last seen.Optional
orderOrder to return the results in. Valid values: asc, desc. Default is desc.Optional

Context Output#

PathTypeDescription
PassiveTotal.Cookie.hostnameStringThe hostname/IP of the machine on which the cookie was found.
PassiveTotal.Cookie.cookieNameStringThe name of the cookie that was found on the host.
PassiveTotal.Cookie.cookieDomainStringThe domain from which the cookie originated from.
PassiveTotal.Cookie.firstSeenDateThe date and time when the cookie was first observed.
PassiveTotal.Cookie.lastSeenDateThe date and time when the cookie was most recently observed.

Command Example#

!pt-get-cookies search_by="get hosts by cookie name" query=dummyCookie

Context Example#

{
"PassiveTotal": {
"Cookie": [
{
"cookieDomain": "dummy.domain",
"cookieName": "dummyCookie",
"firstSeen": "2016-11-22 03:36:07",
"hostname": "dummy.domain",
"lastSeen": "2017-07-27 21:05:10"
}
]
}
}

Human Readable Output#

Total Record(s): 1#

Total Retrieved Record(s): 1#

Cookies#

HostnameCookie NameCookie DomainFirst Seen Date (GMT)Last Seen Date (GMT)
dummy.domaindummyCookiedummy.domain2019-04-02 01:53:502021-01-22 07:15:13

pt-get-articles#


Retrieves information related to articles for a specific indicator.

Base Command#

pt-get-articles

Input#

Argument NameDescriptionRequired
queryIndicator value to search for in articles. For example: riskiq.com, 1.1.1.1Required
typeType of the indicator. For example: domain, ip, urlOptional

Context Output#

PathTypeDescription
PassiveTotal.Article.guidStringThe global unique ID of the article.
PassiveTotal.Article.titleStringThe title of the article.
PassiveTotal.Article.summaryStringThe summary of the article.
PassiveTotal.Article.typeStringThe type of an article.
PassiveTotal.Article.publishedDateDateThe date and time on which the article was published.
PassiveTotal.Article.linkStringThe link of the article for getting more details.
PassiveTotal.Article.categoriesUnknownAn array of categories of the article.
PassiveTotal.Article.tagsUnknownAn array of tags for the article.
PassiveTotal.Article.indicators.typeStringThe type of the indicator.
PassiveTotal.Article.indicators.countNumberTotal number of indicators of a particular type.
PassiveTotal.Article.indicators.valuesUnknownAn array of values related to indicators.
PassiveTotal.Article.indicators.sourceStringThe source of the indicator.

Command Example#

!pt-get-articles query=dummy.com

Context Example#

{
"PassiveTotal": {
"Article": {
"categories": [
"Categories 1",
"Categories 2"
],
"guid": "12e123b1",
"indicators": [
{
"count": 1,
"source": "public",
"type": "domain",
"values": [
"dummy.com"
]
}
],
"link": "https://community.riskiq.com/article/12e123b1",
"publishedDate": "Mon Aug 29 20:00:00 VET 2016",
"summary": "Did you know that you can get all kinds of free stuff, just by giving out your personal information? The internet is full of these fake reward scams which RiskIQ's sytems surface every hour of the day.",
"tags": [
"fake rewards",
"playstation",
"scam"
],
"title": "Free PlayStations on the Internet are Probably an Online Scam",
"type": "public"
}
}
}

Human Readable Output#

Total Retrieved Record(s): 1#

Article(s)#

GUIDTitleSummaryTypeTagsCategoriesArticle LinkPublished Date (GMT)
12e123b1Free PlayStations on the Internet are Probably an Online ScamDid you know that you can get all kinds of free stuff, just by giving out your personal information? The internet is full of these fake reward scams which RiskIQ's sytems surface every hour of the day.publicfake rewards, playstation, scamCategories 1, Categories 2https://community.riskiq.com/article/12e123b1Mon Aug 29 20:00:00 VET 2016

pt-get-data-card#


Retrieves a summary data card associated with the given query.

Base Command#

pt-get-data-card

Input#

Argument NameDescriptionRequired
queryThe domain, host or IP address to be queried. For example: riskiq.com, 1.1.1.1.Required

Context Output#

PathTypeDescription
PassiveTotal.DataCard.typeStringType of the indicator.
PassiveTotal.DataCard.nameStringName of the indicator.
PassiveTotal.DataCard.linkStringLink to the indicator.
PassiveTotal.DataCard.netblockStringNetblock associated with the indicator.
PassiveTotal.DataCard.osStringOperating system associated with the indicator.
PassiveTotal.DataCard.organizationStringThe organization of the indicator.
PassiveTotal.DataCard.asnStringAutonomous system number assigned to the indicator.
PassiveTotal.DataCard.hosting_providerStringHost provider of the indicator.
PassiveTotal.DataCard.data_summary.resolutions.countNumberNumber of resolutions attached to the indicator.
PassiveTotal.DataCard.data_summary.resolutions.linkStringLink of the resolutions attached to the indicator.
PassiveTotal.DataCard.data_summary.services.countNumberNumber of service records for the indicator.
PassiveTotal.DataCard.data_summary.services.linkStringLink to the service records of the indicator.
PassiveTotal.DataCard.data_summary.certificates.countNumberNumber of certificates for the given indicator.
PassiveTotal.DataCard.data_summary.certificates.linkStringLink to the certificates associated with the indicator.
PassiveTotal.DataCard.data_summary.hashes.countNumberNumber of hashes associated with the indicator.
PassiveTotal.DataCard.data_summary.hashes.linkStringLink to the hashes associated with the indicator.
PassiveTotal.DataCard.data_summary.projects.countNumberNumber of projects containing the indicator.
PassiveTotal.DataCard.data_summary.projects.linkStringNumber of projects containing the indicator.
PassiveTotal.DataCard.data_summary.articles.countNumberNumber of articles referencing the indicator.
PassiveTotal.DataCard.data_summary.articles.linkStringLink to the articles referencing the indicator.
PassiveTotal.DataCard.data_summary.trackers.countNumberNumber of trackers associated with the indicator.
PassiveTotal.DataCard.data_summary.trackers.linkStringLink to the trackers associated with the indicator.
PassiveTotal.DataCard.data_summary.components.countNumberNumber of components associated with the indicator.
PassiveTotal.DataCard.data_summary.components.linkStringLink to the components associated with the indicator.
PassiveTotal.DataCard.data_summary.host_pairs.countNumberNumber of host pairs associated with the indicator.
PassiveTotal.DataCard.data_summary.host_pairs.linkStringLink to the host pairs associated with the indicator.
PassiveTotal.DataCard.data_summary.reverse_dns.countNumberNumber of DNS records for the indicator.
PassiveTotal.DataCard.data_summary.reverse_dns.linkStringLink to the DNS records of the indicator.
PassiveTotal.DataCard.data_summary.cookies.countNumberNumber of available cookie records for the indicator.
PassiveTotal.DataCard.data_summary.cookies.linkStringLink to the cookie records for the indicator.

Command Example#

!pt-get-data-card query="1.1.1.1"

Context Example#

{
"PassiveTotal": {
"DataCard": {
"asn": "AS13335 - CLOUDFLARENET",
"data_summary": {
"articles": {
"count": 0,
"link": "https://community.pt.com/research/1.1.1.1"
},
"certificates": {
"count": 3742,
"link": "https://community.pt.com/search/1.1.1.1/domaincertificates"
},
"components": {
"count": 914,
"link": "https://community.pt.com/search/1.1.1.1/components"
},
"cookies": {
"count": 23346,
"link": "https://community.pt.com/search/1.1.1.1/cookies"
},
"hashes": {
"count": 1000,
"link": "https://community.pt.com/search/1.1.1.1/hashes"
},
"host_pairs": {
"count": 6987,
"link": "https://community.pt.com/search/1.1.1.1/hostpairs"
},
"projects": {
"count": 4,
"link": "https://community.pt.com/search/1.1.1.1/projects"
},
"resolutions": {
"count": 1997,
"link": "https://community.pt.com/search/1.1.1.1/resolutions"
},
"reverse_dns": {
"count": 5,
"link": "https://community.pt.com/search/1.1.1.1/dns"
},
"services": {
"count": 3,
"link": "https://community.pt.com/search/1.1.1.1/services"
},
"trackers": {
"count": 3983,
"link": "https://community.pt.com/search/1.1.1.1/trackers"
}
},
"hosting_provider": "Cloudflare",
"link": "https://community.pt.com/search/1.1.1.1",
"name": "1.1.1.1",
"netblock": "1.1.1.0/24",
"organization": "Cloudflare, Inc.",
"os": "CentOS",
"type": "IP Address"
}
}
}

Human Readable Output#

Data Card Summary#

NameTypeNetblockAutonomous System NumberHost ProviderOperating SystemData Card Summary
1.1.1.1IP Address1.1.1.0/24AS13335 - CLOUDFLARENETCloudflareCentOSResolutions: 1997, Services: 3, Certificates: 3742, Hashes: 1000, Projects: 4, Articles: 0, Trackers: 3983, Components: 914, Host Pairs: 6987, Reverse Dns: 5, Cookies: 23346

pt-get-reputation#


Gets reputation for a given domain, host or IP.

Base Command#

pt-get-reputation

Input#

Argument NameDescriptionRequired
queryThe domain, host or IP address to be queried. For example: riskiq.com, 1.1.1.1.Required

Context Output#

PathTypeDescription
PassiveTotal.Reputation.queryStringThe value of the indicator.
PassiveTotal.Reputation.scoreNumberReputation score of the indicator.
PassiveTotal.Reputation.classificationStringReputation classification of the indicator. (Can be GOOD, SUSPICIOUS, MALICIOUS, or UNKNOWN)
PassiveTotal.Reputation.rules.nameStringName of the rule that informed the reputation score of the indicator.
PassiveTotal.Reputation.rules.descriptionStringDescription of the rule.
PassiveTotal.Reputation.rules.severityNumberSeverity of the rule.
PassiveTotal.Reputation.rules.linkStringLink to the rule.

Command Example#

!pt-get-reputation query="amazon.hksupd.com"

Context Example#

{
"PassiveTotal": {
"Reputation": {
"classification": "MALICIOUS",
"query": "amazon.hksupd.com",
"rules": [
{
"description": "Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike",
"link": "https://community.pt.com/article/d0bf5d18",
"name": "RiskIQ Intel Article",
"severity": 5
}
],
"score": 100
}
}
}

Human Readable Output#

The reputation score for 'amazon.hksupd.com' is 100 and is classified as 'MALICIOUS'.

Reputation Rules#

NameDescriptionSeverity
RiskIQ Intel ArticleVermilion Strike: Linux and Windows Re-implementation of Cobalt Strike5

ip#


Checks the reputation of an IP address.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipThe IP address to check.Optional

Context Output#

PathTypeDescription
PassiveTotal.IP.queryStringThe value of the indicator.
PassiveTotal.IP.scoreNumberReputation score of the indicator.
PassiveTotal.IP.classificationStringReputation classification of the indicator. (Can be GOOD, SUSPICIOUS, MALICIOUS, or UNKNOWN)
PassiveTotal.IP.rules.nameStringName of the rule that informed the reputation score of the indicator.
PassiveTotal.IP.rules.descriptionStringDescription of the rule.
PassiveTotal.IP.rules.severityNumberSeverity of the rule.
PassiveTotal.IP.rules.linkStringLink to the rule.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
IP.AddressStringThe IP Address.

Command Example#

!ip ip=8.8.8.8

Context Example#

{
"DBotScore": {
"Indicator": "8.8.8.8",
"Score": 0,
"Type": "ip",
"Vendor": "PassiveTotal v2"
},
"IP": {
"Address": "8.8.8.8"
},
"PassiveTotal": {
"IP": {
"classification": "UNKNOWN",
"query": "8.8.8.8",
"rules": [
{
"description": "The number of open ports may indicate maliciousness",
"name": "Open ports observed",
"severity": 3
}
],
"score": 3
}
}
}

Human Readable Output#

The reputation score for '8.8.8.8' is 3 and is classified as 'UNKNOWN'.

Reputation Rules#

NameDescriptionSeverity
Open ports observedThe number of open ports may indicate maliciousness3

pt-list-intel-profiles#


Retrieves the list of all profiles.

Base Command#

pt-list-intel-profiles

Input#

Argument NameDescriptionRequired
idSpecify the ID of the profile to retrieve the specific profile.

Note: If 'id' argument is provided, all other arguments will be neglected.
Optional
queryFilter the result based on title or aliases. .Optional
typeFilter the results based on the profile type.

Possible values: actor, tool, backdoor.
Optional
indicator_valueSpecify the indicator value to retrieve the profiles containing the given indicator.

Note: To retrieve the list of indicators, execute the "pt-list-intel-profile-indicators" command.
When both indicator_value and query are provided, higher priority will be given to indicator_value.
Optional
sourceFilter the result based on the indicator source.

Possible values: osint, riskiq.

Note: Requires 'indicator_value' argument.
Optional
categoryFilter the result based on the indicator category.

Possible values: host, network.

Note: Requires 'indicator_value' argument.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is 1000. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.IntelProfile.idStringID of the intel profile.
PassiveTotal.IntelProfile.titleStringTitle of the intel profile.
PassiveTotal.IntelProfile.linkStringLink to the intel profile.
PassiveTotal.IntelProfile.osintIndicatorsCountNumberCount of the open source intelligence indicators referencing the intel profile.
PassiveTotal.IntelProfile.riskIqIndicatorsCountNumberCount of the riskiq indicators referencing the intel profile.
PassiveTotal.IntelProfile.indicatorsStringLink to the indicators referencing the intel profile.
PassiveTotal.IntelProfile.aliasesStringAliases of the intel profile.
PassiveTotal.IntelProfile.tags.labelStringLabels associated with the intel profile.
PassiveTotal.IntelProfile.tags.countryCodeStringCountry code of the tags associated with the intel profile.

Command Example#

!pt-list-intel-profiles id="apt33"

Context Example#

{
"PassiveTotal": {
"IntelProfile": {
"aliases": [
"Elfin",
"Magnallium",
"Refined Kitten",
"Holmium",
"Cobalt Trinity"
],
"id": "apt33",
"indicators": "https://api.pt.net/pt/v2/intel-profiles/apt33/indicators",
"link": "https://community.pt.com/intel-profiles/apt33",
"osintIndicatorsCount": 410,
"riskIqIndicatorsCount": 122,
"tags": [
{
"label": "Espionage"
},
{
"label": "Sabotage"
},
{
"label": "Windows"
},
{
"label": "Aviation"
},
{
"label": "Defense"
},
{
"label": "Oil & Gas"
},
{
"countryCode": "ir",
"label": "State Sponsored: Iran"
},
{
"countryCode": "sa",
"label": "Target: Saudi Arabia"
},
{
"countryCode": "us",
"label": "Target: USA"
},
{
"countryCode": "kr",
"label": "Target: South Korea"
},
{
"countryCode": "il",
"label": "Target: Israel"
}
],
"title": "APT33"
}
}
}

Human Readable Output#

Profile(s)#

IDTitleAliasesPublic IndicatorsRiskIQ Indicators
apt33APT33Elfin, Magnallium, Refined Kitten, Holmium, Cobalt Trinity410122

pt-list-intel-profile-indicators#


Retrieves the indicators for the given profile.

Base Command#

pt-list-intel-profile-indicators

Input#

Argument NameDescriptionRequired
idSpecify the ID of the profile to retrieve indicators for the specific profile.

Note: To retrieve the list of profile IDs, execute the "pt-list-intel-profile" command.
Required
typeFilter the results based on the indicator type.

Possible values: certificate_sha1, domain, email, hash_md5, hash_sha256, ip, pdb_path, soa_email, url, whois_email.
Optional
indicator_valueSpecify the indicator value to retrieve the specific indicator.Optional
sourceFilter the result based on the indicator source.

Possible values: osint, riskiq.
Optional
categoryFilter the result based on the indicator category.

Possible values: host, network.
Optional
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.IntelProfile.idStringProfile ID containing the indicator.
PassiveTotal.IntelProfile.indicator.idStringID of the indicator.
PassiveTotal.IntelProfile.indicator.typeStringType of the indicator.
PassiveTotal.IntelProfile.indicator.valueStringValue of the indicator.
PassiveTotal.IntelProfile.indicator.categoryStringCategory of the indicator.
PassiveTotal.IntelProfile.indicator.firstSeenStringDate & time the record was first seen.
PassiveTotal.IntelProfile.indicator.lastSeenStringDate & time the record was most recently observed.
PassiveTotal.IntelProfile.indicator.osintStringWhether the indicator was published in open source intelligence articles.
PassiveTotal.IntelProfile.indicator.osintUrlStringLink to the osint source of the indicator.
PassiveTotal.IntelProfile.indicator.articleGuidsStringList of RiskIQ OSINT article GUIDs associated with the indicator.

Command Example#

!pt-list-intel-profile-indicators id="apt33" page_size=1

Context Example#

{
"PassiveTotal": {
"IntelProfile": {
"id": "apt33",
"indicator": [
{
"articleGuids": [
"633605c6"
],
"category": "host",
"firstSeen": "2017-03-06T00:00:00.000+00:00",
"id": "apt33:00c417425a73db5a315d23fac8cb353f",
"osint": true,
"type": "hash_md5",
"value": "00c417425a73db5a315d23fac8cb353f",
"lastSeen": "2017-03-06T00:00:00.000+00:00"
}
]
}
}
}

Human Readable Output#

Total Retrieved Indicator(s) 532#

Indicator(s)#

IDArtifact ValueTypeFirst Seen (GMT)Last Seen (GMT)Source
apt33:00c417425a73db5a315d23fac8cb353f00c417425a73db5a315d23fac8cb353fhash_md52017-03-06T00:00:00.000+00:002017-03-06T00:00:00.000+00:00OSINT

pt-list-my-attack-surface-insights#


Retrieves the attack surface insight information of the individual's account.

Base Command#

pt-list-my-attack-surface-insights

Input#

Argument NameDescriptionRequired
priorityFilter the results based on the priority level specified.

Possible values: high, medium, low.
Required
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is 1000. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.Summary.Insight.nameStringThe command name.
PassiveTotal.Summary.Insight.activeInsightCountNumberTotal number of active insights.
PassiveTotal.Summary.Insight.totalInsightCountNumberTotal number of insights.
PassiveTotal.Summary.Insight.totalObservationsNumberTotal number of observations.
PassiveTotal.Insight.priorityLevelStringPriority level of insights.
PassiveTotal.Insight.insight.nameStringName of the insight.
PassiveTotal.Insight.insight.descriptionStringDescription of the insight.
PassiveTotal.Insight.insight.observationCountNumberNumber of observations for the given insight.
PassiveTotal.Insight.insight.linkStringLink to the insight.
PassiveTotal.Insight.insight.insightIdStringID of the third party insight.
PassiveTotal.Insight.insight.segmentByStringSegment by of the insight.

Command Example#

!pt-list-my-attack-surface-insights priority="low"

Context Example#

{
"PassiveTotal": {
"Insight": {
"insight": [
{
"description": "##### Description \nThe following SSL certificates are SHA-1 certificates and are no longer recognized by web browsers due to possible hash collision.\n\n##### Remediation\nOrganizations should replace these certificates with new SSL certificate that use SHA-256.",
"insightId": "40466",
"link": "https://api.pt.net/pt/v2/attack-surface/insight/40466?page=0&size=25&groupBy=RISK_CATEGORY&segmentBy=savedfilter_metric_29630",
"name": "ASI: SHA-1 Certificates",
"observationCount": 0,
"segmentBy": "savedfilter_metric_29630"
},
{
"description": "##### Description \nDeprecated versions of Nginx web server that are no longer supported. Running end of life or deprecated hardware or software can open organizations up to potential risks and vulnerabilities as these systems are no longer supported via regular updates and security patches\n\n##### Remediation\nOrganizations should consider upgrading to supported versions of Nginx to ensure security patches are available.\n",
"insightId": "40466",
"link": "https://api.pt.net/pt/v2/attack-surface/insight/40466?page=0&size=25&groupBy=RISK_CATEGORY&segmentBy=savedfilter_metric_29643",
"name": "ASI: Deprecated Tech - Nginx",
"observationCount": 146,
"segmentBy": "savedfilter_metric_29643"
}
],
"priorityLevel": "low"
},
"Summary": {
"Insight": {
"activeInsightCount": 6,
"name": "pt-list-my-attack-surface-insights",
"totalInsightCount": 11,
"totalObservations": 165
}
}
}
}

Human Readable Output#

Low Severity Insights#

6 Active of 11 Insights - 165 Observations

NameDescriptionObservationsInsight IDSegment By
ASI: Deprecated Tech - Nginx##### Description
Deprecated versions of Nginx web server that are no longer supported. Running end of life or deprecated hardware or software can open organizations up to potential risks and vulnerabilities as these systems are no longer supported via regular updates and security patches

##### Remediation
Organizations should consider upgrading to supported versions of Nginx to ensure security patches are available.
14640466savedfilter_metric_29643
ASI: SSL Certificates Expiring in 30 Days##### Description
The following SSL Certificates expire within the next 30 days. Expired certificates can lead to critical business functions being unavailable to customers or employees. Expired certificates could prevent customers from accessing your website and negatively impact an organization’s brand.


##### Remediation
Organizations should review these certificates and ensure appropriate policies and procedures are in place to keep SSL certificates up to date.
1340466savedfilter_metric_29632

pt-list-my-attack-surfaces#


Retrieves the attack surface information of the individual's account.

Base Command#

pt-list-my-attack-surfaces

Input#

Argument NameDescriptionRequired
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is 1000. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.AttackSurface.idNumberID of the attack surface.
PassiveTotal.AttackSurface.nameStringName of the attack surface.
PassiveTotal.AttackSurface.priority.high.observationCountNumberTotal observations of high priority attack surface.
PassiveTotal.AttackSurface.priority.high.linkStringLink to the high priority attack surface.
PassiveTotal.AttackSurface.priority.medium.observationCountNumberTotal observations of medium priority attack surface.
PassiveTotal.AttackSurface.priority.medium.linkStringLink to the medium priority attack surface.
PassiveTotal.AttackSurface.priority.low.observationCountNumberTotal observations of low priority attack surface.
PassiveTotal.AttackSurface.priority.low.linkStringLink to the low priority attack surface.

Command Example#

!pt-list-my-attack-surfaces

Context Example#

{
"PassiveTotal": {
"AttackSurface": {
"id": 88256,
"name": "RiskIQ, Inc.",
"priority": {
"high": {
"link": "https://api.pt.net/pt/v2/attack-surface/priority/high",
"observationCount": 13
},
"low": {
"link": "https://api.pt.net/pt/v2/attack-surface/priority/low",
"observationCount": 165
},
"medium": {
"link": "https://api.pt.net/pt/v2/attack-surface/priority/medium",
"observationCount": 4
}
}
}
}
}

Human Readable Output#

Attack Surface(s)#

IDNameHigh SeverityMedium SeverityLow Severity
88256RiskIQ, Inc.13 observations4 observations165 observations

pt-list-third-party-attack-surface#


Retrieves the attack surface observations by severity level for the given third-party account.

Base Command#

pt-list-third-party-attack-surface

Input#

Argument NameDescriptionRequired
idSpecify the vendor ID to retrieve the attack surface third party information.Optional
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.ThirdParty.idNumberID of the vendor.
PassiveTotal.ThirdParty.nameStringName of the vendor.
PassiveTotal.ThirdParty.priority.high.observationCountNumberTotal observations of high priority attack surface.
PassiveTotal.ThirdParty.priority.high.linkStringLink to the high priority attack surface.
PassiveTotal.ThirdParty.priority.medium.observationCountNumberTotal observations of medium priority attack surface.
PassiveTotal.ThirdParty.priority.medium.linkStringLink to the medium priority attack surface.
PassiveTotal.ThirdParty.priority.low.observationCountNumberTotal observations of low priority attack surface.
PassiveTotal.ThirdParty.priority.low.linkStringLink to the low priority attack surface.
PassiveTotal.Summary.ThirdPartyASI.nameStringThe command name.
PassiveTotal.Summary.ThirdPartyASI.totalCountNumberTotal number of attack surfaces.
PassiveTotal.Summary.ThirdPartyASI.totalPagesNumberNumber of pages.
PassiveTotal.Summary.ThirdPartyASI.nextPageStringLink to the next page.

Command Example#

!pt-list-third-party-attack-surface

Context Example#

{
"PassiveTotal": {
"Summary": {
"ThirdPartyASI": {
"name": "pt-list-third-party-attack-surface",
"totalCount": 2,
"totalPages": 1
}
},
"ThirdParty": [
{
"id": 45998,
"name": "Mitsubishi Corporation",
"priority": {
"high": {
"link": "https://api.pt.net/pt/v2/attack-surface/third-party/45998/priority/high",
"observationCount": 3
},
"low": {
"link": "https://api.pt.net/pt/v2/attack-surface/third-party/45998/priority/low",
"observationCount": 92
},
"medium": {
"link": "https://api.pt.net/pt/v2/attack-surface/third-party/45998/priority/medium",
"observationCount": 35
}
}
},
{
"id": 371662,
"name": "Aeroflot-Russian Airlines",
"priority": {
"high": {
"link": "https://api.pt.net/pt/v2/attack-surface/third-party/371662/priority/high",
"observationCount": 7
},
"low": {
"link": "https://api.pt.net/pt/v2/attack-surface/third-party/371662/priority/low",
"observationCount": 16
},
"medium": {
"link": "https://api.pt.net/pt/v2/attack-surface/third-party/371662/priority/medium",
"observationCount": 8
}
}
}
]
}
}

Human Readable Output#

Attack Surface(s)#

IDNameHigh SeverityMedium SeverityLow Severity
45998Mitsubishi Corporation3 observations35 observations92 observations
371662Aeroflot-Russian Airlines7 observations8 observations16 observations

pt-list-third-party-attack-surface-insights#


Retrieves the attack surface insight information of the given third-party account.

Base Command#

pt-list-third-party-attack-surface-insights

Input#

Argument NameDescriptionRequired
idSpecify the vendor ID to retrieve the third-party insights information.

Note: To retrieve the list of vendor IDs, execute the "pt-list-third-party-attack-surface" command.
Required
priorityFilter the results based on the priority level specified.

Possible values: high, medium, low.
Required
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is 1000. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.Summary.ThirdPartyInsight.activeInsightCountNumberTotal number of active third party insights.
PassiveTotal.Summary.ThirdPartyInsight.totalInsightCountNumberTotal number of third party insights.
PassiveTotal.Summary.ThirdPartyInsight.totalObservationsNumberTotal number of third party observations.
PassiveTotal.ThirdParty.idNumberVendor ID associated with the third party insights.
PassiveTotal.ThirdParty.priorityLevelStringPriority level of third party insights.
PassiveTotal.ThirdParty.Insight.insight.nameStringName of the third party insight.
PassiveTotal.ThirdParty.Insight.insight.descriptionStringDescription of the third party insight.
PassiveTotal.ThirdParty.Insight.insight.observationCountNumberNumber of observations for the given third party insight.
PassiveTotal.ThirdParty.Insight.insight.linkStringLink to the third party insight.
PassiveTotal.ThirdParty.Insight.insight.insightIdStringID of the third party insight.
PassiveTotal.ThirdParty.Insight.insight.segmentByStringSegment by of the third party insight.
PassiveTotal.Summary.ThirdPartyInsight.nameStringThe command name.

Command Example#

!pt-list-third-party-attack-surface-insights id="45998" priority="low"

Context Example#

{
"PassiveTotal": {
"Summary": {
"ThirdPartyInsight": {
"activeInsightCount": 9,
"name": "pt-list-third-party-attack-surface-insights",
"totalInsightCount": 11,
"totalObservations": 92
}
},
"ThirdParty": {
"Insight": {
"insight": [
{
"description": "Root page assets with any CVSS/CVSS v3 score. ",
"insightId": "40466",
"link": "https://api.pt.net/pt/v2/attack-surface/third-party/45998/insight/40466?page=0&size=25&groupBy=RISK_CATEGORY&segmentBy=savedfilter_metric_15881",
"name": "Affected CVSS Page",
"observationCount": 0,
"segmentBy": "savedfilter_metric_15881"
},
{
"description": "##### Description \nDeprecated versions of Apache server that are no longer supported. Running end of life or deprecated software can open organizations up to potential risks and vulnerabilities as these systems are no longer supported via regular updates and security patches.\n\n##### Remediation\nOrganizations should consider upgrading to supported versions of Apache to ensure security patches are available.",
"insightId": "40466",
"link": "https://api.pt.net/pt/v2/attack-surface/third-party/45998/insight/40466?page=0&size=25&groupBy=RISK_CATEGORY&segmentBy=savedfilter_metric_29644",
"name": "ASI: Deprecated Tech - Apache",
"observationCount": 2,
"segmentBy": "savedfilter_metric_29644"
}
]
},
"id": 45998,
"priorityLevel": "low"
}
}
}

Human Readable Output#

Low Severity Insights#

9 Active of 11 Insights - 92 Observations

NameDescriptionObservationsInsight IDSegment By
ASI: Deprecated Tech - Apache##### Description
Deprecated versions of Apache server that are no longer supported. Running end of life or deprecated software can open organizations up to potential risks and vulnerabilities as these systems are no longer supported via regular updates and security patches.

##### Remediation
Organizations should consider upgrading to supported versions of Apache to ensure security patches are available.
240466savedfilter_metric_29644
Affected CVSS PageRoot page assets with any CVSS/CVSS v3 score.040466savedfilter_metric_15881

pt-list-my-attack-surface-assets#


Retrieves the attack surface asset information of the individual's account.

Base Command#

pt-list-my-attack-surface-assets

Input#

Argument NameDescriptionRequired
idSpecify the insight ID to retrieve the assets.

Note: To retrieve the list of insight IDs, execute the "pt-list-my-attack-surface-insights" command.
Required
segment_bySpecify the segment_by to retrieve the assets.

Note: To retrieve the list of segment by, execute the "pt-list-my-attack-surface-insights" command.
Required
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.Summary.Asset.totalCountNumberTotal number of available assets.
PassiveTotal.Summary.Asset.totalPagesNumberNumber of pages.
PassiveTotal.Summary.Asset.nextPageStringLink to the next page.
PassiveTotal.Asset.insightIdStringInsight ID for which assets are retrieved.
PassiveTotal.Asset.segmentByStringSegment by for which assets are retrieved.
PassiveTotal.Asset.asset.typeStringType of the asset.
PassiveTotal.Asset.asset.nameStringName of the asset.
PassiveTotal.Asset.asset.firstSeenDateDate & time the record was first seen.
PassiveTotal.Asset.asset.lastSeenDateDate & time the record was most recently observed.
PassiveTotal.Summary.Asset.nameStringThe command name.

Command Example#

!pt-list-my-attack-surface-assets id="40466" segment_by="savedfilter_metric_29634"

Context Example#

{
"PassiveTotal": {
"Asset": {
"asset": [
{
"firstSeen": "2016-05-25 20:07:40",
"lastSeen": "2021-09-19 09:50:32",
"name": "financialtradie.com",
"type": "DOMAIN"
}
],
"insightId": "40466",
"segmentBy": "savedfilter_metric_29634"
},
"Summary": {
"Asset": {
"name": "pt-list-my-attack-surface-assets",
"totalCount": 1,
"totalPages": 1
}
}
}
}

Human Readable Output#

Asset(s)#

NameTypeFirst Seen (GMT)Last Seen (GMT)
financialtradie.comDOMAIN2016-05-25 20:07:402021-09-19 09:50:32

pt-list-my-attack-surface-vulnerable-components#


Retrieves the attack surface vulnerable component information of the individual's account.

Base Command#

pt-list-my-attack-surface-vulnerable-components

Input#

Argument NameDescriptionRequired
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.Summary.VulnerableComponent.nameStringThe command name.
PassiveTotal.Summary.VulnerableComponent.totalCountNumberTotal number of available vulnerable components.
PassiveTotal.Summary.VulnerableComponent.totalPagesNumberNumber of pages.
PassiveTotal.Summary.VulnerableComponent.nextPageStringLink to the next page.
PassiveTotal.VulnerableComponent.nameStringName of the vulnerable component.
PassiveTotal.VulnerableComponent.typeStringType of the vulnerable component.
PassiveTotal.VulnerableComponent.severityStringSeverity of the vulnerable component.
PassiveTotal.VulnerableComponent.countNumberNumber of assets affected.

Command Example#

!pt-list-my-attack-surface-vulnerable-components page_size=2

Context Example#

{
"PassiveTotal": {
"Summary": {
"VulnerableComponent": {
"name": "pt-list-my-attack-surface-vulnerable-components",
"nextPage": "https://api.pt.net/pt/v2/attack-surface/vuln-intel/components?page=1&size=2",
"totalCount": 24,
"totalPages": 12
}
},
"VulnerableComponent": [
{
"count": 129,
"name": "nginx 1.14.0",
"severity": "HIGH",
"type": "Server"
},
{
"count": 13,
"name": "nginx 1.16.1",
"severity": "HIGH",
"type": "Server"
}
]
}
}

Human Readable Output#

Vulnerable Component(s)#

NameTypeSeverityAsset Count
nginx 1.14.0ServerHIGH129
nginx 1.16.1ServerHIGH13

pt-list-my-attack-surface-vulnerabilities#


Retrieves the attack surface vulnerability information of the individual's account.

Base Command#

pt-list-my-attack-surface-vulnerabilities

Input#

Argument NameDescriptionRequired
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.Vulnerability.cveIdStringID of the CVE.
PassiveTotal.Vulnerability.cwes.cweIdStringCWE ID associated with the CVE.
PassiveTotal.Vulnerability.priorityScoreNumberPriority score of the CVE.
PassiveTotal.Vulnerability.observationCountNumberNumber of observations of CVE.
PassiveTotal.Vulnerability.cveLinkStringLink to the CVE.
PassiveTotal.Summary.Vulnerability.nameStringThe command name.
PassiveTotal.Summary.Vulnerability.totalCountNumberTotal number of vulnerabilities.
PassiveTotal.Summary.Vulnerability.totalPagesNumberNumber of pages.
PassiveTotal.Summary.Vulnerability.nextPageStringLink to the next page.

Command Example#

!pt-list-my-attack-surface-vulnerabilities page_size=2

Context Example#

{
"PassiveTotal": {
"Summary": {
"Vulnerability": {
"name": "pt-list-my-attack-surface-vulnerabilities",
"nextPage": "https://api.pt.net/pt/v2/attack-surface/vuln-intel/cves?page=1&size=2",
"totalCount": 413,
"totalPages": 207
}
},
"Vulnerability": [
{
"cveId": "CVE-2021-23017",
"cveLink": "https://api.pt.net/pt/v2/vuln-intel/CVE-2021-23017",
"cwes": [
{
"cweId": "CWE-193"
}
],
"observationCount": 149,
"priorityScore": 98
},
{
"cveId": "CVE-2019-20372",
"cveLink": "https://api.pt.net/pt/v2/vuln-intel/CVE-2019-20372",
"cwes": [
{
"cweId": "CWE-444"
}
],
"observationCount": 145,
"priorityScore": 53
}
]
}
}

Human Readable Output#

Vulnerabilities#

CVE IDCWE IDRiskIQ Priority ScoreAsset Count
CVE-2021-23017CWE-19398.0149
CVE-2019-20372CWE-44453.0145

pt-list-my-attack-surface-observations#


Retrieves the attack surface vulnerability observation information of the individual's account.

Base Command#

pt-list-my-attack-surface-observations

Input#

Argument NameDescriptionRequired
cve_idSpecify the CVE ID to retrieve observations of that CVE.

Note: To retrieve the list of CVE IDs, execute the "pt-list-my-attack-surface-vulnerabilities" command.
Required
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.Observation.asset.typeStringType of the asset.
PassiveTotal.Observation.asset.nameStringName of the asset.
PassiveTotal.Observation.asset.firstSeenDateDate & time the record was first seen.
PassiveTotal.Observation.asset.lastSeenDateDate & time the record was most recently observed.
PassiveTotal.Observation.cveIdStringID of the CVE.
PassiveTotal.Observation.cwe.cweIdStringCWE ID associated with the CVE.
PassiveTotal.Summary.Observation.nameStringThe command name.
PassiveTotal.Summary.Observation.totalCountNumberTotal number of vulnerabilities.
PassiveTotal.Summary.Observation.totalPagesNumberNumber of pages.
PassiveTotal.Summary.Observation.nextPageStringLink to the next page.

Command Example#

!pt-list-my-attack-surface-observations cve_id="CVE-2021-23017" page_size=2

Context Example#

{
"PassiveTotal": {
"Observation": {
"asset": [
{
"firstSeen": "2018-05-11 20:40:17",
"lastSeen": "2021-09-19 14:46:48",
"name": "riskiq.app",
"type": "HOST"
},
{
"firstSeen": "2018-06-30 00:03:32",
"lastSeen": "2021-09-15 19:36:38",
"name": "www.riskiq.app",
"type": "HOST"
}
],
"cveId": "CVE-2021-23017",
"cwe": [
{
"cweId": "CWE-193"
}
]
},
"Summary": {
"Observation": {
"name": "pt-list-my-attack-surface-observations",
"nextPage": "https://api.pt.net/pt/v2/attack-surface/vuln-intel/cves/CVE-2021-23017/observations?page=1&size=2",
"totalCount": 149,
"totalPages": 75
}
}
}
}

Human Readable Output#

Observation(s)#

NameTypeFirst Seen (GMT)Last Seen (GMT)
riskiq.appHOST2018-05-11 20:40:172021-09-19 14:46:48
www.riskiq.appHOST2018-06-30 00:03:322021-09-15 19:36:38

pt-list-third-party-attack-surface-assets#


Retrieves the attack surface asset information of the given third-party account.

Base Command#

pt-list-third-party-attack-surface-assets

Input#

Argument NameDescriptionRequired
idSpecify the insight ID to retrieve the assets.

Note: To retrieve the list of insight IDs, execute the "pt-list-third-party-attack-surface-insights" command.
Required
vendor_idSpecify the vendor ID to retrieve the assets of a specific vendor.

Note: To retrieve the list of vendor IDs, execute the "pt-list-third-party-attack-surface" command.
Required
segment_bySpecify the segment_by to retrieve the assets.

Note: To retrieve the list of segment by, execute the "pt-list-third-party-attack-surface-insights" command.
Required
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.ThirdParty.idNumberID of the vendor.
PassiveTotal.Summary.ThirdPartyInsightAsset.nameStringThe command name.
PassiveTotal.Summary.ThirdPartyInsightAsset.totalCountNumberTotal number of available assets.
PassiveTotal.Summary.ThirdPartyInsightAsset.totalPagesNumberNumber of pages.
PassiveTotal.Summary.ThirdPartyInsightAsset.nextPageStringLink to the next page.
PassiveTotal.ThirdParty.InsightAsset.insightIdNumberInsight ID for which assets are retrieved.
PassiveTotal.ThirdParty.InsightAsset.segmentByStringSegment by for which assets are retrieved.
PassiveTotal.ThirdParty.InsightAsset.asset.typeStringType of the asset.
PassiveTotal.ThirdParty.InsightAsset.asset.nameStringName of the asset.
PassiveTotal.ThirdParty.InsightAsset.asset.firstSeenDateDate & time the record was first seen.
PassiveTotal.ThirdParty.InsightAsset.asset.lastSeenDateDate & time the record was most recently observed.

Command Example#

!pt-list-third-party-attack-surface-assets id="40464" vendor_id="45998" segment_by="savedfilter_metric_29644"

Context Example#

{
"PassiveTotal": {
"Summary": {
"ThirdPartyInsightAsset": {
"name": "pt-list-third-party-attack-surface-assets",
"totalCount": 2,
"totalPages": 1
}
},
"ThirdParty": {
"InsightAsset": {
"asset": [
{
"firstSeen": "2010-06-24 07:49:19",
"lastSeen": "2021-09-21 23:02:08",
"name": "160.189.11.4",
"type": "IP_ADDRESS"
},
{
"firstSeen": "2017-12-01 09:22:21",
"lastSeen": "2021-09-21 18:23:10",
"name": "ec.soup-stock-tokyo.com",
"type": "HOST"
}
],
"insightId": "40464",
"segmentBy": "savedfilter_metric_29644"
},
"id": 45998
}
}
}

Human Readable Output#

Asset(s)#

NameTypeFirst Seen (GMT)Last Seen (GMT)
160.189.11.4IP_ADDRESS2010-06-24 07:49:192021-09-21 23:02:08
ec.soup-stock-tokyo.comHOST2017-12-01 09:22:212021-09-21 18:23:10

pt-list-third-party-attack-surface-vulnerable-components#


Retrieves the attack surface vulnerable component information of the given third-party account.

Base Command#

pt-list-third-party-attack-surface-vulnerable-components

Input#

Argument NameDescriptionRequired
idSpecify the vendor ID to retrieve the vulnerable components for a particular vendor.

Note: To retrieve the list of vendor IDs, execute the "pt-list-third-party-attack-surface" command.
Required
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.ThirdParty.idStringID of the vendor.
PassiveTotal.Summary.ThirdPartyVulnerableComponent.nameStringThe command name.
PassiveTotal.Summary.ThirdPartyVulnerableComponent.totalCountNumberTotal number of available vulnerable components.
PassiveTotal.Summary.ThirdPartyVulnerableComponent.totalPagesNumberNumber of pages.
PassiveTotal.Summary.ThirdPartyVulnerableComponent.nextPageStringLink to the next page.
PassiveTotal.ThirdParty.VulnerableComponent.nameStringName of the vulnerable component.
PassiveTotal.ThirdParty.VulnerableComponent.typeStringType of the vulnerable component.
PassiveTotal.ThirdParty.VulnerableComponent.severityStringSeverity of the vulnerable component.
PassiveTotal.ThirdParty.VulnerableComponent.countNumberNumber of assets affected.

Command Example#

!pt-list-third-party-attack-surface-vulnerable-components id="45998" page_size=2

Context Example#

{
"PassiveTotal": {
"Summary": {
"ThirdPartyVulnerableComponent": {
"name": "pt-list-third-party-attack-surface-vulnerable-components",
"nextPage": "https://api.pt.net/pt/v2/attack-surface/vuln-intel/third-party/45998/components?page=1&size=2",
"totalCount": 45,
"totalPages": 23
}
},
"ThirdParty": {
"VulnerableComponent": [
{
"count": 14,
"name": "Microsoft-IIS 8.5",
"severity": "MEDIUM",
"type": "Server"
},
{
"count": 5,
"name": "OpenSSL 1.0.2k",
"severity": "HIGH",
"type": "Server Module"
}
],
"id": 45998
}
}
}

Human Readable Output#

Vulnerable Component(s)#

NameTypeSeverityAsset Count
Microsoft-IIS 8.5ServerMEDIUM14
OpenSSL 1.0.2kServer ModuleHIGH5

pt-list-third-party-attack-surface-vulnerabilities#


Retrieves the attack surface vulnerability information of the given third-party account.

Base Command#

pt-list-third-party-attack-surface-vulnerabilities

Input#

Argument NameDescriptionRequired
idSpecify the vendor ID to retrieve the vulnerabilities for a particular vendor.

Note: To retrieve the list of vendor IDs, execute the "pt-list-third-party-attack-surface" command.
Required
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.ThirdParty.idNumberID of the vendor.
PassiveTotal.ThirdParty.Vulnerability.cveIdStringID of the CVE.
PassiveTotal.ThirdParty.Vulnerability.cwes.cweIdStringCWE ID associated with the CVE.
PassiveTotal.ThirdParty.Vulnerability.priorityScoreNumberPriority score of the CVE.
PassiveTotal.ThirdParty.Vulnerability.observationCountNumberNumber of observations of CVE.
PassiveTotal.ThirdParty.Vulnerability.cveLinkStringLink to the CVE.
PassiveTotal.Summary.ThirdPartyVulnerability.nameStringThe command name.
PassiveTotal.Summary.ThirdPartyVulnerability.totalCountNumberTotal number of vulnerabilities.
PassiveTotal.Summary.ThirdPartyVulnerability.totalPagesNumberNumber of pages.
PassiveTotal.Summary.ThirdPartyVulnerability.nextPageStringLink to the next page.

Command Example#

!pt-list-third-party-attack-surface-vulnerabilities id="45998" page_size=2

Context Example#

{
"PassiveTotal": {
"Summary": {
"ThirdPartyVulnerability": {
"name": "pt-list-third-party-attack-surface-vulnerabilities",
"nextPage": "https://api.pt.net/pt/v2/attack-surface/vuln-intel/third-party/45998/cves?page=1&size=2",
"totalCount": 548,
"totalPages": 274
}
},
"ThirdParty": {
"Vulnerability": [
{
"cveId": "CVE-2020-11022",
"cveLink": "https://api.pt.net/pt/v2/vuln-intel/CVE-2020-11022",
"cwes": [
{
"cweId": "CWE-79"
}
],
"observationCount": 19,
"priorityScore": 61
},
{
"cveId": "CVE-2020-11023",
"cveLink": "https://api.pt.net/pt/v2/vuln-intel/CVE-2020-11023",
"cwes": [
{
"cweId": "CWE-79"
}
],
"observationCount": 19,
"priorityScore": 61
}
],
"id": 45998
}
}
}

Human Readable Output#

Vulnerabilities#

CVE IDCWE IDRiskIQ Priority ScoreAsset Count
CVE-2020-11022CWE-7961.019
CVE-2020-11023CWE-7961.019

pt-list-third-party-attack-surface-observations#


Retrieves the attack surface vulnerability observation information of the given third-party account.

Base Command#

pt-list-third-party-attack-surface-observations

Input#

Argument NameDescriptionRequired
idSpecify the vendor ID to retrieve the vulnerability observations for a particular vendor.

Note: To retrieve the list of vendor IDs, execute the "pt-list-third-party-attack-surface" command.
Required
cve_idSpecify the CVE ID to retrieve observations of the CVE.

Note: To retrieve the list of CVE IDs, execute the "pt-list-third-party-attack-surface-vulnerabilities" command.
Required
page_numberPage number for paging through results.

Note: The minimum value supported is 0 and maximum value supported is int32. Default is 0.
Optional
page_sizeMaximum number of results to return per page.

Note: The minimum value supported is 1 and maximum value supported is int32. Default is 50.
Optional

Context Output#

PathTypeDescription
PassiveTotal.ThirdParty.idNumberID of the vendor.
PassiveTotal.ThirdParty.Observation.asset.typeStringType of the asset.
PassiveTotal.ThirdParty.Observation.asset.nameStringName of the asset.
PassiveTotal.ThirdParty.Observation.asset.firstSeenDateDate & time the record was first seen.
PassiveTotal.ThirdParty.Observation.asset.lastSeenDateDate & time the record was most recently observed.
PassiveTotal.ThirdParty.Observation.cveIdStringID of the CVE.
PassiveTotal.ThirdParty.Observation.cwe.cweIdStringCWE ID associated with the CVE.
PassiveTotal.Summary.ThirdPartyObservation.nameStringThe command name.
PassiveTotal.Summary.ThirdPartyObservation.totalCountNumberTotal number of observations.
PassiveTotal.Summary.ThirdPartyObservation.totalPagesNumberNumber of pages.
PassiveTotal.Summary.ThirdPartyObservation.nextPageStringLink to the next page.

Command Example#

!pt-list-third-party-attack-surface-observations id="45998" cve_id="CVE-2020-11022" page_size=2

Context Example#

{
"PassiveTotal": {
"Summary": {
"ThirdPartyObservation": {
"name": "pt-list-third-party-attack-surface-observations",
"nextPage": "https://api.pt.net/pt/v2/attack-surface/vuln-intel/third-party/45998/cves/CVE-2020-11022/observations?page=1&size=2",
"totalCount": 19,
"totalPages": 10
}
},
"ThirdParty": {
"Observation": {
"asset": [
{
"firstSeen": "2015-05-12 14:58:34",
"lastSeen": "2021-09-21 06:14:39",
"name": "blog.accesstage.com.br",
"type": "HOST"
},
{
"firstSeen": "2010-09-22 14:57:20",
"lastSeen": "2021-09-22 00:21:45",
"name": "www.accesstage.com.br",
"type": "HOST"
}
],
"cveId": "CVE-2020-11022",
"cwe": [
{
"cweId": "CWE-79"
}
]
},
"id": 45998
}
}
}

Human Readable Output#

Observation(s)#

NameTypeFirst Seen (GMT)Last Seen (GMT)
blog.accesstage.com.brHOST2015-05-12 14:58:342021-09-21 06:14:39
www.accesstage.com.brHOST2010-09-22 14:57:202021-09-22 00:21:45