
Cyware Threat Intelligence eXchange

RiskIQ PassiveTotal

RiskIQ PassiveTotal integration with CTIX identifies threats and attacker infrastructure and leverages machine learning to scale threat hunting and response. RiskIQ retrieves context about the attackers, their tools and systems, and indicators of compromise outside the firewall—enterprise and third party. RiskIQ also retrieves open port details of an IP address.

About RiskIQ PassiveTotal

RiskIQ PassiveTotal consolidates massive amounts of diverse internet data sources into a single platform and highlights correlated information so you can quickly connect the dots.

Feed channels and STIX objects in CTIX

Feed channels are the means to configure multiple types of feeds that you receive in the CTIX application through any integration with a feed source.

Fetch Article Feeds is the feed channel available for this integration. A new collection is created for this feed channel with the article feed data.

Configure the RiskIQ App in CTIX

RiskIQ PassiveTotal is available as an out-of-the-box integration in the CTIX application.

Before you Start

  • Your user group must have Feed Sources permission.

  • You must have the URL, username, and password of your RiskIQ PassiveTotal account.

Steps

  1. Sign in to the CTIX application.

  2. From Administration, navigate to Integration Management and select the APIs under FEED SOURCES.

  3. Click Add API source.

  4. Use the search bar to locate RISKIQ and click on the app.

  5. Click Add Instance.

  6. Enter the Instance name, base URL, user name, and password.

    The password is the API access key that you can get from the Account Settings page of your RiskIQ account. You can get the user name and the key from the API Access section.

    Note

    Use https://api.passivetotal.org as the base URL.

  7. To secure the connection between CTIX and the RiskIQ server, select Verify SSL so that CTIX validates the RiskIQ server's TLS certificate before sending the API access key. Leave this disabled only for testing, since an unverified connection can be intercepted by anyone on the network path.

  8. Click Save.

Configure Feed Channels for the RiskIQ Integration

After configuring your application, you have to configure the Feed Channels for your integration. This integration has one feed channel Fetch Article Feeds.

The STIX objects that are fetched from the feeds received through this integration are:

  • Report

  • Indicator

  • AttackPattern

  • CustomObjects

  • Identity

  • Observables

Steps

  1. From Administration, navigate to the Integration Management and select APIs under FEED SOURCES.

  2. Use the search bar to locate RISKIQ and click on the app.

  3. Click the ellipsis on the right-hand side and select Manage.

  4. On the Manage Instance page, click Manage Feed Channels.

  5. Select Fetch Article Feeds.

  6. Enable the Article Feeds and enter the last polled date. The first poll fetches articles published after this date.

  7. Enter the name of the collection in which the article feed data will go. The system creates this collection and puts all the article feeds into it.

  8. Select the Polling Cron Schedule to specify how to poll your RiskIQ account for article feeds.

    • Select Manual to manually poll for the article feeds.

    • Select Auto to automatically poll for the article feeds. Enter a frequency in minutes for the automatic polling.

  9. Select a default TLP to assign for the article feeds.

  10. Set a default confidence score for the article feeds.

  11. Select any tags that you may want to associate with the article feeds.

  12. Enable Broken Connection Retry Policy to allow the CTIX application to re-attempt any failed connection to your RiskIQ account. By default, the system attempts the connection 10 times; you can change this with the retry count.

    • You can enter the retry interval unit in minutes, days, or weeks and also specify the retry interval and the retry count.

    • Enable Exponential Backoff Entry to progressively extend the wait time between retries for consecutive error responses. For example, with a 10-minute retry interval, the retries are spaced 10, 100, 1000, 10000 minutes apart, and so on, until the retry count is reached. Use this option to give your system resources some breathing time and to recover from service overload.

  13. Click Save.

You can configure multiple instances of this integration by clicking Manage and Add More.
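The following stand-alone poller is an added example, not Cyware's or RiskIQ's code, and shows how the instance settings (base URL, user name, API access key as password, Verify SSL) and the feed-channel retry policy (interval, unit, count, exponential backoff) fit together. It assumes, since the page does not say so, that PassiveTotal takes the user name and API key as HTTP Basic credentials, that the article feed is served from /v2/articles with a createdAfter filter, that exponential backoff multiplies the interval tenfold per failure (the page's 10, 100, 1000 example), and that the retry count is the number of retries after the first attempt. The HTTP transport is injected so it runs offline against a constructed sample feed.

```python
"""Offline model of the CTIX -> RiskIQ PassiveTotal feed poller (added example).

Assumptions not stated on the page: HTTP Basic auth with user name + API key,
article feed at /v2/articles?createdAfter=..., tenfold exponential backoff,
retry count = retries after the first attempt.
"""
import base64
import ssl
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable

BASE_URL = "https://api.passivetotal.org"  # base URL given on the page

# Constructed sample feed body; not real RiskIQ output.
SAMPLE_FEED = {"articles": [{"guid": "sample-0001", "title": "constructed article",
                             "indicators": [{"type": "domain", "value": "example.test"}]}]}


class ConnectionDown(Exception):
    """Raised by the transport when the RiskIQ API cannot be reached."""


@dataclass
class RetryPolicy:
    """Mirrors the Broken Connection Retry Policy fields on the feed channel."""
    interval: int             # retry interval, expressed in `unit`
    count: int = 10           # retry count; the page's default is 10
    unit: str = "minutes"     # minutes, days or weeks
    exponential: bool = False

    def schedule(self) -> list:
        """Minutes to wait before each retry. Exponential backoff grows the
        interval tenfold per consecutive failure (assumed from the page's example)."""
        base = self.interval * {"minutes": 1, "days": 1440, "weeks": 10080}[self.unit]
        return [base * (10 ** i if self.exponential else 1) for i in range(self.count)]


def basic_auth_header(username: str, api_key: str) -> str:
    """CTIX's 'password' field is the API access key; send it as HTTP Basic (assumed)."""
    token = base64.b64encode(f"{username}:{api_key}".encode()).decode()
    return f"Basic {token}"


def make_ssl_context(verify_ssl: bool) -> ssl.SSLContext:
    """'Verify SSL' = validate the server certificate and host name. Disabling it
    lets an on-path attacker present any certificate and read the API key."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(username, api_key, last_polled, base_url=BASE_URL):
    """Request for articles created after `last_polled` (ISO date).
    Endpoint path and parameter name are assumptions."""
    req = urllib.request.Request(f"{base_url}/v2/articles?createdAfter={last_polled}")
    req.add_header("Authorization", basic_auth_header(username, api_key))
    return req


def poll_articles(transport: Callable[[], dict], policy: RetryPolicy, sleep=time.sleep) -> dict:
    """Call `transport` until it returns a feed, waiting per `policy` between failures."""
    waits = policy.schedule()
    retries = 0
    while True:
        try:
            return transport()
        except ConnectionDown:
            if retries >= policy.count:
                raise                        # retry count exhausted: surface the outage
            sleep(waits[retries] * 60)       # minutes -> seconds
            retries += 1


def flaky_transport(failures: int, payload: dict) -> Callable[[], dict]:
    """Constructed transport that raises ConnectionDown `failures` times, then succeeds."""
    state = {"left": failures}

    def call():
        if state["left"] > 0:
            state["left"] -= 1
            raise ConnectionDown("constructed outage")
        return payload
    return call


def simulate(failures: int, policy: RetryPolicy):
    """Run the poller offline; return (succeeded, waits in seconds it would have slept)."""
    waits = []
    try:
        poll_articles(flaky_transport(failures, SAMPLE_FEED), policy, sleep=waits.append)
        return True, waits
    except ConnectionDown:
        return False, waits


if __name__ == "__main__":
    req = build_request("analyst@example.com", "api-key-from-account-settings", "2024-01-01")
    print(req.full_url, req.get_header("Authorization"))
    print(RetryPolicy(10, 5, exponential=True).schedule())    # [10, 100, 1000, 10000, 100000]
    print(simulate(2, RetryPolicy(10, 3, exponential=True)))  # (True, [600, 6000])
    print(simulate(4, RetryPolicy(10, 3)))                    # (False, [600, 600, 600])
```

A live call would be `urllib.request.urlopen(build_request(...), context=make_ssl_context(True))`; the context built with `verify_ssl=False` is what an unchecked Verify SSL box amounts to, and is the setting to avoid outside a lab.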

Poll for Feeds Manually

If you enable Auto Polling while configuring feed channels, the polling will be done automatically. However, if you want to poll for information manually, use the following process.

  1. From Administration, navigate to Integration Management and select APIs under FEED SOURCES.

  2. Use the search bar to locate RISKIQ and click on the app.

  3. Select the feed channel.

  4. Click the feed channel ellipsis and choose Poll Now.

View RiskIQ Feeds on CTIX

After configuring the RiskIQ integration on the CTIX application, you can view the intel received on the CTIX application.

  1. From Administration, navigate to the Integration Management and select APIs under FEED SOURCES.

  2. Select RiskIQ, and select a feed channel.

  3. Click the feed channel ellipsis, and select View Intel. The IOCs received in the article feeds from this source can be seen in Threat Data.