PassiveTotal v2

Analyze and understand threat infrastructure from a variety of sources (passive DNS, active DNS, WHOIS, SSL certificates and more) without devoting resources to time-intensive manual threat research and analysis. This integration was integrated and tested with the enterprise version of PassiveTotal v2.

Configure PassiveTotal v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for PassiveTotal v2.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
|---|---|---|
| url | API URL | True |
| username | Username | True |
| secret | API Secret | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| request_timeout | HTTP(S) Request Timeout (in seconds) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

pt-whois-search


Gets WHOIS information records based on field matching queries.

Base Command

pt-whois-search

Input

| Argument Name | Description | Required |
|---|---|---|
| query | Query value to use in your request. | Required |
| field | WHOIS field to execute the search on: domain, email, name, organization, address, phone, nameserver. | Required |

Context Output

| Path | Type | Description |
|---|---|---|
| Domain.Name | String | The domain name, for example: 'google.com'. |
| Domain.WHOIS.CreationDate | Date | The date that the domain was created. |
| Domain.WHOIS.UpdatedDate | Date | The date that the domain was last updated. |
| Domain.WHOIS.ExpirationDate | Date | The expiration date of the domain. |
| Domain.WHOIS.NameServers | String | Name servers of the domain. |
| Domain.Organization | String | The organization of the domain. |
| Domain.Admin.Email | String | The email address of the domain administrator. |
| Domain.Admin.Name | String | The name of the domain administrator. |
| Domain.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.Admin.Country | String | The country of the domain administrator. |
| Domain.Registrant.Email | String | The email address of the registrant. |
| Domain.Registrant.Name | String | The name of the registrant. |
| Domain.Registrant.Phone | String | The phone number for receiving abuse reports. |
| Domain.Registrant.Country | String | The country of the registrant. |
| Domain.WHOIS.Admin.Email | String | The email address of the domain administrator. |
| Domain.WHOIS.Admin.Name | String | The name of the domain administrator. |
| Domain.WHOIS.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.WHOIS.Admin.Country | String | The country of the domain administrator. |
| Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: 'GoDaddy'. |
| Domain.WHOIS.Registrant.Email | String | The email address of the registrant. |
| Domain.WHOIS.Registrant.Name | String | The name of the registrant. |
| Domain.WHOIS.Registrant.Phone | String | The phone number for receiving abuse reports. |
| Domain.WHOIS.Registrant.Country | String | The country of the registrant. |
| PassiveTotal.WHOIS.domain | String | The domain name, for example: 'google.com'. |
| PassiveTotal.WHOIS.registrar | String | The name of the registrar of the domain. |
| PassiveTotal.WHOIS.whoisServer | String | The WHOIS server that holds the domain's registration details. |
| PassiveTotal.WHOIS.registered | Date | The date that the domain was registered. |
| PassiveTotal.WHOIS.expiresAt | Date | The expiration date of the domain. |
| PassiveTotal.WHOIS.registryUpdatedAt | Date | The date when the registry record was last updated. |
| PassiveTotal.WHOIS.lastLoadedAt | Date | The date when the WHOIS record was last loaded. |
| PassiveTotal.WHOIS.nameServers | String | Name servers of the domain. |
| PassiveTotal.WHOIS.organization | String | The organization of the domain. |
| PassiveTotal.WHOIS.name | String | The name associated with the domain. |
| PassiveTotal.WHOIS.telephone | String | The telephone number from the domain's WHOIS details. |
| PassiveTotal.WHOIS.contactEmail | String | The contact email address of the domain owner. |
| PassiveTotal.WHOIS.registrantEmail | String | The email address of the domain registrant. |
| PassiveTotal.WHOIS.registrantFax | String | The fax number of the domain registrant. |
| PassiveTotal.WHOIS.registrantName | String | The name of the domain registrant. |
| PassiveTotal.WHOIS.registrantOrganization | String | The organization of the domain registrant. |
| PassiveTotal.WHOIS.registrantStreet | String | The street of the domain registrant. |
| PassiveTotal.WHOIS.registrantCity | String | The city of the domain registrant. |
| PassiveTotal.WHOIS.registrantState | String | The state of the domain registrant. |
| PassiveTotal.WHOIS.registrantPostalCode | String | The postal code of the domain registrant. |
| PassiveTotal.WHOIS.registrantCountry | String | The country of the domain registrant. |
| PassiveTotal.WHOIS.registrantTelephone | String | The telephone number of the domain registrant. |
| PassiveTotal.WHOIS.adminEmail | String | The email address of the domain administrator. |
| PassiveTotal.WHOIS.adminFax | String | The fax number of the domain administrator. |
| PassiveTotal.WHOIS.adminName | String | The name of the domain administrator. |
| PassiveTotal.WHOIS.adminOrganization | String | The organization of the domain administrator. |
| PassiveTotal.WHOIS.adminStreet | String | The street of the domain administrator. |
| PassiveTotal.WHOIS.adminCity | String | The city of the domain administrator. |
| PassiveTotal.WHOIS.adminState | String | The state of the domain administrator. |
| PassiveTotal.WHOIS.adminPostalCode | String | The postal code of the domain administrator. |
| PassiveTotal.WHOIS.adminCountry | String | The country of the domain administrator. |
| PassiveTotal.WHOIS.adminTelephone | String | The telephone number of the domain administrator. |
| PassiveTotal.WHOIS.billingEmail | String | The email address of the domain billing contact. |
| PassiveTotal.WHOIS.billingFax | String | The fax number of the domain billing contact. |
| PassiveTotal.WHOIS.billingName | String | The name of the domain billing contact. |
| PassiveTotal.WHOIS.billingOrganization | String | The organization of the domain billing contact. |
| PassiveTotal.WHOIS.billingStreet | String | The street of the domain billing contact. |
| PassiveTotal.WHOIS.billingCity | String | The city of the domain billing contact. |
| PassiveTotal.WHOIS.billingState | String | The state of the domain billing contact. |
| PassiveTotal.WHOIS.billingPostalCode | String | The postal code of the domain billing contact. |
| PassiveTotal.WHOIS.billingCountry | String | The country of the domain billing contact. |
| PassiveTotal.WHOIS.billingTelephone | String | The telephone number of the domain billing contact. |
| PassiveTotal.WHOIS.techEmail | String | The email address of the domain technical contact. |
| PassiveTotal.WHOIS.techFax | String | The fax number of the domain technical contact. |
| PassiveTotal.WHOIS.techName | String | The name of the domain technical contact. |
| PassiveTotal.WHOIS.techOrganization | String | The organization of the domain technical contact. |
| PassiveTotal.WHOIS.techStreet | String | The street of the domain technical contact. |
| PassiveTotal.WHOIS.techCity | String | The city of the domain technical contact. |
| PassiveTotal.WHOIS.techState | String | The state of the domain technical contact. |
| PassiveTotal.WHOIS.techPostalCode | String | The postal code of the domain technical contact. |
| PassiveTotal.WHOIS.techCountry | String | The country of the domain technical contact. |
| PassiveTotal.WHOIS.techTelephone | String | The telephone number of the domain technical contact. |

Command Example

!pt-whois-search field=domain query=riskiq.com

Context Example

{
"DBotScore": [
{
"Indicator": "riskiq.com",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
}
],
"Domain": [
{
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"Name": "riskiq.com",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Organization": "RiskIQ, Inc.",
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800",
"WHOIS": {
"Admin": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"CreationDate": "2006-01-11T16:00:00.000-0800",
"ExpirationDate": "2017-01-11T16:00:00.000-0800",
"NameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"Registrant": {
"Country": "us",
"Email": "domains@riskiq.com",
"Name": "Risk IQ",
"Phone": "18884154447"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GODADDY.COM, LLC"
},
"UpdatedDate": "2014-12-08T16:00:00.000-0800"
}
}
],
"PassiveTotal": {
"WHOIS": {
"adminCity": "san francisco",
"adminCountry": "us",
"adminEmail": "domains@riskiq.com",
"adminName": "Risk IQ",
"adminOrganization": "RiskIQ, Inc.",
"adminPostalCode": "94111",
"adminState": "california",
"adminStreet": "22 Battery Street\n10th Floor",
"adminTelephone": "18884154447",
"contactEmail": "domains@riskiq.com",
"domain": "riskiq.com",
"expiresAt": "2017-01-11T16:00:00.000-0800",
"lastLoadedAt": "2016-09-27T09:40:31.180-0700",
"name": "Risk IQ",
"nameServers": [
"luke.ns.cloudflare.com",
"serena.ns.cloudflare.com"
],
"organization": "RiskIQ, Inc.",
"registered": "2006-01-11T16:00:00.000-0800",
"registrantCity": "san francisco",
"registrantCountry": "us",
"registrantEmail": "domains@riskiq.com",
"registrantName": "Risk IQ",
"registrantOrganization": "RiskIQ, Inc.",
"registrantPostalCode": "94111",
"registrantState": "california",
"registrantStreet": "22 Battery Street\n10th Floor",
"registrantTelephone": "18884154447",
"registrar": "GODADDY.COM, LLC",
"registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
"techCity": "san francisco",
"techCountry": "us",
"techEmail": "domains@riskiq.com",
"techName": "Risk IQ",
"techOrganization": "RiskIQ, Inc.",
"techPostalCode": "94111",
"techState": "california",
"techStreet": "22 Battery Street\n10th Floor",
"techTelephone": "18884154447",
"telephone": "18884154447",
"whoisServer": "whois.godaddy.com"
}
}
}

Human Readable Output

Total Retrieved Record(s): 2

Associated Domains

| Domain | WHOIS Server | Registrar | Contact Email | Name Servers | Registrant | Admin | Tech | Creation Date (GMT) | Expire Date (GMT) | Updated Date (GMT) | Last Scanned (GMT) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| riskiq.com | whois.godaddy.com | GODADDY.COM, LLC | domains@riskiq.com | luke.ns.cloudflare.com, serena.ns.cloudflare.com | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | 2006-01-11T16:00:00.000-0800 | 2017-01-11T16:00:00.000-0800 | 2014-12-08T16:00:00.000-0800 | 2016-09-27T09:40:31.180-0700 |

pt-get-components


Retrieves the host attribute components for a domain or IP address. A maximum of 2000 records is fetched.

Base Command

pt-get-components

Input

| Argument Name | Description | Required |
|---|---|---|
| query | Domain or IP address you want to search components for. | Required |
| start | Return only records whose last seen is after this datetime. Accepts the "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |
| end | Return only records whose first seen is before this datetime. Accepts the "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| Domain.Name | String | The domain name, for example: "google.com". |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| IP.Address | String | The IP address of the component. |
| PassiveTotal.Component.firstSeen | Date | The date and time when the component was first observed. |
| PassiveTotal.Component.lastSeen | Date | The date and time when the component was most recently observed. |
| PassiveTotal.Component.version | String | The version of the component. |
| PassiveTotal.Component.category | String | The category under which the component falls. |
| PassiveTotal.Component.label | String | The value of the component. |
| PassiveTotal.Component.hostname | String | The hostname of the component. |
| PassiveTotal.Component.address | String | The IP address of the component. |

Command Example

!pt-get-components query=www.furth.com.ar

Context Example

{
"DBotScore": {
"Indicator": "www.furth.com.ar",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
},
"Domain": {
"Name": "www.furth.com.ar"
},
"PassiveTotal": {
"Component": [
{
"category": "Framework",
"firstSeen": "2020-05-29 10:57:44",
"hostname": "www.furth.com.ar",
"label": "PHP",
"lastSeen": "2020-05-29 10:57:44"
},
{
"category": "Server",
"firstSeen": "2020-05-29 10:57:44",
"hostname": "www.furth.com.ar",
"label": "Apache",
"lastSeen": "2020-05-29 10:57:44"
},
{
"category": "Server Module",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "mod_bwlimited",
"lastSeen": "2017-10-24 15:53:52",
"version": "1.4"
},
{
"category": "Server Module",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "OpenSSL",
"lastSeen": "2017-10-24 15:53:52",
"version": "1.0.1e-fips"
},
{
"category": "Server",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "Apache",
"lastSeen": "2017-10-24 15:53:52",
"version": "2.2.29"
},
{
"category": "Operating System",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "Unix",
"lastSeen": "2017-10-24 15:53:52"
},
{
"category": "Server Module",
"firstSeen": "2016-01-11 23:45:15",
"hostname": "www.furth.com.ar",
"label": "mod_ssl",
"lastSeen": "2017-10-24 15:53:52",
"version": "2.2.29"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 7

COMPONENTS

| Hostname | First (GMT) | Last (GMT) | Category | Value | Version |
|---|---|---|---|---|---|
| www.furth.com.ar | 2020-05-29 10:57:44 | 2020-05-29 10:57:44 | Framework | PHP | |
| www.furth.com.ar | 2020-05-29 10:57:44 | 2020-05-29 10:57:44 | Server | Apache | |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Server Module | mod_bwlimited | 1.4 |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Server Module | OpenSSL | 1.0.1e-fips |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Server | Apache | 2.2.29 |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Operating System | Unix | |
| www.furth.com.ar | 2016-01-11 23:45:15 | 2017-10-24 15:53:52 | Server Module | mod_ssl | 2.2.29 |

pt-get-trackers


Retrieves the host attribute trackers for a domain or IP address. A maximum of 2000 records is fetched.

Base Command

pt-get-trackers

Input

| Argument Name | Description | Required |
|---|---|---|
| query | Domain or IP address you want to search trackers for. | Required |
| start | Return only records whose last seen is after this datetime. Accepts the "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |
| end | Return only records whose first seen is before this datetime. Accepts the "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| Domain.Name | String | The domain name, for example: "google.com". |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| IP.Address | String | The IP address of the tracker. |
| PassiveTotal.Tracker.firstSeen | Date | The date and time when the tracker was first observed. |
| PassiveTotal.Tracker.lastSeen | Date | The date and time when the tracker was most recently observed. |
| PassiveTotal.Tracker.attributeValue | String | The value of the tracker. |
| PassiveTotal.Tracker.attributeType | String | The type under which the tracker falls. |
| PassiveTotal.Tracker.hostname | String | The hostname of the tracker. |
| PassiveTotal.Tracker.address | String | The IP address of the tracker. |

Command Example

!pt-get-trackers query=filmesonlinegratis.net

Context Example

{
"DBotScore": [
{
"Indicator": "filmesonlinegratis.net",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
},
{
"Indicator": "www.filmesonlinegratis.net",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
}
],
"Domain": [
{
"Name": "filmesonlinegratis.net"
},
{
"Name": "www.filmesonlinegratis.net"
}
],
"PassiveTotal": {
"Tracker": [
{
"attributeType": "GoogleAnalyticsTrackingId",
"attributeValue": "ua-70630818-3",
"firstSeen": "2016-10-14 10:16:38",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2020-06-14 19:43:28"
},
{
"attributeType": "GoogleAnalyticsAccountNumber",
"attributeValue": "ua-70630818",
"firstSeen": "2016-10-14 10:16:38",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2020-06-14 19:43:28"
},
{
"attributeType": "GoogleAnalyticsAccountNumber",
"attributeValue": "ua-11598035",
"firstSeen": "2012-03-07 05:53:50",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2016-10-13 15:38:35"
},
{
"attributeType": "GoogleAnalyticsTrackingId",
"attributeValue": "ua-11598035-1",
"firstSeen": "2012-03-07 05:53:50",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2016-10-13 15:38:35"
},
{
"attributeType": "GoogleAnalyticsTrackingId",
"attributeValue": "ua-11598035-1",
"firstSeen": "2014-02-11 01:30:40",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2016-09-13 03:54:34"
},
{
"attributeType": "GoogleAnalyticsAccountNumber",
"attributeValue": "ua-11598035",
"firstSeen": "2014-02-11 01:30:40",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2016-09-13 03:54:34"
},
{
"attributeType": "TumblrId",
"attributeValue": "25.media",
"firstSeen": "2016-07-02 00:46:33",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2016-09-02 11:09:30"
},
{
"attributeType": "FacebookId",
"attributeValue": "filmesog",
"firstSeen": "2012-11-27 06:06:44",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2015-09-26 05:52:23"
},
{
"attributeType": "FacebookId",
"attributeValue": "filmesog",
"firstSeen": "2014-02-11 01:30:40",
"hostname": "filmesonlinegratis.net",
"lastSeen": "2015-09-24 05:12:39"
},
{
"attributeType": "WhosAmungUsId",
"attributeValue": "6cdg",
"firstSeen": "2012-03-07 05:53:50",
"hostname": "www.filmesonlinegratis.net",
"lastSeen": "2012-03-07 16:00:45"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 10

TRACKERS

| Hostname | First (GMT) | Last (GMT) | Type | Value |
|---|---|---|---|---|
| filmesonlinegratis.net | 2016-10-14 10:16:38 | 2020-06-14 19:43:28 | GoogleAnalyticsTrackingId | ua-70630818-3 |
| filmesonlinegratis.net | 2016-10-14 10:16:38 | 2020-06-14 19:43:28 | GoogleAnalyticsAccountNumber | ua-70630818 |
| www.filmesonlinegratis.net | 2012-03-07 05:53:50 | 2016-10-13 15:38:35 | GoogleAnalyticsAccountNumber | ua-11598035 |
| www.filmesonlinegratis.net | 2012-03-07 05:53:50 | 2016-10-13 15:38:35 | GoogleAnalyticsTrackingId | ua-11598035-1 |
| filmesonlinegratis.net | 2014-02-11 01:30:40 | 2016-09-13 03:54:34 | GoogleAnalyticsTrackingId | ua-11598035-1 |
| filmesonlinegratis.net | 2014-02-11 01:30:40 | 2016-09-13 03:54:34 | GoogleAnalyticsAccountNumber | ua-11598035 |
| www.filmesonlinegratis.net | 2016-07-02 00:46:33 | 2016-09-02 11:09:30 | TumblrId | 25.media |
| www.filmesonlinegratis.net | 2012-11-27 06:06:44 | 2015-09-26 05:52:23 | FacebookId | filmesog |
| filmesonlinegratis.net | 2014-02-11 01:30:40 | 2015-09-24 05:12:39 | FacebookId | filmesog |
| www.filmesonlinegratis.net | 2012-03-07 05:53:50 | 2012-03-07 16:00:45 | WhosAmungUsId | 6cdg |
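Tracker records are most useful as a pivot: hosts that embed the same analytics account or social-media id are usually run by the same operator, so a shared id is a way to expand an investigation or a block list from one known-bad host to its siblings. The following is an added example, not the integration's own code; it indexes the pt-get-trackers records shown above (constructed here from the context example, trimmed to the fields used) and reports which trackers link which hostnames. In this sample both hosts belong to one domain, so the link is unsurprising; the same logic across unrelated domains is what surfaces shared operators.

```python
"""Pivot on PassiveTotal tracker records (added example, not the integration's code)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: the PassiveTotal.Tracker records from the context example above.
SAMPLE_TRACKERS = [
    {"attributeType": "GoogleAnalyticsTrackingId", "attributeValue": "ua-70630818-3", "hostname": "filmesonlinegratis.net"},
    {"attributeType": "GoogleAnalyticsAccountNumber", "attributeValue": "ua-70630818", "hostname": "filmesonlinegratis.net"},
    {"attributeType": "GoogleAnalyticsAccountNumber", "attributeValue": "ua-11598035", "hostname": "www.filmesonlinegratis.net"},
    {"attributeType": "GoogleAnalyticsTrackingId", "attributeValue": "ua-11598035-1", "hostname": "www.filmesonlinegratis.net"},
    {"attributeType": "GoogleAnalyticsTrackingId", "attributeValue": "ua-11598035-1", "hostname": "filmesonlinegratis.net"},
    {"attributeType": "GoogleAnalyticsAccountNumber", "attributeValue": "ua-11598035", "hostname": "filmesonlinegratis.net"},
    {"attributeType": "TumblrId", "attributeValue": "25.media", "hostname": "www.filmesonlinegratis.net"},
    {"attributeType": "FacebookId", "attributeValue": "filmesog", "hostname": "www.filmesonlinegratis.net"},
    {"attributeType": "FacebookId", "attributeValue": "filmesog", "hostname": "filmesonlinegratis.net"},
    {"attributeType": "WhosAmungUsId", "attributeValue": "6cdg", "hostname": "www.filmesonlinegratis.net"},
]

TrackerKey = Tuple[str, str]  # (attributeType, normalised attributeValue)


def account_number(tracking_id: str) -> str:
    """Reduce a Google Analytics tracking id 'ua-<account>-<property>' to its
    account 'ua-<account>'; the page's data shows both forms side by side.
    Values that are not in that shape are returned unchanged (lower-cased)."""
    parts = tracking_id.lower().split("-")
    if len(parts) == 3 and parts[0] == "ua":
        return "-".join(parts[:2])
    return tracking_id.lower()


def index_by_tracker(records: List[Dict[str, str]]) -> Dict[TrackerKey, Set[str]]:
    """Map each (type, value) tracker to the set of hostnames that carried it."""
    index: Dict[TrackerKey, Set[str]] = defaultdict(set)
    for rec in records:
        key = (rec["attributeType"], rec["attributeValue"].lower())
        index[key].add(rec["hostname"])
        # Also file tracking ids under their parent account so that two hosts using
        # different properties of the same analytics account still link up.
        if rec["attributeType"] == "GoogleAnalyticsTrackingId":
            parent = ("GoogleAnalyticsAccountNumber", account_number(rec["attributeValue"]))
            index[parent].add(rec["hostname"])
    return index


def shared_trackers(records: List[Dict[str, str]], min_hosts: int = 2) -> Dict[TrackerKey, List[str]]:
    """Trackers observed on at least `min_hosts` distinct hostnames."""
    return {key: sorted(hosts)
            for key, hosts in index_by_tracker(records).items()
            if len(hosts) >= min_hosts}


def pivot_hosts(records: List[Dict[str, str]], hostname: str) -> List[str]:
    """Hostnames linked to `hostname` through at least one shared tracker."""
    linked: Set[str] = set()
    for hosts in index_by_tracker(records).values():
        if hostname in hosts:
            linked |= hosts
    linked.discard(hostname)
    return sorted(linked)


if __name__ == "__main__":
    for (ttype, value), hosts in shared_trackers(SAMPLE_TRACKERS).items():
        print(f"{ttype}={value} shared by {', '.join(hosts)}")
    print("pivot from filmesonlinegratis.net:", pivot_hosts(SAMPLE_TRACKERS, "filmesonlinegratis.net"))
```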

pt-get-pdns-details


Retrieves the passive DNS results from active account sources.

Base Command

pt-get-pdns-details

Input

| Argument Name | Description | Required |
|---|---|---|
| query | The domain or IP being queried. | Required |
| start | Return only records whose last seen is after this datetime. Accepts the "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |
| end | Return only records whose first seen is before this datetime. Accepts the "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| PassiveTotal.PDNS.resolve | String | The host or IP address that the passive DNS record resolves to. |
| PassiveTotal.PDNS.resolveType | String | The type of the resolve, e.g. domain, ip, host. |
| PassiveTotal.PDNS.value | String | The value of the passive DNS record. |
| PassiveTotal.PDNS.source | String | Source of the passive DNS record. |
| PassiveTotal.PDNS.firstSeen | String | First seen timestamp of the passive DNS record. |
| PassiveTotal.PDNS.lastSeen | String | Last seen timestamp of the passive DNS record. |
| PassiveTotal.PDNS.collected | String | The date when the passive DNS record was collected. |
| PassiveTotal.PDNS.recordType | String | The type of the passive DNS record, e.g. CNAME, SOA, A. |
| PassiveTotal.PDNS.recordHash | String | The hash value of the passive DNS record. |
| Domain.Name | String | The domain name, for example: 'google.com'. |
| IP.Address | String | The IP address from the passive DNS record. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!pt-get-pdns-details query=www.furth.com.ar

Context Example

{
"DBotScore": [
{
"Indicator": "furth.com.ar",
"Score": 0,
"Type": "domain",
"Vendor": "PassiveTotal"
},
{
"Indicator": "77.81.241.5",
"Score": 0,
"Type": "ip",
"Vendor": "PassiveTotal"
},
{
"Indicator": "184.75.255.33",
"Score": 0,
"Type": "ip",
"Vendor": "PassiveTotal"
}
],
"Domain": {
"Name": "furth.com.ar"
},
"IP": [
{
"Address": "77.81.241.5"
},
{
"Address": "184.75.255.33"
}
],
"PassiveTotal": {
"PDNS": [
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2010-12-15 09:10:10",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "abf781b2484ea79d521cffb0745b71319d4db1158f71bb019b41077f8e55b035",
"recordType": "CNAME",
"resolve": "furth.com.ar",
"resolveType": "domain",
"source": [
"riskiq",
"pingly"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2020-05-29 03:57:44",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "d7183564ca617e173fc26aeff66a38bb5c1b9089e56819851183860b9a37ccca",
"recordType": "A",
"resolve": "77.81.241.5",
"resolveType": "ip",
"source": [
"riskiq",
"pingly"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2016-01-11 15:45:15",
"lastSeen": "2017-10-24 08:53:52",
"recordHash": "345780dcde96f0c28e3b93ec53bd33067f26075f30c2d4e49fafe0d2396194ca",
"recordType": "A",
"resolve": "184.75.255.33",
"resolveType": "ip",
"source": [
"riskiq"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2020-06-17 05:26:33",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "63deb7c38cbea98f631777fd3ba89de0c270178bd37eb6a270ee7e37b3cd92e5",
"recordType": "SOA",
"resolve": "webmaster@furth.com.ar",
"resolveType": "email",
"source": [
"pingly"
],
"value": "www.furth.com.ar"
},
{
"collected": "2020-06-17 12:26:33",
"firstSeen": "2020-06-17 05:26:33",
"lastSeen": "2020-06-17 05:26:33",
"recordHash": "24fa99da36eecc22b8970a33f8adf0f150598391319df4fc02128d677999e886",
"recordType": "MX",
"resolve": "furth.com.ar",
"resolveType": "domain",
"source": [
"pingly"
],
"value": "www.furth.com.ar"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 5

PDNS detail(s)

| Resolve | Resolve Type | Record Type | Collected (GMT) | First (GMT) | Last (GMT) | Source | Record Hash |
|---|---|---|---|---|---|---|---|
| furth.com.ar | domain | CNAME | 2020-06-17 12:26:33 | 2010-12-15 09:10:10 | 2020-06-17 05:26:33 | riskiq, pingly | abf781b2484ea79d521cffb0745b71319d4db1158f71bb019b41077f8e55b035 |
| 77.81.241.5 | ip | A | 2020-06-17 12:26:33 | 2020-05-29 03:57:44 | 2020-06-17 05:26:33 | riskiq, pingly | d7183564ca617e173fc26aeff66a38bb5c1b9089e56819851183860b9a37ccca |
| 184.75.255.33 | ip | A | 2020-06-17 12:26:33 | 2016-01-11 15:45:15 | 2017-10-24 08:53:52 | riskiq | 345780dcde96f0c28e3b93ec53bd33067f26075f30c2d4e49fafe0d2396194ca |
| webmaster@furth.com.ar | email | SOA | 2020-06-17 12:26:33 | 2020-06-17 05:26:33 | 2020-06-17 05:26:33 | pingly | 63deb7c38cbea98f631777fd3ba89de0c270178bd37eb6a270ee7e37b3cd92e5 |
| furth.com.ar | domain | MX | 2020-06-17 12:26:33 | 2020-06-17 05:26:33 | 2020-06-17 05:26:33 | pingly | 24fa99da36eecc22b8970a33f8adf0f150598391319df4fc02128d677999e886 |
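Two details of this command are easy to get wrong when the output is consumed in a playbook: the start/end arguments are an interval-overlap filter (start tests lastSeen, end tests firstSeen, so a record that straddles the window is kept), and only resolves of type domain and ip become Domain, IP and DBotScore entries, with repeated resolves (furth.com.ar appears for both the CNAME and the MX record) collapsed into one indicator. The following is an added example, not the integration's own code; it implements both behaviours over records constructed from the context example above. The integration's actual context lists may be rendered as a single object when they hold one entry, as Domain is above.

```python
"""Window filter and indicator extraction for pt-get-pdns-details records
(added example, not the integration's code)."""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the PassiveTotal.PDNS records from the context example above,
# trimmed to the fields this example uses.
SAMPLE_PDNS = [
    {"recordType": "CNAME", "resolve": "furth.com.ar", "resolveType": "domain",
     "firstSeen": "2010-12-15 09:10:10", "lastSeen": "2020-06-17 05:26:33"},
    {"recordType": "A", "resolve": "77.81.241.5", "resolveType": "ip",
     "firstSeen": "2020-05-29 03:57:44", "lastSeen": "2020-06-17 05:26:33"},
    {"recordType": "A", "resolve": "184.75.255.33", "resolveType": "ip",
     "firstSeen": "2016-01-11 15:45:15", "lastSeen": "2017-10-24 08:53:52"},
    {"recordType": "SOA", "resolve": "webmaster@furth.com.ar", "resolveType": "email",
     "firstSeen": "2020-06-17 05:26:33", "lastSeen": "2020-06-17 05:26:33"},
    {"recordType": "MX", "resolve": "furth.com.ar", "resolveType": "domain",
     "firstSeen": "2020-06-17 05:26:33", "lastSeen": "2020-06-17 05:26:33"},
]

# resolveType -> DBotScore indicator type. Types not listed here (email, host)
# produce no indicator, which matches the context example above.
INDICATOR_TYPES = {"domain": "domain", "ip": "ip"}


def parse_datetime(value: str) -> datetime:
    """Accept the two formats the start/end arguments document."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unsupported datetime format: {value!r}")


def filter_window(records: List[Dict[str, str]],
                  start: Optional[str] = None,
                  end: Optional[str] = None) -> List[Dict[str, str]]:
    """start keeps records whose lastSeen is after it; end keeps records whose
    firstSeen is before it. Together they keep every record whose observation
    interval overlaps the window, including records that straddle it."""
    start_dt = parse_datetime(start) if start else None
    end_dt = parse_datetime(end) if end else None
    kept = []
    for rec in records:
        if start_dt is not None and not parse_datetime(rec["lastSeen"]) > start_dt:
            continue
        if end_dt is not None and not parse_datetime(rec["firstSeen"]) < end_dt:
            continue
        kept.append(rec)
    return kept


def build_context(records: List[Dict[str, str]], vendor: str = "PassiveTotal") -> Dict[str, list]:
    """Derive Domain, IP and DBotScore entries from PDNS records, emitting each
    distinct (type, resolve) indicator once."""
    context: Dict[str, list] = {"Domain": [], "IP": [], "DBotScore": []}
    seen = set()
    for rec in records:
        itype = INDICATOR_TYPES.get(rec["resolveType"])
        if itype is None or (itype, rec["resolve"]) in seen:
            continue
        seen.add((itype, rec["resolve"]))
        if itype == "domain":
            context["Domain"].append({"Name": rec["resolve"]})
        else:
            context["IP"].append({"Address": rec["resolve"]})
        # Score 0 (unknown): passive DNS records what was observed, not a verdict.
        context["DBotScore"].append({"Indicator": rec["resolve"], "Type": itype,
                                     "Score": 0, "Vendor": vendor})
    return context


if __name__ == "__main__":
    recent = filter_window(SAMPLE_PDNS, start="2020-01-01")
    print(f"{len(recent)} of {len(SAMPLE_PDNS)} records last seen after 2020-01-01")
    print(build_context(SAMPLE_PDNS))
```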

pt-ssl-cert-search


Retrieves SSL certificates for a given field value.

Base Command

pt-ssl-cert-search

Input

| Argument Name | Description | Required |
|---|---|---|
| field | Field by which to search. Allowed values: issuerSurname, subjectOrganizationName, issuerCountry, issuerOrganizationUnitName, fingerprint, subjectOrganizationUnitName, serialNumber, subjectEmailAddress, subjectCountry, issuerGivenName, subjectCommonName, issuerCommonName, issuerStateOrProvinceName, issuerProvince, subjectStateOrProvinceName, sha1, subjectStreetAddress, subjectSerialNumber, issuerOrganizationName, subjectSurname, subjectLocalityName, issuerStreetAddress, issuerLocalityName, subjectGivenName, subjectProvince, issuerSerialNumber, issuerEmailAddress | Required |
| query | Field value for which to search. | Required |

Context Output

| Path | Type | Description |
|---|---|---|
| PassiveTotal.SSL.firstSeen | Number | The epoch timestamp when the SSL certificate was first identified by the system. |
| PassiveTotal.SSL.lastSeen | Number | The epoch timestamp when the SSL certificate was last seen. |
| PassiveTotal.SSL.fingerprint | String | The fingerprint of the SSL certificate. |
| PassiveTotal.SSL.sslVersion | Number | The version of the certificate. |
| PassiveTotal.SSL.expirationDate | String | The expiry date of the certificate. |
| PassiveTotal.SSL.issueDate | String | The issue date of the certificate. |
| PassiveTotal.SSL.sha1 | String | The SHA-1 hash of the certificate. |
| PassiveTotal.SSL.serialNumber | String | The serial number of the certificate. |
| PassiveTotal.SSL.issuerCountry | String | The country name of the certificate issuer. |
| PassiveTotal.SSL.issuerStateOrProvinceName | String | The state or province name of the certificate issuer. |
| PassiveTotal.SSL.issuerCommonName | String | The common name of the issuer. |
| PassiveTotal.SSL.issuerEmailAddress | String | The contact email address of the certificate issuer. |
| PassiveTotal.SSL.issuerProvince | String | The province of the certificate issuer. |
| PassiveTotal.SSL.issuerOrganizationUnitName | String | The organization unit name of the certificate issuer. |
| PassiveTotal.SSL.issuerSurname | String | The surname of the certificate issuer. |
| PassiveTotal.SSL.issuerStreetAddress | String | The street address of the certificate issuer. |
| PassiveTotal.SSL.issuerLocalityName | String | The locality of the certificate issuer. |
| PassiveTotal.SSL.issuerSerialNumber | String | The serial number of the certificate issuer. |
| PassiveTotal.SSL.issuerOrganizationName | String | The organization name of the certificate issuer. |
| PassiveTotal.SSL.issuerGivenName | String | The given name of the certificate issuer. |
| PassiveTotal.SSL.subjectCommonName | String | The common name of the subject. |
| PassiveTotal.SSL.subjectOrganizationName | String | The organization name of the subject of the certificate. |
| PassiveTotal.SSL.subjectOrganizationUnitName | String | The organization unit name of the subject of the certificate. |
| PassiveTotal.SSL.subjectGivenName | String | The given name of the subject of the certificate. |
| PassiveTotal.SSL.subjectSurname | String | The surname of the subject of the certificate. |
| PassiveTotal.SSL.subjectLocalityName | String | The locality of the subject. |
| PassiveTotal.SSL.subjectEmailAddress | String | The contact email address of the subject. |
| PassiveTotal.SSL.subjectProvince | String | The province of the subject. |
| PassiveTotal.SSL.subjectStateOrProvinceName | String | The state or province name of the subject. |
| PassiveTotal.SSL.subjectSerialNumber | String | The serial number of the subject. |
| PassiveTotal.SSL.subjectStreetAddress | String | The street address of the subject. |
| PassiveTotal.SSL.subjectCountry | String | The country name of the subject from the certificate. |
| PassiveTotal.SSL.subjectAlternativeNames | String | The subject alternative names from the certificate details. |

Command Example

!pt-ssl-cert-search field=serialNumber query=61135c80f8ed28d2

Context Example

{
"PassiveTotal": {
"SSL": [
{
"expirationDate": "Apr 09 13:15:00 2019 GMT",
"fingerprint": "88:48:e8:68:b1:90:d0:fd:cb:6f:39:c3:7b:53:82:c8:7e:09:76:b0",
"firstSeen": 1547559631314,
"issueDate": "Jan 15 13:15:00 2019 GMT",
"issuerCommonName": "Google Internet Authority G3",
"issuerCountry": "US",
"issuerOrganizationName": "Google Trust Services",
"lastSeen": 1547607634446,
"serialNumber": "6995036355238373586",
"sha1": "8848e868b190d0fdcb6f39c37b5382c87e0976b0",
"sslVersion": "3",
"subjectAlternativeNames": [
"www.google.com"
],
"subjectCommonName": "www.google.com",
"subjectCountry": "US",
"subjectLocalityName": "Mountain View",
"subjectOrganizationName": "Google LLC",
"subjectProvince": "California",
"subjectStateOrProvinceName": "California"
},
{
"expirationDate": "Apr 09 13:15:00 2019 GMT",
"fingerprint": "99:5b:00:5f:44:be:53:bf:3e:59:21:90:1d:79:a9:8e:54:af:d3:29",
"firstSeen": 1548455641692,
"issueDate": "Jan 15 13:15:00 2019 GMT",
"issuerCommonName": "Google Internet Authority G3",
"issuerCountry": "US",
"issuerOrganizationName": "Google Trust Services",
"lastSeen": 1549571983939,
"serialNumber": "6995036355238373586",
"sha1": "995b005f44be53bf3e5921901d79a98e54afd329",
"sslVersion": "3",
"subjectAlternativeNames": [
"www.google.com"
],
"subjectCommonName": "www.google.com",
"subjectCountry": "US",
"subjectLocalityName": "Mountain View",
"subjectOrganizationName": "Google LLC",
"subjectProvince": "California",
"subjectStateOrProvinceName": "California"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 2

SSL certificate(s)

| Sha1 | Serial Number | Issued (GMT) | Expires (GMT) | SSL Version | First (GMT) | Last (GMT) | Issuer Common Name | Subject Common Name | Subject Alternative Names | Issuer Organization Name | Subject Organization Name | Subject Locality Name | Subject State/Province Name | Issuer Country | Subject Country |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 8848e868b190d0fdcb6f39c37b5382c87e0976b0 | 6995036355238373586 | Jan 15 13:15:00 2019 GMT | Apr 09 13:15:00 2019 GMT | 3 | 2019-01-15 13:40:31 | 2019-01-16 03:00:34 | Google Internet Authority G3 | www.google.com | www.google.com | Google Trust Services | Google LLC | Mountain View | California | US | US |
| 995b005f44be53bf3e5921901d79a98e54afd329 | 6995036355238373586 | Jan 15 13:15:00 2019 GMT | Apr 09 13:15:00 2019 GMT | 3 | 2019-01-25 22:34:01 | 2019-02-07 20:39:43 | Google Internet Authority G3 | www.google.com | www.google.com | Google Trust Services | Google LLC | Mountain View | California | US | US |

pt-get-host-pairs


Retrieves the host attribute pairs related to a domain or IP address. A maximum of 2000 records is fetched.

Base Command

pt-get-host-pairs

Input

| Argument Name | Description | Required |
|---|---|---|
| query | Domain or IP address you want to search host pairs for. | Required |
| direction | The direction in which to search pair records for the given domain. Valid values: children, parents. | Required |
| start | Return only records whose last seen is after this datetime. Accepts the "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |
| end | Return only records whose first seen is before this datetime. Accepts the "yyyy-mm-dd hh:mm:ss" or "yyyy-mm-dd" format. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| PassiveTotal.HostPair.firstSeen | Date | The date and time when the host pair was first observed. |
| PassiveTotal.HostPair.lastSeen | Date | The date and time when the host pair was most recently observed. |
| PassiveTotal.HostPair.cause | String | The cause of the relation between parent and child. |
| PassiveTotal.HostPair.parent | String | The hostname of the parent of the host pair. |
| PassiveTotal.HostPair.child | String | The hostname of the child of the host pair. |

Command Example

!pt-get-host-pairs direction=children query=ns1.furth.com.ar

Context Example

{
"PassiveTotal": {
"HostPair": [
{
"cause": "redirect",
"child": "furth.com.ar",
"firstSeen": "2020-05-29 07:05:22",
"lastSeen": "2020-06-10 11:53:23",
"parent": "ns1.furth.com.ar"
},
{
"cause": "parentPage",
"child": "ns1.furth.com.ar",
"firstSeen": "2020-05-02 06:47:23",
"lastSeen": "2020-06-08 03:08:38",
"parent": "ns1.furth.com.ar"
}
]
}
}

Human Readable Output

Total Retrieved Record(s): 2

HOST PAIRS

| Parent Hostname | Child Hostname | First (GMT) | Last (GMT) | Cause |
|---|---|---|---|---|
| ns1.furth.com.ar | furth.com.ar | 2020-05-29 07:05:22 | 2020-06-10 11:53:23 | redirect |
| ns1.furth.com.ar | ns1.furth.com.ar | 2020-05-02 06:47:23 | 2020-06-08 03:08:38 | parentPage |

domain


Provides data enrichment for domains.

Base Command

domain

Input

| Argument Name | Description | Required |
|---|---|---|
| domain | The domain to enrich. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name, for example: 'google.com'. |
| Domain.WHOIS.CreationDate | Date | The date that the domain was created. |
| Domain.WHOIS.UpdatedDate | Date | The date that the domain was last updated. |
| Domain.WHOIS.ExpirationDate | Date | The expiration date of the domain. |
| Domain.WHOIS.NameServers | String | Name servers of the domain. |
| Domain.Organization | String | The organization of the domain. |
| Domain.Admin.Email | String | The email address of the domain administrator. |
| Domain.Admin.Name | String | The name of the domain administrator. |
| Domain.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.Admin.Country | String | The country of the domain administrator. |
| Domain.Registrant.Email | String | The email address of the registrant. |
| Domain.Registrant.Name | String | The name of the registrant. |
| Domain.Registrant.Phone | String | The phone number of the registrant. |
| Domain.Registrant.Country | String | The country of the registrant. |
| Domain.WHOIS.Admin.Email | String | The email address of the domain administrator. |
| Domain.WHOIS.Admin.Name | String | The name of the domain administrator. |
| Domain.WHOIS.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.WHOIS.Admin.Country | String | The country of the domain administrator. |
| Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: 'GoDaddy'. |
| Domain.WHOIS.Registrant.Email | String | The email address of the registrant. |
| Domain.WHOIS.Registrant.Name | String | The name of the registrant. |
| Domain.WHOIS.Registrant.Phone | String | The phone number of the registrant. |
| Domain.WHOIS.Registrant.Country | String | The country of the registrant. |
| PassiveTotal.Domain.domain | String | The domain name, for example: 'google.com'. |
| PassiveTotal.Domain.registrar | String | The name of the registrar of the domain. |
| PassiveTotal.Domain.whoisServer | String | The WHOIS server that holds the registration record for the domain. |
| PassiveTotal.Domain.registered | Date | The date that the domain was registered. |
| PassiveTotal.Domain.expiresAt | Date | The expiration date of the domain. |
| PassiveTotal.Domain.registryUpdatedAt | Date | The date when the registry record was last updated. |
| PassiveTotal.Domain.lastLoadedAt | Date | The date when the WHOIS record was last loaded into PassiveTotal. The other WHOIS fields describe the record as of this date, not the live registry, so check it before acting on expiry or name-server values. |
| PassiveTotal.Domain.nameServers | String | Name servers of the domain. |
| PassiveTotal.Domain.organization | String | The organization of the domain. |
| PassiveTotal.Domain.name | String | The contact name recorded in WHOIS for the domain, for example: 'Risk IQ'. |
| PassiveTotal.Domain.telephone | String | The contact telephone number recorded in WHOIS for the domain. |
| PassiveTotal.Domain.contactEmail | String | The contact email address recorded in WHOIS for the domain. |
| PassiveTotal.Domain.registrantEmail | String | The email address of the domain registrant. |
| PassiveTotal.Domain.registrantFax | String | The fax number of the domain registrant. |
| PassiveTotal.Domain.registrantName | String | The name of the domain registrant. |
| PassiveTotal.Domain.registrantOrganization | String | The organization of the domain registrant. |
| PassiveTotal.Domain.registrantStreet | String | The street of the domain registrant. |
| PassiveTotal.Domain.registrantCity | String | The city of the domain registrant. |
| PassiveTotal.Domain.registrantState | String | The state of the domain registrant. |
| PassiveTotal.Domain.registrantPostalCode | String | The postal code of the domain registrant. |
| PassiveTotal.Domain.registrantCountry | String | The country of the domain registrant. |
| PassiveTotal.Domain.registrantTelephone | String | The telephone number of the domain registrant. |
| PassiveTotal.Domain.adminEmail | String | The email address of the domain administrator. |
| PassiveTotal.Domain.adminFax | String | The fax number of the domain administrator. |
| PassiveTotal.Domain.adminName | String | The name of the domain administrator. |
| PassiveTotal.Domain.adminOrganization | String | The organization of the domain administrator. |
| PassiveTotal.Domain.adminStreet | String | The street of the domain administrator. |
| PassiveTotal.Domain.adminCity | String | The city of the domain administrator. |
| PassiveTotal.Domain.adminState | String | The state of the domain administrator. |
| PassiveTotal.Domain.adminPostalCode | String | The postal code of the domain administrator. |
| PassiveTotal.Domain.adminCountry | String | The country of the domain administrator. |
| PassiveTotal.Domain.adminTelephone | String | The telephone number of the domain administrator. |
| PassiveTotal.Domain.billingEmail | String | The email address of the billing contact. |
| PassiveTotal.Domain.billingFax | String | The fax number of the billing contact. |
| PassiveTotal.Domain.billingName | String | The name of the billing contact. |
| PassiveTotal.Domain.billingOrganization | String | The organization of the billing contact. |
| PassiveTotal.Domain.billingStreet | String | The street of the billing contact. |
| PassiveTotal.Domain.billingCity | String | The city of the billing contact. |
| PassiveTotal.Domain.billingState | String | The state of the billing contact. |
| PassiveTotal.Domain.billingPostalCode | String | The postal code of the billing contact. |
| PassiveTotal.Domain.billingCountry | String | The country of the billing contact. |
| PassiveTotal.Domain.billingTelephone | String | The telephone number of the billing contact. |
| PassiveTotal.Domain.techEmail | String | The email address of the technical contact. |
| PassiveTotal.Domain.techFax | String | The fax number of the technical contact. |
| PassiveTotal.Domain.techName | String | The name of the technical contact. |
| PassiveTotal.Domain.techOrganization | String | The organization of the technical contact. |
| PassiveTotal.Domain.techStreet | String | The street of the technical contact. |
| PassiveTotal.Domain.techCity | String | The city of the technical contact. |
| PassiveTotal.Domain.techState | String | The state of the technical contact. |
| PassiveTotal.Domain.techPostalCode | String | The postal code of the technical contact. |
| PassiveTotal.Domain.techCountry | String | The country of the technical contact. |
| PassiveTotal.Domain.techTelephone | String | The telephone number of the technical contact. |

Command Example

```
!domain domain=riskiq.com
```

Context Example

```json
{
    "DBotScore": [
        {
            "Indicator": "riskiq.com",
            "Score": 0,
            "Type": "domain",
            "Vendor": "PassiveTotal"
        }
    ],
    "Domain": [
        {
            "Admin": {
                "Country": "us",
                "Email": "domains@riskiq.com",
                "Name": "Risk IQ",
                "Phone": "18884154447"
            },
            "CreationDate": "2006-01-11T16:00:00.000-0800",
            "ExpirationDate": "2017-01-11T16:00:00.000-0800",
            "Name": "riskiq.com",
            "NameServers": [
                "luke.ns.cloudflare.com",
                "serena.ns.cloudflare.com"
            ],
            "Organization": "RiskIQ, Inc.",
            "Registrant": {
                "Country": "us",
                "Email": "domains@riskiq.com",
                "Name": "Risk IQ",
                "Phone": "18884154447"
            },
            "Registrar": {
                "AbuseEmail": null,
                "AbusePhone": null,
                "Name": "GODADDY.COM, LLC"
            },
            "UpdatedDate": "2014-12-08T16:00:00.000-0800",
            "WHOIS": {
                "Admin": {
                    "Country": "us",
                    "Email": "domains@riskiq.com",
                    "Name": "Risk IQ",
                    "Phone": "18884154447"
                },
                "CreationDate": "2006-01-11T16:00:00.000-0800",
                "ExpirationDate": "2017-01-11T16:00:00.000-0800",
                "NameServers": [
                    "luke.ns.cloudflare.com",
                    "serena.ns.cloudflare.com"
                ],
                "Registrant": {
                    "Country": "us",
                    "Email": "domains@riskiq.com",
                    "Name": "Risk IQ",
                    "Phone": "18884154447"
                },
                "Registrar": {
                    "AbuseEmail": null,
                    "AbusePhone": null,
                    "Name": "GODADDY.COM, LLC"
                },
                "UpdatedDate": "2014-12-08T16:00:00.000-0800"
            }
        }
    ],
    "PassiveTotal": {
        "Domain": {
            "adminCity": "san francisco",
            "adminCountry": "us",
            "adminEmail": "domains@riskiq.com",
            "adminName": "Risk IQ",
            "adminOrganization": "RiskIQ, Inc.",
            "adminPostalCode": "94111",
            "adminState": "california",
            "adminStreet": "22 Battery Street\n10th Floor",
            "adminTelephone": "18884154447",
            "contactEmail": "domains@riskiq.com",
            "domain": "riskiq.com",
            "expiresAt": "2017-01-11T16:00:00.000-0800",
            "lastLoadedAt": "2016-09-27T09:40:31.180-0700",
            "name": "Risk IQ",
            "nameServers": [
                "luke.ns.cloudflare.com",
                "serena.ns.cloudflare.com"
            ],
            "organization": "RiskIQ, Inc.",
            "registered": "2006-01-11T16:00:00.000-0800",
            "registrantCity": "san francisco",
            "registrantCountry": "us",
            "registrantEmail": "domains@riskiq.com",
            "registrantName": "Risk IQ",
            "registrantOrganization": "RiskIQ, Inc.",
            "registrantPostalCode": "94111",
            "registrantState": "california",
            "registrantStreet": "22 Battery Street\n10th Floor",
            "registrantTelephone": "18884154447",
            "registrar": "GODADDY.COM, LLC",
            "registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
            "techCity": "san francisco",
            "techCountry": "us",
            "techEmail": "domains@riskiq.com",
            "techName": "Risk IQ",
            "techOrganization": "RiskIQ, Inc.",
            "techPostalCode": "94111",
            "techState": "california",
            "techStreet": "22 Battery Street\n10th Floor",
            "techTelephone": "18884154447",
            "telephone": "18884154447",
            "whoisServer": "whois.godaddy.com"
        }
    }
}
```

Human Readable Output

Domain(s)

| Domain | WHOIS Server | Registrar | Contact Email | Name Servers | Registrant | Admin | Tech | Creation Date (GMT) | Expire Date (GMT) | Updated Date (GMT) | Last Scanned (GMT) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| riskiq.com | whois.godaddy.com | GODADDY.COM, LLC | domains@riskiq.com | luke.ns.cloudflare.com, serena.ns.cloudflare.com | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | City: san francisco, Country: us, Email: domains@riskiq.com, Name: Risk IQ, Organization: RiskIQ, Inc., PostalCode: 94111, State: california, Street: 22 Battery Street 10th Floor, Telephone: 18884154447 | 2006-01-11T16:00:00.000-0800 | 2017-01-11T16:00:00.000-0800 | 2014-12-08T16:00:00.000-0800 | 2016-09-27T09:40:31.180-0700 |
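The context output table above lists the same WHOIS facts twice: once as the raw PassiveTotal.Domain record and once mapped into the XSOAR standard Domain.* entries plus a DBotScore. The following is an added example, not code from the PassiveTotal v2 integration, that performs that mapping on a constructed copy of the example record so the relationship between the two shapes is explicit. It also adds the check an analyst wants before trusting the record: in the example, lastLoadedAt is 2016 and expiresAt is 2017, so the cached WHOIS copy is what is being reported, not the live registry. The 30-day staleness threshold and the `as_of` date are assumptions for this example.

```python
"""Map a PassiveTotal WHOIS record into XSOAR standard context.

Added example, not code from the PassiveTotal v2 integration. It shows how
the raw fields that land in PassiveTotal.Domain relate to the Domain.* and
DBotScore entries in the context example above, and adds a staleness check
on lastLoadedAt. RAW_WHOIS is a trimmed, constructed copy of that example.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the WHOIS record from the context example above, trimmed
# to the fields the standard context actually uses.
RAW_WHOIS = {
    "domain": "riskiq.com",
    "registrar": "GODADDY.COM, LLC",
    "whoisServer": "whois.godaddy.com",
    "registered": "2006-01-11T16:00:00.000-0800",
    "expiresAt": "2017-01-11T16:00:00.000-0800",
    "registryUpdatedAt": "2014-12-08T16:00:00.000-0800",
    "lastLoadedAt": "2016-09-27T09:40:31.180-0700",
    "nameServers": ["luke.ns.cloudflare.com", "serena.ns.cloudflare.com"],
    "organization": "RiskIQ, Inc.",
    "registrantEmail": "domains@riskiq.com",
    "registrantName": "Risk IQ",
    "registrantTelephone": "18884154447",
    "registrantCountry": "us",
    "adminEmail": "domains@riskiq.com",
    "adminName": "Risk IQ",
    "adminTelephone": "18884154447",
    "adminCountry": "us",
}

PT_TIMESTAMP = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2016-09-27T09:40:31.180-0700


def parse_pt_timestamp(value):
    """Parse a PassiveTotal timestamp into a timezone-aware datetime."""
    return datetime.strptime(value, PT_TIMESTAMP)


def contact(raw, prefix):
    """Build a standard-context contact block from the prefixed raw keys
    (registrantEmail -> Email, registrantTelephone -> Phone, and so on)."""
    return {
        "Email": raw.get(prefix + "Email"),
        "Name": raw.get(prefix + "Name"),
        "Phone": raw.get(prefix + "Telephone"),
        "Country": raw.get(prefix + "Country"),
    }


def to_standard_context(raw):
    """Return (Domain entry, DBotScore entry) in the shape of the context example.

    PassiveTotal WHOIS carries no verdict, so the score is 0 (unknown) as in the
    page's example; a playbook must not read 0 as 'benign'.
    """
    whois = {
        "CreationDate": raw.get("registered"),
        "UpdatedDate": raw.get("registryUpdatedAt"),
        "ExpirationDate": raw.get("expiresAt"),
        "NameServers": list(raw.get("nameServers", [])),
        "Registrar": {"Name": raw.get("registrar"), "AbuseEmail": None, "AbusePhone": None},
        "Registrant": contact(raw, "registrant"),
        "Admin": contact(raw, "admin"),
    }
    domain = {
        "Name": raw["domain"],
        "Organization": raw.get("organization"),
        "CreationDate": whois["CreationDate"],
        "UpdatedDate": whois["UpdatedDate"],
        "ExpirationDate": whois["ExpirationDate"],
        "NameServers": whois["NameServers"],
        "Registrar": whois["Registrar"],
        "Registrant": whois["Registrant"],
        "Admin": whois["Admin"],
        "WHOIS": whois,  # the same facts, nested, as in the context example
    }
    dbot = {"Indicator": raw["domain"], "Type": "domain", "Vendor": "PassiveTotal", "Score": 0}
    return domain, dbot


def whois_is_stale(raw, as_of_iso, max_age_days=30):
    """True when lastLoadedAt is more than max_age_days before `as_of_iso` (YYYY-MM-DD, UTC).

    The threshold is an assumption for this example. The WHOIS fields describe the
    record as PassiveTotal last loaded it, so a stale record's expiry and name servers
    may no longer match the live registry.
    """
    as_of = datetime.fromisoformat(as_of_iso).replace(tzinfo=timezone.utc)
    loaded = parse_pt_timestamp(raw["lastLoadedAt"])
    return as_of - loaded > timedelta(days=max_age_days)


if __name__ == "__main__":
    import json
    domain_entry, score_entry = to_standard_context(RAW_WHOIS)
    print(json.dumps({"Domain": [domain_entry], "DBotScore": [score_entry]}, indent=2))
    # 2020-06-10 is an assumed 'today' matching the era of the host-pair example.
    print("WHOIS record stale:", whois_is_stale(RAW_WHOIS, "2020-06-10"))
```

Run against the full record, the extra billing and tech fields are simply ignored by the standard-context mapping; they remain available under PassiveTotal.Domain for pivots on contact details.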