User Guide

Synapse-PassiveTotal User Guide

Synapse-PassiveTotal adds new Storm commands to allow you to query the PassiveTotal API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> passivetotal.setup.apikey --self myapiuser myapikey
Setting PassiveTotal API key for the current user.

Enrich an inet:fqdn and create subdomains

> [ inet:fqdn=fake.org ] | passivetotal.enrich
inet:fqdn=fake.org
        .created = 2024/12/20 18:11:52.466
        :domain = org
        :host = fake
        :issuffix = false
        :iszone = true
        :zone = fake.org
        #rep.pt.badguy
        #rep.pt.class.maicious
        #rep.pt.dynamicdns
        #rep.pt.evercompromised
        #rep.pt.sinkhole

Note that without a global tag prefix set by the admin the default rep.pt is used.

Search for component hosts

The command will continue fetching pages until all results are ingested. To restrict the number of results, the size argument can be used.

> passivetotal.comp.host mod_bwlimited --size 2 --version 1.4 --category Server --yield
inet:fqdn=www.cbaobank.com
        .created = 2024/12/20 18:11:52.968
        .seen = ('2020/12/28 15:40:17.000', '2021/06/29 03:17:54.000')
        :domain = cbaobank.com
        :host = www
        :issuffix = false
        :iszone = false
        :zone = cbaobank.com
        #rep.pt.server.mod_bwlimited
inet:fqdn=cbaobank.com
        .created = 2024/12/20 18:11:52.968
        .seen = ('2020/12/31 22:03:42.000', '2021/06/30 02:02:32.000')
        :domain = com
        :host = cbaobank
        :issuffix = false
        :iszone = true
        :zone = cbaobank.com
        #rep.pt.server.mod_bwlimited

Filter results by time

Many Synapse-PassiveTotal commands include a --time option which can be used to filter results. The argument to this option is cast to a Synapse ival type, and results that do not overlap the interval formed by the returned lastSeen and firstSeen timestamps will be filtered out.

Unless specified otherwise, the PassiveTotal API does not support including the timebox in the query, and therefore results are filtered after they are returned by the API.

> passivetotal.comp.host mod_bwlimited --yield --time "2021/06/30"
inet:fqdn=cbaobank.com
        .created = 2024/12/20 18:11:52.968
        .seen = ('2020/12/31 22:03:42.000', '2021/06/30 02:02:32.000')
        :domain = com
        :host = cbaobank
        :issuffix = false
        :iszone = true
        :zone = cbaobank.com
        #rep.pt.server.mod_bwlimited
> passivetotal.comp.host mod_bwlimited --yield --time ("2020/12/28", "+24hours")
inet:fqdn=www.cbaobank.com
        .created = 2024/12/20 18:11:52.968
        .seen = ('2020/12/28 15:40:17.000', '2021/06/29 03:17:54.000')
        :domain = cbaobank.com
        :host = www
        :issuffix = false
        :iszone = false
        :zone = cbaobank.com
        #rep.pt.server.mod_bwlimited

Use of meta:source nodes

Synapse-PassiveTotal uses a meta:source node and -(seen)> light weight edges to track nodes observed from the synapse-passivetotal API.

> meta:source=b142cd8e8eeb2507d670866d6fb8f61f
meta:source=b142cd8e8eeb2507d670866d6fb8f61f
        .created = 2024/12/20 18:11:52.594
        :name = passivetotal api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-PassiveTotal. The following example shows how to filter the results of a query to include only results observed by Synapse-PassiveTotal:

> #rep.pt.badguy +{ <(seen)- meta:source=b142cd8e8eeb2507d670866d6fb8f61f }
inet:fqdn=fake.org
        .created = 2024/12/20 18:11:52.466
        :domain = org
        :host = fake
        :issuffix = false
        :iszone = true
        :zone = fake.org
        #rep.pt.badguy
        #rep.pt.class.maicious
        #rep.pt.dynamicdns
        #rep.pt.evercompromised
        #rep.pt.sinkhole