User Guide

Synapse-PassiveTotal User Guide

Synapse-PassiveTotal adds new Storm commands to allow you to query the PassiveTotal API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set up a personal API key:

> passivetotal.setup.apikey --self myapiuser myapikey
Setting PassiveTotal API key for the current user.

Enrich an inet:fqdn and create subdomains

> [ inet:fqdn=fake.org ] | passivetotal.enrich
inet:fqdn=fake.org
        .created = 2024/04/22 20:02:45.782
        :domain = org
        :host = fake
        :issuffix = false
        :iszone = true
        :zone = fake.org
        #rep.pt.badguy
        #rep.pt.class.maicious
        #rep.pt.dynamicdns
        #rep.pt.evercompromised
        #rep.pt.sinkhole

Note that when the admin has not set a global tag prefix, the default prefix rep.pt is used.

Search for component hosts

The command keeps fetching pages until all results are ingested. To restrict the number of results, use the --size argument.

> passivetotal.comp.host mod_bwlimited --size 2 --version 1.4 --category Server --yield
inet:fqdn=www.cbaobank.com
        .created = 2024/04/22 20:02:46.256
        .seen = ('2020/12/28 15:40:17.000', '2021/06/29 03:17:54.000')
        :domain = cbaobank.com
        :host = www
        :issuffix = false
        :iszone = false
        :zone = cbaobank.com
        #rep.pt.server.mod_bwlimited
inet:fqdn=cbaobank.com
        .created = 2024/04/22 20:02:46.256
        .seen = ('2020/12/31 22:03:42.000', '2021/06/30 02:02:32.000')
        :domain = com
        :host = cbaobank
        :issuffix = false
        :iszone = true
        :zone = cbaobank.com
        #rep.pt.server.mod_bwlimited

Filter results by time

Many Synapse-PassiveTotal commands include a --time option for filtering results. The argument to this option is cast to a Synapse ival type, and any result whose interval (formed from the firstSeen and lastSeen timestamps the API returns) does not overlap that ival is filtered out.

Unless noted otherwise, the PassiveTotal API does not support including the timebox in the query itself, so results are filtered client-side after the API has returned them.

> passivetotal.comp.host mod_bwlimited --yield --time "2021/06/30"
inet:fqdn=cbaobank.com
        .created = 2024/04/22 20:02:46.256
        .seen = ('2020/12/31 22:03:42.000', '2021/06/30 02:02:32.000')
        :domain = com
        :host = cbaobank
        :issuffix = false
        :iszone = true
        :zone = cbaobank.com
        #rep.pt.server.mod_bwlimited
> passivetotal.comp.host mod_bwlimited --yield --time ("2020/12/28", "+24hours")
inet:fqdn=www.cbaobank.com
        .created = 2024/04/22 20:02:46.256
        .seen = ('2020/12/28 15:40:17.000', '2021/06/29 03:17:54.000')
        :domain = cbaobank.com
        :host = www
        :issuffix = false
        :iszone = false
        :zone = cbaobank.com
        #rep.pt.server.mod_bwlimited
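The client-side time filter described above, as an added illustration that is not the power-up's own code. It assumes Synapse ival semantics (a half-open [min, max) interval in epoch milliseconds, with a lone timestamp cast to a 1 ms interval and a (start, "+N units") pair meaning start plus that offset), and the sample records are constructed from the two .seen windows shown in the output above.

```python
# Added illustration of the post-fetch --time filter; not the power-up's own code.
# Assumed ival semantics: half-open [min, max) in epoch ms; a lone timestamp -> 1 ms.
import re
from datetime import datetime, timezone

def parse_ts(text):
    """Parse 'YYYY/MM/DD[ HH:MM:SS[.fff]]' (UTC) into epoch milliseconds."""
    for fmt in ("%Y/%m/%d %H:%M:%S.%f", "%Y/%m/%d %H:%M:%S", "%Y/%m/%d"):
        try:
            dt = datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
            return int(dt.timestamp() * 1000)
        except ValueError:
            continue
    raise ValueError(f"unparseable timestamp: {text!r}")

def parse_ival(spec):
    """Cast a --time argument to (min, max): a single timestamp, or a
    (start, '+Nhours'/'+Ndays') pair meaning start plus a relative offset."""
    if isinstance(spec, str):
        tick = parse_ts(spec)
        return tick, tick + 1
    start, rel = spec
    m = re.fullmatch(r"\+(\d+)(hour|day)s?", rel.strip())
    if not m:
        raise ValueError(f"unsupported relative time: {rel!r}")
    unit_ms = {"hour": 3_600_000, "day": 86_400_000}[m.group(2)]
    tick = parse_ts(start)
    return tick, tick + int(m.group(1)) * unit_ms

def overlaps(ival, first_seen, last_seen):
    """True when the result window [first_seen, last_seen] meets [min, max)."""
    minv, maxv = ival
    return first_seen < maxv and last_seen >= minv

def filter_results(results, timespec):
    """Client-side filter run after the API has answered: keep the hostnames
    whose firstSeen/lastSeen window overlaps the requested interval."""
    ival = parse_ival(timespec)
    return [r["hostname"] for r in results
            if overlaps(ival, parse_ts(r["firstSeen"]), parse_ts(r["lastSeen"]))]

# Constructed sample records using the two .seen windows shown in the output above.
SAMPLE = [
    {"hostname": "www.cbaobank.com", "firstSeen": "2020/12/28 15:40:17.000", "lastSeen": "2021/06/29 03:17:54.000"},
    {"hostname": "cbaobank.com", "firstSeen": "2020/12/31 22:03:42.000", "lastSeen": "2021/06/30 02:02:32.000"},
]

if __name__ == "__main__":
    print(filter_results(SAMPLE, "2021/06/30"))                # ['cbaobank.com']
    print(filter_results(SAMPLE, ("2020/12/28", "+24hours")))  # ['www.cbaobank.com']
```

Because the filter runs after the fetch, a --size limit applies to what the API returns, not to what survives the time filter.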

Use of meta:source nodes

Synapse-PassiveTotal uses a meta:source node and -(seen)> lightweight edges to track nodes observed via the PassiveTotal API.

> meta:source=b142cd8e8eeb2507d670866d6fb8f61f
meta:source=b142cd8e8eeb2507d670866d6fb8f61f
        .created = 2024/04/22 20:02:45.903
        :name = passivetotal api

Storm can be used to include or exclude nodes that have been observed by Synapse-PassiveTotal. The following example filters the results of a query down to only those observed by Synapse-PassiveTotal:

> #rep.pt.badguy +{ <(seen)- meta:source=b142cd8e8eeb2507d670866d6fb8f61f }
inet:fqdn=fake.org
        .created = 2024/04/22 20:02:45.782
        :domain = org
        :host = fake
        :issuffix = false
        :iszone = true
        :zone = fake.org
        #rep.pt.badguy
        #rep.pt.class.maicious
        #rep.pt.dynamicdns
        #rep.pt.evercompromised
        #rep.pt.sinkhole