Local Triage with ThreatNote and PassiveTotal

If it isn’t clear from our previous posts, we have been making a push to get PassiveTotal data into as many platforms and tools as possible. You may ask yourself why, but the truth of the matter is that each analyst has their own workflow and process. We realize we can’t be all things to all people, so we are taking the approach of bringing all the data to all the places! As the title implies, if you are a ThreatNote user, you can now access PassiveTotal data from within the application.

ThreatNote was created by Brian Warehime (@brian_warehime) over at Defense Point Security, and its purpose is simple: easily store your indicators of interest when doing research in a small, lightweight utility. What’s nice about ThreatNote is that it doesn’t try to take on every analyst problem and instead focuses precisely on what the analyst inputs into the system. At the time of writing this blog, ThreatNote supports network indicators, threat actors, campaigns, and basic relationships between the supplied inputs.

PassiveTotal fits into ThreatNote as a third-party enrichment source that can be configured within the user settings panel. When creating our integration with ThreatNote, we decided to split our different data sources into individual enrichment points, so that users can choose which data they bring into the platform.

Once your instance is configured, PassiveTotal data will show up when viewing individual indicators entered inside of the platform. To reduce the clutter from larger dataset responses, we let the user easily toggle each dataset between expanded and collapsed. It’s worth noting that data returned from the PassiveTotal enrichment service is not stored in ThreatNote; a new API call is made every time an indicator is viewed. In order to persist results, you will need to feed them into the system manually.

What we like about ThreatNote is that analysts can easily describe a specific incident, see relevant enrichment data, and then quickly share the SQLite database file with others who may provide more insight. Additionally, as you enter details into the application, it automatically creates small dashboards and breakdowns of the data that has been added to the system.