PassiveTotal Hubot 2.0

It’s hard to believe, but just nine months ago, we rolled out our first version of Hubot scripts using Slack as an example of how you could further your analysis. Back then, we were working with limited amounts of data and could only provide passive DNS. Today, we are in a much different place and felt it was time to really build out our bot capabilities. Released on our Github repository and the NPM registry is a single script file to bring the power of PassiveTotal into your chat rooms.

Integration: Slack and PassiveTotal from RiskIQ on Vimeo.

For this initial release, we focused simply on bringing in the data from our version two release of the API and some basic actions for interacting with indicators. Using our script, you can run a bot in Slack or HipChat and perform the following:

  • Get and set classifications on indicators
  • Get detailed enrichment data
  • Identify if an indicator is sinkholed, dynamic DNS, or ever been compromised
  • Get and set tag values on indicators
  • Get OSINT details where an indicator was mentioned
  • Get malware hashes from our collection
  • Get passive DNS data (full and unique)
  • Get SSL history
  • Get certificate details by SHA-1 hash
  • Get WHOIS details
  • Get subdomains for a base domain
  • Get trackers associated with an indicator

In order to conserve space and avoid filling up an entire chat room, we built defaults into the bot to only return the top 10 entries for any given call. We see these bots as supplemental workers when doing analysis, not full replacements.

Quick answers

Where we have found the bots to be most useful is for quick questions about a specific indicator. For example, operations has been making a lot of changes to our infrastructure lately and I might want to know where PassiveTotal is currently being hosted along with else may have changed.

Using our bot, I can ask for a snippet of passive DNS results to get the latest resolving IP address.

Pingly tells me that is the most recent, but I also know that since we are using HTTPS on our website, there should be a certificate associated with that IP. Again, using our bot, I can request for the SSL history given the IP address.

Perfect! Four different results with 528ee71c4ad748ece5368f68299048bffdb31c86 appearing to be the most current one. Based on our data, it looks like our certificate was recently changed as of this year. If I wanted to know more, it’s one chat away.

Ah, great. Looks like we ditched our old SSL certificates that were restricted to just www and our primary domain for a fancy wildcard certificate. What makes this flow nice is that I never had to leave chat in order to figure all of this out. In a few simple commands, I was able to get more information than I needed and quickly move on to the next task. Additionally, Steve was able to see this same data which means he indirectly got informed by my research.

Looking ahead

At the time of writing this post, Slack appears to be one of the more mature chat solutions which also includes an app directory. PassiveTotal is working to provide our users (and those interested in testing PassiveTotal) with a one-click solution to bring the bots outlined above into directly into your channels. Building out a Slack app means we can take advantage of other features in Slack like channel posting and custom commands.

What makes bots fun and exciting is how quickly you can bring context to an unknown indicator. Keep an eye on our blog, and social media outlets for the latest news. Who knows, maybe you’ll even come across some beta features not quite ready for launch.