Steve and I love Slack. We use it for nearly everything in PassiveTotal from server monitoring alerts to source control reporting to daily chatting about new features or upcoming meetings. So, naturally, Slack is our go-to place to discuss threat-based research. When a new report comes out, we go over the findings, action any data inside the platform and carry on with business as usual. That works great, only there's one problem, why should we always need to leave the platform? Inspired by the great folks at Github, we've decided to put together a set of PassiveTotal Hubot scripts to work with our API.
The current implementation largely sticks to the present API capabilities, but we plan to add more as we identify more use cases. We see these sort of integrations as small, but really useful. Just last week, Palo Alto's Unit 42 released their Lotus Blossom report. One of the first things Steve asked me was if I had gone through and used our bulk upload service to handle all the indicators. Without leaving chat, I was able to quickly get the tags for a specific domain mentioned in the report. Grab some metadata for an IP address and then get a snippet of passive data.
Interested in using the PassiveTotal bot in your own channels? You can checkout our source code (includes other helper libraries) in the passivetotal_tools account or you can head over to npm to grab the coffescript. If you are new to the whole bot-based process in Slack, we recommend you check out their great documentation here as there are a few steps that require you to access your Slack account. We've tried to make the bot flexibile in the commmands it can process, but if you have more ideas, feel free to fork and submit pull requests back!
Looking for more Hubot scripts to aid in your research? Check these out.