Triage Faster in CRITs with PassiveTotal

For the past several years, CRITs has provided analysts with a free, open source alternative to a hosted threat intelligence platform. When support for external services went public, PassiveTotal was quick to draft up a service and release it to the community. A lot has changed since then, both in CRITs and most notably, the data that PassiveTotal provides. With our new API released, we felt it was time to update our existing service which you can now access via Github.

What Changed?

Everything. Version one of our CRITs service supported passive DNS and the ability to get unique items, but nothing more. Version two was a complete re-write built using our new python library and includes all our major datasets.

The following datasets are now supported and shown within CRITs:

  • Passive DNS
  • WHOIS
  • SSL Certificates
  • Passive SSL
  • Subdomains
  • Enrichment
  • Trackers
  • Components
  • OSINT
  • Malware

Additionally, we've provided a helper search on email addresses that will query our WHOIS repository for more domains. We'd like to provide more of these helper searches, so if you have ideas, shoot us a message.

Service Configuration

CRITs services are hosted on Github along with documentation on how to install a new one. In order to run the PassiveTotal service, you need to install our python client by running "pip install passivetotal". Once that's in place, you should see PassiveTotal from your CRITs control panel.

Our API requires both the username (email address) and API key to be associated with the service. We've also added the option for users to be prompted before each service run, so they can pick the specific datasets they want to run. By default, prompting is turned off to avoid constant form windows popping up, but the option is there.

Triaging Events

After setting up the PassiveTotal service, you can access it much like any of your other existing services. We designed our service to primarily run on Domains, IP addresses and Indicators. Depending on the input type, we try and determine the value meant for the API and use that in our outbound queries. In the event a bad type is passed to our service, we simply ignore it and continue processing. Errors, warnings and other details can be found within the log.

Having our service run on the major CRITs types means you should see PassiveTotal results more often. When outputting data, we categorize each data source into their own section to reduce clutter, but there's no escaping the fact that you will need to scroll if you plan to run all services.

Next Steps

We are excited to have our new service out in the public and look forward to feedback from our users and customers. We are keeping an eye on CRITs development and if we see any new ways to make our data easier to work with, it'll be added!