RiskIQ PassiveTotal

Updated 1 month ago by TruSTAR

This document explains how to set up the RiskIQ PassiveTotal premium intelligence source in the TruSTAR platform.

RiskIQ PassiveTotal® expedites investigations by connecting internal activity, event, and incident indicator of compromise (IOC) artifacts to what is happening outside the firewall—external threats, attackers, and their related infrastructure.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to Install: 10 minutes

Observables Supported

  • IP
  • Domain (extracted from URL)
  • Email address


Requirements

  • A subscription to RiskIQ PassiveTotal
  • RiskIQ PassiveTotal API key

TruSTAR Admin rights are required to activate this Premium Intelligence source.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Click Premium Intel.
  4. Click Subscribe on the RiskIQ PassiveTotal box.
  5. Enter your RiskIQ PassiveTotal API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

After the integration has been enabled, you need to submit reports to your private enclave to see intelligence enrichment from PassiveTotal.

TruSTAR Report Mapping

The information retrieved from this intelligence source is stored in the RiskIQ PassiveTotal Enclave using this format:

  • Report Title: IP <IOC Value> (for example, IP XX.45.72.XX)
  • External ID: IP<IOC Value>
  • Report Body: Full JSON response
  • Time Begun

Known Issues

No reported issues.

Please contact support@trustar.co if you have issues with this integration.
