RiskIQ PassiveTotal

Updated 1 year ago by Elvis Hovor


TruSTAR is a threat intelligence platform designed to accelerate incident analysis process and exchange of intelligence among various internal and external teams. This document provides a description how users can correlate reports and indicators produced by RiskIQ PassiveTotal with data stored in their TruSTAR enclaves. This integration will query PassiveTotal and return Passive DNS results for associated indicators.


  • Users need to have a subscription to RiskIQ PassiveTotal.
  • Users need RiskIQ PassiveTotal API key to enable the integration.

Configure Integration

After you have retrieved your RiskIQ PassiveTotal API key please complete these following steps:

  1. Log into TruSTAR Station and go the Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on RiskIQ PassiveTotal logo and input your PassiveTotal API key.
  4. Click Submit.

TruSTAR will validate and enable the PassiveTotal integration within 48 hours. You will receive an email from TruSTAR confirming when the integration is enabled.

You will need to submit reports to your private enclave to see intelligence enrichment from PassiveTotal.


Q: What data do you currently pull from PassiveTotal? 

Our integration currently only pulls reports from RiskIQ PassiveTotal that have cyber IOC’s.

These include:

  • IP
  • Domain
  • URL (Domains are extracted from URL)
  • Email 

Please contact us if you would like to discuss additional indicators that can be queried from RiskIQ PassiveTotal.

Q: How often is the data pulled?

Please see this page for PassiveTotal details.

Please reach out to support@trustar.co for any additional questions.

How Did We Do?