RiskIQ PassiveTotal

Updated 2 months ago by Elvis Hovor


TruSTAR is a threat intelligence platform designed to accelerate incident analysis process and exchange of intelligence among various internal and external teams. This document provides a description how paying customers of PassiveTotal can correlate reports and indicators produced by RiskIQ PassiveTotal with data stored in their TruSTAR enclaves. This integration will query PassiveTotal and return Passive DNS results for associated indicators.


This integration requires TruSTAR users to be paying customers of RiskIQ PassiveTotal. You will also need your PassiveTotal API key.

Configure Integration

After you have retrieved your Farsight API key follow these steps:

  1. Log into TruSTAR Station and go the Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on RiskIQ PassiveTotal logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable the PassiveTotal integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.

After the integration is enabled you should see reports from PassiveTotal being submitted into an enclave you control on TruSTAR.


    What data do you currently pull from PassiveTotal? 

    Our integration currently only pulls reports from RiskIQ PassiveTotal that have cyber IOC’s.

      These include:

      • IP
      • Domain
      • URL (Domains are extracted from URL)
      • Email 

      Please contact us if you would like to discuss additional indicators that can be queried from RiskIQ PassiveTotal.

          How often is the data pulled?

          Our integration retrieves data from RiskIQ PassiveTotal  every 15mins.

          Please reach out to support@trustar.co for any additional questions.

          How Did We Do?