RiskIQ PassiveTotal

Updated 1 month ago by Elvis Hovor

This document explains how to set up and use RiskIQ PassiveTotal with TruSTAR Station.

RiskIQ PassiveTotal® expedites investigations by connecting internal activity, event, and incident indicator of compromise (IOC) artifacts to what is happening outside the firewall—external threats, attackers, and their related infrastructure.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to Install: 10 minutes

Data Types

The integration pulls reports with these observables from PassiveTotal:

  • IP
  • Domain (extracted from URL)
  • Email 


  • A subscription to RiskIQ PassiveTotal
  • RiskIQ PassiveTotal API key
TruSTAR Admin rights are required to activate this Premium Intel feed.

Getting Started

  1. Log into TruSTAR Station.
  2. Click the Marketplace icon on the left side icon list.
  3. Click Closed Sources.
  4. Click Subscribe on the RiskIQ Passive Total box.
  5. Enter your RiskIQ PassiveTotal API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

After the integration has been enabled, you need to submit reports to your private enclave to see intelligence enrichment from Passive Total.

TruSTAR Report Mapping




Report Title

IP <IOC Value>

IP XX.45.72.XX

External ID

IP<IOC Value>


Report Body

Full JSON response

Time Begun




Known Issues

No reported issues.

Please reach out to support@trustar.co if you have issues with this integration.

How Did We Do?