Enricher - PassiveTotal Malware
This article describes the specific configuration options to set up the enricher.
To configure the general options for the enricher, see Configure the general options.
|
|
Specifications |
|
Enricher name |
PassiveTotal Malware |
|
Input |
Domain and host. |
|
Output |
Polls data from the PassiveTotal API. |
|
API endpoint |
https://api.passivetotal.org/v2 |
|
Description |
The PassiveTotal Malware enricher provides malware information related to the queried host or domain, such as malware hash and collection date. |
Requirements
Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials to access the API endpoint exposing the service.
Configure the enricher parameters
Edit the enricher.
From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the PassiveTotal Malware enricher.
The API URL field is automatically filled in with the default domain for the endpoint.
You can add a proxy or set up ports according to your needs.
Default value: https://api.passivetotal.org/v2.In the API key field, enter your API key.
In the Email field, enter the email address associated with the PassiveTotal Malware account to access and consume the PassiveTotal Malware API service.
To store your changes, click Save; to discard them, click Cancel.
Additional information
The returned malware entries are also tagged with the following metadata:
enrichment_extracts.meta.classification: bad.
To set this value, go to the top navigation bar, click Data configuration > Rules > Observable > > Action > Mark as malicious.
enrichment_extracts.meta.confidence: low .
To set this value, go to the top navigation bar, click Data configuration > Rules > Observable > > Confidence > Malicious — Low confidence/Malicious — Medium confidence/Malicious — High confidence.