RiskIQ-Data-PassiveDns

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident.

Attribute	Value
Type	Playbook
Solution	RiskIQ
Source	View on GitHub

Additional Documentation

📄 Source: RiskIQ-Data-PassiveDns/readme.md

Overview

Prerequisites

This playbook inherits API connections created and established within a base playbook. Ensure you have deployed RiskIQ-Base prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com).

Deployment

Post-Deployment Instructions

After deploying the playbook, you must authorize the connections leveraged.

Visit the playbook resource.
Under "Development Tools" (located on the left), click "API Connections".
Ensure each connection has been authorized.

Note: If you've deployed the RiskIQ-Base playbook, you will only need to authorize the Microsoft Sentinel connection.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Playbooks · Back to RiskIQ