RiskIQ PassiveTotal

EF_OUTPUT_RISKIQ_ENABLE

For the RiskIQ Integration to function fully, both the RiskIQ output as well as the enrichment option MUST be enabled. Only information about traffic to/from public IP addresses is transmitted to RiskIQ. No internal/private IP addresses are transmitted. This setting specifies whether the RiskIQ is enabled.

• Valid Values

  • true, false

• Default

  • false

EF_OUTPUT_RISKIQ_HOST

This setting specifies hostname of the RiskIQ service to which data is sent to RiskIQ for analysis. The value for this setting will be provided to you in your RiskIQ PassiveTotal account settings.

• Default

  • ''

EF_OUTPUT_RISKIQ_PORT

This setting specifies port number of the RiskIQ service to which data is sent to RiskIQ for analysis. The value for this setting will be provided to you in your RiskIQ PassiveTotal account settings.

• Default

  • ''

EF_OUTPUT_RISKIQ_CUSTOMER_UUID

This setting specifies the user-specific UUID required by the RiskIQ service to associate the data with your account.

• Default

  • ''

EF_OUTPUT_RISKIQ_CUSTOMER_ENCRYPTION_KEY

This setting specifies the user-specific encryption key required to transmit data securely to the RiskIQ service.

• Default

  • ''

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE

This setting specifies whether enrichment with threat attributes from the RiskIQ service is enabled.

• Valid Values

  • true, false

• Default

  • false

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENDPOINT

If RiskIQ threat enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the endpoint of the RiskIQ enrichment API to query.

:::danger Do NOT change this value unless directed by ElastiFlow support. :::

• Default

  • https://api.passivetotal.org/v2/netflow/blocklist/download

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_REFRESH_INTERVAL

If RiskIQ threat enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the interval, in minutes, at which the RiskIQ enrichment API will be queried to refresh the dataset.

:::note 60 minutes is the minimum refresh interval. The collector will fail with an error if this value is less than 60. :::

• Default

  • 1440

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_PATH

For more control of when enrichment is applied, IP addresses can be included or excluded from threat enrichment by Autonomous System or CIDR. This setting specifies the path to this file.

For more details on the format of this file and the behavior of the include/exclude functionality refer to: Scoping Enrichment with Include/Exclude

• Default

  • ''

• Recommended

  • hostname/incl_excl.yml

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE

The file specified in EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_PATH can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of 0 disables refreshing of the values.

• Default

  • 15

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_USER

If RiskIQ enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the API user from the PassiveTotal account that will be used to access the RiskIQ enrichment API.

• Default

  • ''

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_KEY

If RiskIQ enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the API key from the PassiveTotal account that will be used to access the RiskIQ enrichment API.

• Default

  • ''

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_TIMEOUT

If RiskIQ enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the timeout duration, in seconds, for API queries.

• Default

  • 30