RiskIQ PassiveTotal

EF_FLOW_OUTPUT_RISKIQ_ENABLE

For the RiskIQ integration to function fully, both the RiskIQ output and the RiskIQ enrichment option MUST be enabled. Only information about traffic to/from public IP addresses is transmitted to RiskIQ; no internal/private IP addresses are transmitted. This setting specifies whether the RiskIQ output is enabled.

  • Valid Values
    • true, false
  • Default
    • false

EF_FLOW_OUTPUT_RISKIQ_HOST

This setting specifies the hostname of the RiskIQ service to which data is sent for analysis. The value for this setting is provided in your RiskIQ PassiveTotal account settings.

  • Default
    • ''

EF_FLOW_OUTPUT_RISKIQ_PORT

This setting specifies the port number of the RiskIQ service to which data is sent for analysis. The value for this setting is provided in your RiskIQ PassiveTotal account settings.

  • Default
    • ''

EF_FLOW_OUTPUT_RISKIQ_CUSTOMER_UUID

This setting specifies the user-specific UUID required by the RiskIQ service to associate the data with your account.

  • Default
    • ''

EF_FLOW_OUTPUT_RISKIQ_CUSTOMER_ENCRYPTION_KEY

This setting specifies the user-specific encryption key required to transmit data securely to the RiskIQ service.

  • Default
    • ''

EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE

This setting specifies whether enrichment with autonomous system attributes from the RiskIQ service is enabled.

  • Valid Values
    • true, false
  • Default
    • false

EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENDPOINT

If RiskIQ ASN enrichment is enabled (EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE is true), this setting specifies the endpoint of the RiskIQ enrichment API to query.

Warning: Do NOT change this value unless directed by ElastiFlow™ support.

  • Default
    • https://api.passivetotal.org/v2/netflow/as/download

EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_REFRESH_INTERVAL

If RiskIQ ASN enrichment is enabled (EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE is true), this setting specifies the interval, in minutes, at which the RiskIQ enrichment API is queried to refresh the dataset.

Note: 60 minutes is the minimum refresh interval. The collector will fail with an error if this value is less than 60.

  • Default
    • 1440

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE

This setting specifies whether enrichment with threat attributes from the RiskIQ service is enabled.

  • Valid Values
    • true, false
  • Default
    • false

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENDPOINT

If RiskIQ threat enrichment is enabled (EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE is true), this setting specifies the endpoint of the RiskIQ enrichment API to query.

Warning: Do NOT change this value unless directed by ElastiFlow™ support.

  • Default
    • https://api.passivetotal.org/v2/netflow/blocklist/download

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_REFRESH_INTERVAL

If RiskIQ threat enrichment is enabled (EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE is true), this setting specifies the interval, in minutes, at which the RiskIQ enrichment API is queried to refresh the dataset.

Note: 60 minutes is the minimum refresh interval. The collector will fail with an error if this value is less than 60.

  • Default
    • 1440

EF_FLOW_DECODER_ENRICH_RISKIQ_API_USER

If RiskIQ enrichment is enabled (EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE or EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE is true), this setting specifies the API user from the PassiveTotal account that is used to access the RiskIQ enrichment API.

  • Default
    • ''

EF_FLOW_DECODER_ENRICH_RISKIQ_API_KEY

If RiskIQ enrichment is enabled (EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE or EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE is true), this setting specifies the API key from the PassiveTotal account that is used to access the RiskIQ enrichment API.

  • Default
    • ''

EF_FLOW_DECODER_ENRICH_RISKIQ_API_TIMEOUT

If RiskIQ enrichment is enabled (EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE or EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE is true), this setting specifies the timeout, in seconds, for API queries.

  • Default
    • 30

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH

For more control over when enrichment is applied, IP addresses can be included in or excluded from threat enrichment by Autonomous System or CIDR. This setting specifies the path to the include/exclude file.

Note: If the value of the path begins with a /, it is interpreted as an absolute file system path. Otherwise it is interpreted as relative to the value of EF_FLOW_DECODER_SETTINGS_PATH.

For more details on the format of this file and the behavior of the include/exclude functionality refer to: Scoping Enrichment with Include/Exclude

  • Default
    • ''
  • Recommended
    • hostname/incl_excl.yml

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE

The file specified in EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH can be reloaded automatically to refresh its values without restarting the collector. This setting specifies the interval, in minutes, at which the file is reloaded. A value of 0 disables refreshing.

  • Default
    • 15
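The settings above carry a few rules that are easy to get wrong when they are spread across an environment file: output and enrichment must both be enabled, the two refresh intervals may not go below 60 minutes, 0 disables the include/exclude reload, and a relative include/exclude path is resolved against EF_FLOW_DECODER_SETTINGS_PATH. The following pre-flight checker is an added example written for this page; it is not ElastiFlow's code and does not reproduce how the collector itself validates its configuration. Every value in the sample environment is a constructed placeholder, and the "public address" test is a local approximation of the documented rule using the standard library's notion of a globally routable address.

```python
"""Pre-flight checks for the RiskIQ PassiveTotal settings documented above.

Added example for this page, not ElastiFlow's own code. Messages, structure and
the exact validation behaviour are this example's assumptions.
"""
import ipaddress
import os
from typing import Dict, List

MIN_REFRESH_MINUTES = 60  # stated minimum for both *_REFRESH_INTERVAL settings

OUTPUT_REQUIRED = (
    "EF_FLOW_OUTPUT_RISKIQ_HOST",
    "EF_FLOW_OUTPUT_RISKIQ_PORT",
    "EF_FLOW_OUTPUT_RISKIQ_CUSTOMER_UUID",
    "EF_FLOW_OUTPUT_RISKIQ_CUSTOMER_ENCRYPTION_KEY",
)
ENRICH_REQUIRED = (
    "EF_FLOW_DECODER_ENRICH_RISKIQ_API_USER",
    "EF_FLOW_DECODER_ENRICH_RISKIQ_API_KEY",
)

# Constructed sample environment: every value is a placeholder, not a real host,
# account or credential. It deliberately contains three mistakes to report.
EXAMPLE_ENV: Dict[str, str] = {
    "EF_FLOW_DECODER_SETTINGS_PATH": "/placeholder/elastiflow/settings",
    "EF_FLOW_OUTPUT_RISKIQ_ENABLE": "true",
    "EF_FLOW_OUTPUT_RISKIQ_HOST": "riskiq.example.invalid",
    "EF_FLOW_OUTPUT_RISKIQ_PORT": "443",
    "EF_FLOW_OUTPUT_RISKIQ_CUSTOMER_UUID": "00000000-0000-4000-8000-000000000000",
    "EF_FLOW_OUTPUT_RISKIQ_CUSTOMER_ENCRYPTION_KEY": "PLACEHOLDER_KEY",
    "EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE": "true",
    "EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_REFRESH_INTERVAL": "30",  # below the 60 minute minimum
    "EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE": "false",
    "EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_REFRESH_INTERVAL": "1440",
    "EF_FLOW_DECODER_ENRICH_RISKIQ_API_USER": "",  # missing
    "EF_FLOW_DECODER_ENRICH_RISKIQ_API_KEY": "",   # missing
    "EF_FLOW_DECODER_ENRICH_RISKIQ_API_TIMEOUT": "30",
    "EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH": "hostname/incl_excl.yml",
    "EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE": "0",  # 0 = no reload
}


def _is_true(env: Dict[str, str], key: str) -> bool:
    return env.get(key, "false").strip().lower() == "true"


def _int_or_none(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def resolve_inclexcl_path(value: str, settings_path: str) -> str:
    """Leading '/' means absolute; anything else is relative to EF_FLOW_DECODER_SETTINGS_PATH."""
    if value.startswith("/"):
        return value
    return os.path.join(settings_path, value)


def is_transmittable_address(ip: str) -> bool:
    """Local approximation of 'only public IP addresses are transmitted': RFC 1918,
    loopback, link-local and documentation ranges are all treated as non-public."""
    return ipaddress.ip_address(ip).is_global


def check_riskiq_settings(env: Dict[str, str]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the settings pass."""
    problems: List[str] = []
    output_on = _is_true(env, "EF_FLOW_OUTPUT_RISKIQ_ENABLE")
    asn_on = _is_true(env, "EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE")
    threat_on = _is_true(env, "EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE")
    enrich_on = asn_on or threat_on

    # Output and enrichment are a pair: either one alone leaves the integration incomplete.
    if output_on != enrich_on:
        problems.append("EF_FLOW_OUTPUT_RISKIQ_ENABLE and a RiskIQ enrichment option must both be enabled")

    if output_on:
        for key in OUTPUT_REQUIRED:
            if not env.get(key):
                problems.append(f"{key} is required when RiskIQ output is enabled")
        port = _int_or_none(env.get("EF_FLOW_OUTPUT_RISKIQ_PORT"))
        if env.get("EF_FLOW_OUTPUT_RISKIQ_PORT") and not (port and 1 <= port <= 65535):
            problems.append("EF_FLOW_OUTPUT_RISKIQ_PORT must be a valid port number")

    if enrich_on:
        for key in ENRICH_REQUIRED:
            if not env.get(key):
                problems.append(f"{key} is required when RiskIQ enrichment is enabled")
        timeout = _int_or_none(env.get("EF_FLOW_DECODER_ENRICH_RISKIQ_API_TIMEOUT", "30"))
        if timeout is None or timeout <= 0:
            problems.append("EF_FLOW_DECODER_ENRICH_RISKIQ_API_TIMEOUT must be a positive number of seconds")

    # Each refresh interval is only checked when its enrichment option is enabled.
    for enabled, key in ((asn_on, "EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_REFRESH_INTERVAL"),
                         (threat_on, "EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_REFRESH_INTERVAL")):
        minutes = _int_or_none(env.get(key, "1440"))
        if enabled and (minutes is None or minutes < MIN_REFRESH_MINUTES):
            problems.append(f"{key} must be at least {MIN_REFRESH_MINUTES} minutes or the collector fails with an error")

    rate = _int_or_none(env.get("EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE", "15"))
    if rate is None or rate < 0:
        problems.append("EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE must be 0 (disabled) or a positive number of minutes")

    path = env.get("EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH", "")
    if path and not path.startswith("/") and not env.get("EF_FLOW_DECODER_SETTINGS_PATH"):
        problems.append("a relative EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH needs EF_FLOW_DECODER_SETTINGS_PATH")
    return problems


if __name__ == "__main__":
    for problem in check_riskiq_settings(EXAMPLE_ENV):
        print("problem:", problem)
    print("incl/excl file:", resolve_inclexcl_path(
        EXAMPLE_ENV["EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH"],
        EXAMPLE_ENV["EF_FLOW_DECODER_SETTINGS_PATH"]))
```

Run against the sample environment it reports the two missing API credentials and the 30 minute ASN refresh interval; with those corrected it returns an empty list. The checker is most useful wired into a deployment pipeline before the collector is restarted, since the refresh-interval rule is otherwise only discovered when the collector exits with an error.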