ThreatPipes is built around scans. You start a scan by specifying a target.
Without entering a license key you will not be able to:
Start a scan with multiple targets
Run a scan in manual mode
Create a scan monitor
Add a scan to an investigation
Stream scan data
To initiate a scan, click on the ‘New Scan’ button in the top menu bar.
You will then need to define a name for your scan (non-unique).
You will then need to define a seed target (also non-unique).
The seed target can be one of the following.
Domain Name: e.g. example.com
IPv4 Address: e.g. 22.214.171.124
IPv6 Address: e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Hostname/Sub-domain: e.g. abc.example.com
Subnet: e.g. 126.96.36.199/24
ASN: e.g. 1234
E-mail address: e.g. [email protected]
Phone Number: e.g. +12345678901 (E.164 format)
Human Name: e.g. "John Smith" (must be in quotes)
ThreatPipes will automatically detect the target type based on the format of your input.
You can enter multiple seed targets by separating them with a comma. For example:
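As an added illustration (not code from the ThreatPipes documentation or product) of what "automatically detect the target type based on the format of your input" involves, the following Python classifier recognises the nine seed-target formats listed above and splits a comma-separated target line. The regular expressions, the domain-versus-hostname rule (two labels is a domain, more is a hostname/sub-domain) and the sample inputs are all constructed assumptions for this example; the product's own detection rules may differ.

```python
"""Seed-target type detection, as an added example (not ThreatPipes code).

Assumption: target categories follow the documentation's list (domain, IPv4,
IPv6, hostname/sub-domain, subnet, ASN, e-mail, E.164 phone, quoted human
name) and multiple targets are separated by commas.
"""
import ipaddress
import re
from typing import List, Tuple

# Patterns are constructed for this example, not the product's own rules.
_EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
_PHONE_RE = re.compile(r"^\+[1-9]\d{1,14}$")        # E.164: '+' then up to 15 digits
_ASN_RE = re.compile(r"^(?:AS)?\d{1,10}$", re.IGNORECASE)
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_QUOTED_NAME_RE = re.compile(r'^"[^"]+"$')
# Split on commas that are not inside double quotes, so "Smith, John" stays whole.
_SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def _is_dns_name(value: str) -> bool:
    labels = value.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(_LABEL_RE.match(label) for label in labels) and not labels[-1].isdigit()


def detect_target_type(raw: str) -> str:
    """Return the target category name used in the documentation's list."""
    value = raw.strip()
    if not value:
        raise ValueError("empty target")
    if _QUOTED_NAME_RE.match(value):
        return "Human Name"
    if _EMAIL_RE.match(value):
        return "E-mail address"
    if _PHONE_RE.match(value):
        return "Phone Number"
    if "/" in value:
        try:
            ipaddress.ip_network(value, strict=False)  # host bits allowed in a seed subnet
            return "Subnet"
        except ValueError:
            pass
    else:
        try:
            addr = ipaddress.ip_address(value)
            return "IPv4 Address" if addr.version == 4 else "IPv6 Address"
        except ValueError:
            pass
    if _ASN_RE.match(value):
        return "ASN"
    if _is_dns_name(value):
        # Assumption for illustration: two labels -> domain, deeper -> hostname/sub-domain.
        return "Domain Name" if value.rstrip(".").count(".") == 1 else "Hostname/Sub-domain"
    raise ValueError(f"unrecognised seed target format: {raw!r}")


def parse_seed_targets(line: str) -> List[Tuple[str, str]]:
    """Split a comma-separated seed line and classify each entry."""
    entries = [part.strip() for part in _SPLIT_RE.split(line)]
    return [(entry, detect_target_type(entry)) for entry in entries if entry]


if __name__ == "__main__":
    # Constructed sample line, not from the documentation.
    for target, kind in parse_seed_targets('example.com, 22.214.171.124, "Smith, John"'):
        print(f"{target!r:30} -> {kind}")
```

Unrecognised input raises instead of guessing, which is the behaviour you want at a scan boundary: a mistyped target should fail loudly rather than silently start a scan against the wrong thing.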
Automated scans: specify a target and the types of enrichments (modules) you want to use. ThreatPipes will automatically search the internet for high-value intelligence on both the target and any affiliates. When complete you can analyse all the findings or integrate with other tools in your security stack.
Manual scans (paid): specify a target and manually select the enrichments (modules) to use as each data element is generated. Manual scans are a much more targeted approach to intelligence gathering, but in turn are much more time consuming.
Monitors allow you to run the scan on an automated basis.
This is useful when you want to monitor a target.
For example, when you want to watch an asset for misconfiguration (e.g. SSL expiration), an email leaked to a paste site, a malicious IP's relationship to other indicators of compromise, and so on.
You can choose to run the scan on the following schedule:
Daily (recommended for most use-cases)
Monitors have names. All monitors will inherit the name you give to the scan.
In many cases, scans have some relationship to each other.
For example, you might be researching a particular incident that contains many indicators of compromise. Each of these IOCs can be analysed using individual scans.
To group scans together, you can add scans to an investigation.
In order to add a new scan to an investigation, the investigation must already exist. You can create new investigations by clicking Investigations in the navigation bar. Read more here.
If you choose to start a scan with a monitor, you can also choose to automatically add scans generated by the monitor to the selected investigation by selecting "Automatically add scan to investigation".
It is possible to stream the data generated by a scan in real-time over syslog.
You must first configure a destination for ThreatPipes to stream data to by navigating to Settings > Server settings.
If you enable the log stream for a monitor scan, all scans generated by a monitor in the future will also be streamed to the destination.
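Before enabling the log stream it is worth confirming that the destination you configured under Server settings actually receives syslog. The Python below is an added example, not ThreatPipes code: it encodes and decodes the syslog PRI field (facility * 8 + severity) and performs a loopback send/receive so you can see what a receiver gets. The documentation does not state which transport or framing the product uses, so UDP and RFC 3164-style `<PRI>` framing are assumptions here; the sample message body is constructed.

```python
"""Syslog destination loopback check, as an added example (not ThreatPipes code).

Assumptions: UDP transport and '<PRI>' prefixed messages. Point host/port at the
destination configured in Server settings to check reachability from the sender's
network position before enabling the scan log stream.
"""
import re
import socket
from typing import Tuple

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(message: str) -> Tuple[int, int, str]:
    """Return (facility, severity, remainder) from a '<PRI>'-prefixed syslog line."""
    m = _PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:      # 23 facilities * 8 severities - 1
        raise ValueError("missing or invalid PRI field")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def build_message(facility: int, severity: int, body: str) -> bytes:
    """Encode facility/severity into the PRI field and prepend it to the body."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>{body}".encode("utf-8")


def loopback_roundtrip(body: str, facility: int = 16, severity: int = 6,
                       host: str = "127.0.0.1") -> Tuple[int, int, str]:
    """Bind a UDP listener, send one message to it, and return the parsed result.

    facility 16 = local0, severity 6 = informational (PRI 134), a common choice
    for application log streams; adjust to match the receiving SIEM's expectations.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind((host, 0))                  # ephemeral port, loopback only
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        tx.sendto(build_message(facility, severity, body), (host, port))
        data, _ = rx.recvfrom(65535)
    return parse_pri(data.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample body, not real scan output.
    print(loopback_roundtrip("threatpipes-test: scan=example-scan event=started"))
```

A receiver that drops or mis-files these test messages (wrong facility, wrong port, a firewall in between) will do the same to real scan events, and with a monitor enabled every future scan would be lost the same way, so fix the destination before turning the stream on.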
Now that you know more about how modules work and how they are categorised, you can choose the type of scan to be performed, either by:
Use-case [select 1]: prebuilt scan profiles built from some of the most common use-cases of ThreatPipes.
Categories [select multiple]: used when you want a particular type of result, like checking the reputation of the target.
Data type(s) [select multiple]: when you know exactly what you want to uncover. Note that this enables every module that listens for the selected data type, and those modules may also produce data types you did not select. This means your results can contain data types not originally selected.
Module(s) [select multiple]: for more advanced users who are familiar with the behaviour and data provided by different modules, and want more control over the scan.
Custom profile [select 1]: it is possible to create a custom scan profile by selecting modules you want to use for the scan instead of selecting them manually each time. Read more about configuring custom scan profiles here.
Unlike automated scans, manual scans need you to execute each module manually to perform a lookup. This can be done once you have started the scan under the Explore tab.
To perform a lookup on a node (data element) using a module, right click on the node and select the module.
You can return to the Explore tab at any time to perform additional analysis.