Starting a Scan

Uncover new intelligence on a target using a ThreatPipes scan.

Overview

ThreatPipes is built around scans. You start a scan by specifying a target.

Scan License Restrictions

Some features described on this page require a ThreatPipes license to use. Purchase one here.

ThreatPipes License restriction

Without entering a license key you will not be able to:

  • Start a scan with multiple targets

  • Run a scan in manual mode

  • Create a scan monitor

  • Add a scan to an investigation

  • Stream scan data

You can get a free license here.

Scan configuration

ThreatPipes scan configuration

Name

To initiate a scan, click on the ‘New Scan’ button in the top menu bar.

You will then need to give your scan a name. Names do not have to be unique.

Seed target

You will then need to define a seed target. Seed targets do not have to be unique either, so the same target can be scanned more than once.

The seed target can be one of the following.

  • Domain Name: e.g. example.com

  • IPv4 Address: e.g. 1.2.3.4

  • IPv6 Address: e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334

  • Hostname/Sub-domain: e.g. abc.example.com

  • Subnet: e.g. 1.2.3.0/24

  • ASN: e.g. 1234

  • E-mail address: e.g. bob@example.com

  • Phone Number: e.g. +12345678901 (E.164 format)

  • Human Name: e.g. "John Smith" (must be in quotes)

ThreatPipes will automatically detect the target type based on the format of your input.

You can enter multiple seed targets by separating them with a comma. For example:

test@test.com,1.1.1.1,www.test.com
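The format-based detection described above, written out as an added example (this is not ThreatPipes' own code, and the exact rules it uses are an assumption): each target in a comma-separated line is classified into one of the nine seed-target types listed on this page, quoted human names are kept intact even when they contain a comma, and anything that matches no rule is rejected instead of being guessed. The domain-versus-hostname split on label count is a simplification; a name such as example.co.uk would be misclassified without a public-suffix list.

```python
import ipaddress
import re

# Seed-target types as listed on this page. The detection rules below are an
# assumption about how format-based detection can work; they are not
# ThreatPipes' own code.
HUMAN_NAME = "Human Name"
ASN = "ASN"
PHONE = "Phone Number"
EMAIL = "E-mail address"
SUBNET = "Subnet"
IPV4 = "IPv4 Address"
IPV6 = "IPv6 Address"
DOMAIN = "Domain Name"
HOSTNAME = "Hostname/Sub-domain"

ASN_RE = re.compile(r"^(?:AS)?(\d+)$", re.IGNORECASE)      # "1234" or "AS1234" (assumed)
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")                  # E.164: '+' then up to 15 digits
EMAIL_RE = re.compile(r"^[^@\s,]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label


def classify_target(raw):
    """Return (type, normalised value) for one seed target, or raise ValueError."""
    t = raw.strip()
    # Human names must be quoted, so check the quotes before anything else.
    if len(t) >= 2 and t[0] == '"' and t[-1] == '"':
        return (HUMAN_NAME, t[1:-1].strip())
    m = ASN_RE.match(t)
    if m:
        return (ASN, int(m.group(1)))
    if E164_RE.match(t):
        return (PHONE, t)
    if EMAIL_RE.match(t):
        return (EMAIL, t.lower())
    # IPv4, IPv6 and CIDR subnets are all handled by the ipaddress module.
    try:
        net = ipaddress.ip_network(t, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if "/" in t:
            return (SUBNET, str(net))
        addr = ipaddress.ip_address(t)
        return (IPV4 if addr.version == 4 else IPV6, str(addr))
    # Anything left must look like a DNS name: two or more valid labels with a
    # non-numeric top-level label. Assumption: exactly two labels is treated as a
    # registrable domain, more as a hostname/sub-domain.
    labels = t.rstrip(".").lower().split(".")
    if len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels) and not labels[-1].isdigit():
        return (DOMAIN if len(labels) == 2 else HOSTNAME, ".".join(labels))
    raise ValueError(f"unrecognised seed target: {raw!r}")


def split_targets(line):
    """Split a comma-separated seed-target line, keeping quoted human names intact."""
    targets, buf, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            targets.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    targets.append("".join(buf))
    return [t.strip() for t in targets if t.strip()]


def parse_seed_targets(line):
    """Classify every target in a comma-separated line, as the scan form would."""
    return [classify_target(t) for t in split_targets(line)]


if __name__ == "__main__":
    # Constructed input: the page's example line plus a quoted name containing a comma.
    for kind, value in parse_seed_targets('test@test.com,1.1.1.1,"Smith, John",www.test.com'):
        print(f"{kind:20} {value}")
```

Rejecting unrecognised input rather than defaulting it to a hostname matters when the line comes from a script or a pasted IOC list: a stray token that silently became a "hostname" would trigger DNS lookups against an attacker-chosen string.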

Scan type

  1. Automated scans: specify a target and the types of enrichments (modules) you want to use. ThreatPipes will automatically search the internet for high-value intelligence on both the target and any affiliates. When complete you can analyse all the findings or integrate with other tools in your security stack.

  2. Manual scans (paid): specify a target and manually select the enrichments (modules) to use as each data element is generated. Manual scans are a much more targeted approach to intelligence gathering, but in turn are much more time consuming.

Monitors (automated scans only) (paid)

Monitors re-run the scan automatically on a schedule.

This is useful when you want to keep watching a target over time.

For example, you might want to watch an asset for misconfiguration (such as an SSL/TLS certificate expiring), watch for an e-mail address appearing in a paste-site leak, or track a malicious IP's relationships to other indicators of compromise as they change.

ThreatPipes Monitors

You can choose to run the scan on the following schedule:

  • Hourly

  • Daily (recommended for most use-cases)

  • Weekly

  • Monthly

Monitors have names, but you do not set them separately: a monitor inherits the name you give to the scan.

Investigations (paid)

In many cases, scans have some relationship to each other.

For example, you might be researching a particular incident that contains many indicators of compromise. Each of these IOCs can be analysed using an individual scan.

ThreatPipes investigation

To group scans together, you can add scans to an investigation.

In order to add a new scan to an investigation, the investigation must already exist. You can create new investigations by clicking Investigations in the navigation bar. Read more here.

If you choose to start a scan with a monitor, you can also choose to automatically add scans generated by the monitor to the selected investigation by selecting "Automatically add scan to investigation".

You can also add a scan to an investigation after it has started: navigate to the scans list, select the scan you want to add, and then select the investigation to add it to.

Stream scan data (automated scans only) (paid)

It is possible to stream the data generated by a scan in real time over syslog.

ThreatPipes syslog stream

You must first configure a destination for ThreatPipes to stream data to by navigating to Settings > Server settings.

If you enable the log stream for a monitor scan, all scans generated by a monitor in the future will also be streamed to the destination.

Module settings (automated scans only)

ThreatPipes start scan by required data

Now that you know how modules work and how they are categorised, you can choose what the scan runs in one of the following ways:

  • Use-case [select 1]: prebuilt scan profiles built from some of the most common use-cases of ThreatPipes.

  • Categories [select multiple]: used when you want a particular type of result, like checking the reputation of the target.

  • Data type(s) [select multiple]: when you know exactly what you want to uncover. Note that this enables every module that listens for the selected data type(s); those modules may also produce data types you did not select, so your results can contain data types that were not originally selected.

  • Module(s) [select multiple]: for more advanced users who are familiar with the behaviour and data provided by different modules, and want more control over the scan.

  • Custom profile [select 1]: it is possible to create a custom scan profile by selecting modules you want to use for the scan instead of selecting them manually each time. Read more about configuring custom scan profiles here.

There is no dependency checking when scanning by module or by data type. If none of the selected modules listen for the seed target's data type, no module will ever receive input and you will get no results.
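A toy model of the two behaviours described above, added here as an example rather than taken from ThreatPipes: selecting data types enables every module that listens for them (so a module enabled this way can emit types you never selected), and selecting a module that nothing feeds leaves it idle. The module names, the data types they listen for and produce, and the propagation loop are all assumptions for illustration, not the real module catalogue. The preflight() function is the dependency check the page says ThreatPipes does not perform, so you can run it against your own selection before starting a scan.

```python
# Hypothetical module catalogue: what each module listens for and what it produces.
# Names and types are illustrative assumptions, not ThreatPipes' real modules.
MODULES = {
    "dns_resolve":   {"listens": {"Domain Name", "Hostname/Sub-domain"},
                      "produces": {"IPv4 Address", "Hostname/Sub-domain"}},
    "cert_check":    {"listens": {"Hostname/Sub-domain"}, "produces": {"SSL Certificate"}},
    "ip_reputation": {"listens": {"IPv4 Address"}, "produces": {"Malicious IP"}},
    "asn_lookup":    {"listens": {"IPv4 Address"}, "produces": {"ASN"}},
    "email_breach":  {"listens": {"E-mail address"}, "produces": {"Leaked Credential"}},
}


def modules_for_data_types(selected_types):
    """Scan by data type: enable every module that listens for a selected type."""
    wanted = set(selected_types)
    return {name for name, m in MODULES.items() if m["listens"] & wanted}


def simulate_scan(seed_type, enabled):
    """Propagate data types from the seed through the enabled modules until nothing
    new appears. Returns which modules fired, which stayed idle (no input ever
    matched what they listen for) and every data type that ended up in the results."""
    available = {seed_type}
    fired = set()
    progress = True
    while progress:
        progress = False
        for name in sorted(enabled):
            if name in fired:
                continue
            if MODULES[name]["listens"] & available:
                fired.add(name)
                available |= MODULES[name]["produces"]
                progress = True
    return {"fired": fired, "idle": set(enabled) - fired, "data_types": available}


def preflight(seed_type, enabled):
    """The dependency check the page says is not done for you: returns the selected
    modules that can never receive input from this seed and would yield nothing."""
    return sorted(simulate_scan(seed_type, enabled)["idle"])


if __name__ == "__main__":
    # Scan by data type: asking for Hostname/Sub-domain enables dns_resolve and
    # cert_check; cert_check then yields SSL Certificate, a type never selected.
    enabled = modules_for_data_types(["Hostname/Sub-domain"])
    print(simulate_scan("Domain Name", enabled))
    # Scan by module with a mismatched seed: ip_reputation never fires.
    print("idle:", preflight("E-mail address", {"ip_reputation"}))
```

The fixed-point loop matters: a module that only listens for a type produced by another selected module still fires, but only if that upstream module is selected too, which is exactly the case the page warns about when you pick modules by hand.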

Manual scans

ThreatPipes manual scan

Unlike automated scans, manual scans need you to execute each module manually to perform a lookup. This can be done once you have started the scan under the Explore tab.

To perform a lookup on a node (data element) using a module, right click on the node and select the module.

Currently there is no data type validation between data elements and modules. If you attempt to run a lookup on a node whose data type the chosen module does not support, the node will flash red.

ThreatPipes explore tab

You can return to the Explore tab at any time to perform additional analysis.

The Explore tab (and its graph) is also available for automated scans, but there it is read-only.