Part of what makes Pulsedive so useful is that instead of gathering information on IOCs from a bunch of different sources, Pulsedive has a ton of data in one place: WHOIS, DNS, HTTP headers, SSL cert data, and more.
Pulsedive can also grab information from third parties using one of our lesser-understood features: Analyze/Enrich. I’m going to quickly explain what that is and then go over Pulsedive’s third-party integrations.
Analyze vs Submit
If you get an IP from a sensitive source and you want to get some data on it but don’t want to share with the rest of the community, you’ll probably want to “analyze” it versus “submit” it.
Analyzing an IOC does the following:
- Retrieves the latest location, WHOIS and DNS resolution data.
- Checks integrated third parties for additional data.
- Evaluates estimated risk, but not as thoroughly as submitting.
- Caches results for 1 hour without permanent storage in Pulsedive.
More importantly, analyzed IOCs:
- Are not searchable.
- Are not visible to other users, unless, of course, they analyze the same IOC.
- May be stored in back-end logs, which are purged over time and are not accessible to users.
- Do not have a risk score as accurate as submissions.
“Enrich” is just another term for “analyze,” but it is displayed for IOCs already in Pulsedive. Enriching and analyzing are virtually the same thing, but updated information for an enriched IOC is merged with the existing data before it is displayed.
Data pulled from VirusTotal
- AV detection ratio
- Subdomains and domain siblings, merged with existing data
- Passive DNS data for the last 3 months
Data pulled from Shodan
- Ports, merged with existing data
- Product and device type information
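To make the “merged with existing data” and “cached for 1 hour without permanent storage” behaviour concrete, here is a small added example of how a defender’s own enrichment pipeline could mirror those semantics. It is not Pulsedive’s code and does not call the Pulsedive, VirusTotal or Shodan APIs; the record fields, the dictionary shape of the enrichment results and the sample values are all constructed for illustration.

```python
import copy
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed constant: only the one-hour figure from the post is reflected here.
CACHE_TTL_SECONDS = 3600


@dataclass
class IndicatorRecord:
    """A minimal, hypothetical record for one IOC.

    Field names are assumptions for this example, not Pulsedive's schema.
    """
    value: str
    ports: Set[int] = field(default_factory=set)
    subdomains: Set[str] = field(default_factory=set)
    passive_dns: Dict[str, str] = field(default_factory=dict)  # hostname -> resolved IP
    products: Dict[int, str] = field(default_factory=dict)     # port -> product/device string
    av_ratio: Optional[tuple] = None                           # (detections, engines)


def merge_enrichment(existing: IndicatorRecord, enrichment: dict) -> IndicatorRecord:
    """Merge fresh third-party data into an existing record without mutating it.

    Set-valued fields (ports, subdomains) are unioned, so nothing already known
    is lost; keyed fields (passive DNS, product per port) take the newer value
    for each key; the AV ratio is a point-in-time figure and is simply replaced.
    """
    merged = copy.deepcopy(existing)
    merged.ports |= set(enrichment.get("ports", []))
    merged.subdomains |= set(enrichment.get("subdomains", []))
    merged.passive_dns.update(enrichment.get("passive_dns", {}))
    merged.products.update(enrichment.get("products", {}))
    if "av_ratio" in enrichment:
        detections, engines = enrichment["av_ratio"]
        merged.av_ratio = (detections, engines)
    return merged


class AnalyzeCache:
    """Ephemeral, in-memory store for analyzed results.

    Nothing is written to disk or indexed, mirroring the post's point that
    analyzed IOCs are neither persisted nor searchable. The clock is injected
    so expiry can be exercised without waiting an hour.
    """

    def __init__(self, ttl_seconds: int = CACHE_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, tuple] = {}

    def put(self, record: IndicatorRecord) -> None:
        self._entries[record.value] = (self._clock(), record)

    def get(self, value: str) -> Optional[IndicatorRecord]:
        entry = self._entries.get(value)
        if entry is None:
            return None
        stored_at, record = entry
        if self._clock() - stored_at >= self._ttl:
            del self._entries[value]  # expired: drop it rather than serve stale data
            return None
        return record


def sample_existing() -> IndicatorRecord:
    """Constructed record standing in for what is already stored for a domain."""
    return IndicatorRecord(
        value="example.com",
        ports={80},
        subdomains={"www.example.com"},
        passive_dns={"www.example.com": "192.0.2.10"},
    )


def sample_enrichment() -> dict:
    """Constructed third-party results in the shape merge_enrichment expects."""
    return {
        "av_ratio": (3, 70),
        "subdomains": ["mail.example.com", "www.example.com"],
        "passive_dns": {"mail.example.com": "192.0.2.25"},
        "ports": [80, 443],
        "products": {443: "nginx"},
    }


if __name__ == "__main__":
    merged = merge_enrichment(sample_existing(), sample_enrichment())
    cache = AnalyzeCache()
    cache.put(merged)
    print(cache.get("example.com"))
```

The merge never mutates the stored record, so a cached analysis can be discarded at expiry without touching whatever the permanent store holds; that separation is what keeps “analyze” from becoming a “submit” by accident.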