Help

Consortium Z (formerly OSINT-Grabber) is a tool for doing open source (and some closed source) intel lookups on indicators. Current capabilities include IP address, Domain, Hash Value, SSH Key, Email Address and full URL lookups.

To get the most out of Consortium Z, you must input any available API keys you have to power our lookups. Without any of these API keys, the value of the platform is severely restricted. Check the Account Settings page to input & edit your API keys.

If you have a PassiveTotal API key (free for 15 pulls/day, with paid options available) running an email, Consortium Z will format the PassiveTotal results (as well as provide the original pull) to sort the domain names registered by that user by date and will also run secondary searches against Cymon.io [free] and ThreatCrowd [free] to check for available OSINT on each domain. If OSINT is available, Consortium Z will display all available OSINT for that domain.

Note: Due to a rate limiting issue, VirusTotal secondary queries are not-functional through Consortium Z.

Recent Changes

June 26, 2019

Infrastructure changes:

  • The Consortium Z servers were relocated to a different infrastructure to allow future changes to be more frequest and less painful. As a result some data may have been lost. Any user profile changes (keys, history, passwords, etc.) made after Friday, June 21, 2019, have been rolled back.

Release Update - May 10, 2019
1.1.9

Bug Fixes:

  • Restored ability of non-admin users to access Account-Settings and Account-Profile pages

Release Update - April 25, 2019
1.1.8

Improvements:

  • Resubmitting indicator adds new record to history instead of updating previous
  • Will not allow empty indicator or intel scraper for better user experience

Release Update - April 18, 2019
1.1.7

Improvements:

  • Indicator history is now clickable to resubmit that history
  • Leading space in an indicator no longer causes error
  • Admins may now assign or unassign admin role for other users

Release Update - March 25, 2019
1.1.6

Improvements:

  • Various L&F changes (bolding on IBM X Force, long hashes get infix ellipses, indicator accepted doesn't persist to home screen)
  • Submission history sorted by and display last time that indicator ran
  • Bug with submitting indicator not appearing in history fixed

iRelease Update - March 20, 2019
1.1.5
Small text changes

iRelease Update - March 15, 2019
1.1.4
Launch of Consortium Z!

Improvements:

  • Design & UI upgrades
  • Added User profile image
  • Favicon :)

Single Indicator Lookups

IP Addresses
Syntax: “IP Addr” — ex. “1.2.3.4”

Standard dotted quad indicators are accepted.

IP address lookups return DNS and Whois information, PacketMail IP reputation results, results from Shodan and results from IBM XForce.

Domain Names
Syntax: “Domain Name” — ex. “www.google.com”

Domain names must not include http:// or any information after the TLD, or else the indicator will be treated as a URL and processed differently.

Domain name lookups provide Whois records, URLVoid results, and IBM XForce data on the domain, then finds the IP address that the domain resolves to and provides DNS, Whois, PacketMail, Shodan and IBM XForce results for that IP. NOTE: for domains that have a large number of associated IP addresses, Consortium Z only processes the first response from the conducted dig.

URLs
Syntax: “http(s)://‘Domain Name’/‘URI’” — ex. http://www.google.com/news

For the indicator to be submitted as a URL, it must include the information before the domain name (i.e. http://) as well as at least a trailing slash “/“ after the domain name. To get a complete set of information, ensure that the entire URI is included so that appropriate checks for badness can be conducted.

URL lookups start with a check against PacketMail’s PCRE feed to determine whether there is a known pattern match to any of the various current EKs and such. The URL is then converted to a Domain Name and processed as a standard domain as above.

Intel Scraper

Intel Scraper is a simple formatter for unformated intel. It’s intent is to be used to process incoming email based threat intel. Simply cut/paste the email (or other freeform intel) into the box and hit Submit. You’ll be returned a list of indicators that Intel Scraper found, a list of indicators that Intel Scraper is ignoring (due to known good status), host info on any IP address indicators, a regression testing string for Splunk style data repositories and finally a copy of the originally submitted intel (so that you can see what was processed).

Consortium Z does NOT save this data in any way, and it can not be accessed by other users. It is simply an input/output processor for ease of ingesting free form intel into your systems.

If you see indicators that should be on our Goodware list so that they are ignored by the processor, please let me know so that I can add them in. It doesn’t happen automagically.

Lastly, we rely on an external check against valid domains to limit “bad” domain names from being processed. Unfortunately we have to timeout this external call in the event that there is no response. If you see “domains” in the results such as “account.doc” this is because the external call is temporarily failing. Please be mindful of this and check the results for validity.

Notes
If you get a failed lookup or “Something went wrong” message, please consider letting us know so that I can fix things. contact@consortium.net

On the results page, if you see “Timeout Error, try again” this means that the individual API failed to respond to the request in a timely fashion so we killed the request. Sometimes rerunning the lookup will return results.

If there is an API that you use that you’d like to see here on Consortium Z, please let us know.