
Integrate Criminal IP Threat Intelligence into Securonix ThreatQ: A Step-by-Step Guide

Posted by u/296626 Stack · 2026-05-01 23:07:03

Introduction

Raw threat intelligence feeds often flood analysts with indicators but lack the real-world context needed to prioritize and respond effectively. Without understanding the exposure level, risk, or relevance of a given IP or domain, security teams waste precious time chasing false positives or missing critical threats. The partnership between Criminal IP and Securonix ThreatQ solves this by embedding exposure-based intelligence directly into the ThreatQ platform. This guide walks you through setting up the integration, automating the enrichment of alerts with contextual data, and accelerating your investigation workflows—turning raw data into actionable insights.

Integrate Criminal IP Threat Intelligence into Securonix ThreatQ: A Step-by-Step Guide
Source: www.bleepingcomputer.com

What You Need

  • An active subscription to Criminal IP (API access required).
  • An active Securonix ThreatQ instance (on-premises or cloud) with administrative privileges.
  • API keys for both platforms (Criminal IP API token and ThreatQ API credentials).
  • Network connectivity from your ThreatQ environment to the Criminal IP API endpoints.
  • A basic understanding of ThreatQ threat intelligence objects (indicators, sources, workbenches).
  • Optional: Python or a scripting tool if you prefer custom automation beyond built-in connectors.

Step-by-Step Integration Guide

Step 1: Prepare Your Criminal IP API Token

Log into your Criminal IP account and navigate to the API Management section. Generate a new API token with scope for IP enrichment and domain lookups. Copy the token and store it securely—you’ll need it in later steps. Ensure your token has sufficient quota for the expected volume of queries from ThreatQ.

Step 2: Configure ThreatQ Source for Criminal IP

Inside ThreatQ, go to Administration > Sources and click Add Source. Name it “Criminal IP Exposure Intelligence”. Choose the type as “External API”. Enter the base URL provided by Criminal IP (e.g., https://api.criminalip.io/v1). In the authentication field, select Bearer Token and paste the API token from Step 1. Save the source. This creates a bridge that pushes enriched context back into the ThreatQ indicator lifecycle.

Step 3: Map Data Fields and Classification

In the same source configuration, define how Criminal IP fields map to ThreatQ indicator attributes. At minimum, map:

  • IP address → Indicator value
  • Exposure score (0–100) → Custom attribute “Criminal IP Score”
  • Risk category (malicious, suspicious, etc.) → Indicator classification
  • First seen / last seen → Timestamp fields
  • Geolocation, ASN, and associated domains → Additional context tags

Use ThreatQ’s field mapping tool to create these associations. This step ensures that every enriched indicator carries the exposure context visible in investigation workbenches.

Step 4: Create Automation Rules for Real-Time Enrichment

Navigate to Automation > Rules and create a new rule. Name it “Auto-Enrich Indicators with Criminal IP”. Set the trigger to On Indicator Creation or On Indicator Ingestion. Define conditions: for example, if the indicator type is IP address or domain. Then add an action: Enrich via External API and select the Criminal IP source configured earlier.

Configure the enrichment action to automatically query the indicator against Criminal IP’s IP/domain exposure endpoint. Set the response handling to update the indicator’s attributes (score, classification, tags) immediately. Enable the rule and run a test with a known indicator to verify the enrichment works.
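The Step 3 field mapping applied to one enrichment response, as an added Python example that is not part of the original post or of either vendor's connector. The response field names, the sample addresses and the ASN are assumed or constructed for illustration; the real schema must be taken from the Criminal IP API reference.

```python
from datetime import datetime

HIGH_EXPOSURE_THRESHOLD = 80  # Step 5 dashboard filter (score > 80)

# Constructed sample response; field names are ASSUMED for illustration
# and must be confirmed against the Criminal IP API reference.
SAMPLE_RESPONSE = {
    "ip": "203.0.113.45",  # TEST-NET-3 documentation address
    "score": 87,
    "risk": "malicious",
    "first_seen": "2026-03-02T10:15:00Z",
    "last_seen": "2026-04-30T08:00:00Z",
    "geo": {"country": "NL", "asn": "AS64496"},  # documentation ASN
    "domains": ["example.net", "example.org"],
}

# Risk category (Criminal IP) -> indicator classification (ThreatQ).
CLASSIFICATION = {"malicious": "Malicious", "suspicious": "Suspicious", "safe": "Benign"}

def _parse_ts(value):
    """ISO-8601 'Z' timestamp -> aware datetime; missing values stay None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def map_to_threatq(resp):
    """Apply the Step 3 field mapping to one enrichment response."""
    score = int(resp.get("score", 0))
    if not 0 <= score <= 100:  # reject malformed responses instead of storing junk
        raise ValueError(f"exposure score out of range: {score}")
    geo = resp.get("geo", {})
    tags = []
    if geo.get("country"):
        tags.append(f"country:{geo['country']}")
    if geo.get("asn"):
        tags.append(f"asn:{geo['asn']}")
    tags.extend(f"domain:{d}" for d in resp.get("domains", []))
    return {
        "value": resp["ip"],
        "type": "IP Address",
        "attributes": {"Criminal IP Score": score},
        "classification": CLASSIFICATION.get(resp.get("risk", ""), "Unknown"),
        "first_seen": _parse_ts(resp.get("first_seen")),
        "last_seen": _parse_ts(resp.get("last_seen")),
        "tags": tags,
        "high_exposure": score > HIGH_EXPOSURE_THRESHOLD,
    }
```

A response with an unknown risk category lands as "Unknown" rather than being dropped, so the analyst still sees the score and can reclassify by hand.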

Step 5: Integrate with ThreatQ Workbenches for Analyst Efficiency

Now that indicators are enriched automatically, analysts can see the Criminal IP score next to each indicator in the Workbench. Create a custom dashboard widget that filters indicators with high exposure scores (e.g., >80). This prioritizes critical threats. Additionally, configure a notification rule to alert teams when a new high-score indicator appears—this speeds up response to the riskiest exposures.


To further reduce manual effort, set up a contextual search action that adds one-click links from the indicator detail page to the full Criminal IP report for deep investigation.

Step 6: Test and Validate the Pipeline

Before going live, perform a limited test:

  1. Ingest a small batch of sample IP addresses (both known benign and known malicious).
  2. Verify that each indicator receives a Criminal IP exposure score and tags in ThreatQ.
  3. Check that the automation rule fires correctly (logs in ThreatQ’s automation history).
  4. Simulate an alert scenario in a workbench and confirm the contextual data appears.
  5. If using ThreatQ’s Object Relationships, ensure associated domains and ASNs are linked.

Fix any mapping or connectivity issues. Once satisfied, activate the rule for all incoming indicators.

Step 7: Monitor and Refine Over Time

After deployment, monitor the enrichment performance via ThreatQ’s Reporting & Analytics. Look for:

  • Number of indicators enriched per day
  • Quota usage on your Criminal IP API
  • False negative rates (e.g., low-score indicators that turn out to be malicious)

Adjust the automation rule conditions (e.g., only enrich external IPs, or those with a certain threat level) to avoid wasting API calls. Also consider creating an allowlist of known internal IP ranges so they skip enrichment.

Tips for a Successful Integration

  • Start small, then scale: Begin with a subset of high-priority sources (e.g., only indicators from your SIEM) to avoid overwhelming the system.
  • Use data aging policies: Criminal IP exposure scores change over time. Configure ThreatQ to re-enrich indicators periodically (e.g., every 24 hours) to keep context fresh.
  • Combine with other threat feeds: The true power comes from overlaying Criminal IP’s exposure context with other enrichment sources (e.g., VirusTotal, AlienVault) for a multi-layered picture.
  • Train analysts: Ensure your SOC team understands how to interpret Criminal IP scores—especially the difference between risk (likelihood of threat) and exposure (visibility of the asset).
  • Watch API rate limits: Plan your enrichment volume to stay within Criminal IP’s usage tiers. Use ThreatQ’s enforcement rules to throttle if needed.
  • Leverage automation for immediate response: Consider adding a rule that automatically blocks IPs exceeding a certain exposure threshold (e.g., 90) on your firewall via ThreatQ’s external response actions.
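The gating and response tiering these tips describe (internal allowlist, 24-hour re-enrichment, quota throttling, and the 80/90 score thresholds), as an added Python example that is not the post's code or ThreatQ's rule engine. The ThreatQ type labels, the daily quota of 1000 and the sample indicators are assumed or constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

RE_ENRICH_AFTER = timedelta(hours=24)  # data aging policy from the tips
DAILY_QUOTA = 1000                     # assumed daily API budget (constructed)
BLOCK_THRESHOLD = 90                   # score that triggers the firewall action
ALERT_THRESHOLD = 80                   # score that triggers the analyst alert
# Internal allowlist: ranges that must never be sent to the external API.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def enrichment_decision(indicator, now, calls_used):
    """(query_api, reason) for an indicator dict with 'type', 'value' and optional 'last_enriched'."""
    if indicator["type"] not in ("IP Address", "FQDN"):  # type labels assumed
        return False, "unsupported-type"
    if indicator["type"] == "IP Address" and is_internal(indicator["value"]):
        return False, "allowlisted-internal"
    last = indicator.get("last_enriched")
    if last is not None and now - last < RE_ENRICH_AFTER:
        return False, "still-fresh"
    if calls_used >= DAILY_QUOTA:
        return False, "quota-exhausted"
    return True, "enrich"

def response_action(score):
    """Tier the follow-up actions by exposure score (record < alert < block)."""
    if score > BLOCK_THRESHOLD:
        return "block"
    if score > ALERT_THRESHOLD:
        return "alert"
    return "record"

def demo():
    """Run the gate over constructed indicators; returns {value: reason}."""
    now = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
    indicators = [
        {"type": "IP Address", "value": "10.20.30.40"},
        {"type": "IP Address", "value": "203.0.113.45", "last_enriched": now - timedelta(hours=2)},
        {"type": "IP Address", "value": "198.51.100.7", "last_enriched": now - timedelta(hours=30)},
        {"type": "FQDN", "value": "example.net"},
        {"type": "Email Address", "value": "user@example.net"},
    ]
    return {i["value"]: enrichment_decision(i, now, calls_used=0)[1] for i in indicators}
```

The freshness check runs before the quota check so that cached indicators never consume budget, and the allowlist is an explicit list rather than a generic "private address" test so the team controls exactly which ranges stay inside.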

By following these steps, you transform raw threat data into enriched, contextual intelligence that accelerates investigations and reduces false positives. The Criminal IP / Securonix ThreatQ integration closes the gap between noise and actionable insight.