RiskIQ Blacklist Intelligence

Updated 1 month ago by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. RiskIQ's blacklist intelligence delivers curated lists of known-bad URLs, domains, and IP addresses associated with malware, phishing, and scam events. TruSTAR's integration with RiskIQ blacklist intelligence lets users enrich suspicious IOCs with RiskIQ intelligence and pull that enrichment into their workflow tools.

Prerequisites

This integration requires TruSTAR users to be paying customers of RiskIQ and to hold RiskIQ API keys with access to the blacklist lookup endpoint.

Configure Integration

After you have retrieved your RiskIQ blacklist lookup API key, follow these steps:

  1. Log into TruSTAR Station and go to Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on the RiskIQ blacklist lookup logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable the RiskIQ blacklist lookup integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.

After the integration is enabled, any new report submitted into the user's enclave in TruSTAR will have all applicable indicators in that report extracted and queried against the RiskIQ blacklist database every 15 minutes. The associated responses will be submitted into an enclave the user controls.

FAQ

What data do you currently pull from RiskIQ blacklist lookup?

Our integration currently queries only indicators of the types listed below against the RiskIQ blacklist lookup database.

These include:

  • IP
  • URL
  • Hostname (Domain/url in TruSTAR)

Please contact us if you would like to discuss additional indicator types that can be queried from RiskIQ blacklist lookup.

How often is the data pulled?

Our integration queries indicators against the RiskIQ blacklist lookup every 15 minutes.

Technical Details

Type: Query-based TruStash

API Timeout: 30 seconds

BASE_URL - http://api.riskiq.net/

API Mapping: API Key, API Secret

Stash Type: stash_riskiqblacklist

SourceType: Closed source

API Endpoint Technical Details

API endpoints we will be ingesting reports from:

Blacklist Lookup - http://api.riskiq.net/api/blacklist/

Blacklist Lookup Request:

curl -X GET --header 'Accept: application/json' --header "Authorization: Basic $ENCODED_API_KEY" 'https://api.riskiq.net/v0/blacklist/lookup?url=http://77z4.cvogqcola.download/101636/1396/37lmy6x/luxb06/5077'

Blacklist Lookup Response:

{
  "url": "http://77z4.cvogqcola.download/101636/1396/37lmy6x/luxb06/5077",
  "hostname": "77z4.cvogqcola.download",
  "rank": 2147483647,
  "phishing": true,
  "malware": false,
  "spam": false,
  "scam": true,
  "matchType": "URL",
  "score": 100,
  "description": "riq.auto.model SCAM Fake Software (Flash)",
  "entries": [
    {
      "type": "GSBPhishing",
      "matchType": "HOST",
      "url": "cvogqcola.download/",
      "ruleID": 0
    },
    {
      "type": "RiskIQScam",
      "matchType": "URL",
      "id": 135788646,
      "url": "http://77z4.cvogqcola.download/101636/1396/37lmy6x/luxb06/5077",
      "target": "Fake Software (Flash)",
      "description": "riq.auto.model SCAM Fake Software (Flash)",
      "detectedAt": "2017-05-10T17:29:33.000-0700",
      "source": "RiskIQ",
      "ruleID": 0
    }
  ]
}

TruSTAR Report Content Mapping:

Report Mapping fields:

Report Title - IOC Type <IOC Value> (e.g. IP 99.45.72.34)

External ID - <base64(IOC Value)> (e.g. OTkuNDUuNzIuMzQ=); alternatively IOC Type<IOC Value> with no separator (e.g. IP99.45.72.34)

Report Body - the full JSON response

Time Begun - the "detectedAt" field of the response (e.g. 2017-05-10T17:29:33.000-0700)

Tags - the "score" field of the response (e.g. Score:100), plus one tag for each of the "phishing", "malware", "spam" and "scam" fields whose value is true (e.g. phishing:true; for the sample response above, which has "phishing":true,"malware":false,"spam":false,"scam":true, the tags are Score:100, phishing:true and scam:true)

Tags longer than 32 characters will be ignored.

Deeplink - No Deeplink

Client Type - PYTHON_SDK

Client Meta Tag - stash_riskiqblacklist
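As an added illustration of the request format and the report mapping above (example code written for this page, not TruSTAR's or RiskIQ's own integration code): the script below builds the blacklist lookup request from the curl example and maps the sample response to the TruSTAR report fields. It assumes the HTTP Basic credential is base64("API Key:API Secret"), and, because "detectedAt" appears on the entries rather than at the top level of the sample response, it takes the earliest entry timestamp as Time Begun; both are assumptions, not statements from the page. Nothing is sent over the network.

```python
"""Build a RiskIQ blacklist lookup request and map the response to TruSTAR
report fields. Added example for this page; not TruSTAR or RiskIQ code."""
import base64
import json
from datetime import datetime
from typing import Optional
from urllib.parse import urlencode

# Endpoint taken from the curl example on this page.
LOOKUP_ENDPOINT = "https://api.riskiq.net/v0/blacklist/lookup"
MAX_TAG_LEN = 32  # tags longer than this are ignored (per the mapping notes)
RISK_FLAGS = ("phishing", "malware", "spam", "scam")
DETECTED_AT_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2017-05-10T17:29:33.000-0700

# Sample response quoted on this page (abridged to the fields the mapping uses).
SAMPLE_RESPONSE = {
    "url": "http://77z4.cvogqcola.download/101636/1396/37lmy6x/luxb06/5077",
    "hostname": "77z4.cvogqcola.download",
    "phishing": True, "malware": False, "spam": False, "scam": True,
    "matchType": "URL",
    "score": 100,
    "entries": [
        {"type": "GSBPhishing", "matchType": "HOST", "url": "cvogqcola.download/"},
        {"type": "RiskIQScam", "matchType": "URL",
         "detectedAt": "2017-05-10T17:29:33.000-0700", "source": "RiskIQ"},
    ],
}


def build_lookup_request(api_key: str, api_secret: str, ioc: str) -> dict:
    """Return the URL and headers for a lookup, without sending it.
    Assumption: the Basic credential is base64("key:secret"), as in standard
    HTTP Basic auth; this page only shows the already-encoded value."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return {
        "url": LOOKUP_ENDPOINT + "?" + urlencode({"url": ioc}),
        "headers": {"Accept": "application/json",
                    "Authorization": "Basic " + token},
    }


def external_id(ioc_type: str, ioc_value: str, use_base64: bool = True) -> str:
    """External ID: base64 of the IOC value (99.45.72.34 -> OTkuNDUuNzIuMzQ=),
    or the alternative "<type><value>" form (IP99.45.72.34)."""
    if use_base64:
        return base64.b64encode(ioc_value.encode()).decode()
    return f"{ioc_type}{ioc_value}"


def build_tags(resp: dict) -> list:
    """Score tag plus one "<flag>:true" tag per risk flag that is true;
    tags over 32 characters are dropped."""
    tags = [f"Score:{resp.get('score')}"]
    tags += [f"{flag}:true" for flag in RISK_FLAGS if resp.get(flag) is True]
    return [t for t in tags if len(t) <= MAX_TAG_LEN]


def earliest_detection(resp: dict) -> Optional[str]:
    """Earliest "detectedAt" among the entries (assumption: the integration
    picks one of the entry timestamps; the page does not say which)."""
    stamps = [e["detectedAt"] for e in resp.get("entries", []) if "detectedAt" in e]
    if not stamps:
        return None
    return min(stamps, key=lambda s: datetime.strptime(s, DETECTED_AT_FMT))


def map_response_to_report(ioc_type: str, ioc_value: str, resp: dict) -> dict:
    """Apply the report content mapping from this page to one lookup response."""
    return {
        "title": f"{ioc_type} {ioc_value}",
        "external_id": external_id(ioc_type, ioc_value),
        "body": json.dumps(resp),
        "time_begun": earliest_detection(resp),
        "tags": build_tags(resp),
        "deeplink": None,
        "client_type": "PYTHON_SDK",
        "client_meta_tag": "stash_riskiqblacklist",
    }


if __name__ == "__main__":
    req = build_lookup_request("<API_KEY>", "<API_SECRET>", SAMPLE_RESPONSE["url"])
    print(req["url"])
    report = map_response_to_report("URL", SAMPLE_RESPONSE["url"], SAMPLE_RESPONSE)
    print(json.dumps({k: v for k, v in report.items() if k != "body"}, indent=2))
```

Run it directly to see the request URL and the mapped report for the sample response; to use it against a live lookup, pass your own key and secret to build_lookup_request and feed the parsed JSON body of the reply to map_response_to_report.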

Please reach out to support@trustar.co for any additional questions.
