RiskIQ Blacklist Intelligence

Updated 1 week ago by Elvis Hovor

This document explains how to set up and use RiskIQ Blacklist Intelligence with TruSTAR Station.

RiskIQ's Blacklist Intelligence delivers curated lists of known bad URLs, Domains, and IP addresses associated with malware, phishing, and scam events.

  • Time to Install: 10 minutes
  • Type of Feed: Automatic updates
  • Update Frequency: 15 minutes
  • Intel Type: Premium Feed

Data Types

The integration pulls reports with these observables from RiskIQ Blacklist Intelligence:

  • IP
  • URL
  • Hostname (Domain/url in TruSTAR)

Requirements

  • Licensed user of RiskIQ
  • API key for RiskIQ Blacklist lookup
TruSTAR Admin rights are required to activate this Premium Intel feed.

Getting Started

  1. Log into TruSTAR Station.
  2. Click the Marketplace icon on the left side icon list.
  3. Click  Closed Sources.
  4. Click Subscribe on the RiskIQ Blacklist box.
  5. Enter your PassiveTotal API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

Report Mapping

Field 

Explanation

Report Title

IOC Type <IOC Value> Example: IP 99.45.72.34

External ID

<base64(IOC Value)> Example: OTkuNDUuNzIuMzQ=

Alternative IOC Type <IOC  Value> Example:  IP99.45.72.34

Report Body

Full JSON response

Time Begun

"detectedAt" field of response Example: 2017-05-10T17:29:33.000-0700

Tags

"score" field of response (Example: Score:100) + phishing:true

Note only when value is true for either of these fields: "phishing":true,"malware":false,"spam":false,"scam":true)

Note: Tags of more than 32 characters are ignored.

Deeplink

None

Client Type

PYTHON SDK

Client Meta Tag

stash_riskiqblacklist

Known Issues

No reported issues.

Please reach out to support@trustar.co if you have issues with this integration.


How Did We Do?