RiskIQ Blacklist Intelligence
Introduction
TruSTAR is a threat intelligence platform designed to accelerate incident analysis process and exchange of intelligence among various internal and external teams. RiskIQ's blacklist intelligence delivers curated lists of known bad URLs, Domains, and IP addresses associated with malware, phishing, and scam events. TruSTAR's integration with RiskIQ blacklist intelligence allows users to enrich suspicious IOCs with RiskIQ intelligence and pull that into their workflow tools.
Prerequisites
This integration requires TruSTAR users to be paying customers of RiskIQ and have access to RiskIQ API keys with access to the blacklist lookup endpoint
Configure Integration
After you have retrieved your RiskIQ blacklist lookup API key follow these steps:
- Log into TruSTAR Station and go the Explore->Marketplace (https://station.trustar.co/browse/marketplace).
- Click on Closed Sources.
- Click on RiskIQ blacklist lookup logo and fill in your API key.
- Click Submit.
TruSTAR will validate and enable the RiskIQ blacklist lookup integrations within 48 hours. You will receive an email from us informing you as soon as it is enabled.
After the integration is enabled any new report submitted into the users enclave in TruSTAR will have all applicable indicators in that report extracted and queried against the RiskIQ blacklist database every 15 mins. The associated responses will be submitted into an enclave the user controls.
FAQ
What data do you currently pull from RiskIQ blacklist lookup?
Our integration currently only queries indicators of the types stated below against the RiskIQ blacklist lookup database
These include:
- IP
- URL
- Hostname (Domain/url in TruSTAR)
Please contact us if you would like to discuss additional indicators that can be queried from RiskIQ blacklist lookup
How often is the data pulled?
Our integration queries indicators against the RiskIQ blacklist lookup every 15mins.
Technical Details
Type: Query based TruStash
API Timeout : 30 seconds
BASE_URL - http://api.riskiq.net/
API Mapping: API Key, API Secret
Stash Type: stash_riskiqblacklist
SourceType: Closed source
API Endpoint Technical Details
API endpoints we will be ingesting reports from:
Blacklist Lookup - http://api.riskiq.net/api/blacklist/
Blacklist Lookup Request:
curl -X GET --header 'Accept: application/json' --header "Authorization: Basic $ENCODED_API_KEY" 'https://api.riskiq.net/v0/blacklist/lookup?url=http://77z4.cvogqcola.download/101636/1396/37lmy6x/luxb06/5077'
Blacklist Lookup Response::
{
"url":"http://77z4.cvogqcola.download/101636/1396/37lmy6x/luxb06/5077",
"hostname":"77z4.cvogqcola.download",
"rank":2147483647,
"phishing":true,
"malware":false,
"spam":false,
"scam":true,
"matchType":"URL",
"score":100,
"description":"riq.auto.model SCAM Fake Software (Flash)",
"entries":[
{
"type":"GSBPhishing",
"matchType":"HOST",
"url":"cvogqcola.download/",
"ruleID":0
},
{
"type":"RiskIQScam",
"matchType":"URL",
"id":135788646,
"url":"http://77z4.cvogqcola.download/101636/1396/37lmy6x/luxb06/5077",
"target":"Fake Software (Flash)",
"description":"riq.auto.model SCAM Fake Software (Flash)",
"detectedAt":"2017-05-10T17:29:33.000-0700",
"source":"RiskIQ",
"ruleID":0
}
]
}TruSTAR Report Content Mapping:
Report Mapping fields:
Report Title - IOC Type <IOC Value> (e.g IP 99.45.72.34)
External ID - <base64(IOC Value)> (e.g OTkuNDUuNzIuMzQ=) alternative IOC Type<IOC Value> (e.g. IP99.45.72.34)
Report Body - full json response
Time Begun - "detectedAt" field of response (e.g. 2017-05-10T17:29:33.000-0700)
Tags - "score" field of response (e.g. Score:100) + phishing:true (note only when value is true for either of these fields: "phishing":true,"malware":false,"spam":false,"scam":true)
Deeplink - No Deeplink
Client Type - PYTHON_SDK
Client Meta Tag - stash_riskiqblacklist
Please reach out to support@trustar.co for any additional questions.
