RiskIQ Blacklist Intelligence

Updated 6 days ago by Elvis Hovor

This document explains how to set up and use RiskIQ Blacklist Intelligence with TruSTAR Station.

RiskIQ's Blacklist Intelligence delivers curated lists of known bad URLs, Domains, and IP addresses associated with malware, phishing, and scam events. This intel feed enables you to enrich suspicious IOCs with RiskIQ intelligence and pull that into your workflow tools.

  • Time to Install: 10 minutes
  • Type of Feed: Automatic updates
  • Update Frequency: 15 minutes
  • Source Type: Closed Feed (requires subscription to RiskIQ Blacklist)


  • Licensed user of RiskIQ
  • API key for RiskIQ Blacklist lookup
TruSTAR Admin rights are required to activate this closed source feed.

Getting Started

  1. Log into TruSTAR Station.
  2. Click the Marketplace icon on the left side icon list.
  1. Click  Closed Sources.
  2. Click Subscribe on the RiskIQ Blacklist box.
  1. Enter your PassiveTotal API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

How It Works

After the integration has been enabled, any new report submitted into your enclave in TruSTAR will have all applicable indicators in that report extracted and queried against the RiskIQ blacklist database every 15 minutes. The associated responses will be submitted into your private RiskIQ Blacklist enclave.

Report Mapping



Report Title

IOC Type <IOC Value> Example: IP

External ID

<base64(IOC Value)> Example: OTkuNDUuNzIuMzQ=

Alternative IOC Type <IOC  Value> Example:  IP99.45.72.34

Report Body

Full JSON response

Time Begun

"detectedAt" field of response Example: 2017-05-10T17:29:33.000-0700


"score" field of response (Example: Score:100) + phishing:true

Note only when value is true for either of these fields: "phishing":true,"malware":false,"spam":false,"scam":true)

Note: Tags of more than 32 characters are ignored.



Client Type


Client Meta Tag



Q. What data is pulled from the RiskIQ Blacklist? 

A. The integration queries for these indicators on the Blacklist:

  • IP
  • URL
  • Hostname (Domain/url in TruSTAR)

Contact TruSTAR to discuss additional indicators that can be queried from RiskIQ Blacklist.

Q. What is the API timeout?

A. 30 seconds

Please reach out to support@trustar.co for any additional questions.

Known Issues

No reported issues.

Please reach out to support@trustar.co if you have issues with this integration.

Technical Details 

API Endpoint Details

API endpoint: Blacklist Lookup - http://api.riskiq.net/api/blacklist/

Blacklist Lookup Request:

curl -X GET --header 'Accept: application/json' --header "Authorization: Basic $ENCODED_API_KEY" 'https://api.riskiq.net/v0/blacklist/lookup?url=http://77z4.cvogqcola.download/101636/1396/37lmy6x/luxb06/5077'

Blacklist Lookup Response::

"description":"riq.auto.model SCAM Fake Software (Flash)",
"target":"Fake Software (Flash)",
"description":"riq.auto.model SCAM Fake Software (Flash)",

How Did We Do?