RiskIQ Blacklist Intelligence

Updated 2 weeks ago by TruSTAR

This document explains how to set up and use the RiskIQ Blacklist Intelligence premium intelligence source with the TruSTAR Web App.

RiskIQ's Blacklist Intelligence delivers curated lists of known bad URLs, Domains, and IP addresses associated with malware, phishing, and scam events.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to Install: 10 minutes

Data Types

The integration pulls reports with these Observables from RiskIQ Blacklist Intelligence:

  • IP
  • URL
  • Domain (Extracted from URL by TruSTAR)


Requirements

  • Licensed user of RiskIQ
  • API key for RiskIQ Blacklist lookup

TruSTAR Admin rights are required to activate this Premium Intelligence source.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the Navigation Bar.
  3. Click Premium Intel.
  4. Click Subscribe on the RiskIQ Blacklist box.
  5. Enter your RiskIQ API key and click Save Credentials & Request Subscription.

You can find your RiskIQ API keys here: https://api.riskiq.net/api/manage_apikey.html

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

Report Mapping

  • Report Title: IOC Type <IOC Value>. Example: IP XX.45.72.XX
  • External ID: <base64(IOC Value)>. Alternative IOC Type <IOC Value>
  • Report Body: Full JSON response
  • Time Begun: "detectedAt" field of response
  • Tags: "score" field of response. Tags of more than 32 characters are ignored. Note: only when value is true for any of these fields ("phishing":true,"malware":false,"spam":false,"scam":true). Example: Score:100 + phishing:true
  • Client Type
  • Client Meta Tag
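
The mapping above, worked through in Python as an added example (this is not TruSTAR's or RiskIQ's code). The function names, the output key names, the tag format (Score:<value>, <field>:true) and the sample response are assumptions built from the fields named on this page.

```python
import base64
import json

# Boolean classification fields named in the mapping above.
FLAG_FIELDS = ("phishing", "malware", "spam", "scam")
MAX_TAG_LEN = 32  # tags of more than 32 characters are ignored


def build_tags(response):
    """Derive tags from the score and from classification flags that are true."""
    candidates = []
    if "score" in response:
        # Assumed tag format, modelled on the "Score:100" example on this page.
        candidates.append(f"Score:{response['score']}")
    for field in FLAG_FIELDS:
        # Only a literal JSON true yields a tag; false or missing fields do not.
        if response.get(field) is True:
            candidates.append(f"{field}:true")
    return [tag for tag in candidates if len(tag) <= MAX_TAG_LEN]


def map_report(ioc_type, ioc_value, response):
    """Build the report fields listed under Report Mapping from one lookup result."""
    return {
        "title": f"{ioc_type} {ioc_value}",
        "external_id": base64.b64encode(ioc_value.encode("utf-8")).decode("ascii"),
        "body": json.dumps(response, sort_keys=True),  # full JSON response
        "time_begun": response.get("detectedAt"),
        "tags": build_tags(response),
    }


# Constructed sample response (not real RiskIQ output); 192.0.2.10 is a
# documentation-range address used as a placeholder IOC value.
SAMPLE = {
    "detectedAt": "2020-01-15T08:30:00Z",
    "score": 100,
    "phishing": True,
    "malware": False,
    "spam": False,
    "scam": True,
}

if __name__ == "__main__":
    print(json.dumps(map_report("IP", "192.0.2.10", SAMPLE), indent=2))
```

Because the External ID is derived only from the IOC value, the same indicator always produces the same ID, which makes it usable as a de-duplication key when reconciling reports on the consuming side.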


Known Issues

No reported issues.

Please contact support@trustar.co if you have issues with this integration.
