Hrslive
2026-05-03

Streamline Threat Investigations: A Step-by-Step Guide to Integrating Criminal IP Intelligence with Securonix ThreatQ

Step-by-step guide to integrating Criminal IP exposure-based intelligence with Securonix ThreatQ to automate enrichment, speed investigations, and prioritize high-risk indicators.

Introduction

Raw threat intelligence feeds often fail to deliver the real-world context that security teams need to prioritize and respond to incidents effectively. The partnership between Criminal IP and Securonix solves this gap by embedding exposure-based intelligence directly into the ThreatQ platform. This integration automates analysis, enriches indicators with risk context, and speeds up investigations. In this guide, you'll learn exactly how to set up the connection between Criminal IP and Securonix ThreatQ, enabling your team to transform raw data into actionable threat insights. Whether you're a SOC analyst or a threat intelligence manager, following these steps will help you leverage the combined power of both tools.

Streamline Threat Investigations: A Step-by-Step Guide to Integrating Criminal IP Intelligence with Securonix ThreatQ
Source: www.bleepingcomputer.com

What You Need

  • Active accounts for Criminal IP (with API access) and Securonix ThreatQ (with admin or integration privileges).
  • API credentials from Criminal IP: an API key and secret token.
  • ThreatQ host URL and API endpoint details (provided by your Securonix admin).
  • Network connectivity between your ThreatQ instance and the Criminal IP API (HTTPS outbound allowed).
  • Basic understanding of threat intelligence workflows, indicators (IPs, domains, hashes), and enrichment processes.
  • Optional: A test environment to verify the integration before pushing to production.

Step-by-Step Integration Guide

Step 1: Obtain and Secure Criminal IP API Credentials

Log in to your Criminal IP account and navigate to the API Settings section (usually under your profile or developer tools). Generate a new API key and secret token. Important: Store these credentials securely — treat them like passwords. You'll need them in later steps. If your organization uses a secrets manager, store the keys there. For this guide, we assume you'll copy them temporarily for configuration.

Tip: Criminal IP offers different API tiers. Ensure your subscription includes exposure-based intelligence and sufficient rate limits for your expected query volume.

Step 2: Prepare ThreatQ for Incoming Data Feeds

Access your Securonix ThreatQ console with admin rights. Navigate to Integrations or Data Sources (exact menu names may vary by version). Click Add New Integration and select Criminal IP from the list of available threat feed providers. If you don't see it, you may need to install the integration package provided by Securonix — contact support. Once selected, give your integration a descriptive name, such as Criminal IP Exposure Feed.

Step 3: Configure the API Connection

In the integration setup form, paste the Criminal IP API key and secret token into the corresponding fields. Enter the default API endpoint URL provided by Criminal IP (e.g., https://api.criminalip.io/v1). Set the Update Frequency — for real-time threat intelligence, choose “Every 5 minutes” or as close to real-time as your license allows. For batch processing, hourly is acceptable. Click Test Connection. A green success message confirms your credentials and network are working. If it fails, double-check the URL, credentials, and firewall rules.

Step 4: Map Indicator Types and Risk Context

ThreatQ organizes data into indicators (IOCs), campaigns, and adversaries. In this step, you map Criminal IP’s exposure-based intelligence to ThreatQ’s indicator schema. Typically, the integration auto-detects indicator types (IP, domain, URL, etc.), but you may adjust the mapping for specific fields like risk score or exposure type (e.g., open ports, vulnerable services, leaked credentials). In the integration settings, look for “Field Mapping” and assign each Criminal IP attribute to a ThreatQ indicator property. For example:

  • criminalip.risk_score → threatq.indicator.score
  • criminalip.exposure_type → threatq.indicator.tags
  • criminalip.last_seen → threatq.indicator.last_updated

Save your mapping. This step ensures that SIEM alerts and SOAR playbooks can later use the enriched context.

Step 5: Activate Enrichment and Automation Rules

Once the feed is live, configure Enrichment Policies within ThreatQ to automatically query Criminal IP for additional context whenever a new indicator is ingested. In the Automation tab, create a rule that triggers on indicator creation: If indicator source contains “Criminal IP”, then run enrichment. You can also set up Correlation Rules to flag indicators with high exposure scores and push them to the top of investigation queues. For example: criminalip_risk_score > 80 → assign priority “High”. This automation replaces manual threat intelligence lookups and speeds up triage.


Step 6: Test the Integration with Sample Indicators

Before full deployment, validate the integration using known malicious or suspicious indicators. In ThreatQ, manually submit an IP address that you know appears in Criminal IP’s exposure database (or use a test indicator provided by Criminal IP). Run the enrichment job manually. Check the indicator details page: you should see enriched fields like open ports, related malware, risk score, and exposure classification. Verify that the data updates automatically within the scheduled interval. If everything looks correct, proceed to production. If not, revisit Steps 3 and 4 to correct mapping or connectivity issues.

Step 7: Monitor, Tune, and Scale

After the integration is live, regularly review the Integration Health Dashboard in ThreatQ. Monitor API usage against your Criminal IP rate limits. Tune the enrichment frequency and correlation rules based on the volume of false positives. For example, if a certain exposure type generates too many low-priority alerts, adjust the mapping to ignore that field or lower its weight. Over time, fine-tune the integration to match your organization’s risk appetite. Consider setting up a weekly report that shows how many indicators were enriched and how many led to confirmed incidents.

Tips for Success

  • Start small: Begin with a single indicator type (e.g., IP addresses) and gradually add domains, hashes, and URLs as you gain confidence.
  • Align with existing workflows: Ensure the enriched fields integrate with your SIEM and SOAR solutions. For instance, sending indicators with a Criminal IP risk score above 90 directly to a ticketing system can reduce analyst toil.
  • Use tags for visibility: Create ThreatQ tags like criminalip-exposed or criminalip-high-risk to quickly filter and search for enriched indicators.
  • Educate your team: Hold a training session to explain how exposure-based intelligence differs from traditional feeds (e.g., it reveals real-world attack surface risks). Analysts will then know how to interpret the enriched context.
  • Keep credentials rotated: Schedule periodic rotation of Criminal IP API keys, following your organization’s security policy. Update the integration settings immediately after rotation to avoid service disruption.
  • Monitor billing: Criminal IP may charge per API call. Set a budget alert and review usage monthly to avoid unexpected costs.
  • Leverage threat intelligence communities: Share your lessons learned on forums or with the Securonix user group; others may have additional configuration tweaks for Criminal IP.
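The following is an added example, not code from Criminal IP, Securonix or this article. It models in plain Python the logic the guide configures through the ThreatQ UI: the Step 4 field mapping, the Step 5 correlation rule (risk score above 80 becomes priority High, and the queue is ordered by score), the Step 7 check of API usage against a rate limit, and the tips on criminalip-* tags and on sending scores above 90 to ticketing. The response shape, field names, sample IPs and the call limit are all assumptions chosen for illustration, so that the mapping and rules can be dry-run against constructed data before being entered in ThreatQ.

```python
"""Added example, not Criminal IP's or Securonix ThreatQ's own code.
Dry-runs the guide's field mapping, correlation rule, tagging and
rate-limit check against constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed sample lookups in the shape the guide describes (not real data;
# the key and field names are assumptions).
SAMPLE_LOOKUPS: Dict[str, dict] = {
    "203.0.113.10": {"risk_score": 95, "exposure_type": ["open_ports", "vulnerable_service"],
                     "open_ports": [22, 3389], "last_seen": "2026-04-30T12:00:00Z"},
    "198.51.100.7": {"risk_score": 82, "exposure_type": ["leaked_credentials"],
                     "open_ports": [], "last_seen": "2026-04-28T08:15:00Z"},
    "192.0.2.44": {"risk_score": 15, "exposure_type": [],
                   "open_ports": [443], "last_seen": "2026-04-01T00:00:00Z"},
}

# Step 4: Criminal IP attribute -> ThreatQ indicator property.
FIELD_MAPPING = {"risk_score": "score", "exposure_type": "tags", "last_seen": "last_updated"}

HIGH_RISK_THRESHOLD = 80   # Step 5: criminalip_risk_score > 80 -> priority "High"
TICKET_THRESHOLD = 90      # Tips: score above 90 -> send to the ticketing system


@dataclass
class ThreatQIndicator:
    value: str
    indicator_type: str = "IP Address"
    score: int = 0
    tags: List[str] = field(default_factory=list)
    last_updated: Optional[datetime] = None
    priority: str = "Normal"
    attributes: Dict[str, object] = field(default_factory=dict)


class RateLimitExceeded(RuntimeError):
    """Raised when the configured Criminal IP call budget would be exceeded."""


class CallBudget:
    """Step 7: track enrichment calls against the Criminal IP rate limit (assumed value)."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.used = 0

    def consume(self) -> None:
        if self.used >= self.limit:
            raise RateLimitExceeded(f"call budget of {self.limit} exhausted")
        self.used += 1

    def remaining(self) -> int:
        return self.limit - self.used


def apply_mapping(indicator: ThreatQIndicator, record: dict) -> ThreatQIndicator:
    """Copy mapped fields onto the indicator; unmapped fields are kept as attributes."""
    for src, value in record.items():
        dest = FIELD_MAPPING.get(src)
        if dest == "score":
            indicator.score = int(value)
        elif dest == "tags":
            # Tag convention from the tips: one criminalip-* tag per exposure type.
            indicator.tags.extend(f"criminalip-{t}" for t in value)
        elif dest == "last_updated":
            indicator.last_updated = datetime.fromisoformat(value.replace("Z", "+00:00"))
        else:
            indicator.attributes[src] = value   # e.g. open_ports stays visible to analysts
    return indicator


def apply_rules(indicator: ThreatQIndicator) -> ThreatQIndicator:
    """Step 5 correlation rule plus the visibility tags from the tips."""
    if indicator.tags:
        indicator.tags.append("criminalip-exposed")
    if indicator.score > HIGH_RISK_THRESHOLD:
        indicator.priority = "High"
        indicator.tags.append("criminalip-high-risk")
    return indicator


def needs_ticket(indicator: ThreatQIndicator) -> bool:
    """Tips: risk score above 90 goes straight to the ticketing system."""
    return indicator.score > TICKET_THRESHOLD


def enrich(ip: str, lookup: Callable[[str], Optional[dict]], budget: CallBudget) -> ThreatQIndicator:
    """Enrich one ingested indicator; `lookup` stands in for the Criminal IP API call."""
    budget.consume()
    indicator = ThreatQIndicator(value=ip)
    record = lookup(ip)
    if record is None:
        indicator.attributes["criminalip_status"] = "not_found"
        return indicator
    return apply_rules(apply_mapping(indicator, record))


def investigation_queue(indicators: List[ThreatQIndicator]) -> List[ThreatQIndicator]:
    """Step 5: high-exposure indicators are pushed to the top of the queue."""
    return sorted(indicators, key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    budget = CallBudget(limit=100)
    enriched = [enrich(ip, SAMPLE_LOOKUPS.get, budget) for ip in SAMPLE_LOOKUPS]
    for ind in investigation_queue(enriched):
        print(ind.value, ind.score, ind.priority, ind.tags, "ticket" if needs_ticket(ind) else "")
    print("API calls remaining:", budget.remaining())
```

Running the block orders the three sample IPs by score, marks the two above 80 as High with the criminalip-high-risk tag, flags only the 95-score host for a ticket, and reports the remaining call budget; swapping `SAMPLE_LOOKUPS.get` for a real client function is the only change needed to exercise the same rules against live lookups.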

By following these seven steps, you’ve transformed your threat intelligence operations from passive data ingestion to an active, context-aware defense system. The Criminal IP and Securonix ThreatQ integration empowers your team to focus on the threats that matter most.