RiskIQ
Connector Category: Enrichment Tool
About Integration
CTIX integrates with RiskIQ to enrich IPs, URLs, and domains. This integration adds contextual information to seemingly isolated threat data, gives you visibility into the threats, and makes threat investigation faster.
Configure RiskIQ as Enrichment Tool
Configure RiskIQ to enrich IP addresses, domains, and URLs.
Before you Start
You must have the view, create, and update permissions for Enrichment Management in CTIX.
You must have the base URL, username, and password of your RiskIQ account.
Note
Ensure that the account includes the permissions to retrieve the details of IP addresses, domains, and URLs.
Steps
To configure RiskIQ as an enrichment tool in CTIX, do the following:
Sign in to CTIX and go to Administration > Enrichment Management > Enrichment Tools.
Search and select the RiskIQ enrichment tool.
Click Add Account.
Enter a unique account name to identify the instance. For example, Prod_RiskIQ.
Enter the base URL of your RiskIQ instance. The default base URL is
https://api.passivetotal.org.Enter the username and password of your RiskIQ account to authenticate communication between the CTIX and RiskIQ servers.
Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and Recorded Future servers. By default, Verify SSL is selected.
Note
Cyware recommends you select Verify SSL. If you disable this option, CTIX may configure an instance for an expired SSL certificate. This may not establish the connection properly and CTIX will not be able to notify you in case of a broken or improper connection.
Click Save.
After successfully adding an account, you can view and enable the RiskIQ feed enrichment types to enable users to enrich IP addresses, domains, and URLs.
You can also configure quota to define a limit to the number of enrichment requests a RiskIQ account makes. After the quota expires, you can not make enrichment requests until the quota resets for the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.
To understand the number of API calls and quota units consumed by the RiskIQ enrichment tool per polling, refer to the following table.
Enrichment Tool | Feed Enrichment Type | No. of API calls | Quota Consumed |
|---|---|---|---|
RiskIQ | Domain | 11 | 11 |
IP | 11 | 11 | |
URL | 11 | 11 |
You can configure an enrichment policy to automatically enrich threat data objects using the RiskIQ enrichment tool. For more information, see Configure Enrichment Policy.