How to Enhance Threat Prioritization with Securonix ThreatQ and AI SPERA Criminal IP Integration

Introduction

In today's cybersecurity landscape, security teams are overwhelmed with alerts, many of which lack sufficient context to prioritize effectively. The recent partnership between Securonix and AI SPERA addresses this challenge by integrating Criminal IP threat intelligence directly into the Securonix ThreatQ Platform. This guide provides a step-by-step approach to setting up and leveraging this integration to enrich your threat intelligence with real-time IP context, enabling faster, more accurate incident response. By the end, you'll be able to transform raw IP data into actionable insights that reduce false positives and focus your team on the most critical threats.

How to Enhance Threat Prioritization with Securonix ThreatQ and AI SPERA Criminal IP Integration — Source: siliconangle.com

What You Need

Before you begin, ensure you have the following materials and prerequisites:

Active Securonix ThreatQ Platform Subscription – The platform must be configured and accessible with administrative privileges.
AI SPERA Criminal IP API Access – A valid subscription to Criminal IP with an API key. Register at the AI SPERA website if not already done.
Network Connectivity – Your ThreatQ instance must be able to reach AI SPERA's API endpoints (outbound HTTPS).
User Permissions – You need roles that allow configuring data sources, integration settings, and playbooks in ThreatQ.
Basic Understanding of Threat Intelligence Enrichment – Familiarity with IP reputation, threat scoring, and orchestration concepts is helpful.

Step-by-Step Integration Guide

Step 1: Access ThreatQ Integration Settings

Log in to your Securonix ThreatQ console as an administrator. Navigate to the Administration menu and select Integration Settings (or Data Sources, depending on your version). This is where you'll manage all third-party connectors. Look for the option to add a new integration – typically labeled “Add Integration” or “+ New Data Source.”

Step 2: Configure the Criminal IP Data Source

In the integration catalog, locate AI SPERA Criminal IP. If it does not appear, verify your ThreatQ version supports custom integrations, or contact Securonix support. Click on it and provide the following details:

Name – Give it a descriptive label, e.g., “Criminal IP – Real-Time IP Intel.”
API Key – Enter the API key provided by AI SPERA. Ensure it is stored securely.
Base URL – Use the standard endpoint: https://api.criminalip.io (or as specified in your subscription).
Polling Interval – Define how often ThreatQ should fetch new intelligence. For real-time enrichment, set a short interval (e.g., every 5 minutes).

Click Test Connection to validate the credentials. A success message confirms the integration is ready.

Step 3: Map Fields and Enable Enrichment

After saving the data source, you need to map fields so ThreatQ can automatically enrich incoming IP indicators. Go to Enrichment Rules under the integration settings. Create a new rule:

Trigger Condition – Choose “When an IP indicator is added or updated.”
Action – Select “Query Criminal IP” and specify the enrichment type (e.g., reputation, abuse score, geolocation).
Field Mapping – Map ThreatQ's IP Address field to the Criminal IP API's ip parameter. Then map returned fields like abuse_confidence_score, country, isp into corresponding ThreatQ fields.
Priority – Set a priority for enriched data (e.g., “High”) to ensure it appears prominently in alerts.

Save the rule. Now every new or updated IP in ThreatQ will automatically trigger a lookup against Criminal IP.

Step 4: Build Playbooks for Automated Response

To maximize value, use ThreatQ's orchestration capabilities to create playbooks that act on enriched intelligence. Go to Playbooks and choose Create New Playbook. Example workflow:

Trigger – When an IP with a Criminal IP abuse score above 80 is detected.
Actions – Block the IP at the firewall (via SIEM integration), send a high-priority alert to the SOC, and automatically create a ticket in your ITSM system.
Conditional Logic – If the IP is from a known bad ISP, escalate to a senior analyst.

Save and activate the playbook. This automation reduces manual investigation time.

Step 5: Analyze and Prioritize Indicators

With integration running, open the Indicators tab. You'll see IP addresses now display enriched data from Criminal IP, such as:

Abuse Confidence Score – A percentage indicating likelihood of malicious activity.
Historical Context – First seen, last seen, and related incidents.
Geolocation & ISP – Helps distinguish between legitimate cloud providers and anonymous proxies.

Use the Prioritization View to sort IPs by score. This allows you to focus on the most dangerous threats first. For example, an IP with a score of 95 and recent activity should be investigated immediately, while a score of 10 with no history can be deprioritized.

Step 6: Monitor and Refine Integration Performance

Regularly review the integration's health under Logs & Monitoring. Look for errors such as API timeouts or quota limits (Criminal IP may impose daily request caps). Adjust the polling interval if needed. Also, periodically refine your enrichment rules – for instance, add extra fields like threat type or associated malware as new API features become available. Share feedback with your team to fine-tune playbooks for evolving threats.

Tips for Success

Start Small – Initially enable enrichment for a subset of indicators (e.g., external IPs only) to avoid overwhelming the system.
Combine with Local Intel – Don't rely solely on Criminal IP; integrate with other threat feeds (e.g., VirusTotal, AlienVault) for multi-source validation.
Monitor API Usage – Keep track of your monthly query volume to avoid overage charges. Set up alerts when you reach 80% of your quota.
Use Tags for Context – Automatically tag IPs with Criminal IP's “botnet,” “scanner,” or “proxy” labels to simplify filtering in dashboards.
Test Thoroughly – Before rolling out to production, test the integration in a sandbox environment. Verify that field mappings produce accurate values.
Document Your Workflow – Maintain internal documentation of the integration steps, playbook logic, and enrichment rules for future reference and training.

By following this guide, your security operations center will gain deeper context for IP indicators, reduce false positives, and accelerate incident response. The Securonix–AI SPERA partnership transforms raw data into a powerful decision-making tool. Start implementing today and experience the impact of enriched threat intelligence.