
In security operations environments, many security alerts are not the beginning of an attack but rather the result of activity that has already occurred. For example, consider the following scenarios:
- Malware detection by an EDR
- Detection of a phishing site connection through URL filtering
- An administrator account login event
When such events occur, it often implies that the system has already communicated with external infrastructure. Therefore, security analysis should not stop at confirming the event itself. It is equally important to rapidly verify the external infrastructure associated with the event.
One approach to achieving this is an Event-Driven Threat Validation Pipeline. This method begins with a security event, analyzes related network logs, evaluates the risk of associated external IP infrastructure, and, if necessary, performs automated response actions such as blocking malicious IP addresses.
Event-Driven Threat Validation Pipeline
This pipeline operates by using a security event as the starting point, analyzing network logs, evaluating the risk of external IP infrastructure, and triggering automated blocking if required.
The overall process is illustrated below.

This architecture analyzes post-event network activity, quickly identifies external infrastructure associated with the attack, and enables coordinated response through existing security infrastructure within the operational environment.
Validation Model: Event-Driven + Timeline-Based Analysis
The pipeline operates based on three key analytical principles.
Event-Driven
Instead of continuously analyzing all network traffic, the analysis is triggered at the time of a detected security event. This approach reduces unnecessary processing while focusing on high-relevance events.
Timeline-Based Analysis
The system analyzes a specific time window prior to the security event. For example:
- Event time: 10:00
- Analysis window: 09:55 ~ 10:00
This timeline-based approach helps identify network activity that may have directly contributed to the security event.
Selective Threat Validation
Not all network traffic is analyzed. Only traffic meeting specific conditions is evaluated, such as:
- Network connections immediately before the event
- Connections to external public IP addresses
- Non-standard port traffic
- Traffic occurring outside business hours
By focusing on these indicators, the pipeline reduces unnecessary analysis while improving detection accuracy.
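As an added example (not code from the page or from the threat-validation-pipeline repository), the selection stage just described, run over a constructed network log: a five-minute window before the event, external destinations only, and a tag for each of the non-standard-port and outside-business-hours conditions. The log format, the internal ranges, the standard-port set and the business hours are assumptions of this example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample network log (not from the page): "timestamp src_ip dst_ip dst_port".
# RFC 5737 documentation addresses stand in for public IPs (ipaddress.is_global treats
# them as non-global, so internal ranges are checked explicitly instead).
SAMPLE_LOGS = """\
2024-05-01T02:31:15 10.0.0.5 198.51.100.99 4444
2024-05-01T09:52:10 10.0.0.5 203.0.113.7 443
2024-05-01T09:57:30 10.0.0.5 198.51.100.23 8443
2024-05-01T09:58:05 10.0.0.5 10.0.0.9 445
2024-05-01T09:59:40 10.0.0.5 192.0.2.44 443
"""

# Assumed site policy: internal ranges, standard ports and business hours (09:00-17:59).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STANDARD_PORTS = {53, 80, 443}
BUSINESS_HOURS = range(9, 18)

def parse_logs(text):
    """Parse the whitespace-separated log format above into dicts."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src,
                     "dst": ip_address(dst), "port": int(port)})
    return rows

def select_candidates(rows, event_time_iso, window_minutes=5):
    """Event-driven, timeline-based selection: keep connections in the window before
    the event that go to external IPs, tagging why each qualifies for validation."""
    event_time = datetime.fromisoformat(event_time_iso)
    start = event_time - timedelta(minutes=window_minutes)
    candidates = []
    for r in rows:
        if not start <= r["ts"] <= event_time:
            continue  # outside the analysis window
        if any(r["dst"] in net for net in INTERNAL_NETS):
            continue  # only external infrastructure is validated
        reasons = ["pre_event_connection"]
        if r["port"] not in STANDARD_PORTS:
            reasons.append("non_standard_port")
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside_business_hours")
        candidates.append({"ip": str(r["dst"]), "port": r["port"], "reasons": reasons})
    return candidates

def candidate_ips(candidates):
    """De-duplicated IP list handed to the infrastructure validation step."""
    return sorted({c["ip"] for c in candidates})
```

For an event at 10:00 only the two external connections between 09:55 and 10:00 survive; the internal SMB connection and the earlier connection are dropped before any API call is made.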
Infrastructure Verification Using Criminal IP
To evaluate the risk of external infrastructure, the pipeline utilizes the Criminal IP API. Verification is performed through the following endpoint:
https://search.criminalip.io/developer/api/get-asset-ip-report
This API provides infrastructure-level intelligence, not just simple IP reputation data. Key security indicators include:
- IP Risk Score (Inbound / Outbound)
- Exposed services and open ports
- Detection of proxy or VPN infrastructure
- Cryptocurrency mining infrastructure indicators
- Presence of vulnerable services
- SSL certificate status
These indicators are combined to perform Infrastructure Risk Evaluation, enabling deeper analysis of potentially malicious infrastructure.
Multi-Factor Risk Evaluation Criteria
The Criminal IP threat validation pipeline determines risk levels using multiple infrastructure indicators, rather than relying on reputation alone. Key evaluation factors include:
| Indicator | Risk Criteria |
|---|---|
| Reputation Score | Dangerous or Critical |
| SSL Certificate Issues | Self-signed or expired certificates |
| Directory Listing Exposure | Public directory listing on web servers |
| Mining Infrastructure | Detection of crypto-mining activity |
| Anonymous Infrastructure | VPN, Tor, or Proxy usage |
| SSH Service Exposure | Port 22 or OpenSSH detected |
This multi-factor analysis model enables a more reliable infrastructure-level risk evaluation.
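An added example (not the repository's code) that applies the table's criteria to an asset report. The Criminal IP response layout is not reproduced on this page, so the code works on an assumed normalized shape with field names of its own, onto which the real API response would first be mapped; the decision policy in risk_level is likewise an assumption, chosen so that a Dangerous/Critical score or the combination of several infrastructure indicators is what triggers a blocking recommendation.

```python
# Constructed reports in an assumed normalized shape; the field names are this example's
# own, not the API's, and an absent key means the indicator was not observed.
REPORTS = {
    "198.51.100.23": {
        "score": {"inbound": "Critical", "outbound": "Moderate"},
        "ssl": [{"self_signed": False, "expired": False}],
        "anonymity": {"vpn": True, "tor": False, "proxy": False},
        "ports": [{"port": 22, "product": "OpenSSH"}, {"port": 443, "product": "nginx"}],
    },
    "192.0.2.44": {
        "score": {"inbound": "Low", "outbound": "Safe"},
        "ssl": [{"self_signed": False, "expired": True}],
        "ports": [{"port": 443, "product": "nginx"}],
    },
}

DANGEROUS_LEVELS = {"Dangerous", "Critical"}

def evaluate_report(report):
    """Apply the multi-factor criteria from the table; return the indicators that match."""
    hits = []
    score = report.get("score", {})
    if {score.get("inbound"), score.get("outbound")} & DANGEROUS_LEVELS:
        hits.append("reputation_score")
    if any(c.get("self_signed") or c.get("expired") for c in report.get("ssl", [])):
        hits.append("ssl_certificate_issue")
    if report.get("directory_listing"):
        hits.append("directory_listing_exposure")
    if report.get("mining"):
        hits.append("mining_infrastructure")
    if any(report.get("anonymity", {}).get(k) for k in ("vpn", "tor", "proxy")):
        hits.append("anonymous_infrastructure")
    if any(s.get("port") == 22 or "openssh" in str(s.get("product", "")).lower()
           for s in report.get("ports", [])):
        hits.append("ssh_service_exposure")
    return hits

def risk_level(hits):
    """Assumed policy: a Dangerous/Critical reputation alone is dangerous; two or more other indicators are suspicious."""
    if "reputation_score" in hits:
        return "dangerous"
    if len(hits) >= 2:
        return "suspicious"
    return "low" if hits else "clean"

def decide(ip, report, block_levels=("dangerous",)):
    """Result consumed by the response step; the block itself is left to the firewall/SOAR integration."""
    hits = evaluate_report(report)
    level = risk_level(hits)
    return {"ip": ip, "level": level, "indicators": hits, "block": level in block_levels}
```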
Example of Infrastructure Risk Evaluation Results
The risk evaluation engine analyzes infrastructure risk based on Criminal IP API data. For example, the system may produce output such as the following:

If an IP address receives a Dangerous risk score or exposes services such as SSH, the infrastructure may be flagged as suspicious. These evaluation results can then be used by the automated response pipeline to determine whether blocking actions should be executed.

The same infrastructure data can also be verified directly through the Criminal IP platform. This demonstrates that the CLI output is based on the same real infrastructure intelligence provided by Criminal IP.
Threat Validation Pipeline Execution Example
An example implementation of this architecture can be found in the following GitHub repository: https://github.com/criminalip/threat-validation-pipeline
This repository contains IP validation scripts using the Criminal IP API, allowing users to test risk analysis for individual IP addresses.
Step 1. Clone the Repository
```bash
git clone https://github.com/criminalip/threat-validation-pipeline.git
cd threat-validation-pipeline
pip install requests
```
(In a Jupyter or Colab notebook, as in the original walkthrough, shell commands are prefixed with `!` and the directory change is done with `%cd`.)
Step 2. Configure the API Key
Your API key can be found by logging in to criminalip.io → My Page → API Key.

Step 3. Run a Single IP Validation Test
The following command retrieves risk information for a specific IP address:
```bash
python cip_ip_report_check.py --ip 23.XXX.XXX.XX --pretty
```
This command calls the Criminal IP API and outputs the IP risk score and exposed services.
You can also analyze specific ports:
```bash
python cip_ip_report_check.py --ip 23.XXX.XXX.XX --port 22 --pretty
```
To view the raw API response in JSON format:
```bash
python cip_ip_report_check.py --ip 23.XXX.XXX.XX --dump-json
```
The JSON response may include associated domain information, which can help identify additional services or infrastructure hosted on the same server.
This example demonstrates how the validation engine functions within the pipeline. In real operational environments, IP addresses are automatically extracted from network logs and validated. Automated blocking actions require integration with firewalls, SOAR platforms, or other security infrastructure.
Operational Use Cases
This pipeline can be applied in various real-world security scenarios.
Malware Infection
When malware is detected by an EDR:
- Network logs before the event are analyzed
- External IPs are extracted → validated with Criminal IP → malicious infrastructure is blocked
Phishing Site Access
When a user clicks a phishing link:
- Related network connections are analyzed
- Additional attack infrastructure is discovered → malicious infrastructure blocking can be triggered
Administrator System Login
When an administrator login event occurs:
- Network activity prior to login is analyzed
- External infrastructure risk is validated
Abnormal Network Traffic
Examples include:
- Non-standard port connections
- Late-night network activity
- Suspicious outbound communications from internal systems
Conclusion
In modern attack environments, it is difficult to understand the full attack flow based on a single security event. Therefore, it is important to track network activity following a security event and quickly verify the risk level of the related external infrastructure. The event-driven threat validation pipeline using Criminal IP data automates this analysis process, identifies risky infrastructure, and provides an effective security operations model that can be integrated with automated response systems within each operational environment. This approach can be effectively utilized in SOC operations, threat hunting, MSSP automation, and automated response environments within security infrastructure.
The full code and architecture documentation can be found in the GitHub repository: https://github.com/criminalip/threat-validation-pipeline
