Criminal IP Threat Intelligence is now integrated into the IBM QRadar security analytics environment.
IBM QRadar is widely used by global enterprises and public-sector organizations as a SIEM and SOAR platform, serving as a central component of security operations through large-scale log collection, event correlation, and automated incident response.
This is a product-level integration: Criminal IP threat intelligence can be used directly within the QRadar environment.
As a result, QRadar users can apply IP-based external threat intelligence across detection, investigation, and response workflows, without switching to external tools or consoles.

Real-Time IP Threat Visibility in QRadar SIEM

Criminal IP data is integrated into IBM QRadar SIEM to provide real-time, dashboard-driven threat visibility based on firewall traffic logs.
When customers forward firewall logs from network security devices such as Fortinet or Palo Alto into QRadar SIEM, the collected traffic logs are analyzed in real time through the Criminal IP API.
During this process, external threat intelligence context, including IP characteristics, historical malicious activity, and the use of anonymization or hosting infrastructure, is applied to each observed IP address.

The analyzed results are reflected directly on the Criminal IP dashboard inside QRadar, where traffic is automatically categorized into High, Medium, and Low risk levels from a threat intelligence perspective.
This allows security teams to visually monitor inbound and outbound traffic flows, quickly identify high-risk IP addresses, and prioritize response actions such as access blocking or further investigation.

In addition, analysts can right-click any IP address displayed in QRadar Log Activity or the Criminal IP dashboard to immediately open a detailed Criminal IP report for that IP address. This enables deeper investigation without leaving the QRadar environment.

🔗 QRadar SIEM Integration App
https://apps.xforce.ibmcloud.com/extension/5cac70bff4767157ac0602606dd6453

Automated Response Extended with QRadar SOAR

Criminal IP is also integrated with IBM QRadar SOAR to support automated threat enrichment during the incident response phase.
Using preconfigured playbooks, when an IP address or URL artifact is created within a SOAR case, QRadar SOAR automatically triggers the corresponding Criminal IP playbook to collect threat intelligence data.
The analysis results are returned as artifact hits or incident notes, giving analysts the context they need to make response decisions.
This integration includes the following two playbooks:
- Criminal IP: IP Threat Service automatically enriches IP address artifacts with threat intelligence data.
- Criminal IP: URL Threat Service performs lite or full URL scans and reflects the results directly within the SOAR case.
By reducing repetitive manual lookups, security teams can operate a faster and more consistent incident response process.

🔗 QRadar SOAR Integration App
https://apps.xforce.ibmcloud.com/extension/a8549f6c6fee6ef7935b944e09c75691

Advancing Intelligence-Driven SOC Operations

Through the integration of Criminal IP with IBM QRadar SIEM and SOAR, customers can combine QRadar’s detection, investigation, and response capabilities with Criminal IP’s context-rich external threat intelligence.
This integration enables QRadar customers, including global enterprises and public-sector organizations, to more clearly distinguish threats that require immediate action, even in large-scale log environments, and to improve both the accuracy and speed of security decision-making.
By automating threat analysis across SIEM and SOAR workflows, security teams can move beyond alert volume and focus on threats that have a real impact on their organizations.
Criminal IP will continue to expand technical integrations with global security platforms to ensure that threat intelligence is applied effectively in real-world security operations.