Criminal IP Threat Intelligence Integration with OpenCTI

Criminal IP is now integrated with OpenCTI, an open-source cyber threat intelligence platform.

OpenCTI uses a graph-based model to structure, store, and analyze cyber threat data. It connects indicators, vulnerabilities, threat actors, attack campaigns, and other threat information within a unified knowledge base, supporting investigation, collaboration, and intelligence sharing.

Through this integration, IP addresses, domains, and URLs collected in OpenCTI can be automatically enriched with Criminal IP threat intelligence.

The Criminal IP Connector structures risk scores, infrastructure intelligence, vulnerability data, behavioral signals, and phishing analysis results as entities and relationships aligned with the OpenCTI data model. This allows analysts to move beyond reviewing isolated reputation data and analyze related infrastructure and threat context directly within the OpenCTI knowledge graph.

Expanding Threat Context for OpenCTI Indicators

Criminal IP enrichment results for an IP address in OpenCTI, including risk scores and behavioral signals

The Criminal IP Connector enriches IP addresses, domains, and URLs with the following information:

  • Inbound and outbound IP risk scores
  • Malicious classifications and behavioral signals
  • Use of anonymization technologies such as VPNs, proxies, and Tor
  • Externally observed services and related CVEs
  • Autonomous System and geolocation information
  • Domain and URL phishing analysis
  • Detection of credential harvesting, suspicious files, and impersonation techniques

This information is structured as OpenCTI entities and relationships rather than being added as simple tags. Analysts can start from an individual indicator and expand their investigation across related vulnerabilities, Autonomous Systems, geolocation data, and connected infrastructure.

Dual-Perspective Risk Scoring and Infrastructure Analysis

Criminal IP provides both inbound and outbound risk scores for IP addresses.

The inbound risk score reflects how an IP is targeted from external sources, while the outbound risk score reflects behavior observed from the IP toward external systems.

This dual-perspective model gives analysts a more granular basis for prioritizing high-risk indicators than a single reputation score.

Criminal IP data is also represented in the OpenCTI knowledge graph through relationships between IP addresses, Autonomous Systems, geolocation data, observed services, and CVEs.

Criminal IP intelligence structured as OpenCTI entities and relationships

Analysts can use these relationships to explore related infrastructure and identify shared infrastructure components, hosting patterns, and regional clustering.

Service Exposure and Phishing Intelligence

Criminal IP links externally observed services with known CVEs, providing insight into potential attack surfaces.

This allows analysts to assess not only whether an IP is classified as malicious, but also whether it may be exploitable or actively used in attacks.

For domains and URLs, Criminal IP provides the following phishing intelligence:

  • Phishing activity detection
  • Credential harvesting detection
  • Suspicious file detection
  • Impersonation technique analysis
  • Confidence scores based on phishing probability

Analysts can also review the IP addresses, Autonomous Systems, and geolocation data associated with phishing domains to investigate related infrastructure and broader campaign patterns.

How the Criminal IP Connector Works

The integration process works as follows:

  1. IP addresses, domains, and URLs are ingested into OpenCTI.
  2. The Criminal IP Connector automatically enriches each indicator.
  3. Risk scores, infrastructure intelligence, and phishing analysis results are collected.
  4. The enriched data is structured as OpenCTI entities and relationships.
  5. Analysts use the knowledge graph for investigation, correlation, and threat analysis.
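The following is an added illustration (not the connector's code) of step 4: what it means for an enrichment result to become OpenCTI entities and relationships rather than tags. The input record, its field names, the fixed id namespace and the CVE value are constructed placeholders, not Criminal IP's real API schema; the STIX 2.1 object types and relationship types are standard ones chosen for the example.

```python
"""Map a constructed, Criminal IP style enrichment record onto STIX 2.1
objects and relationships, the form an OpenCTI connector sends to the
platform. Illustrative only: input keys are assumptions, not the real API."""
import uuid

# Constructed sample enrichment for one IP (field names are assumptions;
# the CVE id is a placeholder, not a real advisory).
SAMPLE = {
    "ip": "203.0.113.10",
    "inbound_score": 95, "outbound_score": 20,
    "asn": 64496, "as_name": "EXAMPLE-AS",
    "country": "US",
    "services": [{"port": 443, "cves": ["CVE-0000-00000"]}],
}
NS = uuid.UUID("00000000-0000-0000-0000-000000000000")  # assumed namespace

def sid(stix_type, key):
    """Deterministic STIX id: re-enriching the same IP updates the same node."""
    return f"{stix_type}--{uuid.uuid5(NS, f'{stix_type}:{key}')}"

def rel(src, target, rtype):
    """Relationship object, the edge that makes data pivotable in the graph."""
    return {"type": "relationship", "id": sid("relationship", f"{src}|{rtype}|{target}"),
            "relationship_type": rtype, "source_ref": src, "target_ref": target}

def to_stix(rec):
    """Return one node per entity (IP, AS, location, CVE) plus linking edges."""
    ip_id = sid("ipv4-addr", rec["ip"])
    as_id = sid("autonomous-system", rec["asn"])
    loc_id = sid("location", rec["country"])
    objs = [
        # Both perspectives stay as separate properties instead of one label.
        {"type": "ipv4-addr", "id": ip_id, "value": rec["ip"],
         "x_inbound_score": rec["inbound_score"],
         "x_outbound_score": rec["outbound_score"]},
        {"type": "autonomous-system", "id": as_id,
         "number": rec["asn"], "name": rec["as_name"]},
        {"type": "location", "id": loc_id, "name": rec["country"],
         "country": rec["country"]},
        rel(ip_id, as_id, "belongs-to"),
        rel(ip_id, loc_id, "located-at"),
    ]
    for svc in rec["services"]:
        for cve in svc["cves"]:  # exposed service -> vulnerability edge
            vuln_id = sid("vulnerability", cve)
            objs.append({"type": "vulnerability", "id": vuln_id, "name": cve})
            objs.append(rel(ip_id, vuln_id, "related-to"))
    return objs

def edge_types(objs):
    """Relationship types present, i.e. the pivots an analyst can follow."""
    return sorted(o["relationship_type"] for o in objs if o["type"] == "relationship")
```

Running `to_stix(SAMPLE)` twice yields identical ids, which is what lets repeated enrichment merge into existing graph nodes instead of duplicating them.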

Key Use Cases

SOC Triage and Alert Validation

Validate suspicious IP addresses and domains using dual-perspective risk scoring, infrastructure intelligence, and phishing analysis, while prioritizing high-risk indicators for further investigation.

Threat Hunting and Infrastructure Pivoting

Use relationships involving CVEs, Autonomous Systems, and geolocation data to pivot across connected infrastructure and investigate related assets.

Phishing and Campaign Analysis

Analyze malicious domains, credential harvesting pages, and supporting infrastructure to identify phishing activity and understand broader campaign patterns.

Strengthening Threat Intelligence with a Knowledge Graph

The integration between Criminal IP and OpenCTI allows security teams to use IP addresses, domains, and URLs as structured threat intelligence rather than isolated reputation data.

By connecting indicators with vulnerabilities, network ownership, geolocation data, and related infrastructure, the integration supports investigation, correlation, and threat prioritization within the OpenCTI knowledge graph.

Criminal IP will continue to expand its integrations with global security platforms, helping organizations apply threat intelligence across security investigation, analysis, and response workflows.

🔗 View the integration documentation

https://hub.filigran.io/en/cybersecurity-solutions/opencti-integrations/criminal-ip