How the Integration Works
Cyber threat intelligence becomes significantly more valuable when raw indicators are enriched with contextual data that supports deeper investigation and correlation. The Criminal IP integration with OpenCTI transforms IP addresses, domains, and URLs into structured intelligence within the OpenCTI knowledge graph. Indicators are first ingested into OpenCTI, then the Criminal IP connector automatically enriches each one with reputation scoring, infrastructure intelligence, vulnerability data, behavioral signals, and phishing analysis. The enriched data is organized as entities and relationships, allowing analysts to pivot across connected infrastructure, uncover shared components, and identify related assets within the graph.
Key Capabilities and Benefits
The integration provides dual-perspective risk scoring for IP addresses, reflecting both inbound targeting and outbound behavior, which offers a more nuanced signal than traditional single-score reputation models. Infrastructure intelligence is embedded directly into the graph, including vulnerability data tied to observed services, autonomous system information, and geolocation. This lets security teams quickly assess whether an IP address is not only malicious but also exploitable or actively leveraged in attacks. For domains, full URL analysis detects phishing activity, credential harvesting, and impersonation techniques, with confidence scores tied to phishing probability. These capabilities support SOC triage, threat hunting, and campaign analysis by enabling rapid validation of suspicious indicators and pivoting across shared infrastructure.
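The enrichment flow described above (observable in, graph entities and relationships out) and the dual-perspective scoring, as an added example that is not the Criminal IP or OpenCTI connector's own code. The input record is a constructed stand-in for a reputation API response; the real Criminal IP response fields are not shown on the page and are not reproduced here. The relationship types (based-on, belongs-to, located-at, related-to) follow OpenCTI conventions as understood by the editor, the risk thresholds are this example's choice, and the CVE identifier is a placeholder.

```python
"""Enrichment-connector sketch: observable in, STIX-style graph objects out.

Added example, not the Criminal IP / OpenCTI connector's code. The input
record is CONSTRUCTED to stand in for a reputation API response; the real
Criminal IP response fields are not shown on the page and are not
reproduced here. Relationship types follow OpenCTI conventions as the
editor understands them (based-on, belongs-to, located-at, related-to).
"""
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Constructed stand-in enrichment record (hypothetical field names).
CONSTRUCTED_ENRICHMENT = {
    "ip": "203.0.113.45",          # RFC 5737 documentation range
    "inbound_score": 85,           # hypothetical: how heavily the host is targeted
    "outbound_score": 92,          # hypothetical: malicious activity originating from it
    "asn": 64496,                  # RFC 5398 documentation ASN
    "as_name": "EXAMPLE-AS",
    "country": "US",
    "services": [
        {"port": 22, "product": "openssh", "cves": ["CVE-PLACEHOLDER-1"]},  # placeholder ID
        {"port": 443, "product": "nginx", "cves": []},
    ],
}


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def now_iso():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def risk_level(inbound, outbound):
    """Collapse the two scores to a label; thresholds are this example's choice.
    Taking the max keeps a host that is dangerous in only one direction visible."""
    worst = max(inbound, outbound)
    if worst >= 80:
        return "high"
    if worst >= 50:
        return "medium"
    return "low"


def relationship(rel_type, source_id, target_id, description=""):
    return {
        "type": "relationship", "id": stix_id("relationship"), "spec_version": "2.1",
        "relationship_type": rel_type, "source_ref": source_id, "target_ref": target_id,
        "description": description, "created": now_iso(), "modified": now_iso(),
    }


def build_enrichment_bundle(record, confidence=75):
    """Turn one enrichment record into a bundle of entities and relationships.

    The IP is validated first: a connector should reject a malformed value
    rather than write a bogus observable into the graph."""
    ip = str(ipaddress.IPv4Address(record["ip"]))  # raises ValueError if not IPv4
    level = risk_level(record["inbound_score"], record["outbound_score"])

    observable = {"type": "ipv4-addr", "id": stix_id("ipv4-addr"),
                  "spec_version": "2.1", "value": ip}
    indicator = {
        "type": "indicator", "id": stix_id("indicator"), "spec_version": "2.1",
        "name": f"{ip} ({level} risk)",
        "pattern": f"[ipv4-addr:value = '{ip}']", "pattern_type": "stix",
        "valid_from": now_iso(), "confidence": confidence,
        # Both scores are kept as labels so the analyst sees why the level was assigned.
        "labels": [f"risk:{level}", f"inbound:{record['inbound_score']}",
                   f"outbound:{record['outbound_score']}"],
    }
    asn = {"type": "autonomous-system", "id": stix_id("autonomous-system"),
           "spec_version": "2.1", "number": record["asn"], "name": record["as_name"]}
    location = {"type": "location", "id": stix_id("location"), "spec_version": "2.1",
                "name": record["country"], "country": record["country"]}

    objects = [observable, indicator, asn, location]
    rels = [
        relationship("based-on", indicator["id"], observable["id"]),
        relationship("belongs-to", observable["id"], asn["id"]),
        relationship("located-at", observable["id"], location["id"]),
    ]
    # One vulnerability entity per CVE, linked to the observable with the port and
    # product it was seen on; this is what lets an analyst pivot from a CVE to
    # every host in the graph that exposes it.
    for svc in record["services"]:
        for cve in svc["cves"]:
            vuln = {"type": "vulnerability", "id": stix_id("vulnerability"),
                    "spec_version": "2.1", "name": cve}
            objects.append(vuln)
            rels.append(relationship("related-to", observable["id"], vuln["id"],
                                     f"{svc['product']} on port {svc['port']}"))
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects + rels}


def count_types(bundle):
    """Per-type object counts, handy for checking what a connector run produced."""
    counts = {}
    for obj in bundle["objects"]:
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(build_enrichment_bundle(CONSTRUCTED_ENRICHMENT), indent=2))
```

Running the script prints the bundle that a connector would push to the platform. The point of the structure is that nothing is folded into a single score string: the AS, the location and each vulnerability are separate entities, so a second indicator that resolves to the same AS or the same CVE links to the same node and the shared infrastructure becomes visible in the graph.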
Source: BleepingComputer
