Rendered Documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
Overview
The Threat Intelligence Integration domain provides intelligence lookups for domains, IP addresses, URLs, and passive DNS records. It delivers risk scoring, categorization, geolocation, network ownership identification, and verdict analysis to help analysts quickly assess the threat level of digital indicators encountered during investigations.
Key Features
- Domain Intelligence -- Retrieves risk scores, risk type classifications, content categories, DNS resolution data, and global popularity rankings for any domain
- IP Intelligence -- Provides risk scoring, geolocation, network ownership (ASN), and detection of anonymization services including VPN, Tor, and proxy usage
- Passive DNS Lookups -- Returns historical DNS records associated with hostnames or IP addresses, including first-seen and last-seen timestamps and observation counts
- WHOIS Lookups -- Retrieves domain registration information including registrar, registration dates, expiry dates, and nameserver records
- URL Scanning -- Submits URLs for analysis and retrieves detailed verdicts, certificate information, and network data
- Entity Auto-Detection -- Automatically identifies whether a submitted indicator is a domain, IP address, or URL, and routes it to the appropriate intelligence lookup
- Consolidated Enrichment -- A single enrichment query returns combined intelligence from domain analysis, IP analysis, passive DNS, and WHOIS data sources
- Risk Scoring -- Numeric risk scores (0-100) for domains and IP addresses provide quick threat level assessment
- Anonymization Detection -- Identifies IP addresses associated with VPNs, Tor exit nodes, proxies, and hosting providers for infrastructure analysis
- Status-Wrapped Responses -- All query results include clear success or error status indicators with descriptive messages
Use Cases
- Analysts investigate suspicious domains by retrieving risk scores, content categories, and DNS resolution data to quickly determine if a domain is associated with known threats.
- Investigators assess IP addresses encountered in case data, identifying their geographic location, network ownership, and whether they are associated with anonymization services.
- Threat intelligence teams enrich indicators of compromise with passive DNS history to understand the infrastructure timeline and identify related indicators.
- Security teams submit suspicious URLs for scanning and receive detailed verdicts about their safety, certificate validity, and hosting infrastructure.
- Automated enrichment workflows pass indicators through the entity auto-detection system, which identifies the type and returns consolidated intelligence without requiring manual classification.
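One way entity auto-detection and status-wrapped routing could work, as an added example that is not the platform's own code. The function names, the lookup names in `ROUTES`, and the response fields are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Hypothetical lookup names; the real service's routing is not documented here.
ROUTES = {
    "ip": ["ip_intelligence", "passive_dns"],
    "domain": ["domain_intelligence", "passive_dns", "whois"],
    "url": ["url_scan"],
}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _is_domain(value):
    host = value.rstrip(".")  # tolerate a fully qualified trailing dot
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        return False
    # A numeric last label is not a TLD; this rejects malformed IPs like 999.1.1.1.
    return not labels[-1].isdigit() and all(_LABEL.fullmatch(l) for l in labels)

def detect_entity(indicator):
    """Return 'ip', 'url', 'domain', or None for a raw indicator string."""
    value = indicator.strip()
    if _is_ip(value):  # first, because a bare IPv6 address contains ':'
        return "ip"
    if "://" in value:
        try:
            parts = urlsplit(value)
            host = parts.hostname or ""
        except ValueError:  # e.g. unbalanced IPv6 brackets
            return None
        ok = parts.scheme in ("http", "https") and (_is_ip(host) or _is_domain(host))
        return "url" if ok else None
    return "domain" if _is_domain(value) else None

def route(indicator):
    """Wrap the result in a success/error status, as the page describes."""
    kind = detect_entity(indicator)
    if kind is None:
        return {"status": "error", "message": f"unrecognized indicator: {indicator!r}"}
    return {"status": "success", "type": kind, "lookups": ROUTES[kind]}
```

Checking for an IP address before anything else keeps malformed dotted quads such as `999.1.1.1` from being misrouted to the domain lookups.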
Integration
The Threat Intelligence Integration domain operates as a self-contained intelligence lookup service that enriches investigation data with external threat intelligence. It provides enrichment data that can be consumed by investigation workflows, alert triage processes, and threat analysis dashboards across the platform.
Last Reviewed: 2026-02-24