
Threat Intelligence Integration


Category: Api Domains | Last Updated: Feb 24, 2026

Overview

An investigator encounters a suspicious domain in a phishing email targeting her organisation. She needs to know immediately: is this a known threat infrastructure domain? What is its risk profile? Who registered it and when? Is the IP hosting it associated with anonymisation services? Rather than querying four separate external tools, she submits the domain to the Threat Intelligence Integration module. One query returns risk scores, DNS history, WHOIS data, and IP anonymisation flags, all consolidated in under a second.

Speed matters in threat investigation. The Threat Intelligence Integration domain provides that consolidated, fast enrichment for domains, IP addresses, URLs, and passive DNS records.

Key Features

  • Domain Intelligence: Retrieves risk scores, risk type classifications, content categories, DNS resolution data, and global popularity rankings for any domain.
  • IP Intelligence: Provides risk scoring, geolocation, network ownership (ASN), and detection of anonymisation services including VPN, Tor, and proxy usage.
  • Passive DNS Lookups: Returns historical DNS records associated with hostnames or IP addresses, including first-seen and last-seen timestamps and observation counts.
  • WHOIS Lookups: Retrieves domain registration information including registrar, registration dates, expiry dates, and nameserver records.
  • URL Scanning: Submits URLs for analysis and retrieves detailed verdicts, certificate information, and network data.
  • Entity Auto-Detection: Automatically identifies whether a submitted indicator is a domain, IP address, or URL, and routes it to the appropriate intelligence lookup.
  • Consolidated Enrichment: A single enrichment query returns combined intelligence from domain analysis, IP analysis, passive DNS, and WHOIS data sources.
  • Risk Scoring: Numeric risk scores (0-100) for domains and IP addresses provide quick threat level assessment.
  • Anonymisation Detection: Identifies IP addresses associated with VPNs, Tor exit nodes, proxies, and hosting providers for infrastructure analysis.
  • Status-Wrapped Responses: All query results include clear success or error status indicators with descriptive messages.
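
As an added example (not the product's own code), the following Python shows the entity auto-detection step described above: an indicator is classified as a domain, IP address or URL, IPs carry an explicit ip_version, a URL keeps its host so the IP or domain lookup can also run on it, and every result is wrapped in a status envelope. The ROUTES lookup names and the envelope field names are assumptions.

```python
# Added example (not the product's own code): entity auto-detection that
# routes an indicator to the domain, IP or URL lookup, with ip_version set
# for IPs and every result wrapped in a status envelope. ROUTES names are assumed.
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname labels: letters, digits, hyphens (no leading/trailing hyphen),
# and at least two labels, so a bare word such as "localhost" is not a domain.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
ROUTES = {"ip": "ip_intelligence", "domain": "domain_intelligence", "url": "url_scan"}

def _ip_entity(value):
    """IP entity with explicit ip_version, or None; accepts bracketed IPv6."""
    try:
        addr = ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None
    return {"type": "ip", "value": str(addr), "ip_version": addr.version}

def _domain_entity(value):
    if not _DOMAIN_RE.match(value):
        return None
    return {"type": "domain", "value": value.rstrip(".").lower()}

def classify_indicator(raw):
    """Return {"type": ...} for a domain, IP or URL, or None if unrecognised."""
    value = raw.strip()
    if "://" in value:
        # A URL carries its host along so consolidated enrichment can also
        # run the IP or domain lookup on it (urlsplit strips IPv6 brackets).
        try:
            host = urlsplit(value).hostname or ""
        except ValueError:  # e.g. malformed IPv6 literal
            return None
        host_entity = _ip_entity(host) or _domain_entity(host)
        if host_entity is None:
            return None
        return {"type": "url", "value": value, "host": host_entity}
    return _ip_entity(value) or _domain_entity(value)

def route(raw):
    """Status-wrapped routing decision in the shape the page describes."""
    entity = classify_indicator(raw)
    if entity is None:
        return {"status": "error", "message": f"unrecognised indicator: {raw!r}"}
    return {"status": "success", "lookup": ROUTES[entity["type"]], "entity": entity}
```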

Use Cases

Security analysts investigate suspicious domains by retrieving risk scores, content categories, and DNS resolution data to quickly determine whether a domain is associated with known threats, condensing what would be a multi-tool workflow into a single API call.

Law enforcement investigators assess IP addresses encountered in case data, identifying geographic location, network ownership, and whether they are associated with anonymisation services used to obscure criminal infrastructure.

Threat intelligence teams enrich indicators of compromise with passive DNS history to understand infrastructure timelines and identify related indicators that share hosting history with known malicious domains.

Financial crime analysts submit suspicious URLs encountered in transaction metadata for scanning, receiving detailed verdicts about their safety and hosting infrastructure to determine whether they represent active phishing or fraud sites.

Automated enrichment workflows pass indicators through the entity auto-detection system, which identifies the type and returns consolidated intelligence without requiring manual classification, enabling high-volume indicator processing at scale.

Integration

The Threat Intelligence Integration domain operates as a self-contained intelligence lookup service that enriches investigation data with external threat intelligence. It provides enrichment data consumed by investigation workflows, alert triage processes, and threat analysis dashboards across the platform.

Open Standards

  • DNS (RFC 1034 / RFC 1035): Domain intelligence and passive DNS lookups retrieve structured DNS resource records (A, AAAA, MX, NS, PTR, and others) conforming to the core Domain Name System specifications.
  • WHOIS (RFC 3912): Domain registration queries return registrar, registration and expiry dates, and nameserver data sourced from WHOIS services as defined by this protocol.
  • Autonomous System Numbers and BGP routing (RFC 1930 / RFC 4271): IP intelligence results include ASN ownership data derived from Border Gateway Protocol routing registries, identifying the network operator responsible for each address block.
  • IPv4 and IPv6 addressing (RFC 791 / RFC 8200): The IP intelligence lookups accept and distinguish both IPv4 and IPv6 addresses, with ip_version returned explicitly in all responses.
  • X.509 Public Key Infrastructure (RFC 5280): URL scan results return TLS certificate data in the certificates field, reflecting the X.509 certificate chain presented by the scanned endpoint.
  • GraphQL (June 2018 specification): All enrichment queries and mutations are exposed through a typed GraphQL API, enabling clients to request precisely the intelligence fields they require.
  • JSON (RFC 8259): Enrichment payloads for categories, geolocation, ASN detail, verdicts, and raw WHOIS data are transmitted and stored as JSON, the interchange format for all variable-structure fields.

Last Reviewed: 2026-02-24 | Last Updated: 2026-04-14
