Connector Domain

Category: API Domains
Last Updated: Feb 5, 2026
Tags: api-domains, blockchain

Overview

An intelligence team has approved 12 data sources for their investigation platform: two SIEM systems, four threat intelligence feeds, three OSINT providers, a blockchain monitor, and two custom API integrations. Each one was connected and configured at a different time by different administrators. When one SIEM starts misbehaving, flooding the platform with duplicate alerts, the administrator needs to disable it immediately without losing the configuration or affecting the other 11 sources.

The Connector domain makes that a one-click operation. Connectors can be disabled and re-enabled without losing configuration, tested before activation, and monitored continuously for health issues.

Key Features

  • Centralised data source catalogue with status monitoring and health tracking.
  • Dynamic enable/disable of data sources without configuration deletion.
  • Connection testing with authentication validation, sample query execution, and latency measurement.
  • Support for SIEM, threat intelligence, OSINT, blockchain, cloud logs, endpoint, network, and custom API integrations.
  • Credential management with secure storage and rotation support.
  • Connector health monitoring with automatic status updates.
  • Organisation-scoped data source management with tenant isolation.
  • Ingestion pipeline integration for automatic start/stop on toggle.

Use Cases

Security operations centres manage and monitor their full suite of external data source integrations from a single admin panel, with health status indicators providing early warning when a connector degrades before it impacts alert quality.

Intelligence analysts temporarily disable a misbehaving connector without losing its configuration, re-enabling it cleanly once the upstream issue is resolved rather than having to reconfigure the integration from scratch.

Platform administrators test data source connectivity and credentials before enabling ingestion for new sources, validating authentication and data format before live data starts flowing into investigation workflows.

Multi-tenant deployments manage connector configurations independently per organisation, with each tenant's data sources isolated from other tenants even when connecting to the same upstream provider.

Integration

The Connector domain integrates with data source definitions, ingestion pipelines, and monitoring systems. It supports organisation-level multi-tenancy for connector management.

Open Standards

  • GraphQL (June 2018 specification): all connector catalogue queries, toggle, and test operations are exposed through a GraphQL API, allowing clients to request exactly the fields required and compose connector management into broader investigation queries.
  • OAuth 2.0 (RFC 6749): the generic REST connector and all named SIEM clients support the OAuth 2.0 client-credentials flow to obtain short-lived Bearer tokens when authenticating to upstream data sources that require delegated authorisation.
  • HTTP Bearer Token (RFC 6750): Bearer tokens are transmitted in Authorization headers when connecting to REST data sources and SIEM APIs, conforming to the RFC 6750 scheme for token-based HTTP authentication.
  • Web Linking / HTTP Link Header Pagination (RFC 5988): the generic REST connector implements RFC 5988 Link-header cursor pagination, enabling traversal of paginated REST APIs that signal the next-page URL through the Link: <url>; rel="next" response header.
  • Common Vulnerabilities and Exposures / NVD API 2.0 (CVE/NVD): a dedicated connector fetches and normalises CVE records from the NIST National Vulnerability Database REST API v2.0, including CVSS v2 and v3.1 base scores, CPE 2.3 affected-product identifiers, and CWE weakness classifications.
  • Common Vulnerability Scoring System (CVSS v2 / v3.1): severity scoring data retrieved from NVD is parsed and stored in normalised form, with baseScore and baseSeverity fields mapped to the platform's unified schema for cross-source risk comparison.
  • ISO 8601 date/time format: date range parameters sent to the NVD API and other time-bounded REST sources use ISO 8601 datetime strings, ensuring interoperable temporal filtering across all connector implementations.
  • Common Event Format (CEF) and Log Event Extended Format (LEEF): the SIEM normalisation model explicitly catalogues CEF (ArcSight) and LEEF (IBM QRadar) as supported inbound source formats, allowing raw log records in those formats to be mapped to the platform's unified event schema.
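
The Bearer-token and Link-header pagination items above interact: a client that follows whatever URL an upstream places in rel="next" also sends its Authorization header to that URL. The following is an added example, not the platform's own code (function names and the siem.example.test host are hypothetical); it parses an RFC 5988 Link header and refuses a next link that drops https or leaves the origin of the configured endpoint.

```python
import re
from urllib.parse import urljoin, urlsplit

# link-value = "<" URI-Reference ">" *( ";" link-param )   (RFC 5988, section 5)
_LINK = re.compile(r'<([^>]*)>((?:\s*;\s*[^\s=;,]+(?:\s*=\s*(?:"[^"]*"|[^\s";,]*))?)*)')
_PARAM = re.compile(r';\s*([^\s=;,]+)(?:\s*=\s*(?:"([^"]*)"|([^\s";,]*)))?')


def parse_link_header(value):
    """Return [(target, {param: value})] for every link-value in a Link header."""
    links = []
    for target, raw_params in _LINK.findall(value):
        params = {}
        for name, quoted, token in _PARAM.findall(raw_params):
            # RFC 5988: only the first occurrence of a parameter such as rel counts.
            params.setdefault(name.lower(), quoted or token)
        links.append((target.strip(), params))
    return links


def _origin(url):
    """(scheme, host, port) with the default port filled in, for comparison."""
    parts = urlsplit(url)
    default = {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, parts.hostname, parts.port or default


def next_page_url(current_url, link_header):
    """Resolve rel="next" against current_url; reject targets the token must not reach."""
    for target, params in parse_link_header(link_header or ""):
        # rel may carry several space-separated relation types, e.g. rel="next last".
        if "next" not in params.get("rel", "").lower().split():
            continue
        candidate = urljoin(current_url, target)  # relative targets are allowed
        if urlsplit(candidate).scheme != "https":
            raise ValueError("next link is not https: " + candidate)
        if _origin(candidate) != _origin(current_url):
            raise ValueError("next link leaves the configured origin: " + candidate)
        return candidate
    return None  # no rel="next": this was the last page


if __name__ == "__main__":
    # Constructed sample header, not captured from a real upstream.
    sample = ('<https://siem.example.test/api/alerts?cursor=abc,def>; rel="next", '
              '<https://siem.example.test/api/alerts>; rel="first"')
    print(next_page_url("https://siem.example.test/api/alerts", sample))
```

A caller would treat the ValueError as a connector health failure rather than retrying the request without the check.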

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
