
Indicator Domain


Category: API Domains
Last Updated: Feb 5, 2026

Overview

A threat analyst receives a phishing report containing a suspicious URL, two IP addresses, and a reference to CVE-2024-3400. She needs to assess each one quickly: is the IP known malicious infrastructure? Is the URL a known phishing domain? Does the CVE affect systems her organisation runs? The Indicator domain handles all four types, each with type-appropriate enrichment, through a single unified interface. She submits the indicators, and within seconds has geolocation, ASN ownership, threat intelligence flags, WHOIS registration data, and CVSS severity scoring assembled in one place.

Indicators of Compromise span fundamentally different data types. An IP address needs geolocation and ASN data; a domain needs DNS records and SSL certificate history; a vulnerability needs CVE metadata and CVSS scoring. The polymorphic design of the Indicator domain means analysts do not need to navigate separate tools for each type.

Key Features

  • Polymorphic indicator handling with automatic type resolution: IP, URL, domain, vulnerability, and generic
  • Common base fields inherited across all indicator types for consistent querying
  • IP address indicators with geolocation, ASN information, threat intelligence, and reputation scoring
  • URL and domain indicators with WHOIS data, DNS records, and SSL certificate information
  • Vulnerability indicators with CVE references and CVSS scoring
  • Search across indicator types with type and limit filtering
  • Enrichment from multiple external sources: geolocation, ASN, threat intelligence, reputation, WHOIS, DNS
  • Threat level classification from unknown through critical
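The first feature above, automatic type resolution, is the step every other enrichment depends on: an IP must not be sent to a WHOIS lookup, and a CVE must not be resolved through DNS. The resolver below is an added example written for this page, not the platform's own code; the five type tags it returns ("ip", "url", "domain", "vulnerability", "generic") are this example's names for the categories the page lists, and the refanging rules (`hxxp`, `[.]`) are an assumption about how phishing reports typically arrive.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Type tags are this example's own; the page names the categories but not the enum.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def refang(raw):
    """Undo common defanging so 'hxxps://evil[.]example' resolves like a real URL."""
    value = raw.strip()
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value


def is_domain(value):
    """Syntactic hostname check; a dotted number such as '1.2.3' is never a domain."""
    labels = value.rstrip(".").split(".")
    if len(labels) < 2 or len(value) > 253:
        return False
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def resolve_indicator_type(raw):
    """Return (type_tag, normalised_value) for one raw indicator string.

    Order matters: CVE first (it can never be a host), then IP (so an IPv4
    string is not mistaken for a four-label domain), then scheme-bearing URLs,
    then bare hostnames, with everything else (hashes, file names) as generic.
    """
    value = refang(raw)
    if CVE_RE.match(value):
        return "vulnerability", value.upper()
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if "://" in value:
        parts = urlsplit(value)
        if parts.scheme.lower() in ("http", "https", "ftp") and parts.hostname:
            return "url", value
    host = value.split("/", 1)[0]
    if is_domain(host):
        # A bare hostname is a domain; a hostname followed by a path is a URL.
        if host == value:
            return "domain", host.lower().rstrip(".")
        return "url", value
    return "generic", value
```

Because the IP check runs before the domain check, `203.0.113.7` is never classified as a domain, and because the CVE check runs first, a vulnerability identifier never reaches the hostname logic at all; a bare hex digest falls through to "generic", which is where the page's generic type is meant to catch hashes and other values that have no type-specific enrichment.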

Use Cases

  • Looking up and enriching indicators of compromise during threat investigations, covering IP, domain, URL, and vulnerability types in one workflow
  • Searching for related IOCs across multiple indicator types simultaneously to identify shared infrastructure or campaign patterns
  • Profiling IP addresses with geolocation, network ownership, and threat intelligence for attribution analysis
  • Tracking vulnerabilities with CVE references linked to investigations where exploitation is suspected or confirmed

Industry Context

National computer security incident response teams (CSIRTs) use IOC enrichment to assess indicators from reported incidents before sharing them with sector partners. Financial services cybersecurity teams profile IP addresses seen in card fraud and account takeover attacks. Defence cyber operations centres evaluate malware command-and-control domains and IPs against threat intelligence feeds to assess adversary infrastructure. Government agencies correlate CVE indicators with affected asset inventories to prioritise remediation. Telecommunications operators check IP and domain indicators from abuse reports against reputation databases for automated traffic filtering decisions.

Integration

The Indicator domain integrates with IP Address for IP-specific operations, URL for analysis, Domain for profiling, Vulnerability for CVE tracking, Threat Intel for IOC enrichment, and OSINT for open-source intelligence. Indicator records are stored in PostgreSQL with organisation-scoped access control.

Open Standards

  • STIX 2.1 (OASIS): Indicators are expressed as STIX 2.1 Structured Threat Information Expression objects, with bidirectional conversion between internal indicator records and STIX SDOs, including typed patterns for IP, domain, URL, and file-hash indicators.
  • TAXII 2.1 (OASIS): The platform ingests and publishes indicator collections via an async TAXII 2.1 polling client, using the application/taxii+json;version=2.1 content type and X-TAXII-Date-Added-Last pagination headers.
  • CVE (MITRE / NIST NVD): Vulnerability indicators are keyed by Common Vulnerabilities and Exposures identifiers (e.g. CVE-2024-3400), enabling cross-referencing against national vulnerability databases.
  • CVSS (FIRST): Vulnerability severity is stored and presented as a CVSS score on the 0.0 to 10.0 scale, allowing analysts to immediately gauge exploitability and impact.
  • TLP (Traffic Light Protocol, FIRST): Every indicator record carries a Traffic Light Protocol classification (WHITE, GREEN, AMBER, RED) to govern information-sharing boundaries between organisations and sector partners.
  • WHOIS / RDAP (RFC 3912 / RFC 7483): Domain and URL indicators are enriched with WHOIS registration data including registrar, name servers, registration and expiry dates, sourced from RDAP-compatible lookups.
  • DNS (RFC 1034 / RFC 1035): Domain indicators include structured DNS record enrichment (A, MX, NS, and related record types) to support passive DNS analysis and infrastructure pivoting.
  • GraphQL (GraphQL Foundation): All indicator queries, enrichment mutations, and union-typed polymorphic indicator responses are exposed through a typed GraphQL API, enabling clients to retrieve precisely the fields they need for each indicator type.
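The STIX 2.1 and TLP bullets above describe a bidirectional mapping between internal indicator records and STIX Indicator SDOs with typed patterns. The code below is an added example illustrating that mapping, not the platform's own converter: the internal record shape (`type`, `value`, `tlp`, `first_seen`) and the "ALGO:hex" convention for hash values are this example's assumptions, while the four TLP marking-definition identifiers are the ones fixed by the STIX 2.1 specification. Pattern values are escaped and unescaped as STIX string literals, so an indicator containing a quote survives the round trip.

```python
import ipaddress
import re
import uuid
from datetime import datetime, timezone

# TLP marking-definition ids are fixed by the STIX 2.1 spec, so both ends of an
# exchange resolve them to the same colour without a private lookup table.
TLP_MARKINGS = {
    "WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "AMBER": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_BY_MARKING = {ref: name for name, ref in TLP_MARKINGS.items()}
OBJECT_TO_TYPE = {"ipv4-addr": "ip", "ipv6-addr": "ip", "domain-name": "domain", "url": "url"}


def _quote(value):
    # STIX pattern string literals are single-quoted; backslash and quote are escaped.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _unquote(literal):
    return re.sub(r"\\(.)", r"\1", literal)


def build_pattern(ind_type, value):
    """Typed comparison expression for one indicator (hash values use 'ALGO:hex', an example convention)."""
    if ind_type == "ip":
        sco = "ipv6-addr" if ipaddress.ip_address(value).version == 6 else "ipv4-addr"
        return f"[{sco}:value = {_quote(value)}]"
    if ind_type == "domain":
        return f"[domain-name:value = {_quote(value)}]"
    if ind_type == "url":
        return f"[url:value = {_quote(value)}]"
    if ind_type == "hash":
        algo, digest = value.split(":", 1)
        return f"[file:hashes.'{algo}' = {_quote(digest.lower())}]"
    raise ValueError(f"no STIX pattern for indicator type {ind_type!r}")


def to_stix(record):
    """Internal indicator record (this example's shape) -> STIX 2.1 Indicator SDO."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{record['type']}: {record['value']}",
        "indicator_types": ["malicious-activity"],
        "pattern": build_pattern(record["type"], record["value"]),
        "pattern_type": "stix",
        "valid_from": record.get("first_seen", now),
        "object_marking_refs": [TLP_MARKINGS[record["tlp"]]],
    }


PATTERN_RE = re.compile(r"^\[(ipv4-addr|ipv6-addr|domain-name|url):value = '((?:[^'\\]|\\.)*)'\]$")
HASH_RE = re.compile(r"^\[file:hashes\.'([A-Za-z0-9-]+)' = '([0-9A-Fa-f]+)'\]$")


def from_stix(sdo):
    """STIX 2.1 Indicator SDO -> internal record.

    Objects without a TLP marking are treated as AMBER; that conservative
    default is this example's choice, not a rule from the standard.
    """
    if sdo.get("type") != "indicator" or sdo.get("pattern_type", "stix") != "stix":
        raise ValueError("not a STIX-pattern indicator")
    pattern = sdo["pattern"]
    m = PATTERN_RE.match(pattern)
    if m:
        ind_type, value = OBJECT_TO_TYPE[m.group(1)], _unquote(m.group(2))
    else:
        m = HASH_RE.match(pattern)
        if not m:
            raise ValueError(f"unsupported pattern: {pattern}")
        ind_type, value = "hash", f"{m.group(1)}:{m.group(2).lower()}"
    tlp = "AMBER"
    for ref in sdo.get("object_marking_refs", []):
        if ref in TLP_BY_MARKING:
            tlp = TLP_BY_MARKING[ref]
    return {"type": ind_type, "value": value, "tlp": tlp, "first_seen": sdo.get("valid_from")}
```

Only single-comparison patterns are accepted on the way in; a pattern the parser does not recognise raises rather than being silently stored with a guessed type, which keeps a malformed or unexpected feed object from entering the indicator store as something it is not.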
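The TAXII 2.1 bullet above names the two details that most often trip up a polling client: the `application/taxii+json;version=2.1` media type and the `X-TAXII-Date-Added-Last` header used to carry the cursor between polls. The client loop below is an added example, not the platform's async client: it follows the envelope's `more`/`next` fields, falls back to `added_after` from the response header when a server omits `next`, and refuses to parse a response with the wrong content type. The `http_get` transport is injected so the loop runs offline against the constructed three-page server included in the block; the API root, collection id and object ids are placeholders.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


def poll_collection(http_get, api_root, collection_id, added_after=None, limit=100):
    """Fetch every object added after `added_after` from one TAXII 2.1 collection.

    http_get(url, headers) -> (status, response_headers, body) is injected so the
    loop can be tested without a network. Returns (objects, cursor); the cursor is
    the last X-TAXII-Date-Added-Last value and should be persisted for the next poll.
    """
    objects = []
    headers = {"Accept": TAXII_MEDIA_TYPE}
    next_token = None
    cursor = added_after
    while True:
        params = {"limit": limit}
        if added_after:
            params["added_after"] = added_after
        if next_token:
            params["next"] = next_token
        url = f"{api_root}/collections/{collection_id}/objects/?{urlencode(params)}"
        status, resp_headers, body = http_get(url, headers)
        if status != 200:
            raise RuntimeError(f"TAXII server returned {status}")
        if not resp_headers.get("Content-Type", "").startswith("application/taxii+json"):
            raise RuntimeError("unexpected content type; refusing to parse body")
        envelope = json.loads(body)
        objects.extend(envelope.get("objects", []))
        # The header marks the newest object on this page; keep it as the resume point.
        cursor = resp_headers.get("X-TAXII-Date-Added-Last", cursor)
        if not envelope.get("more"):
            return objects, cursor
        next_token = envelope.get("next")
        if next_token is None:
            # No opaque token supplied: resume by date instead, which TAXII 2.1 permits.
            added_after = cursor


def make_fake_server(pages):
    """Constructed TAXII 2.1 server for the example; `pages` is a list of dicts
    with 'date', 'next' (token or None) and 'objects'. Returns (http_get, request_log)."""
    requests = []

    def http_get(url, headers):
        requests.append(url)
        if headers.get("Accept") != TAXII_MEDIA_TYPE:
            return 406, {"Content-Type": "text/plain"}, "Not Acceptable"
        q = parse_qs(urlsplit(url).query)
        if "next" in q:
            idx = int(q["next"][0])
        else:
            after = q.get("added_after", [""])[0]
            idx = next((i for i, page in enumerate(pages) if page["date"] > after), None)
        if idx is None:
            return 200, {"Content-Type": TAXII_MEDIA_TYPE}, json.dumps({"objects": [], "more": False})
        page = pages[idx]
        envelope = {"objects": page["objects"], "more": idx < len(pages) - 1}
        if envelope["more"] and page["next"]:
            envelope["next"] = page["next"]
        resp_headers = {"Content-Type": TAXII_MEDIA_TYPE, "X-TAXII-Date-Added-Last": page["date"]}
        return 200, resp_headers, json.dumps(envelope)

    return http_get, requests


# Constructed sample feed: page 2 deliberately omits `next` to exercise the date fallback.
SAMPLE_PAGES = [
    {"date": "2026-02-05T10:00:00.000Z", "next": "1", "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"}]},
    {"date": "2026-02-05T11:00:00.000Z", "next": None, "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'login.example.net']"}]},
    {"date": "2026-02-05T12:00:00.000Z", "next": None, "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[url:value = 'https://login.example.net/verify']"}]},
]
```

Persisting the returned cursor and passing it back as `added_after` on the next run is what makes the poll incremental; a second call with the cursor from the first returns no objects and leaves the cursor unchanged, so a scheduler can call it as often as it likes without re-ingesting old indicators.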

Last Reviewed: 2026-02-05
Last Updated: 2026-04-14
