Overview#
A serious crime detective opens a new case the morning after a major fraud is reported. She creates an investigation, sets the priority, links the initial complainant as an entity, and attaches the first documentary evidence. Over the following weeks, a team of analysts adds more entities, links related cases, annotates a timeline of events, and generates AI-assisted summaries as the picture develops. When the case reaches a senior reviewing officer, the investigation's analytics dashboard shows entity connection strength, activity heatmaps across the team's work, and AI-generated next action recommendations. The Investigation domain is the structure that makes all of that possible.
Every other domain in the platform ultimately connects back to investigations. Entities, evidence, tasks, documents, timelines, exports, and reports all carry investigation identifiers. The investigation is the unit of case management: it has a lifecycle, a priority, an assigned team, and a secrecy level that governs who can access it.
Key Features#
- Investigation lifecycle management: create, update, archive, and delete, with status and priority tracking
- Entity and profile linking with relationship tracking and batch operations
- Timeline event tracking for investigation activities and external events
- Analytics dashboard with entity statistics, activity heatmaps, source distribution, and connection strength
- AI-powered next action recommendations with confidence scoring and rationale
- AI-generated investigation summaries with key findings and recommendations
- Secrecy level controls from unclassified through top secret, with user clearance validation enforced on every access
- Full-text search with faceted filtering across status, priority, date range, tags, and assigned user
- Evidence and task counting per investigation
- Investigation notes for collaborative annotations
- Batch update operations for efficient bulk modifications across multiple investigations
Use Cases#
- Managing complex investigations from creation through closure with a full audit trail covering all actions, accesses, and modifications
- Linking entities, evidence, and documents to build a comprehensive case record that can be presented in court or to oversight bodies
- Using AI-powered next action recommendations to guide investigator workflows, particularly when teams are managing multiple concurrent cases
- Analysing investigation patterns through activity heatmaps and entity connection strength to direct analytical effort to the most productive areas
Industry Context#
National detective divisions use investigation management to coordinate teams of analysts across multi-year organised crime cases. Financial intelligence units manage hundreds of concurrent financial investigations with varying priorities and secrecy levels. Counter-terrorism agencies enforce strict secrecy level controls: an officer without the appropriate clearance cannot access the investigation record at all. Proceedings in the Irish courts, from the District Court through to the Supreme Court, require comprehensive case documentation with a demonstrable chain of custody and complete access logs. Defence intelligence organisations link investigations across classification levels and enforce compartment access through the secrecy level hierarchy.
Integration#
The Investigation domain integrates with Entity for profile management, Timeline for event tracking, Evidence for attachments, Task for work tracking, Document for file management, Report for case reporting, and Alert for notifications. Investigation records are the primary organisational unit in PostgreSQL, with organisation-level and secrecy-level isolation enforced on every query.
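The per-query isolation described above, together with the clearance check listed under Key Features and the ISO 3166-1 alpha-3 jurisdiction filter listed under Open Standards, as an added Python example. This is not the platform's own code: the five-step secrecy ladder, the field names, the `psycopg`-style placeholder syntax and the sample records are all constructed for illustration.

```python
"""Deny-by-default access check for investigation records.

Added illustration, not the platform's own code. Assumptions (hypothetical):
a five-step secrecy ladder, an organisation id and ISO 3166-1 alpha-3 country
code on every record, and a clearance, organisation id and set of permitted
country codes on every user.
"""
from dataclasses import dataclass
from enum import IntEnum


class Secrecy(IntEnum):
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Investigation:
    id: str
    org_id: str
    secrecy: Secrecy
    country: str  # ISO 3166-1 alpha-3, e.g. "IRL"


@dataclass(frozen=True)
class User:
    id: str
    org_id: str
    clearance: Secrecy
    jurisdictions: frozenset  # alpha-3 codes the user may see


def valid_alpha3(code: str) -> bool:
    """Shape check only: exactly three upper-case ASCII letters."""
    return len(code) == 3 and code.isascii() and code.isalpha() and code.isupper()


def can_access(user: User, inv: Investigation) -> bool:
    """Every branch is a positive condition; anything missing or malformed denies."""
    if not user.org_id or user.org_id != inv.org_id:
        return False                    # organisation-level isolation
    if user.clearance < inv.secrecy:
        return False                    # clearance must dominate the record's level
    if not valid_alpha3(inv.country):
        return False                    # never grant on a code that is not alpha-3
    return inv.country in user.jurisdictions   # empty set means nothing is visible


def query_filter(user: User):
    """The same rule pushed into the SELECT as a parameterised WHERE clause
    (psycopg placeholder style), so disallowed rows never leave the database."""
    sql = "WHERE org_id = %s AND secrecy_level <= %s AND country_code = ANY(%s)"
    return sql, [user.org_id, int(user.clearance), sorted(user.jurisdictions)]


# Constructed sample data, not real users or case records.
ANALYST = User("u-17", "org-a", Secrecy.SECRET, frozenset({"IRL", "GBR"}))
RECORDS = [
    Investigation("inv-1", "org-a", Secrecy.CONFIDENTIAL, "IRL"),  # allowed
    Investigation("inv-2", "org-a", Secrecy.TOP_SECRET, "IRL"),    # above clearance
    Investigation("inv-3", "org-b", Secrecy.UNCLASSIFIED, "IRL"),  # other organisation
    Investigation("inv-4", "org-a", Secrecy.UNCLASSIFIED, "FRA"),  # outside jurisdiction
    Investigation("inv-5", "org-a", Secrecy.UNCLASSIFIED, "ie"),   # malformed country code
]


def visible_ids(user: User, records) -> list:
    """Ids of the records the user may see, in the order they were given."""
    return [r.id for r in records if can_access(user, r)]


if __name__ == "__main__":
    print(visible_ids(ANALYST, RECORDS))   # prints ['inv-1']
    print(query_filter(ANALYST))
```

The two functions express one rule twice on purpose: `can_access` guards individual record reads and mutations, while `query_filter` pushes the same conditions into the SELECT so that list and search endpoints cannot leak rows the caller is not cleared for. A user with no permitted jurisdictions sees nothing, and a malformed country code on a record denies rather than falls through.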
Open Standards#
- GraphQL (June 2018 specification): All investigation queries, mutations, and subscriptions are exposed through a typed GraphQL API using Strawberry, covering lifecycle management, entity linking, analytics, and state machine operations.
- OASIS STIX 2.1: Investigations natively link to STIX 2.1 Domain Objects including attack-pattern, malware, threat-actor, campaign, indicator, and vulnerability profiles, enabling intelligence sharing in a standardised format.
- MITRE ATT&CK: Attack pattern profiles linked to investigations carry MITRE ATT&CK technique identifiers (T-numbers), tactic names, and kill chain phases, allowing adversary behaviour to be documented against the ATT&CK taxonomy.
- W3C SCXML / OMG BPMN 2.0: The investigation lifecycle state machine is implemented against the W3C State Chart XML standard and OMG BPMN 2.0, with an XState-compatible machine definition queryable over the API and all transitions recorded in an INSERT-only audit table.
- ISO 3166-1 alpha-3: Investigation records carry three-letter country codes conforming to ISO 3166-1 alpha-3, which are enforced at query time to restrict access to investigations within a user's permitted jurisdictions.
- ISO 8601: All investigation timestamps (created, updated, last modified, event timeline) are stored and serialised as ISO 8601 UTC datetime strings throughout the API and persistence layers.
- RFC 4122 UUID: Every investigation record and derived identifier is assigned a version-4 UUID conforming to RFC 4122. The 122 random bits make collisions negligibly likely, so identifiers can be minted by any node without centralised coordination, and unlike sequential integers they cannot be enumerated; they are still identifiers rather than capabilities, and possessing one grants nothing without the clearance and organisation checks above.
- FIPS 180-4 SHA-256: Evidence provenance integrity fields and analytics cache keys are computed using SHA-256. A digest recomputed over the current content that no longer matches the stored one reveals modification, which is what makes evidence and audit records tamper-evident; the guarantee holds only while the stored digests themselves cannot be rewritten in place, so they belong in append-only records rather than in the mutable row they protect.
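The lifecycle state machine and its INSERT-only audit table, together with the SHA-256 integrity fields, as an added Python example. This is not the platform's own code: the page states only that the machine definition is XState-compatible, that every transition is recorded in an INSERT-only audit table, and that SHA-256 is used for integrity fields. The state and event names, the in-memory stand-in for the table, and the decision to chain each audit row to its predecessor's digest are assumptions made here to show how the three pieces fit together.

```python
"""Investigation lifecycle as an XState-shaped machine whose every transition
is appended to a hash-chained audit log.

Added illustration, not the platform's own code. The state and event names,
and chaining each audit row to its predecessor's SHA-256 digest, are
assumptions made here; the page states only that the machine definition is
XState-compatible, that transitions land in an INSERT-only audit table, and
that SHA-256 is used for integrity fields.
"""
import hashlib
import json
from datetime import datetime, timezone

# Machine definition in the XState JSON shape (hypothetical states and events),
# so the same document could be served over the API and loaded by XState.
INVESTIGATION_MACHINE = {
    "id": "investigation",
    "initial": "open",
    "states": {
        "open": {"on": {"ACTIVATE": "active"}},
        "active": {"on": {"SUSPEND": "suspended", "CLOSE": "closed"}},
        "suspended": {"on": {"RESUME": "active", "CLOSE": "closed"}},
        "closed": {"on": {"REOPEN": "active", "ARCHIVE": "archived"}},
        "archived": {"type": "final"},   # no outgoing events
    },
}

GENESIS = "0" * 64   # previous-hash value for the first row
FIXED_AT = datetime(2026, 2, 5, 9, 0, tzinfo=timezone.utc)   # constructed timestamp


def next_state(machine: dict, state: str, event: str) -> str:
    """Resolve a transition from the definition; anything not listed is rejected."""
    node = machine["states"].get(state)
    if node is None:
        raise ValueError(f"unknown state {state!r}")
    target = node.get("on", {}).get(event)
    if target is None:
        raise ValueError(f"event {event!r} is not permitted in state {state!r}")
    return target


def row_digest(body: dict, prev_hash: str) -> str:
    """SHA-256 over the previous row's digest plus a canonical JSON encoding of this row."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def verify_chain(rows) -> bool:
    """Recompute every digest in order; an edited, removed or reordered row breaks the chain."""
    prev = GENESIS
    for row in rows:
        body = {k: v for k, v in row.items() if k != "hash"}
        if row_digest(body, prev) != row["hash"]:
            return False
        prev = row["hash"]
    return True


class AuditLog:
    """In-memory stand-in for the INSERT-only table: rows are added, never changed."""

    def __init__(self):
        self._rows = []

    def append(self, investigation_id, actor, from_state, event, to_state, at):
        prev = self._rows[-1]["hash"] if self._rows else GENESIS
        body = {
            "seq": len(self._rows),
            "investigation_id": investigation_id,
            "actor": actor,
            "from": from_state,
            "event": event,
            "to": to_state,
            "at": at.astimezone(timezone.utc).isoformat(timespec="seconds"),  # ISO 8601 UTC
        }
        row = dict(body, hash=row_digest(body, prev))
        self._rows.append(row)
        return row

    def rows(self):
        return [dict(r) for r in self._rows]   # copies, so callers cannot edit the log


class Investigation:
    def __init__(self, investigation_id, log, machine=INVESTIGATION_MACHINE):
        self.id = investigation_id
        self.log = log
        self.machine = machine
        self.state = machine["initial"]

    def send(self, event: str, actor: str, at=None) -> str:
        """Apply an event: validate first, record the transition, then move."""
        target = next_state(self.machine, self.state, event)
        self.log.append(self.id, actor, self.state, event, target, at or datetime.now(timezone.utc))
        self.state = target
        return target


if __name__ == "__main__":
    log = AuditLog()
    case = Investigation("case-0001", log)           # constructed id, not a real case
    case.send("ACTIVATE", "det.a", FIXED_AT)
    case.send("CLOSE", "det.a", FIXED_AT)
    print(case.state, verify_chain(log.rows()))      # closed True
    tampered = log.rows()
    tampered[0]["actor"] = "det.b"                   # an in-place rewrite of history
    print(verify_chain(tampered))                    # False
```

Two properties matter here. The transition is validated against the definition before anything is written, so a rejected event leaves no audit row and the record's state is unchanged. And because each row's digest covers the previous row's digest, an UPDATE that rewrites one row, or a DELETE that drops one, is detected by a full recomputation; the same check can run from a separately stored copy of the latest digest to catch wholesale replacement of the table.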
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14