
IP Address Domain


Category: API Domains | Last Updated: Feb 5, 2026
Tags: api-domains, geospatial

Overview

A cybercrime analyst investigating an intrusion into a critical infrastructure operator's network extracts 23 IP addresses from firewall logs. She submits them for bulk lookup: three resolve to Tor exit nodes, two are flagged as known attacker infrastructure in threat intelligence feeds, and one belongs to a datacenter in a jurisdiction of concern. The others are clean residential or commercial ranges. That triage, completed in seconds rather than requiring manual checks across multiple external tools, is what the IP Address domain provides.

IP addresses are a fundamental artefact in digital investigations. They connect online activity to physical infrastructure, reveal network ownership and geolocation, and often carry historical intelligence from threat databases that transforms a raw log entry into an actionable lead.

Key Features

  • Geolocation mapping: city, region, country, coordinates, timezone, and organisation
  • ASN intelligence: network identifier, organisation, CIDR block, and network type
  • Threat intelligence indicators: Tor exit node detection, VPN and proxy identification, datacenter classification, and known attacker and abuser list flags
  • Reputation scoring on a 0 to 100 scale with confidence levels
  • IP profile creation and management with investigation linking
  • Enrichment from external data sources with force-refresh capability
  • Bulk lookup for multiple IP addresses simultaneously
  • Search across IP profiles with threat level and investigation filters
  • Secrecy level classification for sensitive IP intelligence

Use Cases

  • Profiling suspicious IP addresses with geolocation and threat intelligence during intrusion and cybercrime investigations
  • Detecting Tor, VPN, and proxy usage to identify anonymised infrastructure used by subjects
  • Bulk analysing IP addresses from firewall logs, access logs, or malware callback lists for rapid triage
  • Enriching IP profiles with external intelligence feeds for comprehensive attribution analysis

Industry Context

National CSIRT teams profile IP addresses from reported cyber incidents to assess whether infrastructure belongs to known threat actor groups. Financial crime investigators profile IP addresses seen in fraud and account takeover attacks to identify shared infrastructure across multiple incidents. Defence cyber operations centres enrich IP indicators from malware samples to map adversary command-and-control infrastructure. Telecommunications operators check IP addresses from abuse reports against reputation databases for network-level blocking decisions. Critical infrastructure protection teams flag IPs associated with reconnaissance scanning activity for escalation.

Integration

The IP Address domain integrates with Threat Intel for IOC enrichment, Investigation for case linking, Profile for entity management, Alert for threat notifications, and Digital Footprint for digital presence tracking. IP profiles are stored in PostgreSQL with organisation-scoped access and secrecy level enforcement.

Open Standards

  • STIX 2.1 (OASIS): IP address indicators are represented as ipv4-addr and ipv6-addr Cyber Observable Objects with STIX pattern matching, enabling bidirectional exchange of IP-based IOCs with external threat intelligence platforms.
  • TAXII 2.1 (OASIS): IP threat intelligence is ingested from and shared with external feeds via an async TAXII 2.1 polling client, using the standard collection and object endpoints.
  • IPv4 (RFC 791) and IPv6 (RFC 8200): Both address families are natively supported; the platform detects IP version automatically and stores, enriches, and queries each format according to the respective IETF specifications.
  • BGP Autonomous System Numbers (IANA/RFC 4271 ecosystem): ASN attribution is a first-class enrichment field, returning the AS number, registered organisation, network type, and CIDR route prefix that the BGP routing system associates with each IP address.
  • CIDR (RFC 4632): Network range notation is used in ASN route data and in trusted-proxy allowlist configuration, following the classless inter-domain routing specification.
  • TLP (FIRST Traffic Light Protocol): Secrecy level classifications on IP profiles map directly to TLP marking-definition identifiers (TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT, TLP:RED) as defined in the STIX 2.1 marking framework.
  • ISO 3166-1 alpha-2: Country codes returned by geolocation enrichment and stored against IP profiles follow the ISO two-letter country code standard, which also drives country-restriction access control for users.
  • GraphQL (June 2018 specification): All queries, mutations, and subscriptions for IP address profile management are exposed through a typed GraphQL API, including bulk lookup and enrichment operations.
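A worked bulk-triage example, added here and not part of the platform's API or code base, tying the Key Features above (bulk lookup, Tor/attacker/datacenter flags, 0 to 100 reputation with confidence) to the Open Standards list (automatic IPv4/IPv6 detection, CIDR matching, STIX 2.1 ipv4-addr/ipv6-addr observables and patterns, TLP marking). The CIDR lists use documentation ranges, and the weights, the score-to-TLP bands and the uuid5 id scheme are assumptions for illustration, not the platform's values.

```python
import ipaddress
import uuid

# Constructed sample intelligence using RFC 5737/3849 documentation ranges, not real indicators;
# a real deployment would load these categories from threat intelligence feeds.
INTEL = {
    "tor_exit": [ipaddress.ip_network("203.0.113.0/27")],
    "attacker": [ipaddress.ip_network("198.51.100.0/25"), ipaddress.ip_network("2001:db8:bad::/48")],
    "datacenter": [ipaddress.ip_network("192.0.2.0/24")],
}
WEIGHTS = {"attacker": 70, "tor_exit": 40, "datacenter": 20}  # assumed, not the platform's values
TLP_BY_SCORE = [(70, "TLP:AMBER"), (30, "TLP:GREEN"), (0, "TLP:CLEAR")]  # assumed score bands

def flags_for(ip):
    """Return the intelligence categories whose CIDR blocks contain ip (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for malformed input
    return [name for name, nets in INTEL.items() if any(addr in n for n in nets)]

def reputation(flags):
    """Saturating 0 to 100 score; confidence rises with corroborating sources."""
    score = min(100, sum(WEIGHTS[f] for f in flags))
    confidence = "high" if len(flags) >= 2 else "medium" if flags else "low"
    return score, confidence

def tlp_for(score):
    """Map a score to the TLP marking of the profile (highest matching band wins)."""
    return next(label for floor, label in TLP_BY_SCORE if score >= floor)

def stix_objects(ip):
    """STIX 2.1 Cyber Observable for the address plus the Indicator pattern that matches it."""
    addr = ipaddress.ip_address(ip)
    kind = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
    sco = {"type": kind, "spec_version": "2.1", "value": str(addr),
           "id": f"{kind}--{uuid.uuid5(uuid.NAMESPACE_URL, str(addr))}"}  # constructed id scheme
    return sco, f"[{kind}:value = '{addr}']"

def bulk_lookup(ips):
    """Triage a batch of raw log entries, highest risk first; malformed entries are kept as errors."""
    results = []
    for raw in ips:
        try:
            flags = flags_for(raw)
        except ValueError:
            results.append({"ip": raw, "error": "not a valid IPv4 or IPv6 address"})
            continue
        score, confidence = reputation(flags)
        sco, pattern = stix_objects(raw)
        results.append({"ip": raw, "flags": flags, "score": score, "confidence": confidence,
                        "tlp": tlp_for(score), "stix": sco, "pattern": pattern})
    return sorted(results, key=lambda r: -r.get("score", -1))
```

Malformed log entries are returned as error rows rather than silently dropped, so the triage output always accounts for every extracted address.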

Last Reviewed: 2026-02-05 | Last Updated: 2026-04-14
