
Malware Domain


Category: API Domains
Last Updated: Feb 5, 2026
Tags: api-domains, ai, blockchain

Overview

A cyber team responding to an intrusion recovers a binary they cannot immediately attribute. Within minutes they create a malware profile capturing the file hashes, observed capabilities, and suspected family lineage, then link it directly to the active incident case. The Malware domain provides exactly that structured environment for cataloguing, attributing, and tracking malware samples throughout an investigation.

Key Features

  • Malware profile creation and management with detailed metadata
  • Family attribution for categorising malware by lineage
  • Capability tracking for documenting malware behaviours
  • File hash management for sample identification
  • Reference linking to external intelligence sources
  • Investigation association for case context
  • Threat level and secrecy level classification

Use Cases

Relevant sectors include financial crime, defence, and law enforcement cyber units.

  • Cataloguing malware samples discovered during cyber investigations
  • Tracking malware family relationships and capability evolution
  • Linking malware profiles to threat actors and investigations
  • Managing file hashes for malware sample identification and correlation

Integration

The Malware domain integrates with Investigation for case linking, Threat Intel for enrichment, and the intelligence service for AI-powered analysis.

Open Standards

  • OASIS STIX 2.1: Malware profiles are modelled as STIX 2.1 malware Domain Objects (SDOs); the platform bidirectionally converts Argus malware records to and from STIX 2.1 bundles, including object_marking_refs and relationship objects (SROs).
  • FIRST Traffic Light Protocol (TLP): Secrecy classification on every malware profile is expressed using TLP marking-definitions (WHITE, GREEN, AMBER, AMBER+STRICT, RED, CLEAR) in line with the STIX 2.1 TLP specification.
  • MITRE ATT&CK: Malware capability tracking is aligned with the MITRE ATT&CK technique and tactic taxonomy; the linked attribution service stores and queries ATT&CK technique IDs to associate malware with observed TTPs.
  • FIPS 180-4 (SHA-1 / SHA-256) and RFC 1321 (MD5): The malware profile model stores MD5, SHA-1, and SHA-256 cryptographic digests for sample identification and cross-source correlation.
  • YARA: YARA rules are a supported threat-intelligence indicator type within the platform and are correlated against malware records for detection-rule linkage.
  • GraphQL (June 2018 Specification): All malware profile queries and mutations are exposed through a typed GraphQL API, enabling structured creation and retrieval of malware data by client applications.
  • OAuth 2.0 / JWT (RFC 7519): Access to all malware API operations is gated by JWT bearer tokens issued under OAuth 2.0 flows, enforced via per-request authentication checks.
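The following is an added example, not code from the platform or from this page, showing how the standards above fit together in one record: a malware profile carrying the MD5 / SHA-1 / SHA-256 digests (RFC 1321, FIPS 180-4), a TLP secrecy level expressed as a STIX 2.1 marking reference, family lineage, and ATT&CK technique ids, converted to a STIX 2.1 bundle and parsed back. The MalwareProfile record, its field names, the sample bytes and the technique ids used in the demo are constructed for illustration and are not the platform's schema. Only the four TLP 1.0 labels with their well-known STIX 2.1 marking-definition ids are accepted; the TLP 2.0 labels the platform also supports (CLEAR, AMBER+STRICT) are rejected by the validator rather than given guessed ids.

```python
# Added example (not the platform's own code): round trip of a malware profile
# record through a STIX 2.1 bundle. MalwareProfile and its field names are
# assumptions made for illustration.
import hashlib
import re
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Well-known TLP 1.0 marking-definition ids from the STIX 2.1 specification.
# TLP 2.0 labels (CLEAR, AMBER+STRICT) use extension-defined ids that are not
# reproduced here, so validate() rejects them instead of inventing ids.
TLP_MARKINGS = {
    "WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "AMBER": "marking-definition--f88d31f6-dbdf-4d8e-9f6d-7eda8e8bc5ab",
    "RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
HASH_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}   # hex digest lengths
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")        # T1059 or T1059.001


@dataclass
class MalwareProfile:
    name: str
    family: str                 # lineage the sample is attributed to
    tlp: str                    # secrecy level as a TLP label
    hashes: dict                # {"MD5": ..., "SHA-1": ..., "SHA-256": ...}
    techniques: list = field(default_factory=list)    # ATT&CK technique ids
    capabilities: list = field(default_factory=list)  # STIX malware-capabilities-ov


def digest_sample(data: bytes) -> dict:
    """The three digests the profile model stores, as lowercase hex."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA-1": hashlib.sha1(data).hexdigest(),
            "SHA-256": hashlib.sha256(data).hexdigest()}


def validate(profile: MalwareProfile) -> None:
    """Reject records that would yield a mis-marked or malformed bundle."""
    if profile.tlp not in TLP_MARKINGS:
        raise ValueError(f"unsupported TLP label: {profile.tlp}")
    for algo, value in profile.hashes.items():
        if (algo not in HASH_LEN or len(value) != HASH_LEN[algo]
                or any(c not in "0123456789abcdef" for c in value)):
            raise ValueError(f"malformed {algo} digest")
    for tid in profile.techniques:
        if not ATTACK_ID.match(tid):
            raise ValueError(f"not an ATT&CK technique id: {tid}")


def to_stix(profile: MalwareProfile) -> dict:
    """Bundle: sample malware SDO, family SDO, file SCO holding the hashes, one
    attack-pattern per technique, and the relationship SROs linking them."""
    validate(profile)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    # Every object is marked with the profile's TLP via object_marking_refs;
    # the well-known TLP markings may be referenced by id without inclusion.
    common = {"spec_version": "2.1", "created": now, "modified": now,
              "object_marking_refs": [TLP_MARKINGS[profile.tlp]]}
    file_obj = {"type": "file", "spec_version": "2.1",
                "id": f"file--{uuid.uuid4()}", "hashes": dict(profile.hashes)}
    family = {"type": "malware", "id": f"malware--{uuid.uuid4()}",
              "name": profile.family, "is_family": True, **common}
    sample = {"type": "malware", "id": f"malware--{uuid.uuid4()}",
              "name": profile.name, "is_family": False,
              "capabilities": list(profile.capabilities),
              "sample_refs": [file_obj["id"]], **common}

    def rel(kind, src, dst):
        return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
                "relationship_type": kind, "source_ref": src["id"],
                "target_ref": dst["id"], **common}

    objects = [sample, family, file_obj, rel("variant-of", sample, family)]
    for tid in profile.techniques:
        ap = {"type": "attack-pattern", "id": f"attack-pattern--{uuid.uuid4()}",
              "name": tid, "external_references": [
                  {"source_name": "mitre-attack", "external_id": tid}], **common}
        objects += [ap, rel("uses", sample, ap)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def from_stix(bundle: dict) -> MalwareProfile:
    """Rebuild the profile record from a bundle produced by to_stix()."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    tlp_by_id = {v: k for k, v in TLP_MARKINGS.items()}
    sample = next(o for o in bundle["objects"]
                  if o["type"] == "malware" and not o["is_family"])
    family, techniques = "", []
    for r in (o for o in bundle["objects"] if o["type"] == "relationship"):
        if r["source_ref"] != sample["id"]:
            continue
        target = by_id[r["target_ref"]]
        if r["relationship_type"] == "variant-of":
            family = target["name"]
        elif r["relationship_type"] == "uses":
            techniques.append(target["external_references"][0]["external_id"])
    return MalwareProfile(
        name=sample["name"], family=family,
        tlp=tlp_by_id[sample["object_marking_refs"][0]],
        hashes=dict(by_id[sample["sample_refs"][0]]["hashes"]),
        techniques=techniques, capabilities=list(sample.get("capabilities", [])))


if __name__ == "__main__":
    # Constructed sample bytes and ids for the demo; not a real binary.
    profile = MalwareProfile(name="sample-0001", family="ExampleFamily", tlp="AMBER",
                             hashes=digest_sample(b"constructed sample bytes"),
                             techniques=["T1059.001"], capabilities=["communicates-with-c2"])
    bundle = to_stix(profile)
    print(len(bundle["objects"]), "STIX objects; round trip equal:", from_stix(bundle) == profile)
```

The family is modelled as its own malware SDO with is_family set, joined to the sample by a variant-of relationship, and each ATT&CK technique becomes an attack-pattern whose external_references entry carries the technique id, which is how an attribution service can query ATT&CK ids later. Validation runs before conversion so that a malformed digest or an unknown TLP label never reaches a bundle that downstream consumers would trust.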

Last Reviewed: 2026-02-05
Last Updated: 2026-04-14
