
OSINT Domain


Category: API Domains | Last Updated: Feb 5, 2026
Tags: api-domains, real-time, compliance

Overview

When an analyst encounters a suspicious IP address or domain during an investigation, the next step is pulling everything the open internet knows about it: threat reputation, DNS history, WHOIS records, and any malware associations. The OSINT domain provides a unified query interface across multiple external intelligence providers, returning enriched results classified by Traffic Light Protocol sharing level so analysts know exactly what they can do with the data.

Key Features

  • Unified query interface across multiple external intelligence providers
  • IP and domain analysis for infrastructure reconnaissance
  • File scanning and malware reputation checking
  • Threat intelligence enrichment from external feeds
  • Traffic Light Protocol (TLP) compliance for data sharing classification: white, green, amber, and red
  • Provider-specific deep dive capabilities for detailed analysis
  • Observable enrichment for indicators of compromise
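The TLP classification applied to enriched results, as an added example (not code from the OSINT domain itself): it models one observable's results from three hypothetical providers as STIX 2.1 indicators, marks each with the TLP marking-definition identifiers that the STIX 2.1 specification fixes, and then performs the two checks an analyst needs before sharing: the effective (most restrictive) TLP of the combined report, and the subset releasable to a recipient cleared to a given level. Provider names, result text and the observable (an RFC 5737 documentation address) are constructed for illustration.

```python
"""Added example (not code from the OSINT domain itself): STIX 2.1 indicators
for one enriched observable, each carrying a TLP marking, plus the two checks
an analyst needs before sharing: the effective TLP of the combined report and
the subset a given recipient may receive.  Provider names, result text and the
observable (an RFC 5737 documentation address) are constructed."""
from __future__ import annotations

import json
import uuid
from datetime import datetime, timezone

# TLP marking-definition identifiers are fixed by the STIX 2.1 specification
# (section 7.2.1.4), so every STIX 2.1 consumer recognises them.
TLP_MARKINGS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_ORDER = ["white", "green", "amber", "red"]  # least to most restrictive
MARKING_TO_TLP = {ref: level for level, ref in TLP_MARKINGS.items()}


def _stix_timestamp() -> str:
    """Current UTC time in STIX 2.1 timestamp form (millisecond precision, 'Z' suffix)."""
    now = datetime.now(timezone.utc)
    return now.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def make_indicator(provider: str, pattern: str, tlp: str, description: str) -> dict:
    """Build a STIX 2.1 Indicator SDO for one provider's result, marked with its TLP level."""
    if tlp not in TLP_MARKINGS:
        raise ValueError(f"unknown TLP level: {tlp!r}")
    ts = _stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{provider}: {description}",
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
        "object_marking_refs": [TLP_MARKINGS[tlp]],
    }


def tlp_of(obj: dict) -> str:
    """TLP level of a STIX object.  If several TLP markings are present the most
    restrictive wins; an unmarked object is treated as red so that a missing
    marking can never widen distribution (fail closed)."""
    levels = [MARKING_TO_TLP[ref] for ref in obj.get("object_marking_refs", [])
              if ref in MARKING_TO_TLP]
    return max(levels, key=TLP_ORDER.index) if levels else "red"


def effective_tlp(objects: list[dict]) -> str:
    """Most restrictive TLP across objects that will be shared as one unit."""
    return max((tlp_of(o) for o in objects), key=TLP_ORDER.index, default="red")


def releasable_to(objects: list[dict], recipient_tlp: str) -> list[dict]:
    """Objects a recipient cleared up to `recipient_tlp` may receive."""
    limit = TLP_ORDER.index(recipient_tlp)
    return [o for o in objects if TLP_ORDER.index(tlp_of(o)) <= limit]


def make_bundle(objects: list[dict]) -> dict:
    """Wrap objects in a STIX 2.1 Bundle (bundles carry no spec_version in 2.1)."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def sample_enrichment() -> list[dict]:
    """Constructed results for one IP as three hypothetical providers might return them."""
    ip = "203.0.113.10"  # RFC 5737 TEST-NET-3, not a real indicator
    return [
        make_indicator("public-blocklist", f"[ipv4-addr:value = '{ip}']", "white",
                       "listed on an openly published blocklist"),
        make_indicator("passive-dns", f"[ipv4-addr:value = '{ip}']", "amber",
                       "historically resolved from a domain seen in a partner's incident"),
        make_indicator("sandbox", f"[ipv4-addr:value = '{ip}']", "red",
                       "contacted by a sample during a private detonation"),
    ]


if __name__ == "__main__":
    results = sample_enrichment()
    print("effective TLP of the full report:", effective_tlp(results))
    for level in TLP_ORDER:
        names = [o["name"] for o in releasable_to(results, level)]
        print(f"recipient at TLP:{level.upper()} may receive {len(names)} object(s): {names}")
    print(json.dumps(make_bundle(releasable_to(results, "green")), indent=2))
```

Two design points worth keeping in any real implementation: an unmarked object is treated as red rather than white, so a provider that forgets to label a result cannot accidentally make it public, and the report-level TLP is the maximum over its parts, because a bundle is only as shareable as its most restricted object. The table above uses the TLP 1.0 labels the page lists; TLP 2.0 marking definitions (CLEAR, AMBER+STRICT) are published separately and would need their own entries.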

Use Cases

Relevant sectors include financial crime investigation, law enforcement cyber units, and intelligence agencies.

  • Enriching investigation data with external intelligence on IP addresses and domains
  • Scanning files and URLs for malware indicators through external analysis platforms
  • Querying DNS and WHOIS intelligence for domain investigation
  • Running deep analysis with extensible playbooks on suspicious observables

Integration

The OSINT domain integrates with Threat for threat intelligence correlation, Malware for malware analysis, Indicator for IOC management, Investigation for case context, and Enrichment for data enrichment workflows.

Open Standards

  • STIX 2.1 (OASIS CTI TC): The domain models threat intelligence objects, indicators, observables, and collection results in accordance with the Structured Threat Information Expression 2.1 specification, enabling interoperability with external intelligence platforms.
  • TAXII 2.1 (OASIS CTI TC): Analyst-configured feed subscriptions poll external threat intelligence collections via the Trusted Automated eXchange of Intelligence Information 2.1 transport protocol, with subscription state tracked per analyst.
  • Traffic Light Protocol (TLP): Every enriched result is classified at one of the four TLP sharing levels (white, green, amber, red) so analysts understand the permitted distribution of data returned from each external provider. These are the TLP 1.0 labels; TLP 2.0 (2022) renamed WHITE to CLEAR and added AMBER+STRICT, so results exchanged with partners on TLP 2.0 need to be mapped accordingly.
  • WHOIS (RFC 3912): Domain ownership and registration records are queried through WHOIS-capable providers, surfacing registrant, nameserver, and registration history data during infrastructure investigations.
  • Domain Name System (DNS, RFC 1034/1035): DNS record enumeration, including historical record lookups, is a first-class provider capability, used to map domain infrastructure and detect changes over time.
  • Certificate Transparency (RFC 6962): Integration with Certificate Transparency logs allows analysts to discover every logged TLS certificate issued for a domain, revealing subdomains and infrastructure that may not appear in DNS alone. Coverage is only as complete as logging itself: publicly trusted certificates have been reliably logged since browsers began requiring it in 2018, while older or privately issued certificates may be absent.
  • Malware Attribute Enumeration and Characterisation (MAEC, OASIS): File scanning and malware reputation results are structured using the MAEC vocabulary, providing a common language for describing malware behaviours, attributes, and artefacts across providers.
  • Server-Sent Events (originally a W3C Recommendation, now maintained in the WHATWG HTML Living Standard): Multi-provider OSINT searches stream real-time progress updates to the analyst's browser using the Server-Sent Events specification, delivering query status, partial results, and narrative storyboard generation over a single HTTP connection.
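The TAXII 2.1 polling described above, as an added example that is not the OSINT domain's own client: a minimal poller that keeps an `added_after` cursor per analyst subscription, sends the TAXII 2.1 media type, follows `next` pagination, and advances the cursor only once the last page has been read so that an interrupted poll replays objects rather than skipping them. The transport is injectable, so the block runs offline against a constructed in-memory stand-in for a collection endpoint; the API root, collection id and object contents are made up for illustration.

```python
"""Added example (not the OSINT domain's own client): a TAXII 2.1 poller with a
persisted `added_after` cursor per subscription and `next` pagination, exercised
against a constructed in-memory server.  API root, collection id and objects
are invented for illustration."""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from typing import Callable

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"
# transport(url, request_headers, query_params) -> (status, response_headers, json_body)
Transport = Callable[[str, dict, dict], tuple[int, dict, dict]]


@dataclass
class Subscription:
    """Per-analyst feed subscription; `added_after` is the cursor persisted between polls."""
    analyst: str
    api_root: str
    collection_id: str
    added_after: str | None = None

    @property
    def objects_url(self) -> str:
        return f"{self.api_root.rstrip('/')}/collections/{self.collection_id}/objects/"


def poll(sub: Subscription, transport: Transport, limit: int = 100) -> list[dict]:
    """Fetch every object added since the cursor.  Pages are followed via `next`
    while the envelope says `more`; the cursor is advanced to the server's
    X-TAXII-Date-Added-Last only after the final page, so a crash mid-poll
    re-fetches rather than loses objects (added_after is exclusive)."""
    headers = {"Accept": TAXII_MEDIA_TYPE}
    params: dict = {"limit": limit}
    if sub.added_after:
        params["added_after"] = sub.added_after
    collected: list[dict] = []
    last_added = None
    while True:
        status, resp_headers, body = transport(sub.objects_url, headers, params)
        if status != 200:
            raise RuntimeError(f"TAXII poll of {sub.objects_url} failed with HTTP {status}")
        collected.extend(body.get("objects", []))
        last_added = resp_headers.get("X-TAXII-Date-Added-Last", last_added)
        if not body.get("more"):
            break
        params = {**params, "next": body["next"]}  # opaque server-issued page token
    if last_added:
        sub.added_after = last_added
    return collected


class FakeTaxiiServer:
    """Constructed in-memory stand-in for one TAXII 2.1 collection's objects endpoint."""

    def __init__(self) -> None:
        self.entries: list[tuple[str, dict]] = []  # (date_added, object), sorted

    def add(self, date_added: str, obj: dict) -> None:
        self.entries.append((date_added, obj))
        self.entries.sort(key=lambda e: e[0])

    def __call__(self, url: str, headers: dict, params: dict) -> tuple[int, dict, dict]:
        if headers.get("Accept") != TAXII_MEDIA_TYPE:
            return 406, {}, {}
        after = params.get("added_after")
        matches = [e for e in self.entries if after is None or e[0] > after]
        offset = int(params.get("next", 0))  # this fake uses an offset as its token
        limit = int(params.get("limit", 100))
        page = matches[offset:offset + limit]
        more = offset + limit < len(matches)
        body: dict = {"more": more, "objects": [o for _, o in page]}
        if more:
            body["next"] = str(offset + limit)
        resp_headers: dict = {}
        if page:
            resp_headers["X-TAXII-Date-Added-First"] = page[0][0]
            resp_headers["X-TAXII-Date-Added-Last"] = page[-1][0]
        return 200, resp_headers, body


def demo() -> tuple[int, int]:
    """Two polls: 3 objects on the first (two pages of 2), then only the 1 added later."""
    server = FakeTaxiiServer()
    for i in range(3):
        server.add(f"2026-02-05T10:0{i}:00.000Z",
                   {"type": "indicator", "spec_version": "2.1",
                    "id": f"indicator--{uuid.UUID(int=i)}"})  # constructed ids
    sub = Subscription(analyst="alice", api_root="https://taxii.example.test/api1/",
                       collection_id="f3d9c5b2-1e4a-4c6b-9d7e-2a8b5c4d6e1f")  # constructed
    first = poll(sub, server, limit=2)
    server.add("2026-02-05T10:05:00.000Z",
               {"type": "indicator", "spec_version": "2.1",
                "id": f"indicator--{uuid.UUID(int=3)}"})
    second = poll(sub, server, limit=2)
    return len(first), len(second)


if __name__ == "__main__":
    print("objects per poll (first, second):", demo())
```

Replacing the transport with a real HTTP call needs only the same three-tuple contract (status, headers, parsed JSON), plus the analyst's credentials; keeping `Subscription.added_after` in durable storage keyed by analyst and collection is what gives the "subscription state tracked per analyst" behaviour the page describes.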

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
