
Threat Intelligence Domain


Category: API Domains | Last Updated: Feb 5, 2026

Overview

A security engineer finds an unfamiliar IP address making repeated requests to a staging server. She submits it to the threat intelligence domain, which queries multiple feeds simultaneously, returns three separate verdicts, and confirms the address belongs to a command-and-control cluster linked to a known ransomware group. The whole process takes seconds rather than the half-hour of manual lookups it would otherwise require.

The domain provides indicator of compromise (IOC) enrichment, correlation analysis, and threat feed management. Investigators enrich IOCs with intelligence from multiple sources, identify relationships between indicators, assess threat severity, and monitor the health of threat intelligence feeds. Results are cached in PostgreSQL to reduce latency and external API costs while keeping data current.

Key Features

  • IOC Enrichment: Enrich indicators of compromise (IP addresses, domains, file hashes, URLs, email addresses) with intelligence from multiple threat data sources for comprehensive context.

  • Multi-Source Aggregation: Query multiple threat intelligence sources simultaneously and aggregate results into a unified view with confidence scoring and source attribution.

  • Correlation Analysis: Identify relationships between indicators to uncover connections between seemingly unrelated threats and build a broader picture of adversary infrastructure.

  • Batch Processing: Enrich multiple indicators in a single operation for efficient processing of large indicator sets during investigations.

  • Threat Feed Monitoring: Track the health and freshness of connected threat intelligence feeds to ensure enrichment data is current and reliable.

  • IOC Type Support: Analyse a wide range of indicator types, including IP addresses, domain names, file hashes, URLs, and email addresses, with type-specific enrichment logic.

  • Caching and Performance: Intelligent caching of enrichment results reduces query latency and external API usage while ensuring timely updates.
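The type detection, confidence-weighted multi-source aggregation and result caching described in the features above, as an added Python sketch that is not the platform's own code. The feed names, verdict labels, vote weights and the in-memory cache class are assumptions made for this example; the real platform caches in PostgreSQL.

```python
import ipaddress, re, time
from dataclasses import dataclass

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5 / SHA-1 / SHA-256
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def ioc_type(value: str) -> str:
    """Classify an indicator so the matching type-specific enrichment path is chosen."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    checks = (("url", lambda s: s.lower().startswith(("http://", "https://"))),
              ("hash", HASH_RE.match), ("email", EMAIL_RE.match), ("domain", DOMAIN_RE.match))
    for kind, matches in checks:  # URL first: a URL with userinfo would otherwise look like an email
        if matches(v):
            return kind
    raise ValueError(f"unsupported indicator: {value!r}")

@dataclass
class Verdict:
    source: str        # feed name, kept for source attribution
    verdict: str       # "malicious", "suspicious", "benign" or "unknown"
    confidence: float  # the feed's own confidence in its verdict, 0..1

WEIGHTS = {"malicious": 1.0, "suspicious": 0.5, "benign": -1.0, "unknown": 0.0}  # assumed weights

def aggregate(verdicts: list) -> dict:
    """Confidence-weighted vote; 'unknown' sources are attributed but carry no weight."""
    total = sum(v.confidence for v in verdicts if v.verdict != "unknown")
    attribution = {v.source: v.verdict for v in verdicts}
    if total == 0:
        return {"verdict": "unknown", "score": 0.0, "sources": attribution}
    score = sum(WEIGHTS[v.verdict] * v.confidence for v in verdicts) / total
    label = "malicious" if score >= 0.5 else "suspicious" if score > 0 else "benign"
    return {"verdict": label, "score": round(score, 2), "sources": attribution}

class EnrichmentCache:
    """TTL cache standing in for the PostgreSQL result cache; the clock is injectable for tests."""
    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl, self.clock, self.store = ttl_seconds, clock, {}
    def get(self, key):
        hit = self.store.get(key)
        return hit[1] if hit and self.clock() - hit[0] < self.ttl else None
    def put(self, key, value):
        self.store[key] = (self.clock(), value)
```

A disagreeing high-confidence source pulls the unified verdict down to "suspicious" rather than being silently outvoted, and the attribution map shows which feed disagreed.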

Mermaid Diagram

Use Cases

  • Incident Response: Enrich indicators discovered during an active breach to understand their threat context, associated campaigns, and known adversary infrastructure so responders can act faster.

  • Cybersecurity Operations: Evaluate the severity and credibility of detected threats by correlating indicators against multiple intelligence sources before escalating to the SOC.

  • Defence Intelligence: Hunt for relationships between indicators to proactively identify adversary infrastructure before it is used in attacks against government or military networks.

  • Critical Infrastructure Protection: Aggregate and correlate threat data from multiple sources to produce finished intelligence products for operational teams protecting energy, water, and transport systems.

Integration

The Threat Intelligence domain enriches security operations across the platform:

  • Investigation Management: IOC enrichment results link to active investigations.
  • Alert System: High-severity threat indicators trigger automated alerts.
  • Threat Actor Profiles: Indicators associate with known threat actor profiles.
  • SIEM Connector: Security events correlate with threat intelligence data.

Open Standards

  • MITRE ATT&CK: Tactics, techniques, and procedures (TTPs) are stored against MITRE ATT&CK technique and tactic identifiers, enabling attribution scoring and adversary profiling against the canonical knowledge base.
  • CVE (Common Vulnerabilities and Exposures): Vulnerability indicators are typed and stored using CVE identifiers, allowing cross-referencing with the national vulnerability database and third-party feeds.
  • CVSS (Common Vulnerability Scoring System): Vulnerability records carry CVSS numeric scores and vector strings to provide standardised severity ratings across enrichment sources.
  • YARA: YARA rule signatures are a supported IOC type, enabling the domain to ingest and correlate malware detection rules produced by the broader security community.
  • DNS over HTTPS (RFC 8484): Domain and IP indicators are enriched through DNS-over-HTTPS queries, using the HTTPS-based resolution protocol to obtain passive-DNS context securely.
  • WHOIS (RFC 3912): Domain and IP registrant data is retrieved via WHOIS queries and surfaced as a first-class enrichment field alongside other source verdicts.
  • GraphQL (June 2018 specification): All threat intelligence queries, mutations, and enrichment responses are exposed through a typed GraphQL API that enforces schema-level validation on every request.

Last Reviewed: 2026-02-05 | Last Updated: 2026-04-14
