Overview#
An analyst needs to run a company registration lookup, a social media scrape, and a dark web search as part of a single investigation. Rather than switching between three separate applications, logging in to each, and manually copying results into a case file, she selects all three from the tool catalog and executes them through a single interface. Results land directly in the investigation record. That unified, extensible approach is what the Tool domain provides.
The domain manages tool profiles and dynamic tool execution capabilities. Tool profiles represent investigative and analytical tools tracked within the platform with documented capabilities, versions, and references. A unified execution interface supports dynamic invocation of any registered provider-based tool without requiring dedicated endpoints for each one.
Key Features#
- Tool Profile Management: Create and maintain profiles for investigative and analytical tools including names, descriptions, capabilities, versions, and reference documentation.
- Dynamic Tool Execution: Execute any registered provider-based tool through a unified interface without requiring dedicated endpoints for each tool, providing flexible extensibility.
- Provider Integration: Connect to multiple external tool providers through a pluggable architecture that supports adding new tools and data sources without platform changes.
- Result Handling: Receive and process tool execution results in a standardised format regardless of the underlying provider, simplifying integration with investigative workflows.
- Tool Catalog: Browse available tools with their capabilities and descriptions to discover relevant tools for specific investigative needs.
- Programmable API Access: Create tool profiles, browse the tool catalog, and execute tools through a structured API for integration with automated workflows and custom interfaces.
Mermaid Diagram#
Use Cases#
- Law Enforcement: Execute specialised investigation tools to gather intelligence, perform lookups, and collect data from external sources as part of active criminal investigations.
- Intelligence Analysis: Browse the tool catalog to find available tools and understand their capabilities when planning an investigation or research approach.
- Cybersecurity Operations: Integrate tool execution into automated pipelines that chain multiple tools together for comprehensive data collection, enrichment, and threat analysis.
- Corporate Investigations: Add new tool providers to the platform without code changes by registering tool profiles and configuring provider connections as the investigative toolkit grows.
Integration#
The Tool domain supports investigative operations across the platform:
- Investigation Management: Tool results link to active investigations.
- Profile Management: Tool-gathered data enriches entity profiles.
- Evidence Management: Tool outputs can be captured as evidence.
- Workflow Automation: Tool execution integrates with automated pipelines.
Open Standards#
- GraphQL (June 2018 specification): the entire API surface (tool profile queries, mutations, and the generic runTool invocation) is defined as a strongly typed GraphQL schema, enabling introspection and structured parameterisation of any registered provider tool.
- JSON (ECMA-404 / RFC 8259): tool execution parameters and results are exchanged as JSON objects; all list-valued profile fields (aliases, capabilities, references, tags) are serialised and deserialised as JSON within the persistence layer.
- RFC 4122 (UUID): every tool profile is assigned a version-4 UUID as its canonical identifier, giving globally unique, collision-resistant references across distributed investigation records.
- OAuth 2.0 Bearer Token (RFC 6749 framework, RFC 6750 bearer usage) carrying a JWT (RFC 7519): all tool catalog queries and tool execution mutations require an authenticated JWT Bearer token; the IsAuthenticated permission class enforces this on every resolver. As its name states, this check establishes that the caller holds a valid token; which registered tools a given caller may execute is a separate authorisation decision.
- ISO 8601 / RFC 3339 (UTC timestamps): the created_at and updated_at fields on every tool profile are stored and exchanged as UTC-aware ISO 8601 datetime values, enabling consistent chronological ordering across investigations.
- MITRE ATT&CK software taxonomy: the tool_type field adopts ATT&CK vocabulary values (for example, "exploit") to categorise tools consistently with the ATT&CK framework; tool profiles are co-indexed alongside attack-pattern profiles in the platform's intelligence knowledge graph.
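The dispatch pattern described under Dynamic Tool Execution and Result Handling, together with the bearer-token, UUID and timestamp conventions listed above, as an added example in Python that is not the platform's own code. Everything in it is hypothetical: the ToolRegistry, run_tool, is_authenticated, make_jwt and validate_envelope names, the HS256 signing algorithm (the page specifies JWT bearer tokens, not the algorithm), the envelope field names (tool, status, tool_id, data, error, completed_at), and the constructed company_lookup provider and its data table. The page's IsAuthenticated class is not shown; is_authenticated stands in for what such a check has to establish before a resolver runs.

```python
# Added example, not the platform's code. Hypothetical throughout: in-process registry,
# HS256 JWTs (the page says JWT bearer, not the algorithm), envelope field names, sample data.
import base64, hashlib, hmac, json, time, uuid
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Optional

SECRET = b"constructed-demo-secret"  # constructed; a real service loads this from a secret store

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT (RFC 7519) for the example's callers."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def is_authenticated(auth_header: str, secret: bytes = SECRET) -> Optional[dict]:
    """Bearer JWT, pinned algorithm, valid signature, unexpired exp: returns claims or None."""
    if not auth_header.startswith("Bearer ") or auth_header.count(".") != 2:
        return None
    head, body, sig = auth_header[len("Bearer "):].split(".")
    try:
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":  # never trust the token's own alg
            return None
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, UnicodeDecodeError, AttributeError, TypeError):
        return None  # malformed base64/JSON, non-object header or claims, non-numeric exp

def _envelope(tool: str, status: str, **fields: Any) -> dict:
    """One result shape for every provider (field names are hypothetical)."""
    return {"tool": tool, "status": status, "completed_at": datetime.now(timezone.utc).isoformat(), **fields}

def validate_envelope(env: dict) -> bool:
    """Format checks the page states: version-4 UUID tool_id, UTC-aware ISO 8601 completed_at."""
    stamp = datetime.fromisoformat(env["completed_at"])
    return uuid.UUID(env["tool_id"]).version == 4 and stamp.utcoffset() == timezone.utc.utcoffset(None)

class ToolRegistry:  # registered tools behind one run_tool entry point, not an endpoint per tool
    def __init__(self) -> None:
        self._tools: Dict[str, dict] = {}

    def register(self, name: str, fn: Callable[[dict], dict], required: tuple = ()) -> str:
        profile = {"id": str(uuid.uuid4()), "name": name, "required_params": list(required),  # RFC 4122 v4
                   "created_at": datetime.now(timezone.utc).isoformat()}  # UTC-aware ISO 8601
        self._tools[name] = {"profile": profile, "fn": fn}
        return profile["id"]

    def run_tool(self, auth_header: str, name: str, params_json: str) -> dict:
        """Generic invocation: authenticate, resolve, validate JSON parameters, run, wrap."""
        if is_authenticated(auth_header) is None:
            return _envelope(name, "error", error="unauthenticated")
        entry = self._tools.get(name)  # only the registry decides what is callable
        if entry is None:
            return _envelope(name, "error", error="unknown tool")
        tool_id = entry["profile"]["id"]
        try:
            params = json.loads(params_json)
        except ValueError:
            params = None
        if not isinstance(params, dict):
            return _envelope(name, "error", tool_id=tool_id, error="parameters must be a JSON object")
        missing = [k for k in entry["profile"]["required_params"] if k not in params]
        if missing:
            return _envelope(name, "error", tool_id=tool_id, error=f"missing parameters: {missing}")
        try:
            data = entry["fn"](params)
        except Exception as exc:  # a provider fault must not take down the dispatcher
            return _envelope(name, "error", tool_id=tool_id, error=f"provider failure: {exc}")
        return _envelope(name, "ok", tool_id=tool_id, data=data)

_COMPANIES = {"12345678": {"name": "Example Holdings Ltd", "status": "active"}}  # constructed table

def company_lookup(params: dict) -> dict:  # constructed sample provider
    number = str(params["registration_number"])
    if number not in _COMPANIES:
        raise KeyError(f"no company with registration number {number}")
    return _COMPANIES[number]

def demo() -> Dict[str, dict]:  # happy path plus four rejections, all in the same envelope shape
    registry = ToolRegistry()
    registry.register("company_lookup", company_lookup, required=("registration_number",))
    good = f"Bearer {make_jwt({'sub': 'analyst-1', 'exp': time.time() + 3600})}"
    stale = f"Bearer {make_jwt({'sub': 'analyst-1', 'exp': 1})}"
    query = '{"registration_number": "12345678"}'
    return {"ok": registry.run_tool(good, "company_lookup", query),
            "expired": registry.run_tool(stale, "company_lookup", query),
            "unknown": registry.run_tool(good, "darkweb_search", '{"query": "acme"}'),
            "missing": registry.run_tool(good, "company_lookup", "{}"),
            "provider": registry.run_tool(good, "company_lookup", '{"registration_number": "0"}')}
```

Two points the design makes visible: the resolver's lookup is confined to the registry, so a caller can name only tools that were registered, never an arbitrary provider; and a valid bearer token proves who the caller is, while deciding which registered tools that caller may run is an authorisation step that an authentication check alone does not perform.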
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14