
Threat Intelligence Integration

Category: Intelligence | Last Updated: Feb 5, 2026 | Tags: intelligence, geospatial

Overview

An analyst investigating a phishing campaign has a list of forty domains, sixty IP addresses, and twenty URLs extracted from email headers and malicious documents. Manually querying each one through separate threat intelligence portals would take hours. Bulk enrichment through the Threat Intelligence Integration module processes the entire batch in seconds, returning reputation scores, geolocation data, historical DNS resolution chains, and WHOIS ownership records for every indicator, directly within the investigation workflow.

Platform architects and enterprise IT teams integrating Argus into existing SOC workflows can connect this module to their broader threat intelligence pipeline, feeding enriched indicators into alert management, case records, and automated correlation rules.

Open Standards

  • GraphQL (June 2018 specification): All enrichment queries and mutations (domain intelligence, IP intelligence, passive DNS, WHOIS, and URL scanning) are exposed through a typed GraphQL API, enabling structured, self-documenting queries from any compliant client.
  • DNS-over-HTTPS (RFC 8484): The enrichment pipeline queries DNS resolution data for domain and IP indicators via DNS-over-HTTPS, protecting resolution lookups from passive interception and enabling resolution from any HTTPS-capable provider.
  • WHOIS / RDAP (RFC 7483): Domain and IP ownership intelligence (registrar, registration dates, nameservers, and contact records) is retrieved in accordance with the Registration Data Access Protocol, the successor to the plain-text WHOIS service.
  • CVE / CVSS (NIST NVD, FIRST CVSS v3.1): The indicator model supports CVE identifiers and CVSS severity scores as first-class IOC fields, enabling vulnerability indicators to carry standardised severity ratings alongside other enrichment data.
  • MITRE ATT&CK: Enriched indicators and threat actor attribution data are mapped to MITRE ATT&CK technique and tactic identifiers, providing a common taxonomy for describing adversary behaviour across the investigation workflow.
  • STIX 2.1 / TAXII 2.1 (OASIS): Enriched indicators of compromise produced by this module are compatible with the platform's STIX 2.1 / TAXII 2.1 integration, allowing enriched threat objects to be shared with or ingested from external threat intelligence platforms via the TAXII polling client.
  • OAuth 2.0 / JSON Web Tokens (RFC 6749 / RFC 7519): All enrichment endpoints enforce authentication via RS256-signed JWTs validated against a JWKS endpoint, ensuring only authorised, organisation-scoped users can query or submit indicators.
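Added example, not code from Argus: how enriched results from this module could be packaged as STIX 2.1 objects for the TAXII 2.1 sharing path listed above, with ATT&CK techniques attached as attack-pattern objects (deduplicated within the bundle) and CVE indicators carrying their CVSS v3.1 qualitative rating. The STIX object layout, the `mitre-attack` external-reference convention and the CVSS severity scale come from those specifications; the record shape the function consumes, the category-to-indicator-type mapping, the risk-score-to-confidence mapping and the sample records (including the placeholder CVE id) are my assumptions.

```python
"""Export enriched indicators as a STIX 2.1 bundle with ATT&CK and CVSS context.

Added example (not Argus code). The `records` shape (type, value, category,
risk_score, attack_technique, cvss) is an assumption about what the
enrichment module returns.
"""
import json
import uuid
from datetime import datetime, timezone

# STIX Cyber Observable types used in indicator patterns, keyed by our indicator type.
PATTERN_TEMPLATES = {
    "domain": "[domain-name:value = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "url": "[url:value = '{v}']",
}

# Enrichment category -> STIX indicator-type open vocabulary (mapping is an assumption).
INDICATOR_TYPES = {
    "phishing": "malicious-activity", "malware": "malicious-activity",
    "c2": "malicious-activity", "suspicious": "anomalous-activity",
}


def cvss_severity(score):
    """CVSS v3.1 qualitative severity rating scale (None/Low/Medium/High/Critical)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def stix_pattern(kind, value):
    """Build a STIX patterning comparison; single quotes and backslashes are escaped."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return PATTERN_TEMPLATES[kind].format(v=escaped)


def _common(obj_type, ts):
    """Properties every STIX Domain Object and relationship carries."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts}


def build_bundle(records, now=None):
    """Turn enriched records into a STIX 2.1 bundle ready for a TAXII 2.1 collection."""
    now = now or datetime.now(timezone.utc)
    # STIX timestamps are UTC, RFC 3339, and `created` must be precise to the millisecond.
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    objects = []
    attack_patterns = {}    # technique id -> attack-pattern SDO, emitted once per bundle
    for rec in records:
        if rec["type"] == "cve":
            vuln = _common("vulnerability", ts)
            vuln.update({
                "name": rec["value"],
                "external_references": [{"source_name": "cve", "external_id": rec["value"]}],
                # custom properties carry the CVSS data; STIX 2.1 uses the x_ prefix for these
                "x_cvss_v3_1_score": rec["cvss"],
                "x_cvss_v3_1_severity": cvss_severity(rec["cvss"]),
            })
            objects.append(vuln)
            continue
        ind = _common("indicator", ts)
        ind.update({
            "pattern": stix_pattern(rec["type"], rec["value"]),
            "pattern_type": "stix",
            "valid_from": ts,
            "indicator_types": [INDICATOR_TYPES.get(rec["category"], "unknown")],
            # STIX confidence is 0-100; the enrichment risk score is assumed to use the same scale
            "confidence": int(rec["risk_score"]),
        })
        objects.append(ind)
        technique = rec.get("attack_technique")
        if not technique:
            continue
        if technique not in attack_patterns:
            ap = _common("attack-pattern", ts)
            ap.update({"name": rec.get("attack_technique_name", technique),
                       "external_references": [{"source_name": "mitre-attack",
                                                "external_id": technique}]})
            attack_patterns[technique] = ap
            objects.append(ap)
        rel = _common("relationship", ts)
        rel.update({"relationship_type": "indicates",
                    "source_ref": ind["id"], "target_ref": attack_patterns[technique]["id"]})
        objects.append(rel)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# Constructed sample output of an enrichment run; the CVE id is a placeholder, not a real CVE.
SAMPLE_RECORDS = [
    {"type": "domain", "value": "login-secure-update.example", "category": "phishing",
     "risk_score": 91, "attack_technique": "T1566", "attack_technique_name": "Phishing"},
    {"type": "url", "value": "http://login-secure-update.example/verify", "category": "phishing",
     "risk_score": 88, "attack_technique": "T1566"},
    {"type": "ipv4", "value": "203.0.113.7", "category": "c2", "risk_score": 75,
     "attack_technique": "T1071"},
    {"type": "cve", "value": "CVE-0000-00000", "category": "vulnerability", "risk_score": 0,
     "cvss": 9.8},
]

if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_RECORDS), indent=2))
```

Relationships point at the attack-pattern once per technique rather than duplicating it per indicator, which keeps the bundle small and lets a receiving platform merge on the `mitre-attack` external id.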

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14

Key Features

  • Domain Reputation Analysis: Risk scoring and categorisation for domains, identifying malicious, phishing, spam, and suspicious infrastructure
  • IP Geolocation and Risk Assessment: Geographic attribution with threat indicators covering hosting provider, ASN, and known malicious activity history
  • Historical DNS Resolution Data: Infrastructure analysis through DNS history, mapping how threat actor domains have resolved over time and identifying shared hosting patterns
  • URL Scanning: Threat detection and categorisation for URLs including phishing, malware distribution, and command-and-control infrastructure
  • WHOIS Lookup: Domain and IP ownership intelligence including registrar, registration dates, and contact information for attribution analysis
  • Bulk Enrichment Support: Process multiple indicators simultaneously for rapid threat assessment during active incidents or large indicator sets
  • Configurable Risk Thresholds: Automated alerting when enriched indicators exceed defined risk score thresholds
  • Caching Layer: Frequently queried indicators served from cache to optimise performance and reduce external API call volume
  • Integration with Threat Intelligence Pipeline: Enrichment results feed into the broader platform intelligence workflow
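Added example, not code from Argus: a client-side bulk enrichment routine that exercises three of the features above in code: one batched lookup per indicator type instead of one call per indicator, a TTL cache in front of the provider so repeat lookups never leave the process, and a configurable risk threshold that turns high-scoring results into alerts. It also refangs and canonicalises indicators first, so `LOGIN-SECURE-UPDATE.EXAMPLE.` and `login-secure-update[.]example` collapse into one query. The `provider` callable, `TTLCache`, `BulkEnricher`, the intel table and the sample indicator list are all constructed for this example; a real deployment would replace the provider with calls to the module's GraphQL API, whose schema this page does not show.

```python
"""Client-side bulk enrichment: refang, classify, dedupe, cache, batch, alert.

Added example, not Argus code. `provider(kind, values)` stands in for the
enrichment API; CONSTRUCTED_INTEL and SAMPLE_INDICATORS are made up.
"""
import ipaddress
import re
import time
from urllib.parse import urlparse

# Hostname check: dot-separated labels of 1-63 chars, alphabetic TLD, 253 chars overall.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def refang(indicator):
    """Undo common defanging (hxxp://, [.], (.), [:]) so the value can be queried."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value):
    """Route a refanged value to a backend: 'ip', 'domain', 'url', or None if unsupported."""
    if "://" in value:
        parsed = urlparse(value)
        return "url" if parsed.scheme in ("http", "https") and parsed.netloc else None
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(value.rstrip(".")) else None


def canonical(kind, value):
    """Normalise so that 'Example.COM.' and 'example.com' hit the same cache entry."""
    if kind == "domain":
        return value.rstrip(".").lower()
    if kind == "ip":
        return str(ipaddress.ip_address(value))   # collapses alternative IPv6 spellings
    return value


class TTLCache:
    """Minimal caching layer; `clock` is injectable so expiry can be tested."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self._store = ttl_seconds, clock, {}

    def get(self, key):
        hit = self._store.get(key)
        if hit is None:
            return None
        value, expires = hit
        if self.clock() >= expires:
            del self._store[key]
            return None
        return value

    def put(self, key, value):
        self._store[key] = (value, self.clock() + self.ttl)


class BulkEnricher:
    def __init__(self, provider, cache, risk_threshold):
        self.provider, self.cache, self.risk_threshold = provider, cache, risk_threshold

    def enrich(self, indicators):
        report = {"results": {}, "alerts": [], "unsupported": [],
                  "cache_hits": 0, "provider_calls": 0}
        pending, seen = {}, set()      # pending: kind -> canonical values that missed the cache
        for raw in indicators:
            value = refang(raw)
            kind = classify(value)
            if kind is None:
                report["unsupported"].append(raw)
                continue
            value = canonical(kind, value)
            if (kind, value) in seen:
                continue               # duplicate after canonicalisation
            seen.add((kind, value))
            cached = self.cache.get((kind, value))
            if cached is not None:
                report["results"][value] = cached
                report["cache_hits"] += 1
            else:
                pending.setdefault(kind, set()).add(value)
        # One batched provider call per indicator type, not one per indicator.
        for kind, values in pending.items():
            report["provider_calls"] += 1
            for value, record in self.provider(kind, sorted(values)).items():
                self.cache.put((kind, value), record)
                report["results"][value] = record
        # Configurable threshold: anything at or above it becomes an alert.
        for value, record in report["results"].items():
            if record["risk_score"] >= self.risk_threshold:
                report["alerts"].append((value, record["risk_score"]))
        return report


# Constructed reputation data standing in for the enrichment backend.
CONSTRUCTED_INTEL = {
    ("domain", "login-secure-update.example"): {"risk_score": 91, "category": "phishing"},
    ("ip", "203.0.113.7"): {"risk_score": 75, "category": "c2"},
    ("url", "http://login-secure-update.example/verify"): {"risk_score": 88, "category": "phishing"},
}


def constructed_provider(kind, values):
    return {v: CONSTRUCTED_INTEL.get((kind, v), {"risk_score": 5, "category": "unknown"})
            for v in values}


# Constructed indicator list as an analyst might paste it, defanged and with duplicates.
SAMPLE_INDICATORS = [
    "hxxp://login-secure-update[.]example/verify",
    "login-secure-update[.]example",
    "LOGIN-SECURE-UPDATE.EXAMPLE.",
    "203.0.113.7",
    "198.51.100.20",
    "not an indicator",
]

if __name__ == "__main__":
    enricher = BulkEnricher(constructed_provider, TTLCache(300), risk_threshold=70)
    print(enricher.enrich(SAMPLE_INDICATORS))
```

Cache keys include the indicator type, so a value that is valid as both a hostname and something else can never return the wrong record; the threshold is applied to cached results as well, so a lowered threshold takes effect on the next run without a refetch.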

Use Cases

  • Enriching investigation indicators (domains, IPs, URLs) with threat intelligence context during active investigations
  • Assessing domain and IP risk levels to prioritise investigation of suspicious infrastructure identified through monitoring
  • Analysing historical DNS data to map threat actor infrastructure evolution and identify connections between campaigns
  • Bulk-processing indicators of compromise for rapid threat assessment during incident response

Integration

Connects with the platform's intelligence enrichment pipeline, alert management, and investigation workflows for automated indicator analysis. Results are organisation-scoped and subject to standard RBAC access controls.
