Overview#
A bank's SOC analyst is reviewing a fraud alert triggered by an unusual login to a high-value account. The source IP is unfamiliar. Running it through IP Address Intelligence reveals that the address belongs to a residential ISP in Eastern Europe, has appeared in 14 abuse complaints in the past six months, is listed on three threat feeds as associated with credential stuffing infrastructure, and previously hosted a domain that served as a banking trojan C2 server. Passive DNS shows it resolved to four other domains in the past year, two of which also appear in the threat feeds. The analyst's context has shifted from "unusual login" to "likely compromised credential used by established criminal infrastructure" in under 90 seconds. That context changes the response entirely.
The Argus IP Address Intelligence module provides analysis and enrichment of IP addresses encountered during investigations: geolocation, threat intelligence, reputation scoring, autonomous system information, and historical tracking in support of cyber investigations and digital evidence analysis. Every network interaction leaves an IP footprint, and the context behind those addresses is essential for attributing activity, mapping threat infrastructure, and building digital evidence chains. An address identifies a network endpoint at a moment in time rather than a person: VPNs, Tor, CGNAT and residential proxies all put unrelated users behind one address, so attribution should rest on corroborated enrichment and, where available, subscriber records rather than on geolocation alone.
Open Standards#
- OASIS STIX 2.1: IP addresses are represented as `ipv4-addr` and `ipv6-addr` SCOs, and Indicator SDOs reference them through STIX patterns such as `[ipv4-addr:value = '...']`; the platform includes a bidirectional adapter that parses inbound bundles and exports enriched IP indicators as compliant STIX 2.1 objects.
- OASIS TAXII 2.1: Threat feed integration uses an async TAXII 2.1 client with `application/taxii+json;version=2.1` content negotiation for collection polling and bundle publishing, so it interoperates with any compliant threat intelligence platform.
- RFC 791 (IPv4) / RFC 4291 (IPv6): Both address families are natively supported; the module performs explicit IP version detection and handles CIDR notation (RFC 4632) for network block analysis and trusted-proxy range evaluation.
- RFC 3912 (WHOIS) / RDAP (RFC 7483, superseded by RFC 9083): Organisational attribution, registration data, and historical ownership lookups are performed via WHOIS and RDAP queries; the platform integrates multiple WHOIS providers (including WhoisXMLAPI) and exposes WHOIS as a named provider capability.
- IANA Autonomous System Number Registry / BGP (RFC 4271): ASN enrichment extracts AS number, network name, route prefix, and AS type from operator-format strings (`AS<num> <name>`), enabling attribution to specific network operators and identification of hosting infrastructure and peering relationships.
- FIRST Traffic Light Protocol (TLP): Intelligence sharing controls use the TLP marking-definition identifiers fixed in the STIX 2.1 specification (TLP:WHITE, GREEN, AMBER and RED; TLP 2.0's TLP:CLEAR is the renamed WHITE tier), governing how enriched IP profiles may be disseminated.
- MITRE ATT&CK: Command-and-control infrastructure identification and threat actor attribution are aligned to MITRE ATT&CK technique classifications; the platform integrates the MITRE ATT&CK and MITRE ATLAS frameworks for technique-level context on malicious IP activity.
- GraphQL: All IP address intelligence queries, mutations, and bulk lookups are exposed through a strongly typed GraphQL API, enabling structured interoperability with SIEM, case management, and forensics platforms.
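As an added example (not code from the Argus module or from OASIS), the following Python builds the STIX 2.1 objects described above for an enriched address and reads IPs back out of an inbound bundle: `ipv4-addr`/`ipv6-addr` SCOs with the deterministic UUIDv5 ids the specification prescribes, an Indicator SDO whose pattern references the address, and the specification's fixed TLP marking-definition ids. The producer identity id (`ARGUS_IDENTITY`), the indicator labels and the confidence values are assumptions made for the illustration.

```python
"""Added example, not the Argus module's own code: enriched IPs as STIX 2.1
objects, plus the inbound direction (pulling IPs out of a received bundle).

Object layout, SCO id derivation and the TLP marking ids follow the STIX 2.1
specification. ARGUS_IDENTITY, the indicator labels and the confidence values
are assumptions made for this illustration.
"""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# UUIDv5 namespace the STIX 2.1 spec fixes for deterministic SCO ids. The name
# is the canonical JSON of the id-contributing properties, which for
# ipv4-addr / ipv6-addr is only "value", so the same address always gets the same id.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# TLP marking-definition ids fixed by the STIX 2.1 specification. TLP 2.0 renamed
# WHITE to CLEAR; the STIX 2.1 id for that tier is still the TLP:WHITE one.
TLP = {
    "clear": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dcdf-4f09-b8d2-02f5bf8e68ed",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# Assumed producer identity; a real deployment mints and publishes its own identity SDO.
ARGUS_IDENTITY = "identity--5c1d4e6a-2b3f-4c8d-9e0f-1a2b3c4d5e6f"

# Address comparisons inside STIX patterns, e.g. [ipv4-addr:value = '192.0.2.10']
PATTERN_IP_RE = re.compile(r"ipv[46]-addr:value\s*=\s*'([^']+)'")


def _stix_time(dt):
    """STIX timestamps: UTC, RFC 3339, millisecond precision, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def ip_observable(ip):
    """Build the ipv4-addr / ipv6-addr SCO for one address (ValueError on junk input)."""
    addr = ipaddress.ip_address(ip.strip())  # validates and normalises (compressed IPv6)
    sco_type = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
    contributing = json.dumps({"value": str(addr)}, separators=(",", ":"), sort_keys=True)
    return {
        "type": sco_type,
        "spec_version": "2.1",
        "id": f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, contributing)}",
        "value": str(addr),
    }


def ip_indicator(ip, tlp, labels, confidence, now=None):
    """Wrap an enriched IP as an Indicator SDO with a STIX pattern and a TLP marking."""
    if tlp not in TLP:
        raise ValueError(f"unknown TLP level {tlp!r}")
    if not 0 <= confidence <= 100:
        raise ValueError("STIX confidence must be in 0..100")
    sco = ip_observable(ip)
    ts = _stix_time(now or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created_by_ref": ARGUS_IDENTITY,
        "created": ts,
        "modified": ts,
        "indicator_types": list(labels),  # values from the indicator-type-ov vocabulary
        "pattern": f"[{sco['type']}:value = '{sco['value']}']",
        "pattern_type": "stix",
        "valid_from": ts,
        "confidence": confidence,
        "object_marking_refs": [TLP[tlp]],
    }


def export_bundle(ips, tlp, labels=("malicious-activity",), confidence=50):
    """One bundle carrying both the SCOs (stable ids, so consumers can dedupe) and the indicators."""
    objects = []
    for ip in ips:
        objects.append(ip_observable(ip))
        objects.append(ip_indicator(ip, tlp, labels, confidence))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def extract_ips(bundle):
    """Inbound adapter: IPs from address SCOs and from indicator patterns. Anything that
    does not parse as an address is dropped, so a malformed feed cannot poison the set."""
    found = set()
    for obj in bundle.get("objects", []):
        candidates = []
        if obj.get("type") in ("ipv4-addr", "ipv6-addr"):
            candidates.append(obj.get("value", ""))
        elif obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            candidates.extend(PATTERN_IP_RE.findall(obj.get("pattern", "")))
        for c in candidates:
            try:
                found.add(str(ipaddress.ip_address(c)))
            except ValueError:
                continue
    return sorted(found)


if __name__ == "__main__":
    bundle = export_bundle(["192.0.2.10", "2001:db8::1"], "amber", confidence=80)
    print(json.dumps(bundle, indent=2))
    print(extract_ips(bundle))
```

Because the SCO id is derived from the normalised value, `2001:0db8::1` and `2001:db8::1` collapse to one object across enrichment runs, which is what lets a downstream TIP deduplicate. Indicator ids are random per run, so a re-export of the same address should carry the earlier indicator id in `modified` form rather than minting a new one if the consumer is to see an update rather than a duplicate.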
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
Key Features#
Geolocation and Attribution#
- Geolocation to country, region and city level, with ISP identification and timezone detection; city-level results reflect the provider's database and should be corroborated before they carry weight in attribution.
- WHOIS and registration data lookup with organisational attribution and contact information.
- Autonomous system (AS) information including ownership, network ranges, and peering relationships.
- Historical IP assignment tracking showing changes in ownership and allocation over time.
- Hosting provider identification distinguishing commercial hosting, cloud platforms, and residential connections.
- CDN and load balancer detection identifying infrastructure that may mask origin server locations.
- IPv6 analysis, so addresses from the growing IPv6 deployment are enriched alongside IPv4 rather than dropped from processing.
Threat Intelligence#
- Threat intelligence with reputation scoring, malware association, and botnet identification.
- Abuse history tracking with complaint records and blacklist status monitoring.
- Real-time threat feed integration for current threat indicator matching.
- Command and control infrastructure identification linking IP addresses to known malicious campaigns.
- Tor exit node and anonymization service identification for privacy network detection.
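The reputation scoring, abuse-history and feed-matching bullets above do not say how hits are combined. The code below is an added illustration, not the module's scoring model: it matches an address against feed entries that may be exact values or CIDR blocks, collapses feeds that rebroadcast the same upstream producer so one sighting is not counted twice, weights by match tightness and recency, and adds a capped contribution from recent abuse complaints. The feeds, the complaint records, the point weights and the 180-day window are all constructed for the example.

```python
"""Added example, not the Argus module's own code: threat-feed matching and an
evidence-backed reputation score for one IP.

FEEDS and ABUSE are constructed sample data. The weights, the recency decay,
the 180-day complaint window and the per-origin deduplication are illustrative
choices, not the module's scoring model.
"""
import ipaddress
import json
from datetime import date

# Constructed feed entries. `origin` is the upstream producer: two feeds that
# rebroadcast the same vendor's data must not count as two independent sightings.
FEEDS = [
    {"source": "feed-a", "origin": "vendor-x", "indicator": "198.51.100.77",
     "tag": "credential-stuffing", "seen": "2026-04-01"},
    {"source": "feed-b", "origin": "vendor-x", "indicator": "198.51.100.77",
     "tag": "credential-stuffing", "seen": "2026-04-02"},   # rebroadcast of feed-a
    {"source": "feed-c", "origin": "vendor-y", "indicator": "198.51.100.0/24",
     "tag": "c2", "seen": "2025-12-20"},
    {"source": "feed-d", "origin": "vendor-z", "indicator": "203.0.113.0/24",
     "tag": "scanner", "seen": "2026-03-30"},
]
# Constructed abuse-complaint history, keyed by address.
ABUSE = {"198.51.100.77": ["2025-11-03", "2026-02-11", "2026-03-28"]}


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def recency_weight(seen, today):
    """Illustrative decay: full weight for 30 days, half up to 180, a quarter after."""
    age = (today - seen).days
    return 1.0 if age <= 30 else 0.5 if age <= 180 else 0.25


def feed_hits(ip, feeds, today):
    """Exact and CIDR matches, deduplicated per (origin, network); most recent sighting kept."""
    addr = ipaddress.ip_address(ip)
    best = {}
    for entry in feeds:
        net = ipaddress.ip_network(entry["indicator"], strict=False)
        if addr not in net:                      # also False for a version mismatch
            continue
        key = (entry["origin"], str(net))
        seen = _as_date(entry["seen"])
        if key not in best or seen > best[key]["seen"]:
            best[key] = {**entry, "net": net, "seen": seen}
    hits = []
    for h in best.values():
        exact = h["net"].prefixlen == h["net"].max_prefixlen
        tight = h["net"].prefixlen >= (24 if h["net"].version == 4 else 48)
        base = 40 if exact else 20 if tight else 10   # illustrative weights
        hits.append({"source": h["source"], "origin": h["origin"], "tag": h["tag"],
                     "match": "exact" if exact else str(h["net"]),
                     "points": round(base * recency_weight(h["seen"], today), 1)})
    return hits


def reputation(ip, feeds=FEEDS, abuse=ABUSE, today=None):
    """Score 0..100 with the evidence that produced it, so an analyst can audit the number."""
    today = _as_date(today) or date.today()
    addr = str(ipaddress.ip_address(ip))
    hits = feed_hits(addr, feeds, today)
    recent = [d for d in abuse.get(addr, []) if (today - _as_date(d)).days <= 180]
    abuse_points = min(25, 5 * len(recent))          # capped so complaints alone cannot max the score
    score = min(100, round(sum(h["points"] for h in hits) + abuse_points))
    return {"ip": addr, "score": score, "feed_hits": hits,
            "recent_abuse_complaints": len(recent),
            "independent_origins": len({h["origin"] for h in hits})}


if __name__ == "__main__":
    print(json.dumps(reputation("198.51.100.77", today="2026-04-14"), indent=2))
```

The `independent_origins` count is the figure worth showing an analyst next to the score: three feeds that all resell one vendor's list are one source, and a score built on a single origin should be treated as a lead to corroborate rather than as attribution.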
Analysis and Investigation#
- Proxy and VPN detection identifying anonymization services and obfuscation techniques.
- Bulk IP analysis for processing large datasets of addresses from logs and network captures.
- IP range analysis mapping network blocks and identifying related infrastructure.
- Passive DNS integration revealing domain names associated with IP addresses over time.
- Network neighborhood analysis identifying other services and domains hosted on the same infrastructure.
- TLS (SSL) certificate analysis correlating certificates with IP addresses for infrastructure mapping.
- Port scan history tracking open services and protocol changes over time.
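The bulk and range analysis bullets above, together with the CIDR handling and `AS<num> <name>` parsing listed under Open Standards, come down to a small amount of code that is easy to get wrong. The block below is an added example, not the module's own: it walks constructed web-server log lines, decides which address is the client (honouring X-Forwarded-For only when the peer is inside a trusted proxy range, because otherwise the header is attacker-supplied), normalises IPv4 and IPv6, groups addresses into /24 and /48 blocks, and parses operator-format ASN strings. The log layout, the 10.0.0.0/8 proxy range and the sample ASN strings are assumptions.

```python
"""Added example, not the Argus module's own code: bulk client-IP extraction
from web-server logs with trusted-proxy evaluation, IPv4/IPv6 normalisation,
network-block grouping and parsing of operator-format ASN strings.

SAMPLE_LOG, TRUSTED_PROXIES and the ASN strings are constructed for the
illustration; the log layout (combined format followed by a quoted
X-Forwarded-For field) is an assumption about the source system.
"""
import ipaddress
import re
from collections import Counter

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed front-proxy range

# Constructed sample: peer IP, combined-log fields, then the X-Forwarded-For header.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2026:10:01:02 +0000] "POST /login HTTP/1.1" 200 512 "198.51.100.23"
10.0.0.5 - - [14/Apr/2026:10:01:03 +0000] "POST /login HTTP/1.1" 401 88 "198.51.100.77, 10.0.0.5"
203.0.113.9 - - [14/Apr/2026:10:01:04 +0000] "POST /login HTTP/1.1" 401 88 "1.1.1.1"
2001:db8:abcd:1::10 - - [14/Apr/2026:10:01:05 +0000] "GET / HTTP/1.1" 200 1024 "-"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>[^"]*)"$'
)
ASN_RE = re.compile(r"^AS\s?(?P<num>\d+)\s*(?P<name>.*)$")


def _in_ranges(addr, ranges):
    return any(addr in net for net in ranges)


def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Pick the real client address.

    X-Forwarded-For is attacker-controlled unless the peer is a proxy we run, so
    it is honoured only when the peer is in a trusted range, and then by walking
    the header right-to-left to the first hop that is not one of our proxies.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not _in_ranges(peer_addr, trusted):
        return str(peer_addr)                     # direct connection: ignore the header
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            continue                              # "-", empty, or a spoofed non-address
        if not _in_ranges(hop_addr, trusted):
            return str(hop_addr)
    return str(peer_addr)                         # every hop was ours: nothing better than the peer


def network_block(ip):
    """Group IPv4 into /24 and IPv6 into /48 for neighbourhood analysis."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def parse_log(text, trusted=TRUSTED_PROXIES):
    """One record per line; lines that do not parse are kept as errors, not dropped silently."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            records.append({"error": line})
            continue
        ip = client_ip(m["peer"], m["xff"], trusted)
        records.append({"client": ip, "version": ipaddress.ip_address(ip).version,
                        "status": int(m["status"]), "block": network_block(ip)})
    return records


def blocks_by_count(records):
    """Which network blocks the traffic came from, most active first."""
    return Counter(r["block"] for r in records if "client" in r)


def parse_asn(s):
    """Parse 'AS<num> <name>' into number and operator name; ASNs are 32-bit (RFC 6793)."""
    m = ASN_RE.match(s.strip())
    if not m:
        raise ValueError(f"not an operator-format ASN string: {s!r}")
    num = int(m["num"])
    if num > 0xFFFFFFFF:
        raise ValueError(f"ASN {num} exceeds the 32-bit range")
    return {"asn": num, "name": m["name"].strip()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(blocks_by_count(recs).most_common())
    print(parse_asn("AS13335 Cloudflare, Inc."))
```

The third sample line is the case that matters: the peer is not a proxy, so the `1.1.1.1` it put in X-Forwarded-For is discarded and the enrichment runs against 203.0.113.9. A pipeline that trusts the header unconditionally would enrich whatever address the attacker chose to name.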
Visualisation and Reporting#
- Geographic visualisation mapping IP addresses and network infrastructure on interactive maps.
- Network topology visualisation showing relationships between IP addresses, autonomous systems, and hosting infrastructure.
- Investigation timeline tracking showing how IP address usage and associations change over time.
- Exportable intelligence reports for inclusion in investigation files and court documentation.
- Alert configuration for monitoring specific IP ranges or network blocks of investigative interest.
- Attribution confidence scoring helping analysts assess the reliability of IP-based intelligence.
Use Cases#
Cyber Investigation. Enrich IP addresses from network logs, email headers, and digital evidence with geolocation, ownership, threat intelligence, and historical data to identify suspects and attack infrastructure. Build comprehensive digital evidence packages for prosecution.
Threat Intelligence Analysis. Analyse IP addresses associated with malicious activity to identify threat actors, map command and control infrastructure, and assess organisational exposure to known threats. Correlate threat indicators across multiple investigations.
Network Forensics. Process large volumes of IP addresses from network captures and security logs to identify anomalous connections, unauthorized access, and data exfiltration channels. Distinguish between legitimate traffic and suspicious activity through enrichment and behavioural analysis.
Attribution and Infrastructure Mapping. Map the network infrastructure of threat actors and criminal organisations by analysing IP ranges, autonomous systems, hosting relationships, and historical allocation records. Track infrastructure changes over time to maintain current intelligence.
Integration#
- Connects with threat intelligence platforms and indicator feeds for real-time enrichment.
- Integrates with SIEM and network security monitoring systems for automated analysis.
- Links to investigation and case management workflows for evidence integration.
- Works with digital forensics platforms for comprehensive evidence enrichment.
- Supports bulk processing of IP data from network logs and captures.
- Compatible with email forensics tools for header analysis and sender attribution.
- Feeds into organisational threat dashboards for cyber intelligence awareness.
- Connects with MISP for indicator correlation and community sharing.
- Integrates with law enforcement subpoena management for IP subscriber information requests.
- Supports darknet monitoring for IP intelligence related to Tor and anonymization services.