Cross-Cutting Recipes

Recipes that span personas: full-context investigations, threat-score breakdowns, and multi-step pivots.

Updated May 2026

Patterns that work across multiple use cases and personas.

CNAME Chain Traversal

Follow a CNAME chain of one to five hops to reach the canonical hostname (the upper bound on the variable-length path keeps the traversal cheap).

// Follow CNAME aliases to the canonical target
MATCH (h:HOSTNAME {name: "www.github.com"})-[:ALIAS_OF*1..5]->(canonical:HOSTNAME)
RETURN h.name AS alias, canonical.name AS canonical_host

Sample output:

[{"alias": "www.github.com", "canonical_host": "github.com"}]

Registered Allocation for an IP

// Registered allocation block and organization for an IP
MATCH (ip:IPV4 {name: "1.1.1.1"})
      -[:BELONGS_TO]->(rp:REGISTERED_PREFIX)
OPTIONAL MATCH (rp)-[:REGISTERED_BY]->(org:ORGANIZATION)
OPTIONAL MATCH (rp)-[:HAS_COUNTRY]->(co:COUNTRY)
RETURN ip.name AS ip, rp.name AS allocation,
       org.name AS registered_org, co.name AS country

Sample output:

[{"ip": "1.1.1.1", "allocation": "1.1.1.0/24", "registered_org": "APNIC Research and Development", "country": "AU"}]

Tip: The organization name under REGISTERED_BY comes from RIR WHOIS records. Some entries are organization handles; others are full names depending on how the registry published the data.

Threat Assessment for a CIDR Range

Get network-level threat density for a subnet.

// Threat assessment for a CIDR range
CALL explain("185.220.101.0/24")

Sample output:

[{
  "indicator": "185.220.101.0/24",
  "type": "network",
  "found": true,
  "score": 0.0,
  "level": "MEDIUM",
  "explanation": "Network 185.220.101.0/24 contains 176 listed IP(s) and 28 listed subnet(s). Threat density: 68.7500%. Score 74.7 (Medium risk - investigate further).",
  "factors": [
    "Listed IPs: 176 IPs found → 10 × log₂(176 + 1) = 74.68",
    "Listed subnets: 28 found, max score 4.44 → contributes 3.55 (80% inheritance)",
    "Threat density: 176 listed / 256 addresses = 68.7500%"
  ]
}]

Tip: Scoring a whole network is heavier than scoring a single IP. If the response comes back with "available": false and a retryAfter value, the assessment timed out — wait that many seconds and run it again. The result is cached once computed, so the retry is fast.
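The retry handling described in the tip above and the per-factor arithmetic shown in the sample output, as an added Python example; this is not code from the original documentation or from the product's own client library. It assumes a caller-supplied `run_explain` function that returns the JSON object shown on the page, a pending response of the form `{"available": false, "retryAfter": N}` when the assessment times out, and that the raw counts (listed IPs, listed subnets, maximum subnet score) are available to the caller; on the page they appear only inside the factor strings, so the sample below is constructed to mirror them. How the three factors combine into the overall score is not stated on the page, so the example stops at reproducing the factor lines and checking them against what `explain` returned.

```python
import ipaddress
import math
from typing import Any, Callable, Dict, List

# Constructed sample: the pending shape implied by the Tip (assumed field layout).
PENDING: Dict[str, Any] = {
    "indicator": "185.220.101.0/24",
    "available": False,
    "retryAfter": 2,
}

# Constructed sample mirroring the page's sample output once the score is cached.
# listed_ips / listed_subnets / max_subnet_score are assumed raw-count fields;
# the page only shows these numbers inside the factor strings.
READY: Dict[str, Any] = {
    "indicator": "185.220.101.0/24",
    "type": "network",
    "found": True,
    "available": True,
    "listed_ips": 176,
    "listed_subnets": 28,
    "max_subnet_score": 4.44,
    "factors": [
        "Listed IPs: 176 IPs found → 10 × log₂(176 + 1) = 74.68",
        "Listed subnets: 28 found, max score 4.44 → contributes 3.55 (80% inheritance)",
        "Threat density: 176 listed / 256 addresses = 68.7500%",
    ],
}


def explain_with_retry(run_explain: Callable[[str], Dict[str, Any]], indicator: str,
                       sleep: Callable[[float], None], max_attempts: int = 5) -> Dict[str, Any]:
    """Call explain() and honour retryAfter while the network assessment is pending.

    The result is cached server-side once computed, so the retry is cheap.
    """
    for attempt in range(1, max_attempts + 1):
        result = run_explain(indicator)
        if result.get("available", True):
            return result
        if attempt == max_attempts:
            raise TimeoutError(f"{indicator}: assessment still pending after {attempt} attempts")
        sleep(float(result.get("retryAfter", 1)))
    raise AssertionError("unreachable")


def listed_ip_factor(listed_ips: int) -> float:
    """Factor text on the page: 10 × log2(n + 1)."""
    return 10 * math.log2(listed_ips + 1)


def subnet_inheritance_factor(max_subnet_score: float, inheritance: float = 0.80) -> float:
    """Listed subnets contribute 80% of the highest subnet score."""
    return max_subnet_score * inheritance


def threat_density(listed_ips: int, cidr: str) -> float:
    """Listed addresses divided by the block size (256 for a /24)."""
    return listed_ips / ipaddress.ip_network(cidr, strict=False).num_addresses


def recompute_factors(result: Dict[str, Any]) -> List[str]:
    """Rebuild the factor lines from raw counts, in the page's own wording."""
    n, cidr = result["listed_ips"], result["indicator"]
    size = ipaddress.ip_network(cidr, strict=False).num_addresses
    subnets, max_score = result["listed_subnets"], result["max_subnet_score"]
    return [
        f"Listed IPs: {n} IPs found → 10 × log₂({n} + 1) = {listed_ip_factor(n):.2f}",
        f"Listed subnets: {subnets} found, max score {max_score:.2f} → contributes "
        f"{subnet_inheritance_factor(max_score):.2f} (80% inheritance)",
        f"Threat density: {n} listed / {size} addresses = {threat_density(n, cidr) * 100:.4f}%",
    ]


def factors_consistent(result: Dict[str, Any]) -> bool:
    """True when explain()'s factor lines match the arithmetic recomputed from the counts."""
    return recompute_factors(result) == result["factors"]


def demo():
    """Simulate one timed-out call followed by the cached result; returns (result, waits)."""
    responses = iter([PENDING, READY])
    waits: List[float] = []
    result = explain_with_retry(lambda _ind: next(responses), "185.220.101.0/24", sleep=waits.append)
    return result, waits


if __name__ == "__main__":
    final, slept = demo()
    print(f"waited {slept} s, factors consistent: {factors_consistent(final)}")
```

In production the `sleep` argument is `time.sleep` and `run_explain` wraps whatever driver issues `CALL explain(...)`; injecting both keeps the retry logic testable without a live graph. `factors_consistent` is a cheap sanity check worth running on any `explain` result before quoting its numbers in a report.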

Find Domains Linking Out to a Suspicious Site

// Who links to a suspicious domain?
MATCH (source:HOSTNAME)-[:LINKS_TO]->(h:HOSTNAME {name: "cloudflare.com"})
RETURN source.name LIMIT 15

Classify an Indicator by Threat Category

You want more than a yes/no — you want to know what kind of threat an IP represents: command-and-control, malware hosting, a scanner, an anonymizer, and so on. Threat-enriched IP and hostname nodes carry category flags you can read directly.

// Read threat category flags off an IP node
MATCH (ip:IPV4 {name: "185.220.101.1"})
RETURN ip.name, ip.threatScore, ip.threatLevel, ip.isThreat,
       ip.isTor, ip.isProxy, ip.isAnonymizer, ip.isMalware, ip.isC2

Sample output:

[{
  "ip.name": "185.220.101.1",
  "ip.threatScore": 4.4,
  "ip.threatLevel": "MEDIUM",
  "ip.isThreat": true,
  "ip.isTor": true,
  "ip.isProxy": false,
  "ip.isAnonymizer": true,
  "ip.isMalware": false,
  "ip.isC2": false
}]

Tip: Category flags include isThreat, isC2, isMalware, isPhishing, isSpam, isTor, isProxy, isAnonymizer, isScanner, isBruteforce, isBlacklist, and isWhitelist. They are fastest when you anchor on a specific node with {name: "..."} — filtering an unanchored label scan on a flag will time out. To find indicators of a given category, start from a known node or prefix and traverse outward.