Cross-Cutting Recipes
Recipes that span personas: full-context investigations, threat-score breakdowns, and multi-step pivots.
Updated May 2026
Patterns that work across multiple use cases and personas.
CNAME Chain Traversal
Follow a CNAME chain of arbitrary length, up to the five hops the pattern below allows, to find the canonical hostname.
-- Follow CNAME aliases to the canonical target
MATCH (h:HOSTNAME {name: "www.github.com"})-[:ALIAS_OF*1..5]->(canonical:HOSTNAME)
RETURN h.name AS alias, canonical.name AS canonical_host
Sample output:
[{"alias": "www.github.com", "canonical_host": "github.com"}]
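Added example, not part of the product documentation: a Python walk over exported ALIAS_OF edges that returns only the terminal hostname and flags alias loops and chains that exceed the five-hop bound used in the query above. The edge list, every hostname other than www.github.com and github.com, and the function names are constructed for illustration.

```python
# Added example: walk ALIAS_OF edges to the terminal (canonical) hostname.
# The edge list is constructed sample data, not output from the product.
MAX_HOPS = 5  # same bound as the *1..5 pattern in the recipe

# Constructed (alias, target) pairs standing in for ALIAS_OF relationships.
SAMPLE_EDGES = [
    ("www.github.com", "github.com"),
    ("shop.example.test", "cdn.example.test"),
    ("cdn.example.test", "edge.example.net"),
    ("a.loop.test", "b.loop.test"),
    ("b.loop.test", "a.loop.test"),
] + [(f"h{i}.deep.test", f"h{i + 1}.deep.test") for i in range(7)]


def normalize(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def resolve_canonical(edges, start, max_hops=MAX_HOPS):
    """Return (chain, status); status is 'canonical', 'loop',
    'truncated' (hop bound reached) or 'no_alias'."""
    alias_of = {normalize(a): normalize(t) for a, t in edges}
    chain = [normalize(start)]
    seen = {chain[0]}
    while chain[-1] in alias_of:
        if len(chain) - 1 == max_hops:
            # More aliases remain past the bound: result is not canonical.
            return chain, "truncated"
        nxt = alias_of[chain[-1]]
        if nxt in seen:
            # Alias points back into the chain: there is no canonical host.
            return chain + [nxt], "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "canonical" if len(chain) > 1 else "no_alias"


if __name__ == "__main__":
    for host in ("WWW.GitHub.com.", "shop.example.test", "a.loop.test",
                 "h0.deep.test", "github.com"):
        chain, status = resolve_canonical(SAMPLE_EDGES, host)
        print(f"{status:10} {' -> '.join(chain)}")
```

A "truncated" or "loop" status means the last hostname in the chain should not be treated as the canonical target.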
Registered Allocation for an IP
-- Registered allocation block and organization for an IP
MATCH (ip:IPV4 {name: "1.1.1.1"})
-[:BELONGS_TO]->(rp:REGISTERED_PREFIX)
OPTIONAL MATCH (rp)-[:REGISTERED_BY]->(org:ORGANIZATION)
OPTIONAL MATCH (rp)-[:HAS_COUNTRY]->(co:COUNTRY)
RETURN ip.name AS ip, rp.name AS allocation,
org.name AS registered_org, co.name AS country
Sample output:
[{"ip": "1.1.1.1", "allocation": "1.1.1.0/24", "registered_org": "APNIC Research and Development", "country": "AU"}]
Tip: The organization name under REGISTERED_BY comes from RIR WHOIS records. Some entries are organization handles; others are full names depending on how the registry published the data.
Threat Assessment for a CIDR Range
Get network-level threat density for a subnet.
-- Threat assessment for a CIDR range
CALL explain("185.220.101.0/24")
Sample output:
[{
"indicator": "185.220.101.0/24",
"type": "network",
"found": true,
"score": 0.0,
"level": "MEDIUM",
"explanation": "Network 185.220.101.0/24 contains 167 listed IPs across multiple threat feeds."
}]
Find Domains Linking Out to a Suspicious Site
-- Who links to a suspicious domain?
MATCH (source:HOSTNAME)-[:LINKS_TO]->(h:HOSTNAME {name: "cloudflare.com"})
RETURN source.name LIMIT 15