Threat Intelligence Analysts
Hunt across 40+ threat feeds, score indicators, follow campaign infrastructure, and map operator footprints.
Threat Intelligence Analysts Documentation
You're building a picture of threat actor infrastructure, mapping campaigns, and correlating indicators across sources.
Quick Triage
Expand from One Domain to Its Full Campaign
You have one suspicious domain and want to find other domains hosted on the same infrastructure.
-- Pivot on shared IP: find all domains co-hosted with a suspicious domain
MATCH (h1:HOSTNAME {name: "paypal--confirm.com"})
-[:RESOLVES_TO]->(ip:IPV4)
<-[:RESOLVES_TO]-(h2:HOSTNAME)
WHERE h1 <> h2
RETURN h2.name AS related_domain, ip.name AS shared_ip LIMIT 20
Tip: If the result is empty, the domain may have been taken down (no current A record). Use CALL whisper.history("domain") to check whether it had records before the takedown.
Pivot on Shared WHOIS Contact Email
A threat actor reused the same contact email across multiple registrations — find them all.
-- All domains registered with the same WHOIS email
MATCH (h1:HOSTNAME {name: "cloudflare.com"})
-[:HAS_EMAIL]->(e:EMAIL)
<-[:HAS_EMAIL]-(h2:HOSTNAME)
WHERE h1 <> h2
RETURN h2.name AS related_domain, e.name AS shared_email LIMIT 20
Sample output:
[
{"related_domain": "amp8ball.com", "shared_email": "domains@cloudflare.com"},
{"related_domain": "as13335.com", "shared_email": "domains@cloudflare.com"},
{"related_domain": "asap-cloudflare.com", "shared_email": "domains@cloudflare.com"}
]
Tip: Registrar privacy services often replace real emails with proxy addresses. Check whether the shared email is from a privacy service before drawing attribution conclusions.
Deep Dive Investigation
Pivot on Shared Registrar
When a specific threat actor consistently uses the same registrar, find other domains in that cohort.
-- All domains registered through the same registrar as the seed domain
MATCH (h1:HOSTNAME {name: "cloudflare.com"})
-[:HAS_REGISTRAR]->(r:REGISTRAR)
<-[:HAS_REGISTRAR]-(h2:HOSTNAME)
WHERE h1 <> h2
RETURN h2.name AS related_domain, r.name AS registrar LIMIT 10
Sample output:
[
{"related_domain": "3-m.ac", "registrar": "iana:1910"},
{"related_domain": "180.academy", "registrar": "iana:1910"},
{"related_domain": "1111systems.academy", "registrar": "iana:1910"}
]
Tip: High-volume registrars like MarkMonitor or CSC are used by thousands of legitimate enterprises. More interesting are smaller or obscure registrars that appear in multiple suspicious registrations.
Nameserver Clustering
Find all domains that delegate DNS to the same nameserver — a classic indicator of shared threat actor infrastructure.
-- All domains using a specific nameserver
MATCH (ns:HOSTNAME {name: "ns1.google.com"})
-[:NAMESERVER_FOR]->(h:HOSTNAME)
RETURN h.name LIMIT 20
Sample output:
[
{"h.name": "forum.unicloud.ai"},
{"h.name": "blogspot.al"},
{"h.name": "google.al"}
]
Tip: For investigation, look for private or unusual nameservers rather than major providers. Domains sharing a custom nameserver operated by the attacker are a strong clustering signal.
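The four pivots above (shared IP, shared WHOIS email, shared registrar, shared nameserver) each return a flat list, and the tips note that some shared values carry far less weight than others. The following is an added example for this page, not part of the product's own code: it post-processes result rows shaped exactly like the sample outputs above and ranks candidate domains by weighted pivot overlap, zeroing a privacy-proxy email, demoting a high-volume registrar, and demoting a nameserver run by a major provider. The privacy-service, high-volume-registrar and major-DNS lists are illustrative assumptions to extend from your own feeds, and the sample rows are constructed (reserved .example names, TEST-NET addresses).

```python
"""Rank candidates returned by the infrastructure pivots above.

Added example for this documentation page; it is not part of the product's
own code. It post-processes result rows shaped like the sample outputs for
the shared-IP, shared-WHOIS-email, shared-registrar and shared-nameserver
queries, and weights each pivot by how specific it is. The privacy-service,
high-volume-registrar and major-DNS lists are illustrative assumptions; the
sample rows are constructed and use reserved .example names and TEST-NET
addresses.
"""
from collections import defaultdict

# Assumption: mail domains of common WHOIS privacy/proxy services.
PRIVACY_EMAIL_DOMAINS = {
    "withheldforprivacy.com", "domainsbyproxy.com", "contactprivacy.com",
    "privacyguardian.org", "whoisprivacyprotect.com",
}
# Assumption: high-volume registrars by IANA ID as they appear in this page's
# outputs (292 = MarkMonitor, 299 = CSC, 1910 = Cloudflare).
HIGH_VOLUME_REGISTRARS = {"iana:292", "iana:299", "iana:1910"}
# Assumption: substrings identifying nameservers run by large public providers.
MAJOR_NS_MARKERS = (".google.com", ".cloudflare.com", ".awsdns-", ".azure-dns.")
# Base weights per pivot: a shared registrant email and a custom nameserver
# are the most specific signals, a shared registrar the least.
WEIGHTS = {"shared_ip": 2.0, "shared_email": 3.0, "shared_registrar": 1.0, "shared_ns": 3.0}
DEMOTION = 0.1  # multiplier applied when the shared value is a commodity


def is_privacy_email(email):
    return email.rsplit("@", 1)[-1].lower() in PRIVACY_EMAIL_DOMAINS


def is_major_nameserver(ns):
    ns = ns.lower()
    return any(marker in ns for marker in MAJOR_NS_MARKERS)


def score_pivots(seed, ip_rows, email_rows, registrar_rows, ns_rows, nameserver):
    """Return {domain: {"score", "evidence"}} ordered from strongest to weakest.

    Row shapes follow the page's sample outputs: ip/email/registrar rows carry
    "related_domain", nameserver rows carry "h.name".
    """
    scores = defaultdict(lambda: {"score": 0.0, "evidence": []})

    def add(domain, pivot, weight, note):
        domain = domain.lower()
        if domain == seed.lower():  # the nameserver query does not exclude the seed
            return
        scores[domain]["score"] += weight
        scores[domain]["evidence"].append(f"{pivot}={note} (+{weight:g})")

    for r in ip_rows:
        add(r["related_domain"], "shared_ip", WEIGHTS["shared_ip"], r["shared_ip"])
    for r in email_rows:
        email = r["shared_email"]
        # Everyone using the same privacy service shares this address: no attribution value.
        w = 0.0 if is_privacy_email(email) else WEIGHTS["shared_email"]
        add(r["related_domain"], "shared_email", w, email)
    for r in registrar_rows:
        reg = r["registrar"]
        w = WEIGHTS["shared_registrar"] * (DEMOTION if reg in HIGH_VOLUME_REGISTRARS else 1.0)
        add(r["related_domain"], "shared_registrar", w, reg)
    for r in ns_rows:
        w = WEIGHTS["shared_ns"] * (DEMOTION if is_major_nameserver(nameserver) else 1.0)
        add(r["h.name"], "shared_ns", w, nameserver)

    ranked = sorted(scores.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return {d: {"score": round(v["score"], 2), "evidence": v["evidence"]} for d, v in ranked}


# Constructed rows standing in for the outputs of the four queries above.
SEED = "paypal--confirm.com"
IP_ROWS = [
    {"related_domain": "paypal--secure-login.example", "shared_ip": "203.0.113.10"},
    {"related_domain": "shared-tenant.example", "shared_ip": "203.0.113.10"},
]
EMAIL_ROWS = [
    {"related_domain": "paypal--secure-login.example", "shared_email": "ops@registrant.example"},
    {"related_domain": "unrelated-site.example", "shared_email": "abc123@withheldforprivacy.com"},
]
REGISTRAR_ROWS = [
    {"related_domain": "paypal--secure-login.example", "registrar": "iana:1910"},
    {"related_domain": "big-brand.example", "registrar": "iana:1910"},
]
NAMESERVER = "ns1.sneaky-dns.example"
NS_ROWS = [
    {"h.name": "paypal--confirm.com"},
    {"h.name": "paypal--secure-login.example"},
    {"h.name": "verify-account-now.example"},
]


def demo():
    return score_pivots(SEED, IP_ROWS, EMAIL_ROWS, REGISTRAR_ROWS, NS_ROWS, NAMESERVER)


if __name__ == "__main__":
    for domain, info in demo().items():
        print(f"{info['score']:5.1f}  {domain}  {'; '.join(info['evidence'])}")
```

The evidence list is kept per domain so the ranking stays explainable: a candidate that scores on one strong pivot and a candidate that scores on three weak ones can look alike numerically, and the analyst should see which is which before treating a cluster as one actor.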
ASN Threat Profiling
Score the network an IP or domain belongs to.
-- Threat reputation of an entire ASN
CALL explain("AS60729")
Sample output:
[{
"indicator": "AS60729",
"type": "asn",
"found": true,
"score": 0.0,
"level": "NONE",
"explanation": "AS60729 (TORSERVERS-NET, DE) has a reputation score of 51.0 (Suspicious)."
}]
Tip: An ASN with a high threat density score means a large fraction of its IP space is listed in threat feeds. Even if your specific indicator isn't listed, hosting on a high-density ASN is a meaningful risk factor.
Investigate Domain History
Pull historical WHOIS snapshots to see how a domain's registration changed over time.
-- Historical WHOIS snapshots for a domain
CALL whisper.history("cloudflare.com")
Sample output (first 3 of 27 snapshots):
[
{"indicator": "cloudflare.com", "type": "domain", "queryTime": "2024-06-13 18:31:16", "createDate": "2009-02-17", "updateDate": "2024-01-09", "expiryDate": "2033-02-17", "registrar": "CloudFlare, Inc.", "nameServers": "..."},
{"indicator": "cloudflare.com", "type": "domain", "queryTime": "2020-05-01 07:03:56", "createDate": "2009-02-17", "registrar": "Cloudflare, Inc."},
{"indicator": "cloudflare.com", "type": "domain", "queryTime": "2017-06-07 20:16:00", "createDate": "2009-02-17", "registrar": "CloudFlare, Inc."}
]
Tip: Sudden changes in registrar, nameserver, or registrant contact are the most meaningful signals in domain history. A domain that changed registrar and nameserver in the same week is worth investigating.
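Turning the snapshot list into the "what changed, and when" view the tip describes takes a little care: the samples above already show the same registrar spelled "CloudFlare, Inc." and "Cloudflare, Inc.", older snapshots lack fields, and a change can only be placed somewhere in the gap between two snapshots. The following is an added example for this page, not part of the product's own code. It takes rows shaped like the whisper.history output (one dict per snapshot, "queryTime" in the format shown, optional "registrar" and "nameServers"), normalises the text fields, reports registrar and nameserver changes between consecutive snapshots, and only flags a registrar-plus-nameserver change as "same week" when the bracketing snapshots are close enough to support that claim. The snapshots are constructed and the 7-day window is an assumption.

```python
"""Detect registrar and nameserver changes across whisper.history snapshots.

Added example for this documentation page; not part of the product's own
code. It consumes rows shaped like the whisper.history sample output above
(one dict per snapshot, "queryTime" in the format shown, optional
"registrar" and "nameServers" fields) and reports what changed between
consecutive snapshots. The snapshots below are constructed, and the 7-day
"same week" window is an assumption taken from the tip.
"""
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
WINDOW_DAYS = 7  # assumption: what "in the same week" means


def norm_text(value):
    """Normalise free-text WHOIS fields so that 'CloudFlare, Inc.' and
    'Cloudflare, Inc.' (both present in the sample above) are not a change."""
    if value is None:
        return None
    return " ".join(str(value).lower().split())


def norm_nameservers(value):
    """nameServers may arrive as a list or a delimited string; compare as a set,
    case-insensitively, ignoring trailing dots. Empty or missing means unknown."""
    if not value:
        return frozenset()
    if isinstance(value, str):
        value = value.replace(",", " ").split()
    return frozenset(ns.lower().rstrip(".") for ns in value)


def diff_history(snapshots):
    """Return change events, oldest first.

    Each event records the newer snapshot's queryTime, the number of days
    between the two snapshots (the change happened somewhere in that gap),
    and which of registrar / nameServers changed. A field missing from either
    snapshot is unknown, not a change.
    """
    ordered = sorted(snapshots, key=lambda s: datetime.strptime(s["queryTime"], TS_FORMAT))
    events = []
    for older, newer in zip(ordered, ordered[1:]):
        changed = []
        reg_old, reg_new = norm_text(older.get("registrar")), norm_text(newer.get("registrar"))
        if reg_old and reg_new and reg_old != reg_new:
            changed.append("registrar")
        ns_old = norm_nameservers(older.get("nameServers"))
        ns_new = norm_nameservers(newer.get("nameServers"))
        if ns_old and ns_new and ns_old != ns_new:
            changed.append("nameServers")
        if changed:
            t_old = datetime.strptime(older["queryTime"], TS_FORMAT)
            t_new = datetime.strptime(newer["queryTime"], TS_FORMAT)
            events.append({
                "when": newer["queryTime"],
                "gap_days": (t_new - t_old).days,
                "changed": changed,
                "registrar": (older.get("registrar"), newer.get("registrar")),
                "nameServers": (older.get("nameServers"), newer.get("nameServers")),
            })
    return events


def flag_coincident(events, window_days=WINDOW_DAYS):
    """Events where registrar and nameservers both changed and the snapshots
    bracketing the change are at most window_days apart. If the snapshots are
    years apart, a 'same week' claim is not supported even though both changed."""
    return [e for e in events
            if {"registrar", "nameServers"} <= set(e["changed"]) and e["gap_days"] <= window_days]


# Constructed snapshots, newest first as whisper.history returns them.
SAMPLE_SNAPSHOTS = [
    {"indicator": "invoice-portal.example", "type": "domain", "queryTime": "2024-09-20 10:00:00",
     "registrar": "Bargain Domains Ltd"},
    {"indicator": "invoice-portal.example", "type": "domain", "queryTime": "2024-03-05 10:00:00",
     "registrar": "Bargain Domains Ltd", "nameServers": "ns1.sneaky-dns.example ns2.sneaky-dns.example"},
    {"indicator": "invoice-portal.example", "type": "domain", "queryTime": "2024-03-02 10:00:00",
     "registrar": "example registrar a", "nameServers": ["NS1.hostingco.example", "ns2.hostingco.example."]},
    {"indicator": "invoice-portal.example", "type": "domain", "queryTime": "2023-01-10 10:00:00",
     "registrar": "Example Registrar A", "nameServers": "ns1.hostingco.example, ns2.hostingco.example"},
    {"indicator": "invoice-portal.example", "type": "domain", "queryTime": "2019-06-01 10:00:00",
     "registrar": "Legacy Registrar Inc"},
]

if __name__ == "__main__":
    events = diff_history(SAMPLE_SNAPSHOTS)
    for event in events:
        print(event["when"], event["gap_days"], event["changed"])
    print("coincident:", [e["when"] for e in flag_coincident(events)])
```

On the constructed data the 2019 to 2023 registrar change is reported but not flagged, because four years of silence between snapshots says nothing about timing, while the March 2024 registrar and nameserver change is flagged because the two snapshots are three days apart. When the snapshot cadence is too coarse, the right move is to pull additional sources for that window rather than to assert a coincidence the data cannot support.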
Evidence Collection
Web Link Analysis
Trace hyperlinks between domains to find sites that reference or redirect to a suspicious target.
-- Sites that link to this domain
MATCH (source:HOSTNAME)-[:LINKS_TO]->(h:HOSTNAME {name: "cloudflare.com"})
RETURN source.name LIMIT 15
Sample output:
[
{"source.name": "0x1.academy"},
{"source.name": "12345.ae"},
{"source.name": "151.ae"}
]
Tip: Outbound links (h -[:LINKS_TO]-> target) show what sites this domain references. Inbound links (this query) show what sites reference it — useful for finding phishing pages that link to legitimate brand pages to appear credible.
Compare Multiple Indicators at Once
Check registration details for a batch of suspicious domains in one request.
-- Batch WHOIS lookup for multiple domains
UNWIND ["google.com", "cloudflare.com", "microsoft.com"] AS domain
MATCH (h:HOSTNAME {name: domain})
OPTIONAL MATCH (h)-[:HAS_REGISTRAR]->(r:REGISTRAR)
RETURN domain, h.name, collect(DISTINCT r.name) AS registrars
Sample output:
[
{"domain": "cloudflare.com", "h.name": "cloudflare.com", "registrars": ["iana:1910"]},
{"domain": "google.com", "h.name": "google.com", "registrars": ["iana:292"]},
{"domain": "microsoft.com", "h.name": "microsoft.com", "registrars": ["iana:292"]}
]
Tip: Domains that don't match in the MATCH clause won't appear in results. If a domain from your input list is missing from the results, it's not in the graph — treat it as an unknown rather than clean.
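Two things go wrong in practice with batch lookups: the input list comes from an untrusted place (a pasted phishing report, a ticket) and gets spliced into the query as-is, and the result set is compared against nothing, so a missing domain silently reads as clean. The following is an added example for this page, not part of the product's own code. It normalises the list the way DNS does (lower-case, trailing dot stripped, duplicates collapsed), rejects anything that is not a plain hostname before it reaches the query, renders the UNWIND list with json.dumps, and then reconciles result rows shaped like the sample output above against the request so every input ends with an explicit status. The input list and the extra result row are constructed.

```python
"""Build and reconcile a batch lookup so that missing rows stay 'unknown'.

Added example for this documentation page; not part of the product's own
code. It normalises an analyst-supplied domain list, rejects anything that is
not a plain hostname (indicator lists pasted from reports are untrusted input
and must not be spliced raw into a query), renders the UNWIND list with
json.dumps, and matches result rows shaped like the sample output above back
to the request so every input gets an explicit status. The domain list and
the extra result row are constructed.
"""
import json
import re

# Plain hostnames only: letters, digits, hyphens, at least one dot, 253 chars max.
# This is the real guard against query injection; json.dumps only renders the list.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")


def normalise(domain):
    return domain.strip().lower().rstrip(".")


def prepare_batch(domains):
    """Split input into (valid, rejected). Valid names are normalised and de-duplicated, order kept."""
    valid, rejected = [], []
    for raw in domains:
        name = normalise(raw)
        if not HOSTNAME_RE.match(name):
            rejected.append(raw)
        elif name not in valid:
            valid.append(name)
    return valid, rejected


def build_query(batch):
    """Render the page's batch query with a JSON-encoded literal list (valid as a Cypher list of strings)."""
    return (
        f"UNWIND {json.dumps(batch)} AS domain\n"
        "MATCH (h:HOSTNAME {name: domain})\n"
        "OPTIONAL MATCH (h)-[:HAS_REGISTRAR]->(r:REGISTRAR)\n"
        "RETURN domain, h.name, collect(DISTINCT r.name) AS registrars"
    )


def reconcile(batch, rows):
    """Map every requested domain to known / no_registrar / unknown.
    A domain with no row is absent from the graph: unknown, never clean."""
    by_domain = {r["domain"]: r for r in rows}
    report = {}
    for name in batch:
        row = by_domain.get(name)
        if row is None:
            report[name] = {"status": "unknown", "registrars": []}
        elif not row.get("registrars"):
            report[name] = {"status": "no_registrar", "registrars": []}
        else:
            report[name] = {"status": "known", "registrars": list(row["registrars"])}
    return report


# Constructed input: duplicates, mixed case, a trailing dot, one injection attempt,
# and a name that is not in the graph.
REQUESTED = ["google.com", "Cloudflare.COM.", "microsoft.com", "google.com",
             'x"] AS d RETURN d //', "not-in-graph.example", "orphan.example"]
# Rows as the page's sample output shows them, plus one constructed row with no registrar edge.
RESULT_ROWS = [
    {"domain": "cloudflare.com", "h.name": "cloudflare.com", "registrars": ["iana:1910"]},
    {"domain": "google.com", "h.name": "google.com", "registrars": ["iana:292"]},
    {"domain": "microsoft.com", "h.name": "microsoft.com", "registrars": ["iana:292"]},
    {"domain": "orphan.example", "h.name": "orphan.example", "registrars": []},
]


def demo():
    batch, rejected = prepare_batch(REQUESTED)
    return batch, rejected, build_query(batch), reconcile(batch, RESULT_ROWS)


if __name__ == "__main__":
    batch, rejected, query, report = demo()
    print(query)
    print("rejected:", rejected)
    for name, info in report.items():
        print(f"{name:24} {info['status']:13} {info['registrars']}")
```

Normalising before the query matters because the MATCH is on the exact stored name: "Cloudflare.COM." would not match the "cloudflare.com" node and would then be reported as unknown for the wrong reason. If your client supports query parameters, pass the list as a parameter instead of rendering it into the query text; the hostname check is still worth keeping either way.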
Splunk equivalents
For inline threat-intel enrichment in SPL, see Splunk Use Cases for Infrastructure Intel and Enterprise Security Integration. For the underlying feed catalog see Feed Catalog.