Threat Intelligence Enrichment

This guide explains how to use the Whisper API to enrich your threat intelligence data, turning simple indicators of compromise (IoCs) into a rich, correlated map of attacker infrastructure. By adding context to IPs and domains, you can reduce false positives and accelerate your investigations.

Goal: Context is Key

In threat intelligence, an IP address or a domain is just a starting point. To make an informed decision, you need context. Enrichment is the process of asking questions like:

  • Who owns this IP or domain?
  • Where is it located?
  • What is its reputation or risk score?
  • What other infrastructure is it connected to?

The Whisper API is designed to answer these questions instantly.

API Endpoints for Enrichment

Your two primary tools for enrichment will be the IP Intelligence and Domain Intelligence endpoints.

  1. IP Intelligence (GET /intelligence/v1/ip/{address}) This endpoint is your go-to for analyzing IP addresses. For threat intelligence, you'll focus on key data points like:
    • summary.risk_score: A quick assessment of the IP's reputation.
    • geolocation: The physical location of the IP, which can help identify anomalous activity.
    • network: Information about the IP's ASN and network prefixes, helping you understand who controls the network space.
    • relationships: A crucial section for pivoting, showing all known domains, DNS records, and related IPs associated with your target.
  2. Domain Intelligence (GET /intelligence/v1/domain/{domain}) Use this endpoint to investigate suspicious domains discovered during your analysis. Pay close attention to:
    • whois: Registration data, including the creation_date, registrar, and registrant contacts, can reveal recently created domains or attacker patterns.
    • dns: The domain's DNS records (A, AAAA, MX, etc.) show what IPs it points to and whether it's configured to send email.
    • infrastructure: A summary of the IPs and ASNs the domain relies on, giving you more IoCs to investigate.

Example Investigation Workflow

Imagine you receive an alert for a suspicious IP address, 8.8.8.8.

  1. Enrich the IP: Make a request to GET /intelligence/v1/ip/8.8.8.8. You see it has a risk_score of 85.5 and its relationships.ptr_records list includes dns.google.
  2. Pivot to Domains: From the relationships.a_records in the response, you find a list of domains hosted on that IP. You can now investigate each of these domains.
  3. Analyze a Domain: You pick a domain from the list and query it with GET /intelligence/v1/domain/{domain}. By checking its whois.registration.created date and comparing its associated infrastructure with other IoCs, you can determine if it's part of a larger malicious campaign.
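As an added example that is not part of this guide or the Python SDK, the following implements the pivot from steps 2 and 3 offline: it reads the hosted domains from an IP response, enriches each domain, and flags those that are recently registered or that share infrastructure with other known IoCs. The sample response dictionaries, the nesting beneath the field names the guide lists, the fetch_domain stand-in for the domain endpoint and ANALYSIS_TIME are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample responses, shaped after the field names this guide lists
# (summary.risk_score, relationships.a_records, whois.registration.created,
# infrastructure). The nesting below is an assumption, not the API's real schema.
SAMPLE_IP = {
    "summary": {"risk_score": 85.5},
    "relationships": {
        "ptr_records": ["dns.google"],
        "a_records": [{"domain": "fresh-portal.example"}, {"domain": "old-shop.example"}],
    },
}
SAMPLE_DOMAINS = {
    "fresh-portal.example": {
        "whois": {"registration": {"created": "2024-05-01T00:00:00Z"}},
        "infrastructure": {"ips": ["8.8.8.8", "203.0.113.7"]},
    },
    "old-shop.example": {
        "whois": {"registration": {"created": "2012-03-15T00:00:00Z"}},
        "infrastructure": {"ips": ["8.8.8.8"]},
    },
}
# Fixed "current time" so the age calculation is reproducible (constructed).
ANALYSIS_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)

def fetch_domain(domain):
    """Offline stand-in for GET /intelligence/v1/domain/{domain}."""
    return SAMPLE_DOMAINS[domain]

def domain_age_days(created_iso, now):
    """Days between the whois creation timestamp and `now` (both UTC)."""
    created = datetime.fromisoformat(created_iso.replace("Z", "+00:00"))
    return (now - created).days

def pivot_from_ip(ip_response, pivot_ip, known_iocs, now, fetch=fetch_domain, max_age_days=90):
    """Enrich every domain hosted on the IP and flag recently registered ones or ones
    sharing infrastructure with other known IoCs (the pivot IP itself is excluded)."""
    findings = []
    for record in ip_response["relationships"]["a_records"]:
        domain = record["domain"]
        info = fetch(domain)
        age = domain_age_days(info["whois"]["registration"]["created"], now)
        overlap = (set(info["infrastructure"]["ips"]) & set(known_iocs)) - {pivot_ip}
        findings.append({
            "domain": domain,
            "age_days": age,
            "ioc_overlap": sorted(overlap),
            "suspicious": age <= max_age_days or bool(overlap),
        })
    return findings
```

Calling pivot_from_ip(SAMPLE_IP, "8.8.8.8", {"8.8.8.8", "203.0.113.7"}, ANALYSIS_TIME) flags only the 31-day-old domain, which also shares a second IoC; in a live run, fetch would wrap the SDK's domain call instead of the sample dictionary.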

Python Code Example

Here’s how you could quickly get the summary and risk score for an IP using the Python SDK.

import os

import noctis_frontgraph_sdk
from noctis_frontgraph_sdk.rest import ApiException

# Configure authentication (the bearer token is read from the environment, never hard-coded)
configuration = noctis_frontgraph_sdk.Configuration(access_token=os.environ["BEARER_TOKEN"])

with noctis_frontgraph_sdk.ApiClient(configuration) as api_client:
    api_instance = noctis_frontgraph_sdk.IntelligenceServicesApi(api_client)
    ip_address = '8.8.8.8'

    try:
        # Get comprehensive IP address intelligence
        api_response = api_instance.get_ip_intelligence(ip_address)

        # Print key enrichment data
        print(f"Location: {api_response.summary.location}")
        print(f"Organization: {api_response.summary.organization}")
        print(f"Risk Score: {api_response.summary.risk_score}")

    except ApiException as e:
        print("Exception when calling IntelligenceServicesApi->get_ip_intelligence: %s\n" % e)