Intelligence X Integration Guide
Overview
The Intelligence X integration allows your NINA workflows to search Intelligence X's vast data archive for OSINT and threat intelligence. Search for leaked credentials, exposed data, domain information, and more across multiple data sources.
Key Capabilities:
- Search by email, domain, IP, URL, or Bitcoin address
- Retrieve leaked credentials and data breaches
- Search multiple data buckets (pastes, leaks, whois, etc.)
- Preview and download files from search results
- Export leaked accounts as CSV
Quick Start
Simple Domain Search
Search for information about a domain:
{
"integration_service": "intelx",
"resource": "search",
"operation": "intelligent",
"parameters": {
"term": "github.com"
}
}
Search for Leaked Email
Find data breaches containing an email address:
{
"integration_service": "intelx",
"resource": "search",
"operation": "intelligent",
"parameters": {
"term": "[email protected]",
"maxResults": 50
}
}
IMPORTANT: Strong Selectors Required
Intelligence X intelligent search only works with "strong selectors" - specific identifiers that can be precisely searched.
Valid Strong Selectors
| Type | Examples | Use Case |
|---|---|---|
| Domain | github.com, example.org | Find data related to a domain |
[email protected], [email protected] | Search for leaked credentials | |
| URL | https://example.com/page, http://site.com | Find specific URLs in data |
| IPv4 Address | 192.168.1.1, 8.8.8.8 | Search by IP address |
| IPv6 Address | 2001:db8::1 | Search by IPv6 |
| Bitcoin Address | 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa | Find Bitcoin transactions |
| Phone Number | +1-555-0123 | Search by phone number |
Invalid Terms (Will Fail)
| Invalid Input | Why It Fails |
|---|---|
test | Generic text - not a specific identifier |
password | Generic word - not searchable |
admin | Username without domain - too generic |
123456 | Generic number - not a specific identifier |
malware | Generic keyword - use phonebook search instead |
Common Error: "search ID not found or expired"
This error occurs when you use an invalid search term. The API accepts the request initially but rejects it during result retrieval because the term is not a strong selector.
Solution: Always use a specific identifier (domain, email, IP, URL, or Bitcoin address) as your search term.
How Intelligent Search Works
- You submit a search with a strong selector (e.g.,
github.com) - Intelligence X creates a search ID and begins processing
- The integration automatically polls for results every 1-2 seconds
- Results are returned automatically when ready (typically within 5 seconds)
- You receive all matching records in the response
Note: You do NOT need to manually call "Get Search Results" - the intelligent search operation handles polling automatically.
Supported Operations
Credential Configuration
Before using the Intelligence X integration in your workflows, configure credentials for API access.
Authentication Method
API Key
| Field | Description | Example |
|---|---|---|
| API Key | Your Intelligence X API key | ix_api_key_abc123... |
| Base URL | Base URL for Intelligence X API | https://2.intelx.io |
How to get your API Key:
- Sign up or log in at
https://intelx.io - Go to your account/API settings
- Generate or copy your API key
Creating an Intelligence X Credential
- Navigate to the Credentials section in NINA
- Click Add New Credential
- Set:
- Name (e.g., "Intelligence X Production")
- Integration Service: "Intelligence X"
- Auth Type: "API Key"
- API Key and Base URL (default
https://2.intelx.io)
- Click Test Connection
- Click Save
Supported Operations
Search Resource
| Operation | Description | When to Use |
|---|---|---|
| intelligent | Search for strong selectors (domain, email, IP, URL, Bitcoin address) | Primary search operation - automatically polls and returns results |
| phonebook | Search for domain/email relationships and WHOIS data | Find related domains and emails for a given selector |
| results | Manually retrieve results from a search ID | Advanced: Only needed if manually managing search sessions |
| terminate | Stop an active search | Advanced: Cancel a long-running search |
Recommendation: Use intelligent for most searches. It handles result polling automatically.
File Resource
| Operation | Description | When to Use |
|---|---|---|
| preview | Get first few lines of a file | Quick preview before downloading |
| viewAsText | View full file content (converted to text) | Read file contents without downloading (uses storageId) |
| download | Download raw file bytes | Get original file for processing (uses systemId) |
| bulkDownload | Download multiple files in one request (max 20) | Batch download files efficiently |
Note: File operations require storageId (preview, viewAsText) or systemId (download, bulkDownload) from search results.
Identity Resource
| Operation | Description | When to Use |
|---|---|---|
| search | Search Identity portal for leaked accounts (requires strong selectors) | Find credential breaches for a domain or email |
| exportAccounts | Export leaked accounts as CSV (requires strong selectors) | Bulk export for reporting |
Note: Identity operations require strong selectors (domains, emails, IPs, URLs, Bitcoin addresses). Generic text searches will fail.
Parameter Merging and Templating
The Intelligence X integration supports parameter merging and templating:
- Node parameters (highest precedence)
- Extracted parameters from input
- Full input data
Template variables (e.g., {{variable}}) are resolved before execution.
Common Use Cases
Use Case 1: Search for Leaked Credentials by Email
Goal: Find all data breaches containing a specific email address.
{
"integration_service": "intelx",
"resource": "search",
"operation": "intelligent",
"parameters": {
"term": "[email protected]",
"maxResults": 100,
"timeout": 10
}
}
Response:
{
"records": [
{
"name": "linkedin-2021-breach.txt",
"bucket": "leaks.public",
"date": "2021-04-09T10:15:00Z",
"storageId": "abc123...",
"media": 1
}
],
"status": 0,
"searchId": "e7aacca3-1cdd-4bc4-adee-b03be6089697",
"totalResults": 15
}
Use Case 2: Search for Domain Information
Goal: Find all mentions of a domain across Intelligence X databases.
{
"integration_service": "intelx",
"resource": "search",
"operation": "intelligent",
"parameters": {
"term": "github.com",
"maxResults": 50,
"sort": 4
}
}
Common sort values:
0= No sorting3= Date ascending (oldest first)4= Date descending (newest first) - recommended
Use Case 3: Search with Date Range Filter
Goal: Find data breaches within a specific time period.
{
"integration_service": "intelx",
"resource": "search",
"operation": "intelligent",
"parameters": {
"term": "[email protected]",
"dateFrom": "2024-01-01 00:00:00",
"dateTo": "2024-12-31 23:59:59",
"maxResults": 100
}
}
Use Case 4: Phonebook Search for Related Domains
Goal: Find all related domains and emails for a domain using WHOIS/phonebook data.
{
"integration_service": "intelx",
"resource": "search",
"operation": "phonebook",
"parameters": {
"term": "example.com",
"target": 1,
"maxResults": 50
}
}
target values:
0= Emails only1= Domains only2= URLs only3= All (emails, domains, URLs)
Get Search Results
Node Configuration
{
"integration_service": "intelx",
"resource": "search",
"operation": "results",
"parameters": {
"id": "search-id-from-previous-call",
"limit": 100
}
}
Terminate Search
Node Configuration
{
"integration_service": "intelx",
"resource": "search",
"operation": "terminate",
"parameters": {
"id": "active-search-id"
}
}
File Preview
Node Configuration
{
"integration_service": "intelx",
"resource": "file",
"operation": "preview",
"parameters": {
"storageId": "storage-id-here",
"contentType": 1,
"mediaType": 1,
"format": 0,
"bucket": "leaks.public", // Required if storageId has an associated bucket
"escape": 0,
"lines": 8
}
}
Note: The bucket parameter is required if the storageId has an associated bucket. Omit it if the storageId does not have a bucket.
View File as Text
Node Configuration
{
"integration_service": "intelx",
"resource": "file",
"operation": "viewAsText",
"parameters": {
"storageId": "storage-id-here",
"format": 0,
"bucket": "leaks.public", // Required if storageId has an associated bucket
"escape": 0
}
}
Note: The bucket parameter is required if the storageId has an associated bucket. Omit it if the storageId does not have a bucket.
Download File
Node Configuration
{
"integration_service": "intelx",
"resource": "file",
"operation": "download",
"parameters": {
"systemId": "system-id-here",
"bucket": "leaks.public" // Required if systemId has an associated bucket
}
}
Note: The bucket parameter is required if the systemId has an associated bucket. Omit it if the systemId does not have a bucket.
Bulk Download Files
Download multiple files in a single request (maximum 20 files). The operation continues even if individual files fail, returning both successful downloads and error details.
Node Configuration
{
"integration_service": "intelx",
"resource": "file",
"operation": "bulkDownload",
"parameters": {
"files": [
{"systemId": "system-id-1", "bucket": "leaks.public"},
{"systemId": "system-id-2", "bucket": ""},
{"systemId": "system-id-3"}
]
}
}
Response Structure
{
"files": [
{
"index": 0,
"systemId": "system-id-1",
"bucket": "leaks.public",
"data": "file contents...",
"size": 1024,
"contentType": "application/octet-stream"
}
],
"totalRequested": 3,
"totalSuccess": 2,
"totalErrors": 1,
"errors": [
{
"index": 2,
"systemId": "system-id-3",
"error": "file not found"
}
]
}
Identity Search
Search the Identity portal for leaked accounts. Requires strong selectors - use domains, emails, IPs, URLs, or Bitcoin addresses. Generic text will fail.
Node Configuration
{
"integration_service": "intelx",
"resource": "identity",
"operation": "search",
"parameters": {
"term": "example.com", // Must be a strong selector (domain, email, IP, etc.)
"maxResults": 100,
"buckets": "leaks.identity",
"dateFrom": "2023-01-01 00:00:00",
"dateTo": "2024-12-31 23:59:59"
}
}
Export Accounts (CSV)
Export leaked accounts in CSV format. Requires strong selectors - use domains, emails, IPs, URLs, or Bitcoin addresses. Generic text will fail.
Node Configuration
{
"integration_service": "intelx",
"resource": "identity",
"operation": "exportAccounts",
"parameters": {
"term": "example.com", // Must be a strong selector (domain, email, IP, etc.)
"maxResults": 10,
"buckets": "leaks.identity",
"dateFrom": "2023-01-01 00:00:00",
"dateTo": "2024-12-31 23:59:59"
}
}
Dynamic Fields
- Test Connection: Validates API key and connectivity
{
"integration_service": "intelx",
"resource": "__dynamic__",
"operation": "testConnection"
}
License and Terms
Integration capabilities depend on your Intelligence X license. As per Intelligence X terms:
"The API, Identity Portal and Enterprise licenses allow integrating the API into third-party products. All other licenses do not grant the right to integrate our API into third-party products."
Source: Intelligence X Product page
Ensure your chosen license grants the appropriate integration rights before using this integration within third-party workflows or products.
Troubleshooting
Common Errors
Error: "search ID not found or expired"
Cause: You used an invalid search term that is not a strong selector.
Examples of invalid terms:
test,password,admin,malware,123456
Solution:
- Check if your search term is a strong selector (domain, email, IP, URL, Bitcoin address)
- Replace generic text with a specific identifier:
- Instead of
test→ useexample.com - Instead of
admin→ use[email protected] - Instead of
password→ use a specific domain or email
- Instead of
Valid example:
{
"term": "github.com" // Valid - specific domain
}
Invalid example:
{
"term": "test" // Invalid - generic text
}
Error: "Authentication failed"
Solution:
- Verify your API key is correct at https://intelx.io/account?tab=developer
- Check that Base URL is
https://2.intelx.io - Ensure your Intelligence X account is active and has API access
Error: "maximum concurrent searches reached"
Solution:
- Wait a few seconds and retry
- Terminate unused searches using the
terminateoperation - Reduce the number of parallel workflow executions
Other Issues
| Issue | Resolution |
|---|---|
| Timeout reached | Increase timeout parameter (default: 5s, max: 300s) |
| No results returned | Verify date range is correct; some searches legitimately return no results |
| Access denied to bucket | Ensure your Intelligence X license includes access to the specified bucket |
Best Practices
- Use Strong Selectors: For intelligent search, prefer emails, domains, URLs, or IPs.
- Scope by Buckets: Limit searches to relevant buckets to improve speed and reduce noise.
- Tune Sorting/Media: Choose appropriate
sort,media, andtargetfor your use case. - Paginate Results: Use
limitsensibly and loop to collect large result sets. - Respect Timeouts: Keep
timeoutreasonable; terminate or re-run as needed. - Store IDs: Persist
search idto retrieve results later or terminate when necessary. - Sanitize Output: Use
escapewhen viewing HTML to avoid rendering issues.