[Intelligence]

Threat Intelligence: OpenCTI Platform


Module metadata

Source reference

content/modules/threat-intel-opencti.md

Last updated

18 March 2026

Category

Intelligence

Content checksum

609cfb17031834fc

Tags

intelligence, geospatial

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

Argus connects to OpenCTI (Open Cyber Threat Intelligence), the open-source threat intelligence management platform backed by the French ANSSI and Luatix. OpenCTI structures intelligence using the STIX 2.1 data model and provides a GraphQL API for querying threat actors, campaigns, indicators, attack patterns, and relationships. The Argus integration pulls entity data from connected OpenCTI instances and surfaces it within investigation, alert enrichment, and threat actor tracking workflows.

Key Features

Entity Synchronisation

Sync OpenCTI entities -- including indicators, malware, threat actors, intrusion sets, and campaigns -- into Argus via the syncOpenCti mutation. The fetch_opencti_data client connects to the OpenCTI GraphQL API, retrieves the entity payload, and persists records to PostgreSQL scoped to the organisation. Each sync generates an interop ingest audit entry satisfying EDF Golden Rule 15.
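The fetch-then-persist flow described above, as an added example that is not Argus or OpenCTI project code: it walks OpenCTI's cursor-paginated stixCoreObjects connection, normalises the returned nodes into organisation-scoped rows keyed by their STIX id, and emits an ingest audit entry that records a payload hash and the source host but never the api_token. The function names mirror the page's, but their bodies, the query shape and the field names are assumptions about the OpenCTI 5.x schema; the two-page response is constructed so the code runs offline, and only post_graphql touches the network.

```python
"""Paging entities out of OpenCTI's GraphQL API into org-scoped rows plus an
ingest audit entry. Added illustration, not Argus or OpenCTI project code."""
import hashlib
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Assumption: the cursor-paginated `stixCoreObjects` connection and the STIX 2.1
# field names below match OpenCTI 5.x; check them against your instance's schema.
ENTITY_QUERY = """
query Entities($types: [String], $first: Int, $after: ID) {
  stixCoreObjects(types: $types, first: $first, after: $after) {
    edges { node { id standard_id entity_type
      ... on Indicator { pattern pattern_type x_opencti_score }
      ... on Malware { name } ... on ThreatActor { name }
      ... on IntrusionSet { name } ... on Campaign { name } } }
    pageInfo { endCursor hasNextPage }
  }
}"""


def post_graphql(base_url, api_token, query, variables):
    """The only function that touches the network: one authenticated POST."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=json.dumps({"query": query, "variables": variables}).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_opencti_data(base_url, api_token, types, page_size=100, post=post_graphql):
    """Follow the cursor until hasNextPage is false; `post` is injectable for offline runs."""
    after, nodes = None, []
    while True:
        data = post(base_url, api_token, ENTITY_QUERY,
                    {"types": types, "first": page_size, "after": after})
        if data.get("errors"):  # GraphQL reports failures in-body with HTTP 200
            raise RuntimeError(f"OpenCTI query failed: {data['errors']}")
        conn = data["data"]["stixCoreObjects"]
        nodes.extend(edge["node"] for edge in conn["edges"])
        if not conn["pageInfo"]["hasNextPage"]:
            return nodes
        after = conn["pageInfo"]["endCursor"]


def normalise(nodes, org_id, source_host):
    """Org-scoped rows keyed by standard_id, so a re-sync upserts instead of duplicating."""
    return [{"org_id": org_id, "source": source_host, "stix_id": n["standard_id"],
             "entity_type": n["entity_type"], "name": n.get("name") or n.get("pattern"),
             "score": n.get("x_opencti_score")} for n in nodes]


def audit_entry(org_id, source_host, rows):
    """Ingest audit record: payload hash and source host; the api_token is never included."""
    digest = hashlib.sha256(json.dumps(rows, sort_keys=True).encode()).hexdigest()
    return {"event": "opencti.sync", "org_id": org_id, "source": source_host,
            "records": len(rows), "payload_sha256": digest,
            "ts": datetime.now(timezone.utc).isoformat()}


def sync_opencti(base_url, api_token, org_id, types, post=post_graphql):
    """Fetch, normalise, audit: the shape of a sync mutation handler."""
    nodes = fetch_opencti_data(base_url, api_token, types, post=post)
    host = urllib.parse.urlsplit(base_url).hostname
    rows = normalise(nodes, org_id, host)
    return rows, audit_entry(org_id, host, rows)


# Constructed two-page response keyed by cursor, not captured from a real instance.
_PAGES = {
    None: {"data": {"stixCoreObjects": {"edges": [
        {"node": {"id": "1", "standard_id": "indicator--0a1b", "entity_type": "Indicator",
                  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
                  "x_opencti_score": 80}},
        {"node": {"id": "2", "standard_id": "malware--2c3d", "entity_type": "Malware",
                  "name": "SampleLoader"}}],
        "pageInfo": {"endCursor": "cursor-1", "hasNextPage": True}}}},
    "cursor-1": {"data": {"stixCoreObjects": {"edges": [
        {"node": {"id": "3", "standard_id": "intrusion-set--4e5f",
                  "entity_type": "Intrusion-Set", "name": "Sample Set"}}],
        "pageInfo": {"endCursor": None, "hasNextPage": False}}}},
}


def fake_post(base_url, api_token, query, variables):
    """Offline stand-in for post_graphql, serving the constructed pages by cursor."""
    return _PAGES[variables["after"]]


if __name__ == "__main__":
    rows, audit = sync_opencti("https://cti.example.invalid", "secret-token", "org-1",
                               ["Indicator", "Malware", "Intrusion-Set"], post=fake_post)
    print(len(rows), "rows synced;", json.dumps(audit, indent=2))
```

Replace fake_post with the default post_graphql to run against a live instance; the error branch matters because OpenCTI, like most GraphQL servers, returns HTTP 200 with an errors array for an invalid or expired token, so a client that only checks the status code silently persists nothing.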

Clearance-Filtered Entity Listing

Query the OpenCTI entity inventory via openCtiItems with optional filters on entity type and confidence score. Row-level secrecy filtering prevents lower-clearance users from accessing entities tagged at higher classification levels -- important when a single OpenCTI instance aggregates intelligence across multiple trust domains.

Stats and Coverage View

The openCtiStats query returns entity counts by type, giving threat intelligence analysts a dashboard-level view of what intelligence categories are currently populated from the connected OpenCTI platform without loading the full entity list.
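Row-level secrecy filtering and the per-type counts from the two sections above, as one added example that is not Argus code: rows are visible only when they belong to the caller's organisation and their marking sits at or below the caller's clearance, unknown markings fail closed, the type and confidence filters are applied after the secrecy filter so no filter combination widens the result, and the stats are counted over the visible set only, because unfiltered totals would reveal that higher-classified entities exist. The mapping from OpenCTI's default TLP markings to numeric levels and the row shape are assumptions; the rows are constructed in place of the PostgreSQL table a sync would populate.

```python
"""Clearance-based row filtering over synced OpenCTI rows, plus type counts
over the visible set. Added illustration, not Argus code."""
from collections import Counter

# Assumption: each row stores the most restrictive marking on the entity.
# OpenCTI ships TLP markings by default; the numeric levels are illustrative.
SECRECY_LEVEL = {"TLP:CLEAR": 0, "TLP:WHITE": 0, "TLP:GREEN": 1,
                 "TLP:AMBER": 2, "TLP:AMBER+STRICT": 3, "TLP:RED": 4}
_UNMAPPED = max(SECRECY_LEVEL.values()) + 1  # unknown markings fail closed


def row_visible(row, org_id, clearance):
    """Tenant scope first, then secrecy: both must hold for the row to be returned."""
    level = SECRECY_LEVEL.get(row["marking"], _UNMAPPED)
    return row["org_id"] == org_id and level <= clearance


def open_cti_items(rows, org_id, clearance, entity_type=None, min_confidence=None):
    """Listing: optional filters are applied after the secrecy filter, never instead of it."""
    visible = [r for r in rows if row_visible(r, org_id, clearance)]
    if entity_type is not None:
        visible = [r for r in visible if r["entity_type"] == entity_type]
    if min_confidence is not None:
        visible = [r for r in visible if (r.get("confidence") or 0) >= min_confidence]
    return visible


def open_cti_stats(rows, org_id, clearance):
    """Counts by type over what the caller may see; totals over all rows would
    leak the existence of higher-classified entities."""
    return dict(Counter(r["entity_type"] for r in rows
                        if row_visible(r, org_id, clearance)))


# Constructed rows standing in for the table populated by a sync.
ROWS = [
    {"org_id": "org-1", "entity_type": "Indicator", "marking": "TLP:CLEAR",
     "confidence": 50, "name": "[domain-name:value = 'example.invalid']"},
    {"org_id": "org-1", "entity_type": "Indicator", "marking": "TLP:GREEN",
     "confidence": 85, "name": "[ipv4-addr:value = '198.51.100.7']"},
    {"org_id": "org-1", "entity_type": "Threat-Actor", "marking": "TLP:AMBER",
     "confidence": 70, "name": "Sample Actor"},
    {"org_id": "org-1", "entity_type": "Intrusion-Set", "marking": "TLP:RED",
     "confidence": 90, "name": "Sample Set"},
    {"org_id": "org-1", "entity_type": "Malware", "marking": "CUSTOM:RESTRICTED",
     "confidence": 60, "name": "Unmapped marking"},
    {"org_id": "org-2", "entity_type": "Indicator", "marking": "TLP:CLEAR",
     "confidence": 40, "name": "Other tenant"},
]

if __name__ == "__main__":
    for clearance in (1, 4):
        print("clearance", clearance, open_cti_stats(ROWS, "org-1", clearance))
```

In a real deployment the same predicate belongs in a PostgreSQL row-level security policy keyed on the session's organisation and clearance, so that every code path, not just these two resolvers, is constrained by it.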

Multi-Instance Support

Each syncOpenCti call accepts a base_url and an api_token, allowing an organisation to pull from different OpenCTI instances (e.g., a national CERT instance and an internal instance) and consolidate their entity sets within one Argus tenant. Because the token travels as a mutation argument, the Argus GraphQL endpoint should only be reached over TLS and request logging should redact api_token; a leaked token carries the OpenCTI permissions of the account it belongs to, so issue it from a read-only OpenCTI user dedicated to the sync.

Use Cases

  • Threat Actor Library: Pull the threat actor and intrusion set catalogue from an ANSSI-operated OpenCTI instance to populate the Argus threat actor reference library used in investigation attribution workflows.
  • MITRE ATT&CK Integration: OpenCTI's ATT&CK-enriched data provides technique-to-actor mappings that Argus surfaces alongside Sigma rule coverage, allowing analysts to identify detection gaps for specific threat actors.
  • Cross-Platform Intelligence Lifecycle: Use Argus for operational case management and OpenCTI as the strategic intelligence repository -- syncing curated entities in one direction while case-derived indicators flow back through STIX export.

Integration

Available via GraphQL: openCtiItems, openCtiStats (queries); syncOpenCti (mutation). All operations require authentication and organisation scoping.

Compatible with OpenCTI 5.x+ GraphQL API. Works alongside MISP (complementary threat sharing), STIX/TAXII (shared data model), and TheHive (incident case correlation).

Last Reviewed: 2026-03-18