Overview
An intelligence analyst investigating a series of coordinated cyberattacks across three critical infrastructure operators realises the incidents are not isolated. The same threat actor, the same tools, the same targeting logic. Rather than keeping that assessment locked in individual case notes, she creates a Campaign profile: a structured intelligence record linking the threat actors, attack patterns, objectives, and all three investigations into a single coherent picture.
Now any analyst who touches one of those cases can immediately see the broader campaign context. Pattern recognition happens at the team level, not just the individual analyst level.
Key Features
- Campaign profile management with objectives, associated actors, and references.
- Multi-tier access control with tenant, organisation, secrecy level, and country restrictions.
- Investigation linking for associating campaigns with active investigations.
- Graph-based relationship modelling for campaign-to-actor and campaign-to-target connections.
- Dual naming convention support for frontend (camelCase) and backend (snake_case) compatibility.
- Threat level and secrecy level classification with enum validation.
- Automatic metadata assignment including tenant and organisation context.
- Superuser bypass for cross-tenant analysis workflows.
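The access-control tiers, enum validation and dual naming convention listed above can be illustrated with a small deny-by-default visibility check. This is an added example, not the platform's own code: the Analyst and Campaign records, the TLP ordering in SECRECY_RANK (with TLP:CLEAR ranked the same as TLP:WHITE), the threat-level enum values and the order in which the tiers are evaluated are all assumptions made for the illustration, and the sample records are constructed.

```python
"""Added example: deny-by-default visibility check for campaign records.

Not the platform's own code. Analyst/Campaign shapes, SECRECY_RANK, the
threat-level enum and the rule order are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# TLP levels from least to most restrictive. TLP:CLEAR (TLP 2.0) is ranked
# the same as TLP:WHITE (TLP 1.0) -- an assumption, not a platform rule.
SECRECY_RANK = {
    "TLP:WHITE": 0, "TLP:CLEAR": 0, "TLP:GREEN": 1,
    "TLP:AMBER": 2, "TLP:AMBER+STRICT": 3, "TLP:RED": 4,
}
THREAT_LEVELS = ("low", "medium", "high", "critical")  # assumed enum values


def validate_enum(value: str, allowed, field_name: str) -> str:
    """Reject anything outside the enum before it reaches storage."""
    if value not in allowed:
        raise ValueError(f"{field_name}={value!r} is not one of {sorted(allowed)}")
    return value


@dataclass(frozen=True)
class Analyst:
    user_id: str
    tenant_id: str
    org_id: str
    clearance: str          # highest TLP level this analyst may read
    country: str            # ISO 3166-1 alpha-2 code (constructed values below)
    is_superuser: bool = False


@dataclass(frozen=True)
class Campaign:
    campaign_id: str
    tenant_id: str
    org_id: str
    secrecy_level: str
    threat_level: str
    allowed_countries: frozenset = frozenset()  # empty = no country restriction
    shared_with_orgs: frozenset = frozenset()   # other orgs in the tenant that may read

    def __post_init__(self):
        validate_enum(self.secrecy_level, SECRECY_RANK, "secrecy_level")
        validate_enum(self.threat_level, THREAT_LEVELS, "threat_level")


def access_decision(user: Analyst, campaign: Campaign) -> tuple:
    """Return (allowed, reason). Every tier must pass; superusers skip them all."""
    if user.is_superuser:
        return True, "superuser bypass"
    if user.tenant_id != campaign.tenant_id:
        return False, "tenant mismatch"
    if user.org_id != campaign.org_id and user.org_id not in campaign.shared_with_orgs:
        return False, "organisation not permitted"
    if SECRECY_RANK[user.clearance] < SECRECY_RANK[campaign.secrecy_level]:
        return False, "insufficient clearance"
    if campaign.allowed_countries and user.country not in campaign.allowed_countries:
        return False, "country restriction"
    return True, "allowed"


def visible_campaigns(user: Analyst, campaigns) -> list:
    """Filter a listing the way a query layer would; returns visible ids only."""
    return [c.campaign_id for c in campaigns if access_decision(user, c)[0]]


def enum_error(secrecy_level: str, threat_level: str):
    """Return the validation message a bad enum value produces, else None."""
    try:
        Campaign("probe", "t", "o", secrecy_level, threat_level)
    except ValueError as exc:
        return str(exc)
    return None


def to_camel(snake: str) -> str:
    return re.sub(r"_([a-z])", lambda m: m.group(1).upper(), snake)


def to_api(campaign: Campaign) -> dict:
    """Dual naming: emit snake_case keys plus their camelCase aliases."""
    record = {
        "campaign_id": campaign.campaign_id,
        "secrecy_level": campaign.secrecy_level,
        "threat_level": campaign.threat_level,
    }
    record.update({to_camel(k): v for k, v in record.items()})
    return record


# Constructed sample records (not real intelligence).
ANALYST = Analyst("u-1", "tenant-a", "org-1", "TLP:AMBER", "GB")
CROSS_TENANT = Analyst("u-2", "tenant-b", "org-9", "TLP:RED", "GB")
SUPERUSER = Analyst("u-0", "tenant-b", "org-9", "TLP:RED", "US", is_superuser=True)
CAMPAIGNS = [
    Campaign("c-1", "tenant-a", "org-1", "TLP:AMBER", "high"),
    Campaign("c-2", "tenant-a", "org-1", "TLP:RED", "critical"),
    Campaign("c-3", "tenant-a", "org-2", "TLP:GREEN", "medium",
             shared_with_orgs=frozenset({"org-1"})),
    Campaign("c-4", "tenant-a", "org-1", "TLP:GREEN", "low",
             allowed_countries=frozenset({"US"})),
]

if __name__ == "__main__":
    for who in (ANALYST, CROSS_TENANT, SUPERUSER):
        print(who.user_id, visible_campaigns(who, CAMPAIGNS))
```

The tiers are evaluated cheapest first and every one must pass, so a record is never visible because a single tier happened to match; the superuser bypass is the only path that skips the chain, which is why it is worth logging separately in a real deployment.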
Use Cases
Intelligence agencies track Advanced Persistent Threat (APT) campaigns across multiple target organisations, building a structured intelligence picture that enables attribution and strategic threat assessment at the national level.
Financial sector security teams document ransomware campaigns with associated threat actors and objectives, linking campaign intelligence to ongoing investigations and sharing structured profiles with peer institutions through formal intelligence-sharing channels.
Law enforcement cyber units link campaign intelligence to ongoing investigations for contextual analysis, ensuring individual case investigators can see the broader criminal enterprise they are contributing to disrupting.
Multi-national defence alliances correlate campaigns across member nation investigations, identifying shared infrastructure and tactics that only become visible when evidence from multiple independent investigations is viewed together.
Integration
Integrates with investigations for contextual linkage, threat actor profiles for attribution, and the graph database for relationship traversal and campaign visualisation.
Open Standards
- OASIS STIX 2.1: Campaign profiles, associated threat actors, and attack patterns are structured as STIX 2.1 SDOs (threat-actor, attack-pattern, campaign) via a bidirectional STIX 2.1 adapter, enabling import and export of intelligence in the standard bundle format.
- OASIS TAXII 2.1: A dedicated TAXII 2.1 client handles collection discovery, paginated polling, and bundle push against external threat intelligence feeds, allowing campaign intelligence to be shared with peer platforms over a standard channel.
- MITRE ATT&CK: Attack patterns linked to campaigns carry MITRE ATT&CK technique identifiers (e.g. T1003) and kill-chain phase labels, aligning campaign documentation with the widely adopted adversarial tactics and techniques framework.
- TLP (Traffic Light Protocol): Each campaign record carries a secrecy level derived from TLP markings (TLP:WHITE through TLP:RED, TLP:CLEAR, and TLP:AMBER+STRICT) as defined by FIRST, controlling how intelligence may be shared across organisational boundaries.
- GraphQL (June 2018 specification): All campaign queries and mutations are exposed through a typed GraphQL API (using the Strawberry library), with explicit field naming conventions for camelCase frontend compatibility and backwards-compatible deprecation of snake_case fields.
- JSON Web Token / RFC 7519: All campaign API endpoints are protected by RS256-signed JWTs verified against a JWKS endpoint, enforcing authenticated access to sensitive intelligence records.
- RFC 4122 (UUID): Campaign profile identifiers are generated as version-4 UUIDs per RFC 4122, ensuring globally unique and collision-resistant record identifiers across multi-tenant deployments.
- ISO 8601: All campaign timestamps (created_at, updated_at, start_date, end_date) are stored and serialised as UTC ISO 8601 datetime values, ensuring unambiguous time representation in cross-system exchanges.
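To show how the STIX 2.1, ATT&CK, UUID and ISO 8601 conventions above fit together in one record, here is an added example that builds a campaign bundle and runs a small set of consistency checks over it. It is not the platform's STIX adapter and uses only the Python standard library. The object names, the campaign objective and the bundle contents are constructed samples; the `mitre-attack` external-reference shape and the `attributed-to` / `uses` relationship types follow the STIX 2.1 and ATT&CK conventions, and the validator is a deliberately small subset of what a full STIX validator checks.

```python
"""Added example: build and sanity-check a STIX 2.1 bundle for a campaign.

Not the platform's adapter. Names and contents are constructed samples; the
validation rules are a small subset of a full STIX validator.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier: <type>--<UUID>; RFC 4122 version-4 UUIDs have a '4'
# in the third group and 8/9/a/b leading the fourth group.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)
# STIX timestamp: ISO 8601, UTC, 'Z' suffix, optional fractional seconds.
STIX_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
# Relationship shapes this example accepts (source type, relationship, target type).
VALID_RELATIONSHIPS = {
    ("campaign", "attributed-to", "threat-actor"),
    ("campaign", "uses", "attack-pattern"),
}


def stix_id(obj_type: str) -> str:
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp(when=None) -> str:
    """UTC ISO 8601 with millisecond precision and a 'Z' suffix."""
    when = when or datetime.now(timezone.utc)
    return when.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def sdo(obj_type: str, ts: str, **fields) -> dict:
    """Common STIX Domain Object envelope."""
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": ts, "modified": ts, **fields}


def attack_pattern(name: str, technique_id: str, phase: str, ts: str) -> dict:
    """ATT&CK technique as an attack-pattern SDO carrying its kill-chain phase."""
    return sdo("attack-pattern", ts, name=name,
               external_references=[{"source_name": "mitre-attack", "external_id": technique_id}],
               kill_chain_phases=[{"kill_chain_name": "mitre-attack", "phase_name": phase}])


def relationship(src: dict, rel_type: str, dst: dict, ts: str) -> dict:
    return sdo("relationship", ts, relationship_type=rel_type,
               source_ref=src["id"], target_ref=dst["id"])


def build_campaign_bundle(ts: str = "2026-02-05T12:00:00.000Z") -> dict:
    """Constructed sample: one campaign linked to one actor and one technique."""
    actor = sdo("threat-actor", ts, name="Example Actor (constructed)")
    tech = attack_pattern("OS Credential Dumping", "T1003", "credential-access", ts)
    campaign = sdo("campaign", ts, name="Example Campaign (constructed)",
                   objective="Constructed objective for illustration", first_seen=ts)
    objects = [campaign, actor, tech,
               relationship(campaign, "attributed-to", actor, ts),
               relationship(campaign, "uses", tech, ts)]
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


def from_json(text: str) -> dict:
    return json.loads(text)


def validate_bundle(bundle: dict) -> list:
    """Return a list of problems; an empty list means these checks passed."""
    problems = []
    objects = bundle.get("objects", [])
    by_id = {o["id"]: o for o in objects if "id" in o}
    for obj in objects:
        oid = str(obj.get("id", "<missing>"))
        if not STIX_ID_RE.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"{oid}: id is not <type>--<uuid4>")
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: spec_version must be '2.1'")
        for key in ("created", "modified"):
            if not STIX_TS_RE.match(str(obj.get(key, ""))):
                problems.append(f"{oid}: {key} is not a UTC ISO 8601 timestamp")
        if obj.get("type") == "relationship":
            src = by_id.get(obj.get("source_ref"))
            dst = by_id.get(obj.get("target_ref"))
            if src is None or dst is None:
                problems.append(f"{oid}: relationship references an object not in the bundle")
            elif (src.get("type"), obj.get("relationship_type"), dst.get("type")) not in VALID_RELATIONSHIPS:
                problems.append(f"{oid}: unexpected relationship shape")
    return problems


if __name__ == "__main__":
    bundle = build_campaign_bundle(stix_timestamp())
    print(to_json(bundle))
    print("problems:", validate_bundle(bundle))
```

Validating on import, not just on export, is the useful habit here: a bundle pulled from an external TAXII collection can carry dangling `source_ref`/`target_ref` values or non-UTC timestamps, and catching those before they enter the graph keeps campaign-to-actor edges from pointing at objects the platform never stored.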
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14