Report

Category: API Domains
Last Updated: Feb 5, 2026

Overview

After closing a three-month financial crime investigation, an analyst writes up the findings as an intelligence report, classifies it TLP:AMBER, tags it for the investigation record, and sets the secrecy level so that only cleared personnel can view it. The Report domain stores that document, links it to the investigation, and makes it searchable within the boundaries set by the analyst's organisation. A second use of the same domain is the extended report profile type, which connects reports into the broader entity relationship graph alongside persons, organisations, locations, objects, and events, so that a report can be cross-referenced against the other entities it describes.

Key Features

  • Report creation with title, content, tags, and type classification
  • Report listing with user-scoped visibility and organisation isolation
  • Extended report profiles with threat level, secrecy level, and investigation linking
  • Report type classification including intelligence, investigation, threat, incident, summary, and technical
  • TLP (Traffic Light Protocol) classifications for information sharing control
  • Author tracking and published date management
  • Source references and citation linking
  • Custom metadata attachment for additional context

Use Cases

Structured report management matters wherever intelligence products must be classified, version-controlled, and shared under defined access rules. Key industries include law enforcement, defence, and financial intelligence.

  • Generating and storing intelligence analysis reports linked to investigations
  • Classifying reports with threat levels and TLP markings for controlled distribution
  • Searching and retrieving reports within user-scoped and organisation-scoped boundaries
  • Linking report profiles to the broader entity relationship graph for cross-referencing

Integration

The Report domain connects with the profile system, investigation management, intelligence analysis, and report generation services.

Open Standards

  • STIX 2.1 (OASIS): Intelligence reports are serialised as STIX 2.1 Report SDOs (type: "report", spec_version: "2.1") and exported via a bidirectional adapter that maps Argus report fields to the full SDO schema.
  • TLP v2 (FIRST Traffic Light Protocol): Every report carries a STIX object_marking_refs entry using the canonical TLP marking-definition UUIDs (WHITE, GREEN, AMBER, AMBER+STRICT, RED, CLEAR), controlling distribution at ingest and export.
  • TAXII 2.1 (OASIS): Report bundles are received from and published to TAXII 2.1 collection endpoints, with configurable poll intervals and per-feed authentication tokens.
  • GraphQL (June 2018 specification): All report queries (listReports, getReport) and profile types are defined as strongly-typed GraphQL schema objects served over a Strawberry GraphQL layer.
  • OAuth 2.0 / JWT (RFC 7519): Every GraphQL report resolver enforces IsAuthenticated, which verifies RS256-signed JWTs issued via an OAuth 2.0 JWKS endpoint before any report data is returned.
  • ISO 8601: All temporal fields, created_at, updated_at, published_date, and retrieved_date, are stored and exchanged as timezone-aware UTC timestamps in ISO 8601 format.
  • NATO Security Policy C-M(2002)49 / EU classification: The secrecy-level model maps TLP markings onto a unified rank alongside NATO COSMIC and EU classification tiers (RESTRICTED through TOP SECRET), enabling cross-domain clearance comparisons on report access.
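
To illustrate the STIX 2.1 and TLP entries above, the following added example (not Argus code) resolves a Report SDO's TLP from object_marking_refs and applies a fail-closed export check against a feed's TLP ceiling. The function names, the feed ceiling parameter, the "most restrictive marking wins" rule and the sample report are assumptions; only the four TLP marking-definition IDs fixed in the STIX 2.1 specification are included, so a report carrying any other marking alone is denied.

```python
# Added example: fail-closed TLP export gate for STIX 2.1 Report SDOs.
# The four marking-definition IDs are the TLP ones fixed by the STIX 2.1 spec.
TLP_RANK = {
    "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9": ("TLP:WHITE", 0),
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da": ("TLP:GREEN", 1),
    "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82": ("TLP:AMBER", 2),
    "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed": ("TLP:RED", 3),
}
LABEL_RANK = {label: rank for label, rank in TLP_RANK.values()}


def effective_tlp(report: dict) -> str:
    """Return the most restrictive TLP label on a Report SDO, or raise."""
    if report.get("type") != "report" or report.get("spec_version") != "2.1":
        raise ValueError("not a STIX 2.1 Report SDO")
    hits = [TLP_RANK[ref] for ref in report.get("object_marking_refs", [])
            if ref in TLP_RANK]
    if not hits:
        raise ValueError("no recognised TLP marking")  # fail closed
    return max(hits, key=lambda h: h[1])[0]


def may_export(report: dict, feed_max_tlp: str) -> bool:
    """Allow export only if the report's TLP does not exceed the feed ceiling."""
    try:
        label = effective_tlp(report)
    except ValueError:
        return False
    # An unknown ceiling maps to -1, so nothing is exported to that feed.
    return LABEL_RANK[label] <= LABEL_RANK.get(feed_max_tlp, -1)


# Constructed sample report (IDs and content are illustrative, not real data).
SAMPLE_REPORT = {
    "type": "report",
    "spec_version": "2.1",
    "id": "report--11111111-2222-4333-8444-555555555555",
    "created": "2026-02-05T09:00:00Z",
    "modified": "2026-02-05T09:00:00Z",
    "name": "Constructed financial crime findings",
    "published": "2026-02-05T09:00:00Z",
    "object_refs": ["identity--aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"],
    "object_marking_refs": [
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
    ],
}

if __name__ == "__main__":
    print(effective_tlp(SAMPLE_REPORT), may_export(SAMPLE_REPORT, "TLP:GREEN"))
```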

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
