Knogin
[Developers]

Partner Orchestration

An investigator tracing a fraud network needs blockchain transaction history, corporate registry records, and a sanctions check in the same session. Without partner orchestration, that means three separate logins, three

Back to All Modules
Category: ModulesLast Updated: Feb 23, 2026
modulesreal-timecomplianceblockchain

Overview#

An investigator tracing a fraud network needs blockchain transaction history, corporate registry records, and a sanctions check in the same session. Without partner orchestration, that means three separate logins, three different result formats, and no automatic cross-referencing. With Argus Partner Orchestration, a single query fans out to the relevant providers simultaneously and returns normalised, deduplicated results in a unified view.

The module connects investigations with over 153 intelligence providers, enrichment services, and government databases through a single integration platform. It handles the complexity of diverse authentication mechanisms, data formats, rate limits, and service agreements across all partner systems. Financial crime units, organised crime investigators, and corporate intelligence teams all depend on this layer to access threat intelligence, blockchain analytics, identity verification, social media, and financial intelligence without managing individual provider integrations.

Key Features#

  • Unified Partner Access: Single interface to 153 intelligence providers spanning threat intelligence, blockchain analytics, identity verification, big data platforms, social media, government databases, and financial intelligence. Investigators access all sources without managing individual provider interfaces.
  • Authentication Abstraction: Manages diverse authentication mechanisms including API keys, OAuth, certificates, and session-based authentication across all partner systems. Credentials are stored with tenant-level encryption and never shared across organisations.
  • Data Normalisation: Translates heterogeneous partner response formats into consistent schemas for unified analysis and cross-provider correlation. Raw provider responses are preserved for audit purposes alongside normalised output.
  • Rate Limit Management: Automated request throttling, queuing, and retry logic across all providers ensures reliable data access within partner service agreements, preventing quota exhaustion during intensive investigations.
  • Cost Tracking: Per-query cost monitoring, budget controls, and usage analytics across all partner providers support financial management and help teams stay within approved spending limits.
  • Partner Health Monitoring: Real-time availability tracking, response time measurement, and automatic failover for partner services with degradation alerts, so investigators know when a provider is unreliable before building a case on its output.
  • Credential Security: Encrypted storage and management of partner API credentials with tenant-level isolation and access controls. Credential access is logged to the audit trail.
  • Query Optimisation: Intelligent routing selects the most appropriate provider combination based on query type, coverage requirements, and cost constraints, avoiding unnecessary calls to expensive providers when cheaper alternatives suffice.

Use Cases#

  • Multi-Source Investigation: Access intelligence from multiple providers simultaneously during investigations without switching between systems or managing individual provider interfaces.
  • Entity Enrichment: Automatically enrich investigation entities with data from relevant partners including identity records, threat intelligence, blockchain analysis, and social media profiles.
  • Government Database Access: Query NICS, NCIC, DMV, court records, and other government databases through standardised interfaces with appropriate access controls and audit logging.
  • Financial Intelligence: Connect investigations with SWIFT, correspondent banks, payment processors, and financial intelligence providers for money trail analysis.
  • Threat Intelligence Fusion: Aggregate threat data from multiple commercial and government providers into unified intelligence products for investigation support.

Integration#

The module serves as the partner connectivity layer for the Argus platform, providing all investigation, enrichment, and intelligence modules with access to external data sources. All partner query activity is logged to PostgreSQL with userId, organizationId, action, timestamp, and resourceId for RBAC and compliance audit purposes. Supports Enterprise and Professional plan configurations with partner-specific licensing and credential management.

Open Standards#

  • OASIS STIX 2.1: Threat intelligence objects received from and exported to partner providers are parsed and serialised as STIX 2.1 Structured Threat Information Expression bundles, preserving SDO types (indicator, threat-actor, malware, attack-pattern, vulnerability, relationship) and their relationships.
  • OASIS TAXII 2.1: The platform connects to external threat intelligence feeds via TAXII 2.1 collection discovery, paginated object polling, and bundle push, using the standard application/taxii+json;version=2.1 media type.
  • MITRE ATT&CK: Threat intelligence enrichment maps partner-sourced attack behaviours to MITRE ATT&CK technique IDs (e.g. T1566), enabling TTP overlap scoring against known threat actor profiles during multi-source investigations.
  • Traffic Light Protocol (TLP): Partner-sourced intelligence objects carry TLP marking-definitions (TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT, TLP:RED) as defined in the STIX 2.1 specification, which are resolved to platform secrecy levels at ingest.
  • OAuth 2.0 (RFC 6749): OAuth 2.0 is one of the supported authentication mechanisms managed by the platform's credential abstraction layer when connecting to partner APIs that require delegated authorisation flows.
  • GraphQL (June 2018 specification): The entire partner orchestration surface, task creation, status queries, performance metrics, and real-time intelligence streaming, is exposed through GraphQL queries, mutations, and subscriptions with tenant-scoped access control.
  • ISO 8601: All partner task lifecycle timestamps (created_at, started_at, completed_at) and audit records are serialised in ISO 8601 format, ensuring interoperability with downstream analysis and compliance tooling.

Last Reviewed: 2026-02-23 Last Updated: 2026-04-14

Ready to Build?

Get started with our APIs or contact our integration team for support.