Overview
The French ANSSI's OpenCTI instance maintains one of the most comprehensive structured threat actor catalogues in European open-source intelligence. When Argus analysts working a suspected APT intrusion need to verify whether the observed TTPs match any tracked intrusion sets, they sync the relevant OpenCTI entities directly into the Argus investigation context. Attack patterns, associated malware, and campaign history arrive pre-linked in the STIX 2.1 graph model. What would have required three browser tabs and manual note-taking becomes a single integration query that populates the investigation graph automatically.
Argus connects to OpenCTI (Open Cyber Threat Intelligence), the open-source threat intelligence management platform backed by the French ANSSI and Luatix. OpenCTI structures intelligence using the STIX 2.1 data model and provides a GraphQL API for querying threat actors, campaigns, indicators, attack patterns, and relationships. The Argus integration pulls entity data from connected OpenCTI instances and surfaces it within investigation, alert enrichment, and threat actor tracking workflows, making the full depth of structured STIX intelligence available at the point of operational use.
Diagram

```mermaid
flowchart LR
A[ANSSI OpenCTI Instance] --> E[Argus OpenCTI Connector]
B[Internal OpenCTI Instance] --> E
C[Partner OpenCTI Feed] --> E
E --> F[STIX 2.1 Entity Parse]
E --> G[Clearance Tag Assignment]
E --> H[Audit Record Generation]
F --> I[PostgreSQL Entity Store]
I --> J[Investigation Attribution]
I --> K[ATT&CK Coverage Mapping]
I --> L[Sigma Rule Gap Analysis]
```

Key Features
Entity Synchronisation
Sync OpenCTI entities, including indicators, malware, threat actors, intrusion sets, and campaigns, into Argus via the syncOpenctiEntity mutation. The fetch_opencti_data client connects to the OpenCTI GraphQL API, retrieves the entity payload, and persists records to PostgreSQL scoped to the organisation. Each sync generates an interop ingest audit entry satisfying EDF Golden Rule 15, providing a complete lineage record of where intelligence entered the platform.
Clearance-Filtered Entity Listing
Query the OpenCTI entity inventory via openctiEntities with optional limits on returned results. Row-level secrecy filtering prevents lower-clearance users from accessing entities tagged at higher classification levels. This is important when a single OpenCTI instance aggregates intelligence across multiple trust domains, as is common in national CERT and defence community deployments.
Stats and Coverage View
The openctiStats query returns entity counts by type, giving threat intelligence analysts a dashboard-level view of what intelligence categories are currently populated from the connected OpenCTI platform without loading the full entity list. This supports regular coverage reviews where teams assess whether their OpenCTI synchronisation is keeping pace with the live intelligence picture.
Multi-Instance Support
Each syncOpenctiEntity call accepts connection details for the target OpenCTI instance, allowing an organisation to pull from different OpenCTI deployments, for example a national CERT instance and an internal instance, and consolidate their entity sets within one Argus tenant. This flexibility accommodates the layered OpenCTI architectures used by organisations that participate in both national and sector-specific intelligence sharing communities.
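The four features above (pulling entities over GraphQL, tagging them with a clearance and filtering rows by the caller's level, counting by entity type, and consolidating several instances while keeping an ingest audit record per source) fit together as one small pipeline. The following is an added example written for this page, not Argus or OpenCTI project code: the GraphQL query shape follows OpenCTI's stixCoreObjects connection as the author understands the 5.x schema, the clearance vocabulary and the TLP-to-clearance mapping are assumptions, and the transport is injected so the module runs offline against constructed sample data.

```python
"""OpenCTI entity sync: fetch, clearance-tag, row-level filter, per-type stats,
and an ingest audit record per source instance (added example, not Argus code)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Assumed clearance ladder; the page does not give Argus's real tag vocabulary.
CLEARANCE_RANK = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}

# Assumed mapping from OpenCTI marking definitions onto those clearance tags.
MARKING_TO_CLEARANCE = {
    "TLP:CLEAR": "UNCLASSIFIED", "TLP:GREEN": "RESTRICTED",
    "TLP:AMBER": "CONFIDENTIAL", "TLP:AMBER+STRICT": "CONFIDENTIAL", "TLP:RED": "SECRET",
}

# Field names are the author's understanding of the OpenCTI 5.x schema; verify
# them in your instance's GraphQL playground before relying on them.
ENTITY_QUERY = """
query Entities($first: Int) {
  stixCoreObjects(first: $first) {
    edges { node { standard_id entity_type
                   objectMarking { edges { node { definition } } } } }
  }
}"""

Transport = Callable[[str, dict], dict]  # (query, variables) -> decoded JSON body


@dataclass(frozen=True)
class Entity:
    standard_id: str
    entity_type: str
    clearance: str
    source_instance: str


@dataclass(frozen=True)
class AuditRecord:
    source_instance: str
    org_id: str
    entity_count: int
    payload_sha256: str
    ingested_at: str


def clearance_for(node: dict) -> str:
    """Most restrictive clearance implied by the node's markings; unmarked or
    unknown markings fail closed to SECRET rather than leaking downward."""
    defs = [e["node"]["definition"] for e in node.get("objectMarking", {}).get("edges", [])]
    tags = [MARKING_TO_CLEARANCE.get(d, "SECRET") for d in defs] or ["SECRET"]
    return max(tags, key=CLEARANCE_RANK.__getitem__)


def sync_opencti_entities(transport: Transport, instance_url: str, org_id: str, limit: int = 100):
    """One syncOpenctiEntity-style pull: fetch, tag, and emit the audit record
    that ties every stored row back to the instance it came from."""
    response = transport(ENTITY_QUERY, {"first": limit})
    nodes = [e["node"] for e in response["data"]["stixCoreObjects"]["edges"]]
    entities = [Entity(n["standard_id"], n["entity_type"], clearance_for(n), instance_url) for n in nodes]
    digest = hashlib.sha256(json.dumps(response, sort_keys=True).encode()).hexdigest()
    audit = AuditRecord(instance_url, org_id, len(entities), digest,
                        datetime.now(timezone.utc).isoformat())
    return entities, audit


def sync_all(instances, org_id: str):
    """Multi-instance consolidation: each (url, transport) pair is synced on its
    own so entities keep their lineage and each source gets its own audit row."""
    entities, audits = [], []
    for url, transport in instances:
        ents, audit = sync_opencti_entities(transport, url, org_id)
        entities.extend(ents)
        audits.append(audit)
    return entities, audits


def visible_entities(entities, user_clearance: str, limit: Optional[int] = None):
    """openctiEntities-style listing with row-level secrecy filtering."""
    rank = CLEARANCE_RANK[user_clearance]
    rows = [e for e in entities if CLEARANCE_RANK[e.clearance] <= rank]
    return rows if limit is None else rows[:limit]


def entity_stats(entities) -> dict:
    """openctiStats-style counts by entity type, without returning the rows."""
    counts: dict = {}
    for e in entities:
        counts[e.entity_type] = counts.get(e.entity_type, 0) + 1
    return dict(sorted(counts.items()))


def _fake_transport(nodes) -> Transport:
    """Constructed offline transport. A real one would POST {query, variables}
    to <instance>/graphql with an 'Authorization: Bearer <token>' header."""
    def transport(query, variables):
        return {"data": {"stixCoreObjects": {"edges": [{"node": n} for n in nodes[: variables["first"]]]}}}
    return transport


def _node(standard_id, entity_type, *definitions):
    return {"standard_id": standard_id, "entity_type": entity_type,
            "objectMarking": {"edges": [{"node": {"definition": d}} for d in definitions]}}


# Constructed sample data standing in for a national CERT instance and an
# internal instance; IDs are placeholders, not real OpenCTI objects.
SAMPLE_INSTANCES = [
    ("https://opencti.national.example/graphql", _fake_transport([
        _node("intrusion-set--00000000-0000-4000-8000-000000000001", "Intrusion-Set", "TLP:AMBER"),
        _node("malware--00000000-0000-4000-8000-000000000002", "Malware", "TLP:GREEN"),
        _node("attack-pattern--00000000-0000-4000-8000-000000000003", "Attack-Pattern", "TLP:CLEAR"),
    ])),
    ("https://opencti.internal.example/graphql", _fake_transport([
        _node("indicator--00000000-0000-4000-8000-000000000004", "Indicator", "TLP:RED"),
        _node("campaign--00000000-0000-4000-8000-000000000005", "Campaign"),  # unmarked: fails closed
    ])),
]
```

Two choices are worth noting. Clearance is derived per row at ingest and stored on the entity, so the listing filter never has to re-read marking definitions from OpenCTI; and an entity with no marking, or a marking the mapping does not know, is tagged SECRET rather than UNCLASSIFIED, because the cost of hiding a row from a low-clearance user is far lower than the cost of exposing one.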
Use Cases
- Threat Actor Library: Pull the threat actor and intrusion set catalogue from an ANSSI-operated OpenCTI instance to populate the Argus threat actor reference library used in investigation attribution workflows. Analysts get access to ANSSI's structured threat intelligence without needing direct OpenCTI access or manual data export.
- MITRE ATT&CK Integration: OpenCTI's ATT&CK-enriched entity data provides technique-to-actor mappings that Argus surfaces alongside Sigma rule coverage, letting analysts identify detection gaps for specific threat actors and prioritise new rule development accordingly.
- Cross-Platform Intelligence Lifecycle: Use Argus for operational case management and OpenCTI as the strategic intelligence repository, syncing curated entities in one direction while case-derived indicators flow back through STIX export. This division of responsibilities plays to each platform's strengths without duplicating data management overhead.
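The MITRE ATT&CK use case above is a set-difference problem: techniques attributed to an actor minus techniques some Sigma rule claims to detect. The following is an added example, not Argus code. The actor-to-technique data is constructed in the flattened shape an OpenCTI intrusion-set "uses" attack-pattern relationship would yield, and the Sigma rules are constructed dicts in the shape yaml.safe_load produces from a rule file; Sigma's attack.tNNNN.NNN tag convention is real. It goes slightly beyond the text by distinguishing a sub-technique covered only at parent level from an outright gap, and by excluding experimental rules from the credited coverage.

```python
"""ATT&CK detection-gap analysis: actor techniques (from OpenCTI) versus the
techniques tagged on a Sigma rule set (added example, not Argus code)."""
import re
from collections import Counter

# Sigma tags ATT&CK techniques as attack.t1059.001 (case varies in practice).
_ATTACK_TAG = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)", re.IGNORECASE)

# Constructed: intrusion set name -> technique IDs, as flattened from OpenCTI
# "uses" relationships to attack patterns (x_mitre_id on the attack pattern).
ACTOR_TECHNIQUES = {
    "Example Set One": {"T1059.001", "T1566.001", "T1078", "T1021.002"},
    "Example Set Two": {"T1566.001", "T1059.003"},
}

# Constructed Sigma rules, shaped like yaml.safe_load output; only tags/status matter.
SIGMA_RULES = [
    {"title": "Encoded PowerShell Command Line", "status": "stable",
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Logon From Unusual Host", "status": "experimental",
     "tags": ["attack.defense_evasion", "attack.T1078"]},
    {"title": "Remote Service Created", "status": "test",
     "tags": ["attack.lateral_movement", "attack.t1021"]},
]


def techniques_in_rule(rule: dict) -> set:
    """Technique IDs tagged on one rule, normalised to upper case."""
    found = set()
    for tag in rule.get("tags", []):
        m = _ATTACK_TAG.fullmatch(tag)
        if m:
            found.add(m.group(1).upper())
    return found


def coverage_index(rules, include_experimental: bool = True) -> dict:
    """technique ID -> sorted rule titles. Experimental rules can be excluded so
    a gap review only credits detections that are actually in production."""
    index: dict = {}
    for rule in rules:
        if not include_experimental and rule.get("status") == "experimental":
            continue
        for tid in techniques_in_rule(rule):
            index.setdefault(tid, []).append(rule["title"])
    return {k: sorted(v) for k, v in index.items()}


def classify(technique: str, index: dict) -> str:
    """covered: a rule tags this exact ID; partial: only the parent of a
    sub-technique is tagged; gap: no rule at all."""
    if technique in index:
        return "covered"
    if "." in technique and technique.split(".")[0] in index:
        return "partial"
    return "gap"


def actor_coverage(actor: str, actors: dict, index: dict) -> dict:
    """Per-actor report, the view an analyst wants when attributing an intrusion."""
    report = {"covered": [], "partial": [], "gap": []}
    for tid in sorted(actors[actor]):
        report[classify(tid, index)].append(tid)
    return report


def prioritised_gaps(actors: dict, index: dict) -> list:
    """Uncovered techniques ranked by how many tracked actors use them, so new
    rule development starts where it closes the most exposure; ties by ID."""
    counts: Counter = Counter()
    for techniques in actors.values():
        for tid in techniques:
            if classify(tid, index) == "gap":
                counts[tid] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Running `actor_coverage("Example Set One", ACTOR_TECHNIQUES, coverage_index(SIGMA_RULES))` reports T1021.002 as partial because only the parent T1021 is tagged; treating that as fully covered is a common way coverage dashboards overstate readiness, which is why the classification keeps it separate.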
Integration
Available via GraphQL: openctiEntities, openctiStats (queries); syncOpenctiEntity (mutation). All operations require authentication and organisation scoping.
Compatible with the OpenCTI GraphQL API, version 5.x and above. Works alongside MISP (complementary threat sharing), STIX/TAXII (shared data model and exchange protocol), and TheHive (incident case correlation).
Last Reviewed: 2026-03-18 Last Updated: 2026-04-14