Overview
Connect Argus directly to any OpenCTI instance to bring structured, graph-linked threat intelligence into investigation, alert enrichment, and threat actor tracking workflows without manual data export.
Argus integrates with OpenCTI (Open Cyber Threat Intelligence), the open-source threat intelligence management platform backed by the French ANSSI and Luatix. OpenCTI structures intelligence using the STIX 2.1 data model and exposes a GraphQL API for querying threat actors, campaigns, indicators, attack patterns, and relationships. The Argus integration pulls entity data from one or more connected OpenCTI instances and makes the full depth of structured STIX intelligence available at the point of operational use, within investigation graphs, alert enrichment pipelines, and threat actor attribution workflows.
When analysts working a suspected APT intrusion need to verify whether observed TTPs match any tracked intrusion sets, they can pull the relevant OpenCTI entities directly into their investigation context. Attack patterns, associated malware, and campaign history arrive pre-linked in the STIX 2.1 graph model. What would otherwise require multiple browser tabs and manual note-taking becomes a single query that populates the investigation graph automatically.
Key Features
- Entity synchronisation. Pull OpenCTI entities, including indicators, malware families, threat actors, intrusion sets, and campaigns, into Argus via the platform API. The connector retrieves the entity payload over the OpenCTI GraphQL API and persists records scoped to your organisation. Each synchronisation generates a complete lineage record showing where intelligence entered the platform and under which interoperability standard.
- Clearance-filtered entity listing. Query the OpenCTI entity inventory with optional result limits. Row-level clearance filtering prevents lower-clearance users from accessing entities tagged at higher classification levels, which is important when a single OpenCTI instance aggregates intelligence across multiple trust domains, as is common in national CERT and defence community deployments.
- Coverage and statistics view. Request entity counts broken down by type to get a dashboard-level picture of which intelligence categories are currently populated from the connected OpenCTI platform, without loading the full entity list. This supports regular coverage reviews where teams assess whether their OpenCTI synchronisation is keeping pace with the live intelligence picture.
- Multi-instance support. Each synchronisation call accepts connection details for the target OpenCTI instance, allowing an organisation to pull from different OpenCTI deployments, for example a national CERT instance and an internal instance, and consolidate their entity sets within one Argus tenant. This accommodates the layered OpenCTI architectures used by organisations that participate in both national and sector-specific intelligence sharing communities.
Use Cases
National CERT and Government Security Teams
Pull the threat actor and intrusion set catalogue from an ANSSI-operated or national CERT OpenCTI instance to populate the Argus threat actor reference library used in investigation attribution workflows. Analysts gain access to structured, authoritative threat intelligence without needing direct OpenCTI access or manual data export.
SOC and Detection Engineering
OpenCTI's MITRE ATT&CK-enriched entity data provides technique-to-actor mappings that Argus surfaces alongside Sigma rule coverage, letting detection engineers identify coverage gaps for specific threat actors and prioritise new rule development accordingly.
Strategic and Operational Intelligence Separation
Use Argus for operational case management and OpenCTI as the strategic intelligence repository, synchronising curated entities from OpenCTI into Argus while case-derived indicators flow back through STIX export. This division of responsibilities plays to each platform's strengths without duplicating data management overhead.
Defence and Multi-National Intelligence Sharing
In environments where multiple national or coalition partners operate separate OpenCTI instances, Argus acts as the operational convergence layer, pulling from each instance while maintaining strict tenant and clearance-level isolation between participating organisations.
Integration
The OpenCTI capability is accessible through the Argus GraphQL API using your authenticated tenant session. Available operations include entity listing with optional clearance filtering, entity count statistics by type, and entity synchronisation from any reachable OpenCTI instance.
Synchronisation accepts the target OpenCTI base URL and an API token; the connector queries the OpenCTI GraphQL API, parses the STIX-modelled response, and persists the resulting entities within your organisation's scope. TLP marking is carried through from the source entity and used in clearance-level filtering.
The integration is compatible with OpenCTI 5.x and above. It works alongside the Argus MISP integration (complementary threat sharing), supports the TAXII 2.1 exchange protocol for broader feed ingestion, and correlates with TheHive incident data where case-level context is relevant.
All API operations require OAuth 2.0 authentication and JWT-based authorisation scoped to your tenant. Multi-instance configurations are supported by supplying separate connection parameters per source; all entities are normalised into a unified STIX-aligned model before storage.
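The following is an added example, not code from the Argus documentation or from OpenCTI. It shows the three steps described above for one synchronisation: normalising OpenCTI GraphQL nodes into STIX-aligned records, carrying the TLP marking through into row-level clearance filtering, and writing a lineage record that never contains the API token. The node field shape (`standard_id`, `entity_type`, `objectMarking`), the sample nodes, and the fail-closed default for unmarked entities are assumptions of this example.

```python
from dataclasses import dataclass

# TLP 2.0 levels (FIRST), least to most restrictive; WHITE is the pre-2.0 name
# for CLEAR. Unmarked entities default to RED (fail closed): an assumption of
# this example, not a documented Argus rule.
TLP_ORDER = {"TLP:CLEAR": 0, "TLP:WHITE": 0, "TLP:GREEN": 1,
             "TLP:AMBER": 2, "TLP:AMBER+STRICT": 3, "TLP:RED": 4}
DEFAULT_TLP = "TLP:RED"

@dataclass
class Entity:
    stix_id: str       # STIX 2.1 identifier carried over from OpenCTI
    entity_type: str   # STIX type label, e.g. Intrusion-Set, Malware
    name: str
    tlp: str           # effective TLP marking used for clearance filtering

def normalise(node: dict) -> Entity:
    """Map one OpenCTI GraphQL node (field shape assumed) to a STIX-aligned record."""
    markings = [m["definition"] for m in node.get("objectMarking", [])
                if m.get("definition_type") == "TLP"]
    # several TLP markings on one object: keep the most restrictive one
    rank = lambda m: TLP_ORDER.get(m, TLP_ORDER[DEFAULT_TLP])
    tlp = max(markings, key=rank, default=DEFAULT_TLP)
    return Entity(node["standard_id"], node["entity_type"], node.get("name", ""), tlp)

def visible(entities: list, clearance: str) -> list:
    """Row-level filter: keep only entities marked at or below the caller's clearance."""
    ceiling = TLP_ORDER[clearance]
    return [e for e in entities
            if TLP_ORDER.get(e.tlp, TLP_ORDER[DEFAULT_TLP]) <= ceiling]

def lineage(source_url: str, entities: list) -> dict:
    """Audit record for one sync: source instance, standard, ingested ids (no token)."""
    return {"source": source_url, "standard": "STIX 2.1",
            "count": len(entities), "ids": sorted(e.stix_id for e in entities)}

# Constructed sample nodes standing in for an OpenCTI GraphQL response
SAMPLE_NODES = [
    {"standard_id": "intrusion-set--00000000-0000-4000-8000-000000000001",
     "entity_type": "Intrusion-Set", "name": "Example Set",
     "objectMarking": [{"definition_type": "TLP", "definition": "TLP:AMBER"},
                       {"definition_type": "TLP", "definition": "TLP:GREEN"}]},
    {"standard_id": "malware--00000000-0000-4000-8000-000000000002",
     "entity_type": "Malware", "name": "Example Family",
     "objectMarking": [{"definition_type": "TLP", "definition": "TLP:GREEN"}]},
    {"standard_id": "indicator--00000000-0000-4000-8000-000000000003",
     "entity_type": "Indicator", "name": "unmarked", "objectMarking": []},
]

def sync(source_url: str, clearance: str, nodes: list = SAMPLE_NODES):
    # lineage covers everything ingested; the clearance filter applies at query time
    entities = [normalise(n) for n in nodes]
    return visible(entities, clearance), lineage(source_url, entities)
```

The lineage record is built over all ingested entities, while the clearance filter runs at query time over the same records, matching the query-time enforcement described in the Security & Compliance section.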
Open Standards
- STIX 2.1 (OASIS). The native data model used by OpenCTI; all entities synchronised into Argus carry their STIX identifiers, type labels, and relationship references, preserving graph fidelity across platforms.
- TAXII 2.1 (OASIS). The companion exchange protocol for STIX-based threat intelligence sharing, used when ingesting feeds from TAXII-capable sources alongside direct OpenCTI synchronisation.
- MITRE ATT&CK. The adversary behaviour framework; OpenCTI entities arrive pre-mapped to ATT&CK techniques and tactics, enabling coverage analysis and detection gap identification within Argus.
- Sigma (Open Sigma). Detection rule format surfaced alongside ATT&CK mappings; Argus correlates synchronised OpenCTI technique coverage against the Sigma rule library to highlight detection gaps.
- TLP (Traffic Light Protocol, FIRST). Marking protocol carried on each entity from the source OpenCTI instance; Argus enforces TLP markings through clearance-level filtering so entities reach only appropriately authorised users.
- GraphQL (June 2018 specification). The query and mutation protocol used for both the Argus API and the upstream OpenCTI API; all entity retrieval and synchronisation operations are expressed as standard GraphQL queries and mutations.
- OAuth 2.0 / JWT (RFC 6749 / RFC 7519). Authentication and authorisation layer for all Argus API operations, ensuring every synchronisation and query is bound to an authenticated, tenant-scoped session.
Security & Compliance
All OpenCTI entity data is stored with strict organisation isolation; no entity is visible outside the tenant that ingested it unless explicitly shared through a governed Community of Interest channel. Clearance-level enforcement is applied at query time, ensuring entities tagged at higher classification levels are not returned to users whose clearance does not meet the threshold.
Every synchronisation operation generates an immutable audit record capturing the source instance, the standard used, and the entities ingested, providing a complete and auditable lineage trail for all third-party intelligence entering the platform. This lineage record satisfies the data provenance requirements common in national security and defence audit frameworks.
API tokens for connected OpenCTI instances are held as tenant-scoped secrets and are never logged or exposed through the GraphQL API.
Last Reviewed: 2026-03-18 / Last Updated: 2026-04-14