Overview
During a multinational cyber exercise involving NATO member states, each participating nation needed to share threat indicators in real time without exposing proprietary intelligence formats or requiring bespoke bilateral integrations. The answer was STIX/TAXII: a single open standard that every participant's platform could consume. Argus pulled fresh STIX bundles from the exercise TAXII server every five minutes, ingesting threat actor profiles, campaign indicators, and attack patterns into each participant's operational workspace. When an analyst at one national SOC identified a new C2 indicator, they exported it as a signed STIX bundle and pushed it back to the collection within minutes. Every other participant's platform had the indicator before the debrief ended.
Argus implements full STIX 2.1 (Structured Threat Information eXpression) and TAXII 2.1 (Trusted Automated eXchange of Intelligence Information) support, enabling standards-compliant threat intelligence exchange with national CERTs, ISACs, and defence intelligence networks. STIX bundles can be ingested from TAXII channels, imported directly, or exported as signed packages for sharing with partner organisations, all with Neo4j graph replication for relationship traversal alongside PostgreSQL as the source of truth.
Key Features
STIX 2.1 Bundle Ingestion
Import complete STIX 2.1 bundles from JSON, submitted directly or received via TAXII channel polling. The ingestion pipeline uses the parse_stix_bundle adapter to extract indicators, reports, threat actors, campaigns, attack patterns, and relationships from the bundle. Each STIX object is persisted to PostgreSQL and, where relationships exist, replicated to Neo4j for graph analysis. Every ingest event generates an EDF interop audit record, providing complete data lineage from source bundle to operational indicator.
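The shape of a bundle parser like the one described above, as an added example that is not Argus's own parse_stix_bundle: it validates the bundle and object identifiers, rejects malformed objects instead of dropping them silently, flags relationships whose endpoints are missing from the bundle, and emits a lineage record. The ingested type list, the audit record layout and the sample bundle are all assumptions constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# STIX 2.1 identifiers are "<type>--<UUID>"; the bundle object itself has type "bundle".
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Object types this hypothetical pipeline persists; anything else is reported, never dropped silently.
INGESTED_TYPES = ("indicator", "report", "threat-actor", "campaign", "attack-pattern", "relationship")

def parse_stix_bundle(raw: str, source: str) -> dict:
    """Validate a STIX 2.1 bundle, split its objects by type, and build a lineage (audit) record."""
    bundle = json.loads(raw)
    if bundle.get("type") != "bundle" or not STIX_ID_RE.match(bundle.get("id", "")):
        raise ValueError("not a STIX 2.1 bundle")
    by_type = {t: [] for t in INGESTED_TYPES}
    rejected, seen = [], set()
    for obj in bundle.get("objects", []):
        oid, otype = obj.get("id", ""), obj.get("type", "")
        # The id must be well-formed and agree with the type prefix, and the object must be spec_version 2.1.
        if not STIX_ID_RE.match(oid) or not oid.startswith(otype + "--") or obj.get("spec_version") != "2.1":
            rejected.append(oid or "<no id>")
        elif oid in seen or otype not in by_type:
            rejected.append(oid)  # duplicate id within one bundle, or a type not ingested here
        else:
            seen.add(oid)
            by_type[otype].append(obj)
    # Relationships whose endpoints are absent from the bundle cannot be replicated to the graph as-is.
    dangling = [r["id"] for r in by_type["relationship"]
                if r.get("source_ref") not in seen or r.get("target_ref") not in seen]
    audit = {  # interop audit record: what came from where, when, and what was kept or refused
        "source": source, "bundle_id": bundle["id"],
        "ingested_at": datetime.now(timezone.utc).isoformat(),
        "counts": {t: len(v) for t, v in by_type.items() if v},
        "rejected": rejected, "dangling_relationships": dangling,
    }
    return {"objects": by_type, "audit": audit}

# Constructed sample bundle (no real intelligence): an indicator, a threat actor, the relationship
# between them, and one malformed object that the parser must refuse.
T = "2026-03-01T00:00:00.000Z"
IND, ACTOR = "indicator--22222222-2222-4222-8222-222222222222", "threat-actor--33333333-3333-4333-8333-333333333333"
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": IND, "created": T, "modified": T, "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": T},
    {"type": "threat-actor", "spec_version": "2.1", "id": ACTOR, "created": T, "modified": T, "name": "EXERCISE-ACTOR-1"},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--44444444-4444-4444-8444-444444444444",
     "created": T, "modified": T, "relationship_type": "indicates", "source_ref": IND, "target_ref": ACTOR},
    {"type": "indicator", "id": "indicator--not-a-uuid", "pattern": "[url:value = 'x']"},
]})
```

The dangling-relationship list is what a graph replication step would need to resolve against objects already in the store before writing edges.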
TAXII 2.1 Channel Polling
Configure named TAXII feed endpoints with collection IDs and API root URLs. The pollTaxiiFeed mutation connects to the TAXII server, retrieves the latest manifest, downloads the objects added since the last poll, and ingests the bundle contents. Feed configurations are stored per organisation and support both token-based and certificate-based authentication. The last-polled timestamp is tracked to prevent duplicate ingestion on subsequent polls, ensuring idempotent operation across scheduled and on-demand synchronisation cycles.
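The watermark logic behind an idempotent poll, as an added example rather than Argus's pollTaxiiFeed: a constructed in-memory stand-in for a TAXII 2.1 collection honours the added_after filter, and the poller advances last_polled to the newest date_added the server reported instead of the local clock. The FakeTaxiiCollection class, the feed_config and store shapes, and the feed contents are all assumptions made for the example.

```python
from datetime import datetime, timezone

def _ts(s: str) -> datetime:  # TAXII 2.1 timestamps: RFC 3339 with millisecond precision, UTC
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

class FakeTaxiiCollection:
    """Constructed stand-in for one TAXII 2.1 collection (manifest and objects endpoints).
    Like a real server it treats added_after as 'date_added strictly greater than'."""
    def __init__(self, records):  # records: list of (date_added, stix_object)
        self.records = records
    def _since(self, added_after):
        return [(d, o) for d, o in self.records if added_after is None or _ts(d) > _ts(added_after)]
    def get_manifest(self, added_after=None):
        return {"objects": [{"id": o["id"], "date_added": d, "version": o["modified"]}
                            for d, o in self._since(added_after)]}
    def get_objects(self, added_after=None):
        return {"objects": [o for _, o in self._since(added_after)]}

def poll_taxii_feed(collection, feed_config: dict, store: dict) -> list:
    """Fetch only objects added since feed_config['last_polled'], upsert them into store
    (keyed by STIX id, newest 'modified' wins) and advance the watermark. Returns ingested ids."""
    since = feed_config.get("last_polled")
    manifest = collection.get_manifest(added_after=since)["objects"]
    if not manifest:
        return []  # nothing new: watermark unchanged, nothing re-ingested
    ingested = []
    for obj in collection.get_objects(added_after=since)["objects"]:
        current = store.get(obj["id"])
        if current is None or current["modified"] < obj["modified"]:
            store[obj["id"]] = obj
            ingested.append(obj["id"])
    # Advance the watermark to the newest date_added the server reported, not to the local clock,
    # so an object the server adds between the two timestamps is not skipped on the next poll.
    feed_config["last_polled"] = max(m["date_added"] for m in manifest)
    return ingested

# Constructed feed contents (no real intelligence). NEWER_A is a later version of the first
# indicator; append it to FEED.records between two polls to watch the watermark advance.
IND_A = "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
IND_B = "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
FEED = FakeTaxiiCollection([
    ("2026-03-01T10:00:00.000Z", {"type": "indicator", "id": IND_A, "modified": "2026-03-01T09:00:00.000Z",
                                  "pattern": "[domain-name:value = 'c2.example']"}),
    ("2026-03-01T10:05:00.000Z", {"type": "indicator", "id": IND_B, "modified": "2026-03-01T10:00:00.000Z",
                                  "pattern": "[ipv4-addr:value = '203.0.113.9']"}),
])
NEWER_A = ("2026-03-01T10:30:00.000Z", {"type": "indicator", "id": IND_A, "modified": "2026-03-01T10:25:00.000Z",
                                        "pattern": "[domain-name:value = 'c2.example']", "revoked": True})
```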
STIX Bundle Export
Argus threat intelligence can be exported as standards-compliant STIX 2.1 bundles via the exportStixBundle mutation. The adapter converts Argus entities, including indicators and intelligence records, to STIX indicator and report objects, assembles them into a valid bundle, and returns the serialised JSON. Exported bundles are ready for direct submission to partner TAXII servers or delivery via Eurydice data diode for cross-domain transfers to higher-classification networks.
Argus Entity to STIX Mapping
The argus_entity_to_stix_indicator and argus_intel_to_stix_report adapter functions map Argus domain objects to their STIX 2.1 counterparts. Indicators carry STIX pattern expressions; intelligence reports carry external references and confidence scores. This bidirectional mapping ensures round-trip fidelity when ingesting and re-exporting intelligence, preventing data loss or structural degradation across sharing cycles.
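A round-trip entity-to-indicator mapping in the spirit of the adapter above, as an added example rather than Argus's own argus_entity_to_stix_indicator: it derives a deterministic STIX id from the entity id so re-exports do not fork new objects, escapes the value inside the STIX pattern literal, carries Argus-only fields in x_-prefixed custom properties, and refuses patterns it cannot represent on the way back. The entity schema, the kind-to-path table and the custom property names are assumptions.

```python
import re
import uuid

# Assumed Argus indicator kinds and the STIX pattern path each maps to (not the project's real table).
KIND_TO_PATH = {"ipv4": "ipv4-addr:value", "domain": "domain-name:value",
                "url": "url:value", "sha256": "file:hashes.'SHA-256'"}
PATH_TO_KIND = {v: k for k, v in KIND_TO_PATH.items()}
ARGUS_NS = uuid.NAMESPACE_DNS  # stands in for a per-deployment UUID namespace
PATTERN_RE = re.compile(r"^\[(.+?) = '((?:[^'\\]|\\.)*)'\]$")  # single-comparison patterns only

def _escape(v: str) -> str:  # STIX string literals escape backslash and single quote
    return v.replace("\\", "\\\\").replace("'", "\\'")

def _unescape(v: str) -> str:
    return re.sub(r"\\(.)", r"\1", v)

def argus_entity_to_stix_indicator(ent: dict) -> dict:
    """Argus indicator entity -> STIX 2.1 indicator. The STIX id is derived deterministically
    from the entity id, so exporting the same entity twice does not fork two STIX objects."""
    path = KIND_TO_PATH[ent["kind"]]  # KeyError for a kind with no STIX representation
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(ARGUS_NS, ent['id'])}",
        "created": ent["first_seen"], "modified": ent["last_seen"],
        "pattern_type": "stix", "pattern": f"[{path} = '{_escape(ent['value'])}']",
        "valid_from": ent["first_seen"], "confidence": ent["confidence"],
        "x_argus_entity_id": ent["id"],  # custom (x_-prefixed) properties carry Argus-only fields
        "x_argus_secrecy_level": ent["secrecy_level"],
    }

def stix_indicator_to_argus_entity(ind: dict) -> dict:
    """Reverse mapping; refuses patterns this mapper cannot represent instead of guessing."""
    if ind.get("pattern_type", "stix") != "stix":
        raise ValueError("pattern language is not STIX")
    m = PATTERN_RE.match(ind["pattern"])
    if not m or m.group(1) not in PATH_TO_KIND:
        raise ValueError(f"unsupported pattern: {ind['pattern']}")
    return {"id": ind.get("x_argus_entity_id", ind["id"]), "kind": PATH_TO_KIND[m.group(1)],
            "value": _unescape(m.group(2)), "first_seen": ind["valid_from"], "last_seen": ind["modified"],
            "confidence": ind.get("confidence"), "secrecy_level": ind.get("x_argus_secrecy_level", "UNKNOWN")}

# Constructed entity whose value contains a quote, which must survive the pattern literal round trip.
SAMPLE_ENTITY = {"id": "argus-ind-0042", "kind": "url", "value": "http://203.0.113.9/o'reilly?x=1",
                 "first_seen": "2026-03-01T09:00:00.000Z", "last_seen": "2026-03-02T09:00:00.000Z",
                 "confidence": 75, "secrecy_level": "RESTRICTED"}
```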
SecrecyLevel-Aware Access
Individual STIX objects carry secrecy_level tags. The filter_rows_by_clearance utility enforces that users can only retrieve objects at or below their clearance level, satisfying EDF data sovereignty requirements for multi-classification intelligence sharing in coalition environments. This allows a single Argus deployment to serve analysts at different classification levels from a unified STIX object store without cross-domain contamination.
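A fail-closed clearance filter of the kind described above, as an added example rather than Argus's own filter_rows_by_clearance: rows with a missing or unrecognised secrecy_level are withheld rather than served by default, an unrecognised user clearance sees nothing, and only a count of withheld rows is returned so the caller learns nothing about what exists above their level. The level labels and the sample store are assumptions.

```python
# Ordered secrecy levels, lowest first (assumed labels; a deployment's own enum may differ).
LEVELS = ("UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}

def filter_rows_by_clearance(rows, user_clearance, level_key="secrecy_level"):
    """Return (kept_rows, withheld_count). Kept rows are those tagged at or below the user's clearance.
    Fails closed: a row with a missing or unrecognised tag is withheld, and an unrecognised
    user clearance sees nothing. Only a count of withheld rows is returned, never their ids,
    so a low-clearance caller cannot enumerate objects above their level."""
    allowed = RANK.get(user_clearance, -1)
    kept, withheld = [], 0
    for row in rows:
        rank = RANK.get(row.get(level_key))  # None for absent, misspelled, or wrong-case tags
        if rank is not None and rank <= allowed:
            kept.append(row)
        else:
            withheld += 1
    return kept, withheld

# Constructed STIX object store: one row per level plus two malformed tags that must never leak.
STORE = [
    {"id": "indicator--u", "secrecy_level": "UNCLASSIFIED"},
    {"id": "indicator--r", "secrecy_level": "RESTRICTED"},
    {"id": "indicator--c", "secrecy_level": "CONFIDENTIAL"},
    {"id": "indicator--s", "secrecy_level": "SECRET"},
    {"id": "indicator--missing"},                           # no tag at all
    {"id": "indicator--typo", "secrecy_level": "Secret"},   # wrong case: treated as unknown
]
```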
Use Cases
- CERT-to-Platform Integration: Subscribe to TAXII collections from CERT-EU or national CERTs and automatically populate the Argus indicator database with fresh intelligence without manual import steps. Automated polling means the indicator database stays current through scheduled synchronisation cycles that require no analyst attention.
- Coalition Intelligence Exchange: Export a curated STIX bundle to a partner nation's TAXII server as part of a Community of Interest (COI) intelligence-sharing agreement. The STIX 2.1 format ensures the bundle is immediately consumable by any STIX-compliant platform the partner operates, regardless of vendor.
- Threat Actor Attribution: Ingest STIX bundles containing threat-actor, campaign, and attack-pattern objects and use the Neo4j graph layer to trace relationships between observed indicators and known adversary groups. Graph traversal surfaces connections that are invisible in flat indicator lists.
- Cross-Domain Classification Transfer: Use the Eurydice domain alongside STIX export to push STIX bundles across data diodes to higher-classification networks, supporting intelligence workflows that span multiple security domains within a single operational chain.
Integration
Available via GraphQL: stixIndicators, stixBundles, taxiiFeedConfigs (queries); ingestStixBundle, pollTaxiiFeed, saveTaxiiFeedConfig, exportStixBundle (mutations). All operations require authentication and organisation scoping.
Compatible with TAXII 2.1 specification and STIX 2.1 specification (OASIS standard). Works alongside the MISP integration, where MISP events can be cross-walked to STIX via the threat intelligence pipeline for organisations that operate both sharing ecosystems simultaneously.
Open Standards
- OASIS STIX 2.1 (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html): the primary wire format for all threat intelligence exchange; every indicator, threat-actor, campaign, attack-pattern, and report object produced or consumed by this module is validated against the OASIS STIX 2.1 normative JSON schemas (https://github.com/oasis-open/cti-stix2-json-schemas), ensuring bundles are interoperable with any STIX-compliant platform without format translation.
- OASIS TAXII 2.1 (https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html): the transport protocol for automated threat intelligence distribution; feed polling, manifest retrieval, and bundle push operations all conform to the TAXII 2.1 REST API specification, making the Argus client compatible with CERT-EU, national CERT, and sector ISAC TAXII servers out of the box.
- MITRE ATT&CK (https://attack.mitre.org/): attack-pattern STIX objects ingested or exported reference ATT&CK technique IDs (e.g. T1566, T1190) as external references, aligning analyst-visible tactic and technique labels to the published MITRE ATT&CK Enterprise and ICS matrices.
- RFC 5652, Cryptographic Message Syntax (CMS) (https://www.rfc-editor.org/rfc/rfc5652): STIX bundle exports intended for cross-domain Eurydice transfer are wrapped as CMS-signed objects, providing a verifiable chain of custody from the exporting Argus instance to the receiving higher-classification network.
- GraphQL (June 2018 specification) (https://spec.graphql.org/June2018/): all STIX/TAXII operations, stixIndicators, stixBundles, taxiiFeedConfigs, ingestStixBundle, pollTaxiiFeed, saveTaxiiFeedConfig, and exportStixBundle, are exposed through a standards-compliant GraphQL schema, giving downstream tools a single typed contract regardless of the underlying intelligence format.
- JSON / RFC 8259 (https://www.rfc-editor.org/rfc/rfc8259): STIX bundles are serialised and exchanged as standards-compliant JSON documents; the ingestion pipeline parses bundle JSON without proprietary encoding, enabling any RFC 8259-compliant tool to produce or consume bundles alongside Argus.
- JSON Web Token (JWT) / RFC 7519 (https://www.rfc-editor.org/rfc/rfc7519): all TAXII feed API calls are authenticated with signed JWT session credentials, providing stateless, verifiable authorisation that is auditable in the EDF interoperability audit trail without reliance on session-side-channel state.
Last Reviewed: 2026-03-18 Last Updated: 2026-04-14