Unified Operations Graph

Category: Modules
Last Updated: Mar 2, 2026
modules, real-time, geospatial

Overview

An analyst investigating a series of vehicle thefts has case records in the case management module, surveillance observations in the ALPR system, and communications intelligence in a separate tool. None of those systems show that three of the suspects share an address with a fourth person who appeared as a witness in an unrelated robbery six months ago. The Unified Operations Graph surfaces that connection automatically: by linking entities across all platform domains into a single queryable graph, it reveals multi-hop relationships that remain invisible when data stays siloed.

This cross-domain entity correlation layer serves law enforcement intelligence units, corporate security operations centres, and national security analysts who need to understand networks rather than individual data points. Criminal organisations, financial fraud rings, and insider threat actors all operate across multiple domains simultaneously; the graph makes their cross-domain footprint visible in a way that no single-source query can achieve.

Key Features

  • Cross-Domain Entity Linking: Automatically discovers and creates relationships between entities across different platform domains including persons, vehicles, locations, communications, incidents, cases, and intelligence reports. Links are updated as new data enters the platform.
  • Multi-Hop Relationship Traversal: Query the graph to find connections between entities separated by multiple relationship hops, discovering indirect associations not apparent from any single data source. A person linked to a vehicle linked to a location linked to an incident is surfaced in a single graph query.
  • Real-Time Graph Updates: The graph is continuously updated as new data enters the platform, with entity linking and relationship discovery running in near real-time to maintain an accurate operational picture.
  • Temporal Graph Analysis: Query the graph at any point in time to understand how relationships evolved, when connections were established, and how entity networks changed over the course of operations or investigations.
  • Graph Visualisation: Interactive visual exploration of entity networks with configurable layout algorithms, relationship filtering, entity grouping, and drill-down from high-level network views to individual entity details.
  • Pattern Detection: Automated identification of significant graph patterns including hub entities, dense clusters, bridging nodes, and anomalous relationship structures that warrant analyst attention.
  • Federated Graph Queries: Support for graph queries spanning multiple organisational tenants through explicit COI sharing agreements, enabling allied organisations to discover cross-boundary connections while maintaining data sovereignty and organization_id scoping.
  • Graph-Powered Search: Enhances platform search with graph context, surfacing both direct keyword matches and closely connected entities in the graph related to the search results.

Use Cases

  • Criminal Network Analysis: Map the full extent of criminal networks by traversing relationships across communications, financial transactions, surveillance observations, and intelligence reports to identify key players, intermediaries, and organisational structure.
  • Incident Correlation: Discover connections between apparently unrelated incidents by analysing shared entities, temporal patterns, geographic proximity, and modus operandi similarity across the incident graph.
  • Intelligence Fusion: Combine intelligence from multiple sources and domains into a unified picture where analysts can trace how a single entity connects to different intelligence threads, investigations, and operational activities.
  • Operational Planning: Visualise the complete operational environment including personnel, assets, locations, and their relationships to support resource allocation, risk assessment, and coordination planning.

Integration

The Unified Operations Graph connects to all platform data domains as entity and relationship sources, including case management, incident management, surveillance, OSINT intelligence, geospatial data, and personnel management. It feeds into the graph visualisation engine for interactive exploration and the analytics platform for pattern-based reporting. Federated queries operate through the platform's COI cross-tenant sharing framework with full audit logging in PostgreSQL.
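The multi-hop traversal and federated-query features described above, combined with the organization_id scoping and audit logging mentioned here, can be sketched as follows. This is an added example, not the platform's own code: the node names, the in-memory graph, the agreement format and the audit record fields are all hypothetical, and an in-memory list stands in for the PostgreSQL audit log.

```python
from collections import deque
from datetime import datetime, timezone

# Constructed sample graph: node id -> owning organization_id (all names hypothetical).
NODE_ORG = {"person:A": "org-1", "vehicle:V": "org-1", "address:X": "org-1",
            "person:W": "org-2", "incident:R": "org-2", "person:Z": "org-3"}
EDGES = [("person:A", "vehicle:V"), ("person:A", "address:X"),
         ("address:X", "person:W"), ("person:W", "incident:R"),
         ("incident:R", "person:Z")]
# Explicit sharing agreements as (data owner, organisation granted read access).
COI_AGREEMENTS = {("org-2", "org-1")}


def can_read(node, requester, agreements):
    """Own-tenant data is always readable; foreign data only under an agreement."""
    owner = NODE_ORG[node]
    return owner == requester or (owner, requester) in agreements


def federated_paths(start, requester, agreements, max_hops=3):
    """Breadth-first traversal that never expands or returns unreadable nodes.

    Returns (paths, audit): shortest path to each reachable node, plus one
    audit record per cross-tenant access decision, allowed or denied.
    """
    if not can_read(start, requester, agreements):
        raise PermissionError("start node is outside the requester's scope")
    adjacency = {}
    for a, b in EDGES:  # relationships are treated as undirected
        adjacency.setdefault(a, []).append(b)
        adjacency.setdefault(b, []).append(a)
    paths, audit, queue = {start: [start]}, [], deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) - 1 >= max_hops:
            continue  # hop budget spent on this branch
        for nxt in adjacency.get(node, []):
            if nxt in paths:
                continue
            allowed = can_read(nxt, requester, agreements)
            if NODE_ORG[nxt] != requester:
                audit.append({"at": datetime.now(timezone.utc).isoformat(),
                              "requester": requester, "owner": NODE_ORG[nxt],
                              "node": nxt, "allowed": allowed})
            if allowed:  # denied nodes are not enqueued, so nothing beyond them leaks
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths, audit
```

The access check runs during expansion rather than as a filter on finished results, so a path that would pass through an unshared tenant is never computed and cannot be inferred from hop counts.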

Availability:

  • Enterprise Plan: Full unified operations graph included
  • Professional Plan: Single-domain graph analysis included; cross-domain correlation and federated queries available as add-on

Open Standards

  • GraphQL (June 2018 Specification): the entire cross-domain graph API is exposed as a GraphQL service via Strawberry, covering queries, mutations, and real-time subscriptions for nodes, edges, and traversal results.
  • W3C PROV-DM / PROV-JSON / PROV-O (W3C Recommendations, 2013): entity merge, split, and creation operations are recorded using the W3C Provenance Data Model; provenance records are serialised as PROV-JSON and emitted as PROV-O JSON-LD documents for external verification.
  • GEXF 1.3 (Graph Exchange XML Format): the graph export service produces GEXF 1.3 XML, allowing analysts to open full entity networks in standard external graph analysis tools such as Gephi.
  • OASIS STIX 2.1 / TAXII 2.1: threat-intelligence objects ingested via TAXII 2.1 feeds are normalised into the graph as typed entity nodes (including ATTACK_PATTERN), enabling cross-domain correlation of cyber-threat indicators with operational data.
  • MITRE ATT&CK: tactics, techniques, and procedures (TTPs) are stored against threat-actor entities and weighted in attribution scoring, with technique IDs drawn directly from the MITRE ATT&CK framework taxonomy.
  • RFC 4122 (UUID): all graph node and edge identifiers are version-4 UUIDs, ensuring globally unique, collision-resistant keys across federated COI queries.
  • ISO 8601 / RFC 3339: all temporal graph attributes, relationship timestamps, and provenance records use ISO 8601 date-time strings, supporting precise temporal graph analysis and historical state queries.

Last Reviewed: 2026-03-02 Last Updated: 2026-04-14
