Threat Intelligence

Category: Intelligence | Last Updated: May 26, 2026
Tags: intelligence, geospatial

Overview

When an analyst receives a tip about a new malware campaign targeting critical infrastructure, they need to correlate indicators of compromise across dozens of data feeds, map actor tactics to a shared taxonomy, and share vetted intelligence with partner agencies within minutes rather than days. The Argus platform integrates with YETI, the open-source threat intelligence management platform, to provide exactly this workflow: structured ingestion, enrichment, and sharing of threat data within a multi-tenant, clearance-enforced environment.

YETI serves as the central repository for indicators of compromise (IoCs), threat actor profiles, attack patterns, and observable relationships. Analysts can pivot from a suspicious IP address to a full MITRE ATT&CK technique chain, see which partner organisations have reported the same artefact, and push curated intelligence packages to downstream consumers, all while the platform enforces data sovereignty, multi-level access controls, and an immutable audit trail compliant with European Defence Fund (EDF) and PESCO requirements.

Key Features

  • Observable Enrichment: IP addresses, domain names, file hashes, URLs, and email addresses are automatically enriched against YETI's graph of known indicators, surfacing related threat actors, malware families, and campaigns with supporting evidence.
  • MITRE ATT&CK Mapping: Threat artefacts are tagged to ATT&CK techniques and tactics, enabling analysts to understand adversary behaviour patterns and prioritise defensive actions based on observed TTPs.
  • Multi-Feed Aggregation: The platform ingests threat intelligence from MISP event feeds, OpenCTI exports, commercial TAXII collections, and analyst-curated sources, deduplicating and normalising records into a consistent format.
  • Relationship Graph Navigation: Analysts can traverse the relationship graph between observables, campaigns, threat actors, and vulnerabilities, with each traversal respecting the operator's clearance level and organisational scope.
  • Clearance-Enforced Visibility: Intelligence records carry classification markings aligned with NATO Traffic Light Protocol (TLP) designations and multi-level access controls, so restricted or confidential items are invisible to operators without the appropriate clearance.
  • Automated Feed Scheduling: Configured threat feeds are polled on a defined schedule, with new indicators ingested, tagged, and made available for correlation without manual intervention.
  • Vetted Sharing Packages: Analysts can compose STIX 2.1 bundles from curated observables and push them to partner organisations via authenticated TAXII 2.1 channels, with every outbound share logged immutably.
  • Immutable Audit Trail: Every enrichment query, classification change, and intelligence share is recorded with the operator's identity, timestamp, clearance level, and organisational context, satisfying EDF and PESCO audit requirements.
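One way to make the audit trail described above tamper-evident, added here as an illustration and not code from the Argus platform or YETI: every record carries the operator's identity, clearance level, organisation and action, and is chained to its predecessor by a SHA-256 digest, so that editing, reordering or deleting an earlier record breaks verification. The `AuditTrail` class, its field names and the three sample events are assumptions constructed for the example.

```python
"""Hash-chained audit trail for intelligence handling events (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass
class AuditRecord:
    seq: int            # position in the chain
    timestamp: str      # ISO 8601 UTC
    operator: str       # identity of the analyst performing the action
    clearance: str      # clearance level in force at the time
    organisation: str   # organisational context (tenant / agency)
    action: str         # e.g. enrichment_query, classification_change, share
    detail: dict        # action-specific payload (object IDs, TLP, recipient)
    prev_hash: str      # digest of the preceding record (GENESIS for the first)
    hash: str = ""      # SHA-256 over all the fields above


def _canonical(body: dict) -> bytes:
    # Canonical JSON: key order and whitespace must not affect the digest.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest(rec: AuditRecord) -> str:
    body = asdict(rec)
    body.pop("hash")
    return hashlib.sha256(_canonical(body)).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, timestamp, operator, clearance, organisation, action, detail):
        prev = self.records[-1].hash if self.records else self.GENESIS
        rec = AuditRecord(len(self.records), timestamp, operator, clearance,
                          organisation, action, detail, prev)
        rec.hash = _digest(rec)
        self.records.append(rec)
        return rec

    def verify(self):
        """Recompute the chain; return (True, None) or (False, index of first bad record)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev or _digest(rec) != rec.hash:
                return False, i
            prev = rec.hash
        return True, None


def build_sample_trail():
    """Constructed events mirroring the three actions the feature list names."""
    trail = AuditTrail()
    trail.append("2026-05-26T09:00:00Z", "analyst.a", "RESTRICTED", "agency-1",
                 "enrichment_query", {"observable": "198.51.100.7"})
    trail.append("2026-05-26T09:05:00Z", "analyst.a", "RESTRICTED", "agency-1",
                 "classification_change", {"object": "indicator--example", "tlp": "amber"})
    trail.append("2026-05-26T09:07:00Z", "lead.b", "CONFIDENTIAL", "agency-1",
                 "share", {"bundle": "bundle--example", "recipient": "agency-2", "tlp": "amber"})
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify())
    t.records[1].clearance = "CONFIDENTIAL"   # simulate an after-the-fact edit
    print("after tampering:", t.verify())
```

The chain alone does not detect truncation of the newest records, and an attacker with write access to the store could recompute every digest. Immutability therefore also depends on anchoring the latest digest outside the writable store, for example by signing it periodically, copying it to write-once storage, or exchanging it with a partner organisation.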

Use Cases

  • A SOC analyst pivots from a phishing email header to a full threat actor profile, correlating the sending infrastructure against known campaigns and sharing a TLP:AMBER package with national CERT partners within a single workflow.
  • A national law enforcement agency ingests IoCs from multiple partner feeds, deduplicates overlapping indicators, and builds a unified picture of a ransomware campaign affecting multiple jurisdictions.
  • A defence organisation maps newly observed malware samples to MITRE ATT&CK techniques, assesses coverage of existing detection rules, and generates a prioritised gap report for their defensive capabilities team.
  • A multi-agency task force operating under a Community of Interest arrangement shares intelligence across organisational boundaries while the platform enforces that each agency sees only the indicators it is authorised to receive.
  • A threat intelligence team schedules automated ingestion from open-source feeds (AlienVault OTX, Abuse.ch, Feodo Tracker) alongside commercial sources, allowing analysts to focus on analysis rather than data wrangling.

Integration

The threat intelligence capability connects to YETI through its REST API, enabling bidirectional synchronisation of observables, entities, and relationships. Incoming indicators are normalised into the platform's shared data model before being made available to other modules such as case management, geospatial visualisation, and the alert triage workflow, ensuring that a newly enriched IoC surfaces automatically in open investigations and active alerts without additional analyst effort. Outbound intelligence sharing leverages authenticated TAXII 2.1 server and client roles, and the platform can act as a collection host for partner organisations that wish to pull curated feeds on a schedule.

Open Standards

  • STIX 2.1 (OASIS): Structured Threat Information eXpression is used as the canonical format for representing threats, indicators, campaigns, and relationships, both for internal storage and for outbound intelligence packages.
  • TAXII 2.1 (OASIS): Trusted Automated eXchange of Intelligence Information defines the transport protocol for sharing STIX bundles between organisations, with the platform supporting both server and client roles over authenticated HTTPS.
  • MISP Galaxy / MISP Taxonomies: The MISP project's open galaxy clusters and taxonomy vocabularies provide structured tagging for threat actors, malware families, and sectors, enabling consistent labelling across federated organisations.
  • MITRE ATT&CK (MITRE): The ATT&CK framework provides the reference taxonomy for mapping observed adversary techniques and tactics to a shared, versioned knowledge base used across partner agencies.
  • Traffic Light Protocol (TLP, FIRST): TLP markings (CLEAR, GREEN, AMBER, AMBER+STRICT, RED) are applied to all intelligence records to govern permissible sharing boundaries between organisations and individuals.
  • OpenIOC (Mandiant / open standard): OpenIOC indicator format is supported for import from legacy tooling and forensic platforms that produce OpenIOC artefacts.
  • ISO/IEC 27001: The information security management controls applied to threat data handling, access control, and audit logging align with ISO/IEC 27001 requirements, supporting accreditation by member-state agencies.
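The following added example shows how the STIX 2.1 and TLP standards listed above fit together when a vetted sharing package is composed: indicators carry `object_marking_refs` pointing at TLP marking definitions, and a bundle for a given recipient includes only objects whose TLP is no more restrictive than what that recipient is cleared to receive, together with the marking definitions they cite. It is illustrative code, not the platform's or YETI's implementation. The marking-definition IDs for GREEN, AMBER and RED are the ones fixed by the STIX 2.1 specification; CLEAR and AMBER+STRICT come from TLP 2.0, which the base specification does not predefine, so their IDs here are constructed, as are the sample indicators (documentation-range values, not real IoCs).

```python
"""Compose a STIX 2.1 sharing bundle filtered by TLP (added example)."""
import json
import uuid
from datetime import datetime, timezone

# FIRST TLP 2.0 labels, least to most restrictive (the set the page lists).
TLP_ORDER = ["clear", "green", "amber", "amber+strict", "red"]

# Constructed namespace for the two TLP 2.0 labels that the base STIX 2.1
# specification does not predefine (CLEAR and AMBER+STRICT). Hypothetical value.
_TLP20_NS = uuid.UUID("00000000-0000-0000-0000-00000000a11e")


def _tlp_marking(label, fixed_id=None):
    """Build a STIX 2.1 marking-definition object for one TLP label."""
    return {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": fixed_id or f"marking-definition--{uuid.uuid5(_TLP20_NS, label)}",
        "created": "2017-01-20T00:00:00.000Z",
        "definition_type": "tlp",
        "name": f"TLP:{label.upper()}",
        "definition": {"tlp": label},
    }


# GREEN/AMBER/RED reuse the IDs fixed by STIX 2.1 section 7.2.1.4 so partners
# recognise them; CLEAR and AMBER+STRICT are constructed for this example.
TLP_MARKINGS = {
    "clear": _tlp_marking("clear"),
    "green": _tlp_marking("green", "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"),
    "amber": _tlp_marking("amber", "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"),
    "amber+strict": _tlp_marking("amber+strict"),
    "red": _tlp_marking("red", "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"),
}
_LABEL_BY_ID = {m["id"]: label for label, m in TLP_MARKINGS.items()}


def make_indicator(pattern, name, tlp, created):
    """STIX 2.1 Indicator SDO carrying a reference to the given TLP marking."""
    ts = created.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": name, "pattern": pattern, "pattern_type": "stix",
        "object_marking_refs": [TLP_MARKINGS[tlp]["id"]],
    }


def tlp_label(obj):
    """Effective TLP of an object: the most restrictive of its TLP markings.
    Unmarked objects are rejected rather than treated as shareable."""
    labels = [_LABEL_BY_ID[r] for r in obj.get("object_marking_refs", []) if r in _LABEL_BY_ID]
    if not labels:
        raise ValueError(f"{obj['id']} has no TLP marking; refusing to evaluate unmarked data")
    return max(labels, key=TLP_ORDER.index)


def shareable(obj, recipient_max_tlp):
    """True when obj's TLP is no more restrictive than the recipient may receive."""
    return TLP_ORDER.index(tlp_label(obj)) <= TLP_ORDER.index(recipient_max_tlp)


def compose_bundle(objects, recipient_max_tlp):
    """STIX 2.1 Bundle holding only the objects the recipient may receive,
    preceded by the marking definitions those objects cite."""
    selected = [o for o in objects if shareable(o, recipient_max_tlp)]
    cited = {r for o in selected for r in o["object_marking_refs"]}
    markings = [m for m in TLP_MARKINGS.values() if m["id"] in cited]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": markings + selected}


# Constructed sample observables (documentation-range values, not real IoCs).
_T0 = datetime(2026, 5, 26, tzinfo=timezone.utc)
SAMPLE_INDICATORS = [
    make_indicator("[ipv4-addr:value = '198.51.100.7']", "C2 address (constructed)", "green", _T0),
    make_indicator("[domain-name:value = 'update.example.net']", "Staging domain (constructed)", "amber", _T0),
    make_indicator("[file:hashes.'SHA-256' = '" + "0" * 64 + "']", "Dropper hash (constructed)", "red", _T0),
]

if __name__ == "__main__":
    # A partner cleared up to TLP:AMBER receives the GREEN and AMBER indicators only.
    print(json.dumps(compose_bundle(SAMPLE_INDICATORS, "amber"), indent=2))
```

Two design choices matter for a clearance-enforced platform: an object with no TLP marking is refused rather than defaulted to CLEAR, and when an object carries several TLP markings the most restrictive one governs, so a mislabelled duplicate can only narrow sharing, never widen it.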

Availability

  • Enterprise Plan: Included
  • Professional Plan: Available with YETI integration licence; feed scheduling and TAXII sharing require the Intelligence add-on

Last Reviewed: 2026-05-26