[Intelligence]

Threat Intelligence: OpenCTI Platform

Module metadata

Source reference

content/modules/threat-intel-opencti.md

Last updated

18 Mar 2026

Category

Intelligence

Content checksum

609cfb17031834fc

Tags

intelligence, geospatial

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

Argus connects to OpenCTI (Open Cyber Threat Intelligence), the open-source threat intelligence management platform backed by the French ANSSI and Luatix. OpenCTI structures intelligence using the STIX 2.1 data model and provides a GraphQL API for querying threat actors, campaigns, indicators, attack patterns, and relationships. The Argus integration pulls entity data from connected OpenCTI instances and surfaces it within investigation, alert enrichment, and threat actor tracking workflows.

Key Features

Entity Synchronisation

Sync OpenCTI entities -- including indicators, malware, threat actors, intrusion sets, and campaigns -- into Argus via the `syncOpenCti` mutation. The `fetch_opencti_data` client connects to the OpenCTI GraphQL API, retrieves the entity payload, and persists records to PostgreSQL scoped to the organisation. Each sync generates an interop ingest audit entry satisfying EDF Golden Rule 15.

Clearance-Filtered Entity Listing

Query the OpenCTI entity inventory via `openCtiItems` with optional filters on entity type and confidence score. Row-level secrecy filtering prevents lower-clearance users from accessing entities tagged at higher classification levels -- important when a single OpenCTI instance aggregates intelligence across multiple trust domains.

Stats and Coverage View

The `openCtiStats` query returns entity counts by type, giving threat intelligence analysts a dashboard-level view of which intelligence categories are currently populated from the connected OpenCTI platform without loading the full entity list.
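As an added example that is not Argus's or OpenCTI's own code, the Python below models the semantics of the three features above: a sync flattens an OpenCTI GraphQL edges/node payload into organisation-scoped records, `openCtiItems` applies row-level secrecy filtering before the optional type and confidence filters, and `openCtiStats` counts by type over that same filtered view so the dashboard cannot reveal entities the caller is not cleared to list. The clearance ladder, the `secrecy` field and the sample payload are constructed assumptions; a real OpenCTI node carries classification as marking definitions rather than a flat field.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical clearance ladder; Argus's real level names are not documented on the page.
SECRECY_RANK = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}

@dataclass(frozen=True)
class OpenCtiItem:
    org_id: str          # organisation scope the record was persisted under
    entity_type: str     # STIX type as reported by OpenCTI, e.g. "Indicator"
    name: str
    confidence: int      # OpenCTI confidence score, 0-100
    secrecy: str         # classification tag (assumed attribute, see lead-in)

# Constructed sample payload in the edges/node shape a GraphQL list query returns;
# "secrecy" is an assumption standing in for an OpenCTI marking definition.
SAMPLE_PAYLOAD = {"data": {"stixCoreObjects": {"edges": [
    {"node": {"entity_type": "Indicator", "name": "ioc-1", "confidence": 85, "secrecy": "RESTRICTED"}},
    {"node": {"entity_type": "Indicator", "name": "ioc-2", "confidence": 40, "secrecy": "SECRET"}},
    {"node": {"entity_type": "Threat-Actor", "name": "actor-a", "confidence": 70, "secrecy": "CONFIDENTIAL"}},
    {"node": {"entity_type": "Campaign", "name": "camp-x", "confidence": 90, "secrecy": "UNCLASSIFIED"}},
]}}}

def persist_sync(payload: dict, org_id: str) -> list[OpenCtiItem]:
    """What a sync persists: every node in the payload, stamped with the calling org."""
    edges = payload["data"]["stixCoreObjects"]["edges"]
    return [OpenCtiItem(org_id, n["entity_type"], n["name"], int(n["confidence"]), n["secrecy"])
            for n in (e["node"] for e in edges)]

def open_cti_items(items: list[OpenCtiItem], org_id: str, clearance: str,
                   entity_type: Optional[str] = None, min_confidence: int = 0) -> list[OpenCtiItem]:
    """openCtiItems semantics: org scoping and the secrecy filter are mandatory and run
    first; entities tagged above the caller's clearance are dropped, never down-marked."""
    rank = SECRECY_RANK[clearance]
    return [i for i in items
            if i.org_id == org_id
            and SECRECY_RANK[i.secrecy] <= rank
            and (entity_type is None or i.entity_type == entity_type)
            and i.confidence >= min_confidence]

def open_cti_stats(items: list[OpenCtiItem], org_id: str, clearance: str) -> dict[str, int]:
    """openCtiStats semantics: per-type counts computed over the same filtered view,
    so a count never discloses the existence of rows the caller cannot list."""
    return dict(Counter(i.entity_type for i in open_cti_items(items, org_id, clearance)))
```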

Multi-Instance Support

Each `syncOpenCti` call accepts a `base_url` and `api_token`, allowing an organisation to pull from different OpenCTI instances (e.g., a national CERT instance and an internal instance) and consolidate their entity sets within one Argus tenant.

Use Cases

  • Threat Actor Library: Pull the threat actor and intrusion set catalogue from an ANSSI-operated OpenCTI instance to populate the Argus threat actor reference library used in investigation attribution workflows.
  • MITRE ATT&CK Integration: OpenCTI's ATT&CK-enriched data provides technique-to-actor mappings that Argus surfaces alongside Sigma rule coverage, allowing analysts to identify detection gaps for specific threat actors.
  • Cross-Platform Intelligence Lifecycle: Use Argus for operational case management and OpenCTI as the strategic intelligence repository -- syncing curated entities in one direction while case-derived indicators flow back through STIX export.

Integration

Available via GraphQL: `openCtiItems`, `openCtiStats` (queries); `syncOpenCti` (mutation). All operations require authentication and organisation scoping.

Compatible with OpenCTI 5.x+ GraphQL API. Works alongside MISP (complementary threat sharing), STIX/TAXII (shared data model), and TheHive (incident case correlation).

Last Reviewed: 2026-03-18