Rendered documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
## Overview
Argus implements full STIX 2.1 (Structured Threat Information eXpression) and TAXII 2.1 (Trusted Automated eXchange of Intelligence Information) support, enabling standards-compliant threat intelligence exchange with national CERTs, ISACs, and defence intelligence networks. STIX bundles can be ingested from TAXII channels, imported directly, or exported as signed packages for sharing with partner organisations -- all with Neo4j graph replication for relationship traversal alongside PostgreSQL as the source of truth.
## Key Features

### STIX 2.1 Bundle Ingestion

Import complete STIX 2.1 bundles from JSON, either submitted directly or received via TAXII channel polling. The ingestion pipeline uses the `parse_stix_bundle` adapter to extract indicators, reports, threat actors, campaigns, attack patterns, and relationships from the bundle. Each STIX object is persisted to PostgreSQL and, where relationships exist, replicated to Neo4j for graph analysis. Every ingest event generates an EDF interop audit record.
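To make the ingestion step concrete, here is an added, stand-alone parser in the spirit of the `parse_stix_bundle` adapter. It is example code written for this page, not the Argus adapter itself: the exception type, the return shape (objects bucketed by type, relationship edges as `(source_ref, relationship_type, target_ref)` triples ready for graph replication, and a list of dangling references), and every identifier in the sample bundle are assumptions of the example. It rejects a bundle whose object ids disagree with their declared types instead of repairing them, since such a mismatch usually means a hand-edited or untrusted bundle.

```python
import json
import re
from collections import defaultdict

# STIX 2.1 identifier: "<type>--<UUID>"; group 1 captures the type prefix.
STIX_ID_RE = re.compile(
    r"^([a-z][a-z0-9-]*)--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

# Object types the ingestion pipeline described above extracts from a bundle.
INGESTED_TYPES = {"indicator", "report", "threat-actor", "campaign",
                  "attack-pattern", "relationship"}


class StixBundleError(ValueError):
    """Structural problem in a bundle (assumed exception type, not Argus's own)."""


def parse_stix_bundle(raw):
    """Parse a STIX 2.1 bundle given as JSON text/bytes or an already-decoded dict.

    Returns (objects_by_type, edges, dangling_refs):
      objects_by_type -> {"indicator": [...], "threat-actor": [...], ...}
      edges           -> [(source_ref, relationship_type, target_ref), ...]
      dangling_refs   -> relationship endpoints absent from this bundle; they may
                         already exist in the store, so the caller decides
    """
    bundle = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
        raise StixBundleError("top-level object is not a STIX bundle")
    m = STIX_ID_RE.match(str(bundle.get("id", "")))
    if not m or m.group(1) != "bundle":
        raise StixBundleError("bundle id is malformed")
    objects = bundle.get("objects")
    if not isinstance(objects, list) or not objects:
        raise StixBundleError("bundle has no objects")

    by_type = defaultdict(list)
    seen_ids = set()
    edges = []
    for obj in objects:
        if not isinstance(obj, dict):
            raise StixBundleError("bundle entry is not a JSON object")
        obj_type = obj.get("type")
        obj_id = str(obj.get("id", ""))
        m = STIX_ID_RE.match(obj_id)
        # The id prefix must agree with the declared type; a mismatch points to a
        # hand-edited or hostile bundle and is rejected rather than repaired.
        if obj_type is None or not m or m.group(1) != obj_type:
            raise StixBundleError(f"inconsistent type/id: {obj_type!r} / {obj_id!r}")
        if obj_id in seen_ids:
            continue  # same object repeated inside one bundle: keep the first copy
        seen_ids.add(obj_id)
        if obj_type not in INGESTED_TYPES:
            continue  # other SDO/SCO types are outside this example's scope
        if obj_type == "relationship":
            missing = [k for k in ("source_ref", "relationship_type", "target_ref")
                       if k not in obj]
            if missing:
                raise StixBundleError(f"relationship {obj_id} is missing {missing}")
            edges.append((obj["source_ref"], obj["relationship_type"], obj["target_ref"]))
        else:
            by_type[obj_type].append(obj)

    dangling = sorted({ref for src, _, dst in edges for ref in (src, dst)
                       if ref not in seen_ids})
    return dict(by_type), edges, dangling


def bundle_is_wellformed(raw):
    """Convenience predicate for callers that only need accept/reject."""
    try:
        parse_stix_bundle(raw)
        return True
    except StixBundleError:
        return False


# Constructed sample bundle; every identifier below is made up for this example.
IND_ID = "indicator--1a2b3c4d-1111-4aaa-8bbb-000000000001"
TA_ID = "threat-actor--1a2b3c4d-2222-4aaa-8bbb-000000000002"
AP_ID = "attack-pattern--1a2b3c4d-3333-4aaa-8bbb-000000000003"
CAMP_ID = "campaign--1a2b3c4d-5555-4aaa-8bbb-000000000005"
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--7f3c2a1e-5d4b-4c6a-9e8f-0a1b2c3d4e5f",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": IND_ID, "name": "C2 domain",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.invalid']",
         "valid_from": "2026-03-01T10:00:00Z"},
        {"type": "threat-actor", "spec_version": "2.1", "id": TA_ID, "name": "Sample Actor"},
        {"type": "attack-pattern", "spec_version": "2.1", "id": AP_ID, "name": "Phishing"},
        {"type": "campaign", "spec_version": "2.1", "id": CAMP_ID, "name": "Sample Campaign"},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "indicates",
         "id": "relationship--1a2b3c4d-6666-4aaa-8bbb-000000000006",
         "source_ref": IND_ID, "target_ref": TA_ID},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--1a2b3c4d-7777-4aaa-8bbb-000000000007",
         "source_ref": TA_ID, "target_ref": AP_ID},
        # Points at a report that is not in this bundle: surfaced as a dangling ref.
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "derived-from",
         "id": "relationship--1a2b3c4d-8888-4aaa-8bbb-000000000008",
         "source_ref": CAMP_ID, "target_ref": "report--1a2b3c4d-9999-4aaa-8bbb-000000000009"},
    ],
}
```

Calling `parse_stix_bundle(SAMPLE_BUNDLE)` yields four object buckets, three edges, and one dangling report reference; the persistence layer would write the buckets to PostgreSQL and the edges to the graph, and would look the dangling reference up in the store before deciding whether to keep or drop that relationship.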
### TAXII 2.1 Channel Polling

Configure named TAXII feed endpoints with collection IDs and API root URLs. The `pollTaxiiFeed` mutation connects to the TAXII server, retrieves the latest manifest, downloads new objects since the last poll, and ingests the bundle contents. Feed configurations are stored per organisation and support token-based and certificate-based authentication. The last-polled timestamp is tracked to prevent duplicate ingestion on subsequent polls.
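The polling loop, as an added example that is not the `pollTaxiiFeed` implementation: it shows the two points that matter for duplicate prevention, namely passing the stored timestamp as the TAXII 2.1 `added_after` filter and advancing that watermark from the server's `X-TAXII-Date-Added-Last` header only after every page has been ingested. The HTTP transport is injected so the example runs offline against a constructed in-memory server; the feed-config class, the `objects/` endpoint path, the envelope fields (`more`, `next`, `objects`) and the response headers follow the TAXII 2.1 specification, while the field names of the config object and the sample timestamps are assumptions of the example.

```python
import uuid

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


class TaxiiFeedConfig:
    """Per-organisation feed definition (assumed shape; field names are this example's)."""

    def __init__(self, api_root, collection_id, token=None, last_polled=None):
        self.api_root = api_root.rstrip("/") + "/"
        self.collection_id = collection_id
        self.token = token
        # RFC 3339 timestamp of the newest object seen; None means never polled.
        self.last_polled = last_polled

    def objects_url(self):
        return f"{self.api_root}collections/{self.collection_id}/objects/"


def poll_taxii_feed(feed, http_get, ingest_bundle):
    """Fetch everything added to the collection since feed.last_polled and ingest it.

    http_get(url, params, headers) -> (response_headers, json_body) is injected so
    the example runs offline; a real transport would wrap requests or httpx.
    ingest_bundle(bundle) receives each page wrapped as a STIX 2.1 bundle.
    Returns the number of objects handed to ingest_bundle.
    """
    headers = {"Accept": TAXII_MEDIA_TYPE}
    if feed.token:
        headers["Authorization"] = f"Bearer {feed.token}"
    params = {}
    if feed.last_polled:
        params["added_after"] = feed.last_polled  # exclusive lower bound in TAXII 2.1
    count = 0
    newest = feed.last_polled
    while True:
        resp_headers, envelope = http_get(feed.objects_url(), dict(params), headers)
        objects = envelope.get("objects", [])
        if objects:
            ingest_bundle({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                           "objects": objects})
            count += len(objects)
        # TAXII 2.1 reports the date_added of the last object on the page here.
        # Same-format UTC RFC 3339 strings compare correctly as plain strings.
        last_added = resp_headers.get("X-TAXII-Date-Added-Last")
        if last_added and (newest is None or last_added > newest):
            newest = last_added
        if not envelope.get("more"):
            break
        params["next"] = envelope["next"]  # opaque pagination cursor from the server
    # Advance the watermark only after every page was ingested, so a crash mid-poll
    # re-fetches on the next run instead of silently skipping objects.
    feed.last_polled = newest
    return count


def make_fake_taxii_server(records, page_size=2):
    """In-memory stand-in for a TAXII 2.1 objects endpoint (constructed for this example).
    records: list of (date_added, stix_object) in ascending date order."""

    def http_get(url, params, headers):
        if headers.get("Accept") != TAXII_MEDIA_TYPE:
            return {}, {"title": "Not Acceptable"}  # a real server answers HTTP 406
        after = params.get("added_after")
        visible = [r for r in records if after is None or r[0] > after]
        start = int(params.get("next", 0))
        page = visible[start:start + page_size]
        more = start + page_size < len(visible)
        envelope = {"more": more, "objects": [obj for _, obj in page]}
        if more:
            envelope["next"] = str(start + page_size)
        resp_headers = {}
        if page:
            resp_headers["X-TAXII-Date-Added-First"] = page[0][0]
            resp_headers["X-TAXII-Date-Added-Last"] = page[-1][0]
        return resp_headers, envelope

    return http_get


def demo_poll_twice():
    """Poll a constructed three-object collection twice; the second poll must be empty."""
    records = [
        ("2026-03-10T08:00:00.000000Z", {"type": "indicator", "name": "first",
         "id": "indicator--1a2b3c4d-1111-4aaa-8bbb-000000000001"}),
        ("2026-03-11T08:00:00.000000Z", {"type": "indicator", "name": "second",
         "id": "indicator--1a2b3c4d-2222-4aaa-8bbb-000000000002"}),
        ("2026-03-12T08:00:00.000000Z", {"type": "threat-actor", "name": "actor",
         "id": "threat-actor--1a2b3c4d-3333-4aaa-8bbb-000000000003"}),
    ]
    server = make_fake_taxii_server(records)
    feed = TaxiiFeedConfig("https://taxii.example.invalid/api1", "collection-1", token="t0k")
    bundles = []
    first = poll_taxii_feed(feed, server, bundles.append)
    second = poll_taxii_feed(feed, server, bundles.append)
    return first, second, feed.last_polled, len(bundles)
```

With a page size of two, the first poll ingests three objects across two bundles and stores the third object's `date_added` as the watermark; the second poll sends that watermark as `added_after` and ingests nothing.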
### STIX Bundle Export

Argus threat intelligence can be exported as standards-compliant STIX 2.1 bundles via the `exportStixBundle` mutation. The adapter converts Argus entities (indicators, intelligence records) to STIX indicator and report objects, assembles them into a valid bundle, and returns the serialized JSON. Exported bundles are ready for direct submission to partner TAXII servers or delivery via Eurydice data diode for cross-domain transfers.
### Argus Entity to STIX Mapping

The `argus_entity_to_stix_indicator` and `argus_intel_to_stix_report` adapter functions map Argus domain objects to their STIX 2.1 counterparts. Indicators carry STIX pattern expressions; intelligence reports carry external references and confidence scores. This bidirectional mapping ensures round-trip fidelity when ingesting and re-exporting intelligence.
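The export and mapping steps from the two sections above, as one added example that is not the Argus adapter code: it builds STIX 2.1 indicator and report objects from Argus-style records and wraps them in a bundle. The Argus field names (`kind`, `value`, `confidence`, `source_url`, ...), the pattern templates, and the UUID namespace are assumptions of the example. Two design points are worth noting for round-trip fidelity: the STIX ids are UUIDv5 values derived from the Argus primary keys, so re-exporting the same record yields the same id instead of a fresh duplicate, and indicator values are escaped before being placed inside the STIX pattern string literal.

```python
import json
import uuid
from datetime import datetime, timezone

# Deterministic namespace so the same Argus record always maps to the same STIX id
# (constructed UUID for this example; a deployment would choose its own).
ARGUS_STIX_NAMESPACE = uuid.UUID("2b1d7f1c-9a4e-4e3f-8c2a-5d6e7f8a9b0c")

# Argus indicator kinds -> STIX 2.1 pattern templates (assumed Argus vocabulary).
PATTERN_TEMPLATES = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def stix_id(stix_type, argus_id):
    """UUIDv5 of the Argus primary key: stable across repeated exports."""
    name = f"{stix_type}:{argus_id}"
    return f"{stix_type}--{uuid.uuid5(ARGUS_STIX_NAMESPACE, name)}"


def _ts(dt):
    """STIX 2.1 timestamp: UTC, millisecond precision, trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def _escape(value):
    # Backslashes and single quotes must be escaped inside a STIX pattern literal,
    # otherwise an indicator value could break out of the pattern string.
    return str(value).replace("\\", "\\\\").replace("'", "\\'")


def _confidence(value):
    c = int(value)
    if not 0 <= c <= 100:
        raise ValueError(f"STIX confidence must be 0..100, got {c}")
    return c


def argus_entity_to_stix_indicator(entity):
    """entity: {"id", "kind", "value", "name", "confidence", "created", "updated"} (assumed)."""
    if entity["kind"] not in PATTERN_TEMPLATES:
        raise ValueError(f"no STIX pattern mapping for indicator kind {entity['kind']!r}")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": stix_id("indicator", entity["id"]),
        "created": _ts(entity["created"]),
        "modified": _ts(entity["updated"]),
        "name": entity["name"],
        "pattern": PATTERN_TEMPLATES[entity["kind"]].format(v=_escape(entity["value"])),
        "pattern_type": "stix",
        "valid_from": _ts(entity["created"]),
        "confidence": _confidence(entity["confidence"]),
    }


def argus_intel_to_stix_report(intel, indicator_objects):
    """intel: {"id", "title", "summary", "confidence", "published", "source_url"} (assumed)."""
    return {
        "type": "report",
        "spec_version": "2.1",
        "id": stix_id("report", intel["id"]),
        "created": _ts(intel["published"]),
        "modified": _ts(intel["published"]),
        "name": intel["title"],
        "description": intel["summary"],
        "published": _ts(intel["published"]),
        "report_types": ["threat-report"],
        "confidence": _confidence(intel["confidence"]),
        "object_refs": [obj["id"] for obj in indicator_objects],
        "external_references": [{"source_name": "Argus", "url": intel["source_url"],
                                 "external_id": intel["id"]}],
    }


def export_stix_bundle(entities, intel):
    """Serialize indicators plus one report that references them as a STIX 2.1 bundle."""
    indicators = [argus_entity_to_stix_indicator(e) for e in entities]
    report = argus_intel_to_stix_report(intel, indicators)
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
              "objects": indicators + [report]}
    return json.dumps(bundle, indent=2)


def sample_export():
    """Constructed Argus-style records; returns the exported bundle decoded again."""
    t = datetime(2026, 3, 1, 9, 30, 0, tzinfo=timezone.utc)
    entities = [
        {"id": "ind-1001", "kind": "domain", "value": "c2.example.invalid",
         "name": "C2 domain", "confidence": 80, "created": t, "updated": t},
        {"id": "ind-1002", "kind": "sha256", "name": "dropper hash", "confidence": 95,
         "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
         "created": t, "updated": t},
    ]
    intel = {"id": "intel-42", "title": "Sample campaign report", "confidence": 70,
             "summary": "Constructed example.", "published": t,
             "source_url": "https://argus.example.invalid/intel/42"}
    return json.loads(export_stix_bundle(entities, intel))
```

The bundle id itself is random per export, which is what the STIX bundle container expects; only the objects inside it need stable identities.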
### SecrecyLevel-Aware Access

Individual STIX objects carry `secrecy_level` tags. The `filter_rows_by_clearance` utility enforces that users can only retrieve objects at or below their clearance level, satisfying EDF data sovereignty requirements for multi-classification intelligence sharing in coalition environments.
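An added example of the clearance filter, written for this page rather than taken from the Argus utility: the level ordering is an assumed one (Argus's own enumeration may differ), and the rule worth copying is that the filter fails closed, withholding any row whose marking is missing or unrecognised and refusing an unrecognised clearance outright instead of treating it as open.

```python
# Ordered from least to most restrictive (assumed ordering for this example).
SECRECY_ORDER = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
RANK = {level: i for i, level in enumerate(SECRECY_ORDER)}


def filter_rows_by_clearance(rows, clearance, level_field="secrecy_level"):
    """Return only rows whose secrecy level is at or below the caller's clearance.

    Fail-closed rules: a row with a missing or unknown level is withheld, and an
    unknown clearance raises instead of defaulting to the most permissive level.
    """
    if clearance not in RANK:
        raise ValueError(f"unknown clearance {clearance!r}")
    max_rank = RANK[clearance]
    visible = []
    for row in rows:
        rank = RANK.get(row.get(level_field))
        if rank is None:
            continue  # unlabelled or unrecognised marking: never release by default
        if rank <= max_rank:
            visible.append(row)
    return visible


def visible_ids(clearance):
    """Apply the filter to a constructed result set and return the surviving ids."""
    rows = [
        {"id": "indicator--1a2b3c4d-1111-4aaa-8bbb-000000000001", "secrecy_level": "UNCLASSIFIED"},
        {"id": "indicator--1a2b3c4d-2222-4aaa-8bbb-000000000002", "secrecy_level": "SECRET"},
        {"id": "indicator--1a2b3c4d-3333-4aaa-8bbb-000000000003"},  # no marking at all
        {"id": "indicator--1a2b3c4d-4444-4aaa-8bbb-000000000004", "secrecy_level": "BOGUS"},
        {"id": "report--1a2b3c4d-5555-4aaa-8bbb-000000000005", "secrecy_level": "CONFIDENTIAL"},
    ]
    return [r["id"] for r in filter_rows_by_clearance(rows, clearance)]
```

Because the filter runs on already-fetched rows, it is a last line of defence; a query-level predicate on `secrecy_level` should still be applied so that over-classified rows never leave the database in the first place.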
## Use Cases

- CERT-to-Platform Integration: Subscribe to TAXII collections from CERT-EU or national CERTs and automatically populate the Argus indicator database with fresh intelligence without manual import steps.
- Coalition Intelligence Exchange: Export a curated STIX bundle to a partner nation's TAXII server as part of a Community of Interest (COI) intelligence-sharing agreement.
- Threat Actor Attribution: Ingest STIX bundles containing `threat-actor`, `campaign`, and `attack-pattern` objects and use the Neo4j graph layer to trace relationships between observed indicators and known adversary groups.
- Cross-Domain Classification Transfer: Use the Eurydice domain alongside STIX export to push STIX bundles across data diodes to higher-classification networks.
## Integration

Available via GraphQL: `stixIndicators`, `stixBundles`, `taxiiFeedConfigs` (queries); `ingestStixBundle`, `pollTaxiiFeed`, `saveTaxiiFeedConfig`, `exportStixBundle` (mutations). All operations require authentication and organisation scoping.

Compatible with the TAXII 2.1 and STIX 2.1 specifications (OASIS standards). Works alongside the MISP integration (MISP events can be cross-walked to STIX via the threat intel pipeline).
Last Reviewed: 2026-03-18