II. Workflow overview
Reference · liveworkflow:threat-intelligence-feed-review
Threat Intelligence Feed Review overview
Evaluates and tunes threat intelligence sources and indicator-of-compromise feeds -- reviewing feed quality metrics including true-positive rate, timeliness, and relevance to organizational threat landscape, deduplicating and normalizing IOCs across commercial, open-source, and ISAC feeds, tuning detection rules and SIEM correlation logic based on feed performance, retiring stale or low-fidelity indicators that generate false positives, assessing coverage gaps against MITRE ATT&CK techniques relevant to the organization, and evaluating emerging threat intelligence vendors. Produces feed quality scorecard, tuning recommendations, and coverage gap report. Excludes incident response and threat hunting.
Attributes
displayName
Threat Intelligence Feed Review
workflowKind
operational
triggerType
scheduled
typicalCadence
weekly
complexity
single-team
description
Evaluates and tunes threat intelligence sources and indicator-of-compromise feeds -- reviewing feed quality metrics including true-positive rate, timeliness, and relevance to organizational threat landscape, deduplicating and normalizing IOCs across commercial, open-source, and ISAC feeds, tuning detection rules and SIEM correlation logic based on feed performance, retiring stale or low-fidelity indicators that generate false positives, assessing coverage gaps against MITRE ATT&CK techniques relevant to the organization, and evaluating emerging threat intelligence vendors. Produces feed quality scorecard, tuning recommendations, and coverage gap report. Excludes incident response and threat hunting.
Outgoing edges
applies_to_domain (2)
- domain:cybersecurity-grc · Domain: Cybersecurity GRC
- domain:security · Domain: Security
involves_role (2)
- role:security-risk-analyst · Role: Security Risk Analyst
- role:security-reviewer · Role: Security Reviewer
performed_by_org_unit (2)
- org-unit:security-team · OrgUnit: Security Team
- org-unit:application-security-team · OrgUnit: Application Security Team
requires_skill_area (2)
- skill-area:incident-response · SkillArea: Incident Response
- skill-area:threat-modeling · SkillArea: Threat Modeling
triggers_responsibility (2)
- responsibility:run-security-scans · Responsibility: Run security scans
- responsibility:threat-modeling · Responsibility: Threat modeling
Incoming edges
follows_workflow (1)
- stack-profile:siem-platform · StackProfile: SIEM Platform (Elasticsearch, Python, RabbitMQ, Redis, React, PostgreSQL)