Best Practices & Frameworks

 Audience: SOC Analysts, Threat Intelligence Analysts, Security Operations LeadersProduct Module:Threat Intelligence Management (ThreatQ Platform)Last Updated: December 18, 2025KB ID: KB‑20251218‑ThreatQ‑Scoring‑ExpirationTags: Threat Intelligence, Lifecycle Management, Scoring, Expiration, Indicator Management, ThreatQ, SOC OperationsProblemOrganizations often ingest large volumes of threat intelligence but still experience security gaps, alert fatigue, and false positives. Without a way to prioritize and retire data, threat intelligence becomes noisy instead of actionable.ObjectiveHelp security teams understand how scoring and expiration can be used to manage the full threat intelligence lifecycle—from ingestion to retirement—so analysts can focus on intelligence that is relevant, timely, and ali

 Grouping in Securonix is a two-fold process: Create Data Sources (DS) correctly — Syslog and API logs must be separated into their own DS so that grouping is clean and meaningful. Use functionality and Spotter searches — Once DS are created properly, Securonix automatically groups the logs and allows you to search, drill down, and correlate them easily. Both steps together form the basis of how grouping works end-to-end. Creating Data Sources Correctly (Foundation of Grouping) A. Syslog When onboarding syslog data, for example Palo Alto firewall data, we can use separate Data Sources to maintain zone-based segmentation such as Trust, Untrust, DMZ.Example using different ports:Palo_Untrust → TCP 514 Palo_Trust → TCP 515If using multiple ports is not an option, we can use Syslog filters to sp

During an undetermined number of executions of my playbook, it crashes. Is there a way to validate how many executions have been performed and whether they are causing instability in my service?

Why Network Visibility MattersMany security teams rely on Proxy and Web Application Firewall (WAF) logs for visibility, but that’s only part of the picture.🛡️ Firewalls, especially their allowed traffic logs, reveal critical activity that other tools can’t see.🔍 They’re essential for detecting, investigating, and preventing threats across the entire attack lifecycle, from the first probe to the final exfiltration attempt. ✨ Where to StartTo unlock this visibility and close detection gaps, focus on the following six best practices.We’ll begin with the foundation: capturing Layer 3/4 network visibility. 🌐 1. Capture Layer 3/4 Network Visibility