threat_intelligence650 wordsRead on Arc Codex

Keyword lists: Stop re-entering the same organizational context across every workflow

SOC and CTI teams spend a significant part of their day maintaining context that should already be there. The assets they monitor, the technologies they protect, the threat actors they track, this organizational knowledge gets re-entered manually across searches, rules, and requirements, duplicated across individual analyst workflows, and updated inconsistently when environments change. The intelligence keeps up with the threat landscape. The context that scopes it rarely does. That is why Intelligence Center 3.8 introduces Keyword lists, a capability that lets teams define organizational context once and apply it automatically across every workflow. The problem: Duplicated context, inconsistent coverage Picture a fairly routine afternoon: you're building a new monitoring rule for a threat actor your team started tracking last week, and you need to scope it to your organization's critical assets, the usual mix of domains, IP ranges, hostnames, and executive names. You know this list well because you've entered it before, multiple times, across different workflows. But the version you need right now lives scattered across a saved search from six months ago, a rule a former colleague built, and a spreadsheet someone updates when they remember to. So you reconstruct it from memory, paste it in, and move on, reasonably confident you got it right. Three weeks later, two new servers get added to your environment. You update the search and the spreadsheet, but the rule gets missed. A coverage gap opens up quietly and will sit there until something surfaces it. When a new office location is added, or an executive changes, or your tech stack shifts, the same pattern repeats. A significant part of the maintenance burden isn't tracking new threats; it's keeping your organizational context synchronized across every workflow that depends on it. Keyword lists In EclecticIQ Intelligence Center, a Keyword list is a named, reusable collection of terms that represents a slice of your organizational context: assets, vendors, threat actor names, brand identifiers, geographic locations, executive names. You create it once, give it an identifier, and from that point any search, monitoring rule, or Intelligence Compass configuration can reference it by name. Typing @ in the search bar pulls up your available lists with favorited ones surfacing first, so you can quickly identify what you're referencing without leaving the search. When something in your environment changes, you update the Keyword list and every workflow referencing it picks up the change automatically. There's no need to track down which rules or searches depend on that context, because the usage panel on each list shows exactly where it's referenced: every rule, search, and requirement that pulls from it. That same view shows you if a list is actively used or orphaned, helping you manage impact and clean up unused context. Why this changes how your team works Your monitoring stays focused on what actually matters to your organization. When organizational context is defined centrally rather than reconstructed from memory each time, the intelligence that surfaces reflects your environment accurately, not approximately. Updating organizational context once is enough. No more making the same change across multiple searches, rules, and requirements. One update to a Keyword List and every workflow referencing it stays current. The same context applies across every workflow, automatically. Searches, monitoring rules, and Intelligence Compass all draw from the same lists, so coverage doesn't vary depending on who built a particular workflow or when. You can see where your context is used and where it isn't. The usage panel on each list shows exactly which workflows depend on it, so coverage gaps are something you can identify and close rather than discover after the fact. See it working This feature is available now in Intelligence Center 3.8. If your team is currently maintaining the same list of assets, vendors, or threat actor names across more than one workflow, that's the right place to start. Reach out to your EclecticIQ contact and we'll walk through it.

How it works

Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content — general knowledge won't be enough. Score 70+ to count toward your certificate.

Questions are cached — you'll always get the same 5 for this article.