IOC Integration Architecture
A pragmatic architecture for operationalizing IOCs end to end, designed to balance freshness, governance, and platform constraints while delivering detection-ready data to security teams.
High-level flow
Indicators move through a consistent lifecycle from ingestion to detection, with freshness and provenance enforced at every step.
IOC ingestion and storage
Indicators are ingested from multiple producers and normalized into a canonical schema. Due to platform constraints, indicators are stored as time-series datasets rather than mutable reference tables.
- Each ingest batch is timestamped and immutable
- Deduplication happens during normalization, not via in-place mutation
- Expiry is enforced at query/publish time
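The normalization step above can be sketched as follows. This is a minimal illustration, not the actual pipeline: the `Indicator` fields, default confidence, and default TTL are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)  # frozen: ingested records are immutable
class Indicator:
    value: str          # e.g. an IP, domain, or file hash
    ioc_type: str
    source: str
    confidence: int     # 0-100; default below is illustrative
    ttl_hours: int
    ingested_at: datetime

def normalize_batch(raw_batch, source, batch_ts=None):
    """Normalize one ingest batch into canonical, deduplicated records.

    The whole batch shares one immutable timestamp; duplicates are
    dropped during normalization rather than by mutating stored rows.
    """
    batch_ts = batch_ts or datetime.now(timezone.utc)
    seen = set()
    out = []
    for item in raw_batch:
        key = (item["type"].lower(), item["value"].strip().lower())
        if key in seen:  # dedupe within the batch, no mutation
            continue
        seen.add(key)
        out.append(Indicator(
            value=key[1],
            ioc_type=key[0],
            source=source,
            confidence=int(item.get("confidence", 50)),
            ttl_hours=int(item.get("ttl_hours", 72)),
            ingested_at=batch_ts,
        ))
    return out
```

Because records are append-only, a re-delivered indicator simply appears in a later batch with a newer timestamp; consumers resolve "latest wins" at read time.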
Why time-series?
The underlying analytics platform favors append-only datasets. Treating IOCs as time-series preserves provenance and history, while avoiding expensive rewrite patterns.
Freshness + controls
Freshness is enforced through metadata, not mutation. Every record carries timestamps, source identity, confidence, and TTL.
- Source trust and allow/deny lists
- TTL-based expiry at publish time
- Full audit history for reviews
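A publish-time filter that enforces these controls might look like the sketch below. Records are plain dicts here; the field names (`source`, `confidence`, `ttl_hours`, `ingested_at`) are illustrative, not the canonical schema.

```python
from datetime import datetime, timedelta, timezone

def publishable(records, now=None, allowed_sources=None, min_confidence=0):
    """Yield records that pass source, confidence, and TTL checks.

    Expiry is evaluated against metadata at publish time; the
    underlying append-only records are never updated or deleted.
    """
    now = now or datetime.now(timezone.utc)
    for r in records:
        if allowed_sources is not None and r["source"] not in allowed_sources:
            continue  # source not on the allow list
        if r["confidence"] < min_confidence:
            continue  # below the trust threshold
        if r["ingested_at"] + timedelta(hours=r["ttl_hours"]) <= now:
            continue  # expired; record is kept for audit history
        yield r
```

Filtered-out records remain in the time-series store, so audits can always reconstruct what was published and why.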
Self-service recurring query capability (new)
To operationalize IOCs at scale, the architecture introduces a recurring query mechanism that executes detection logic on a defined cadence.
What it enables
- Self-service scheduling of IOC evaluations without manual execution
- Consistent freshness windows enforced across teams and detections
- Reproducible, explainable results for audits and reviews
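The scheduling semantics can be expressed deterministically: every run fires at a fixed offset from an anchor time, and each run evaluates only indicators inside its freshness window. The helper names and parameters below are illustrative assumptions, not platform APIs.

```python
from datetime import datetime, timedelta, timezone

def next_runs(anchor, cadence, count):
    """Deterministic schedule: run k starts at anchor + k * cadence.

    Determinism is what makes executions reproducible for audits:
    given the anchor and cadence, every run time can be recomputed.
    """
    return [anchor + k * cadence for k in range(count)]

def evaluation_window(run_time, freshness):
    """Each run evaluates only indicators within its freshness window."""
    return (run_time - freshness, run_time)
```

Because the window is derived from the run time rather than wall-clock "now", a re-run of a past execution sees exactly the same window, which is what makes results explainable after the fact.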
Operating model impact
This shifts IOC evaluation from ad-hoc, analyst-driven execution to a standardized, platform-owned operating model.
Before / After
| Metric | Before | After |
|---|---|---|
| Executions per day | ~24 hourly runs (team-specific) | 1 recurring execution (platform) |
| Typical execution time | ~10 minutes | ~30 seconds |
| Freshness consistency | Varies by team and schedule drift | Standard freshness window + SLO |
| Operational overhead | Manual coordination + repeated runs | Self-service scheduling + governance |
| Auditability | Hard to reproduce consistently | Reproducible executions + traceability |
Note: Replace approximate values with your measured baselines where possible.
Why it matters
Without recurring queries, teams rely on ad-hoc execution. This introduces drift, stale results, and operational risk.
Consumption paths
Results are consumed through two primary paths: real-time detection workflows and investigative analysis.
- Detection systems consume fresh, non-expired results only
- Investigative paths can access historical archives
- Access patterns are explicitly separated for safety
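The separation of the two access patterns can be sketched as two distinct read functions over the same append-only store. Field names are illustrative; the point is that the detection path never sees expired data, while the investigative path sees full history.

```python
from datetime import datetime, timedelta, timezone

def detection_view(records, now=None):
    """Detection path: fresh, non-expired indicators only."""
    now = now or datetime.now(timezone.utc)
    return [r for r in records
            if r["ingested_at"] + timedelta(hours=r["ttl_hours"]) > now]

def investigative_view(records, as_of=None):
    """Investigative path: full history, optionally as of a point in time."""
    if as_of is None:
        return list(records)
    return [r for r in records if r["ingested_at"] <= as_of]
```

Keeping these as separate entry points (rather than one function with a flag) makes it harder for a detection workflow to accidentally match against stale indicators.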
Observability
The architecture exposes metrics that allow teams to reason about quality, freshness, and coverage.
- Freshness SLO compliance
- Indicator volume and dedupe rates
- Query success and latency
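These metrics are straightforward to derive from the published records and query-run logs. The sketch below assumes simple dict-shaped inputs and an illustrative SLO threshold; the real metric definitions would come from your platform.

```python
from datetime import datetime, timedelta, timezone

def observability_metrics(records, query_runs, now, slo_hours=2):
    """Compute basic freshness and query-health metrics.

    records:    published indicator records with an 'ingested_at' field
    query_runs: run logs with 'status' and 'latency_s' fields
    (field names and the slo_hours default are illustrative)
    """
    fresh = [r for r in records
             if now - r["ingested_at"] <= timedelta(hours=slo_hours)]
    ok_runs = sorted((q["latency_s"] for q in query_runs
                      if q["status"] == "success"))
    return {
        "freshness_slo_compliance":
            len(fresh) / len(records) if records else 1.0,
        "indicator_volume": len(records),
        "query_success_rate":
            len(ok_runs) / len(query_runs) if query_runs else 1.0,
        # crude p50: middle element of the sorted success latencies
        "p50_latency_s": ok_runs[len(ok_runs) // 2] if ok_runs else None,
    }
```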
Known limitations / tech debt
Design tradeoff: We intentionally optimized for near-term business value to unblock detection workflows, while keeping technical debt explicit, bounded, and reversible.
- IOC mutation is not supported; expiry is enforced via query logic rather than record updates
- Time-series modeling increases query complexity for some consumers
- Recurring queries add platform overhead that must be capacity-planned
- Results are not queryable in place, so teams must export and re-ingest them to enable analysis
These tradeoffs were accepted intentionally to unblock delivery, preserve provenance, and avoid high-risk data rewrites. Future iterations could introduce native reference-data support.
This architecture is intentionally generic. Internal system names have been abstracted to highlight design decisions rather than implementation specifics.