Case Study: SecOps

Turn Log Noise Into Intelligence.

False Positives: -60% (less alert fatigue)
Triage Time: 3 mins (down from 20 mins)
Context Added: 100% (every IP fully enriched)

The Challenge: Alert Fatigue

A Managed Security Service Provider (MSSP) was processing 500 million firewall logs per day. Their SIEM (Splunk) was generating 10,000 alerts daily for "Suspicious Traffic."

The problem? Analysts were drowning. They couldn't tell a harmless web crawler, a corporate VPN user, and a targeted Russian botnet apart. They were treating every "Datacenter IP" as a threat, which led to thousands of false alarms.

The Solution: Automated Enrichment

They integrated CandycornDB into their SOAR (Security Orchestration, Automation, and Response) playbook. Now, before an alert ever reaches a human analyst, the system auto-enriches the source IP and either closes, escalates, or annotates the alert.

# Python SOAR Script (Simplified)
# 'candycorn' is the vendor client; close_alert, escalate_alert and
# update_ticket are the SOAR platform's own helpers. Both are assumed
# to be available to the playbook.
import candycorn

def enrich_alert(ip_address):
    intel = candycorn.lookup(ip_address)

    # 1. Auto-close if it's just a known scanner
    if intel['asn_name'] in ('Shodan', 'Googlebot'):
        return close_alert("Benign Scanner")

    # 2. Escalate if it's a known threat (high-risk subnet or Tor exit)
    if intel['subnet_risk'] > 90 or intel['is_tor']:
        return escalate_alert("High Priority - Anonymized Threat")

    # 3. Otherwise add context to the ticket for the analyst
    return update_ticket(
        asn=intel['asn_name'],
        type=intel['connection_type'],
        risk=intel['score'],
    )
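The same triage logic as an added, self-contained example (not CandycornDB's or the MSSP's code), with two safeguards a playbook like this needs: one lookup per distinct IP rather than one per alert, and never auto-closing an alert when enrichment itself fails. The lookup client, ASN names and IPs are constructed stand-ins.

```python
# Added example: triage stage of an enrichment playbook with caching and
# a fail-safe for enrichment outages. Thresholds/names follow the page.
from typing import Callable, Dict, Optional, Tuple

BENIGN_SCANNERS = {"Shodan", "Googlebot"}   # ASN names from the page's playbook
RISK_THRESHOLD = 90                         # escalation threshold from the page

def decide(intel: Optional[dict]) -> Tuple[str, dict]:
    """Map one enrichment record to (action, ticket_context)."""
    if not intel or "asn_name" not in intel:
        # Enrichment unavailable: fail to the analyst, not to silence.
        return "enrich", {"enriched": False, "reason": "enrichment unavailable"}
    if intel["asn_name"] in BENIGN_SCANNERS:
        return "auto_close", {"reason": "Benign Scanner"}
    if intel.get("subnet_risk", 0) > RISK_THRESHOLD or intel.get("is_tor"):
        return "escalate", {"reason": "High Priority - Anonymized Threat"}
    return "enrich", {"enriched": True, "asn": intel["asn_name"],
                      "type": intel.get("connection_type"), "risk": intel.get("score")}

def triage_batch(ips, lookup: Callable[[str], dict]) -> Dict[str, int]:
    """Triage a batch of alerts, caching one lookup (or one failure) per IP."""
    cache: Dict[str, Optional[dict]] = {}
    counts = {"auto_close": 0, "escalate": 0, "enrich": 0}
    for ip in ips:
        if ip not in cache:
            try:
                cache[ip] = lookup(ip)
            except Exception:
                cache[ip] = None       # remember the outage; don't retry per alert
        action, _ = decide(cache[ip])
        counts[action] += 1
    return counts

# Constructed sample records standing in for the lookup service (hypothetical ASNs).
SAMPLE_INTEL = {
    "198.51.100.7": {"asn_name": "Shodan", "subnet_risk": 10, "is_tor": False,
                     "connection_type": "datacenter", "score": 10},
    "203.0.113.9": {"asn_name": "ExampleHosting", "subnet_risk": 95, "is_tor": False,
                    "connection_type": "datacenter", "score": 95},
    "192.0.2.44": {"asn_name": "ExampleTelecom", "subnet_risk": 20, "is_tor": False,
                   "connection_type": "broadband", "score": 20},
}

def sample_lookup(ip: str) -> dict:
    if ip not in SAMPLE_INTEL:
        raise ConnectionError("lookup failed")   # simulates an enrichment outage
    return SAMPLE_INTEL[ip]
```

Running `triage_batch` over five scanner alerts, one high-risk IP, two ordinary alerts and one IP the service cannot resolve closes only the five scanner alerts; the unresolved one stays in the analyst queue flagged as unenriched.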

The Result

By filtering out known benign scanners and enriching IPs with ASN context, the SOC team reduced their daily alert volume by 60%. Analysts now only focus on high-fidelity threats, drastically reducing their Mean Time to Respond (MTTR).

Enrich your security logs.

Get Your API Key