Cybersecurity Enrichment for SIEMs
Industry: Cybersecurity, SOC & Threat Detection
The Challenge
Security teams were overwhelmed by unactionable alerts in their SIEM (Security Information and Event Management) system. IPs were just numbers — lacking threat context or enrichment.
Without contextual IP data (ASN reputation, VPN flags, subnet risk), high-value signals were buried in noisy logs.
The CandycornDB Solution
- Real-time API enrichment: Enhance IPs in logs/alerts with VPN/proxy flags, geolocation, ASN trust level, and Tor indicators.
- Bulk Enrichment Mode: Batch process daily threat logs via a simple script using our IP score API.
- Subnet Behavior Modeling: Detect coordinated activity across suspicious subnets tied to known abuse networks.
Integration Snapshot
# Example Python script (SIEM webhook) to enrich IPs
import requests

def enrich_ip(ip, timeout=5):
    # Replace YOUR_API_KEY with the key issued for your account
    headers = {"Authorization": "Bearer YOUR_API_KEY"}
    res = requests.get("https://api.candycorndb.com/ip/lookup",
                       params={"ip": ip}, headers=headers, timeout=timeout)
    res.raise_for_status()  # surface HTTP errors instead of parsing an error body
    return res.json()
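An added example (not CandycornDB's own code) of the bulk enrichment and subnet behavior modeling described above: it pulls IPs out of constructed sample alert lines, calls the lookup once per unique IP, and counts distinct source IPs per subnetClusterId so that several addresses from one risky cluster stand out. The endpoint URL is the one from the snapshot; the stub responses and every field name other than riskLevel and subnetClusterId are assumptions.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample alerts, as a SIEM might forward them to a webhook.
SAMPLE_ALERTS = [
    "2024-05-01T10:00:01Z auth failed user=alice src=198.51.100.7",
    "2024-05-01T10:00:02Z auth failed user=bob src=198.51.100.9",
    "2024-05-01T10:00:03Z auth failed user=carol src=198.51.100.7",
    "2024-05-01T10:00:04Z auth ok user=dave src=203.0.113.5",
]

# Constructed stub responses so the example runs offline; the field names
# other than riskLevel and subnetClusterId are assumed, not documented here.
STUB_RESPONSES = {
    "198.51.100.7": {"riskLevel": "high", "subnetClusterId": "c-42", "tor": True},
    "198.51.100.9": {"riskLevel": "high", "subnetClusterId": "c-42", "tor": True},
    "203.0.113.5": {"riskLevel": "low", "subnetClusterId": "c-7", "tor": False},
}

def lookup_live(ip, api_key, timeout=5):
    """Query the lookup endpoint shown on this page (needs network and a key)."""
    import requests  # imported here so the offline demo does not need it
    res = requests.get("https://api.candycorndb.com/ip/lookup", params={"ip": ip},
                       headers={"Authorization": f"Bearer {api_key}"}, timeout=timeout)
    res.raise_for_status()
    return res.json()

def enrich_alerts(alerts, lookup=STUB_RESPONSES.get):
    """Enrich every IP in the alert lines, calling lookup once per unique IP.
    Returns (enriched records, distinct-IP count per subnet cluster)."""
    cache, enriched, cluster_ips = {}, [], defaultdict(set)
    for line in alerts:
        for ip in IP_RE.findall(line):
            if ip not in cache:  # bulk mode: dedupe before hitting the API
                cache[ip] = lookup(ip) or {}
            ctx = cache[ip]
            record = {"raw": line, "ip": ip,
                      "riskLevel": ctx.get("riskLevel", "unknown"),
                      "subnetClusterId": ctx.get("subnetClusterId"),
                      "tor": bool(ctx.get("tor"))}
            enriched.append(record)
            if record["subnetClusterId"]:
                cluster_ips[record["subnetClusterId"]].add(ip)
    return enriched, {cid: len(ips) for cid, ips in cluster_ips.items()}

def coordinated_clusters(cluster_counts, min_ips=2):
    """Clusters with several distinct source IPs: the coordinated-subnet signal."""
    return sorted(cid for cid, n in cluster_counts.items() if n >= min_ips)
```

To run it against the live service, pass `lookup=lambda ip: lookup_live(ip, api_key)` instead of the default stub.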
Real-World Results
A SOC team at a B2B SaaS company used CandycornDB to enrich their Splunk alert pipeline:
- ✅ Reduced false positives by 37%
- ✅ Identified 16 previously undetected Tor-based credential stuffing attacks
- ✅ Created SIEM rules using CandycornDB's riskLevel and subnetClusterId fields
Why It Works
- Contextual threat scoring instead of binary flags
- Improved analyst triage by highlighting risky traffic
- Operationalized threat data in < 2 hours with no infrastructure changes