From Reactive to Proactive: Automating IP Threat Intelligence in SIEM Systems for Cyber Threat Detection

Authors

  • Abeer Alhuzali, King Abdulaziz University, Faculty of Computing and Information Technology, Department of Computer Science, Jeddah, Saudi Arabia
  • Asrar Alshareef, King Abdulaziz University, Faculty of Computing and Information Technology, Department of Computer Science, Jeddah, Saudi Arabia

DOI:

https://doi.org/10.32985/ijeces.17.2.1

Keywords:

SIEM, Security Operations Centers (SOC), threat intelligence, IP threat intelligence, integration

Abstract

Digital transformation has provided more opportunities for cybercriminals and exposed organizations to sophisticated threats. Organizations should continuously evaluate their security measures and implement defensive actions to prevent attacks by cybercriminals. Security Information and Event Management (SIEM) systems, deployed within Security Operations Centers (SOCs), allow organizations to identify security risks and vulnerabilities, monitor unusual behavior, and automatically respond to security events. However, SIEM platforms require certain functional enhancements. For instance, security analysts often use external threat intelligence platforms to check suspicious IP addresses manually. This results in longer response times and a greater likelihood of human error. Hence, this paper proposes an integration framework that correlates the functionality of an external threat intelligence platform (AbuseIPDB) with a SIEM system (IBM QRadar) to automatically validate suspicious IP addresses without the need for manual checking. The goal of this integration is to increase the efficiency of threat analysis, incident response, and SIEM-based threat detection. Tests demonstrated that our proposed framework shortens the threat validation time by up to 97.7%, compared to manual processes. Additionally, our system reduces false positives by capitalizing on contextual threat intelligence, thus allowing SOC teams to prioritize critical alerts.
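As an added illustration of the automated validation step the abstract describes (example code written for this page, not the paper's or QRadar's own integration), the following Python enriches the source IPs of a SIEM offense with reputation data and derives a queue priority. The AbuseIPDB reply field names (`abuseConfidenceScore`, `totalReports`, `isWhitelisted`) are assumed from its public `/api/v2/check` API, the lookup is replaced by a constructed offline table, and the score thresholds are assumptions to be tuned per SOC policy.

```python
import ipaddress
from typing import Callable, Optional

# Constructed, offline stand-in for AbuseIPDB /api/v2/check replies (only the
# "data" fields this example needs; field names assumed from the public API).
SAMPLE_REPUTATION = {
    "203.0.113.5":  {"abuseConfidenceScore": 100, "totalReports": 342, "isWhitelisted": False},
    "198.51.100.7": {"abuseConfidenceScore": 0,   "totalReports": 0,   "isWhitelisted": False},
    "192.0.2.9":    {"abuseConfidenceScore": 55,  "totalReports": 12,  "isWhitelisted": False},
    "192.0.2.40":   {"abuseConfidenceScore": 90,  "totalReports": 5,   "isWhitelisted": True},
}
# Assumed triage thresholds on the 0-100 confidence score.
MALICIOUS_SCORE, SUSPICIOUS_SCORE = 75, 25
# Address space that must never be sent to an external service (RFC 1918 plus
# loopback and link-local); listed explicitly rather than via is_private, which
# in Python also covers documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def offline_lookup(ip: str) -> Optional[dict]:
    """Stand-in for the HTTP call; None means the service has no record."""
    return SAMPLE_REPUTATION.get(ip)

def classify_ip(ip: str, lookup: Callable[[str], Optional[dict]] = offline_lookup) -> str:
    """Map one IP to internal / unknown / clean / suspicious / malicious."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    rec = lookup(ip)
    if rec is None:
        return "unknown"            # no verdict either way; leave for the analyst
    if rec.get("isWhitelisted"):
        return "clean"              # provider whitelist overrides stale reports
    score = rec.get("abuseConfidenceScore", 0)
    if score >= MALICIOUS_SCORE:
        return "malicious"
    return "suspicious" if score >= SUSPICIOUS_SCORE else "clean"

PRIORITY = {"malicious": "critical", "suspicious": "medium", "unknown": "review",
            "clean": "low", "internal": "low"}
RANK = ["low", "review", "medium", "critical"]

def triage_offense(offense: dict, lookup: Callable[[str], Optional[dict]] = offline_lookup) -> dict:
    """Enrich every IP on an offense and derive one priority; an offense whose
    external IPs are all clean is flagged as a likely false positive."""
    verdicts = {ip: classify_ip(ip, lookup) for ip in offense["source_ips"]}
    priority = max((PRIORITY[v] for v in verdicts.values()), key=RANK.index, default="low")
    external = [v for v in verdicts.values() if v != "internal"]
    likely_fp = bool(external) and all(v == "clean" for v in external)
    return {"offense_id": offense["id"], "priority": priority,
            "verdicts": verdicts, "likely_false_positive": likely_fp}
```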

Published

2026-01-08

How to Cite

[1] A. Alhuzali and A. Alshareef, “From Reactive to Proactive: Automating IP Threat Intelligence in SIEM Systems for Cyber Threat Detection”, IJECES, vol. 17, no. 2, pp. 83-92, Jan. 2026.

Section

Original Scientific Papers