About Integration with threat intelligence and external signals


Connectivity with Threat Intelligence and SIEM/SOAR

The Behavior Engine of the Segura platform is designed to operate not only with internal data from the environment but also by integrating external signals and events for a comprehensive view of risk. This integration multiplies the system's detection, response, and adaptation power.

  • Threat intelligence feeds: the Behavior Engine consumes threat intelligence feeds in real time, such as lists of Indicators of Compromise (IOCs), data on emerging attacks, phishing campaigns, and global threats. Suspicious events in user sessions can be automatically correlated with external information for faster and more contextualized risk detection.
  • SIEM/SOAR integration: bidirectional integration with Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) systems allows the Behavior Engine to receive external alerts and also send critical behavioral events, triggering automatic response or investigation playbooks.

Orchestrated and Automated Actions

The connection to external risk sources enables orchestrated actions and adaptive responses:

  • Triggering playbooks: Detection of anomalous behavior, when aligned with threat intelligence or SIEM alerts, can initiate automatic playbooks, such as session blocking, credential revocation, or incident creation.
  • Dynamic risk-scoring: The risk score of each user or session is adjusted in real time according to signals received from external sources, making enforcement decisions even more precise and contextualized.
  • Adaptive policy execution: Risk changes coming from external intelligence immediately impact permissions, MFA requirements, approval workflows, and other policies.

Practical examples

  • IOC detected: if an endpoint used in a session is listed in an IOC feed, the session can be automatically blocked, and the incident forwarded for investigation.
  • Event correlation: if a suspicious behavior in a session coincides with an active attack campaign identified by threat intelligence, automatic responses are prioritized.
  • Integrated response: the Behavior Engine can be configured to work together with SOC teams, ITSM, and risk analysts, ensuring that relevant alerts are handled in multiple defense systems.
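The orchestrated actions and the practical examples above (IOC match, campaign correlation, dynamic risk score, playbook trigger) can be illustrated with a small correlation routine. The following is an added example written for this page; it is not Segura's code and does not use the Behavior Engine's real API. The IOC values are constructed from the TEST-NET documentation ranges, and the score weights, thresholds and payload field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed threat intelligence feed (TEST-NET addresses, not real IOCs).
IOC_FEED: Dict[str, Set[str]] = {
    "ip": {"203.0.113.45", "198.51.100.7"},
}

# Constructed SIEM alerts received for users, keyed by username.
SIEM_ALERTS: Dict[str, List[str]] = {
    "alice": ["impossible-travel"],
}

# Constructed set of attack campaigns currently flagged as active by threat intel.
ACTIVE_CAMPAIGNS: Set[str] = {"phishing:credential-harvest"}

# Hypothetical score weights and enforcement thresholds (assumptions).
WEIGHT_IOC_MATCH = 50
WEIGHT_SIEM_ALERT = 20
WEIGHT_CAMPAIGN_MATCH = 25
THRESHOLD_BLOCK = 80
THRESHOLD_MFA = 50


@dataclass
class SessionEvent:
    session_id: str
    user: str
    endpoint_ip: str
    behaviors: List[str]  # anomaly tags produced by behavioral analysis
    base_risk: int        # internal risk score before external signals (0-100)


@dataclass
class Decision:
    session_id: str
    risk: int
    action: str           # "block_session", "require_mfa" or "allow"
    priority: str         # "high" when an active campaign is involved
    reasons: List[str]
    playbook_payload: dict


def action_for(risk: int) -> str:
    """Map the adjusted risk score to an adaptive enforcement action."""
    if risk >= THRESHOLD_BLOCK:
        return "block_session"
    if risk >= THRESHOLD_MFA:
        return "require_mfa"
    return "allow"


def correlate(event: SessionEvent) -> Decision:
    """Adjust the internal risk score with external signals and pick a response."""
    risk = event.base_risk
    reasons: List[str] = []
    campaign_hit = False

    # IOC detected: the session endpoint appears in the threat intelligence feed.
    if event.endpoint_ip in IOC_FEED["ip"]:
        risk += WEIGHT_IOC_MATCH
        reasons.append(f"endpoint {event.endpoint_ip} listed in IOC feed")

    # External SIEM alerts for the same user raise the score further.
    for alert in SIEM_ALERTS.get(event.user, []):
        risk += WEIGHT_SIEM_ALERT
        reasons.append(f"SIEM alert for {event.user}: {alert}")

    # Event correlation: a behavior tag matching an active campaign is prioritized.
    for tag in event.behaviors:
        if tag in ACTIVE_CAMPAIGNS:
            risk += WEIGHT_CAMPAIGN_MATCH
            campaign_hit = True
            reasons.append(f"behavior {tag} matches active campaign")

    risk = min(risk, 100)
    action = action_for(risk)
    priority = "high" if campaign_hit else "normal"

    # Payload that would be posted to a SOAR/ITSM webhook (hypothetical schema).
    payload = {
        "session_id": event.session_id,
        "user": event.user,
        "risk_score": risk,
        "action": action,
        "priority": priority,
        "reasons": reasons,
    }
    return Decision(event.session_id, risk, action, priority, reasons, payload)


# Constructed session events for a stand-alone run.
SAMPLE_EVENTS = [
    SessionEvent("s-1", "alice", "203.0.113.45", ["phishing:credential-harvest"], 20),
    SessionEvent("s-2", "bob", "192.0.2.10", ["off-hours-login"], 35),
    SessionEvent("s-3", "carol", "192.0.2.11", ["phishing:credential-harvest"], 30),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        d = correlate(ev)
        print(d.session_id, d.risk, d.action, d.priority, d.reasons)
```

Running the block shows the three outcomes the page describes: `s-1` combines an IOC hit, a SIEM alert and a campaign match and is blocked at high priority; `s-3` only matches the campaign and is pushed to MFA; `s-2` has no external signal and keeps its internal score. In a deployment the payload would be delivered through the platform's webhook or SIEM/SOAR connector rather than printed.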

Extensibility and customization

  • APIs and webhooks: allow easy integration with new threat intelligence sources, proprietary SIEM/SOAR, or third-party solutions.
  • Custom triggers: administrators can create custom triggers based on threat intelligence signals, allowing tailored responses to the organization's risk profile.