BrightCloud IP Reputation Service for Security Incident & Event Management (SIEM)

Detect, Alert & Respond to Known Bad IPs & Unknown Malicious IPs in SIEM

Faced with an onslaught of perimeter breaches, targeted attacks and unknown threats, even large and well-funded IT security organizations may struggle to detect and respond to incidents in a timely fashion, increasing the risk of data theft. Many breaches can go undetected for months because enterprises lack real-time insight into emerging threats.

One of the most effective ways to decrease this "time exposed to danger" is with predictive threat intelligence that correlates multiple attack vectors, such as URLs, IPs, files and mobile apps, to identify known threats and accurately predict which unknown objects are likely to be malicious. This highly accurate, real-time intelligence can eliminate or greatly reduce the effects of an attack by detecting malicious activity as early as possible, so InfoSec teams can quickly respond, investigate and remediate.

BrightCloud IP Reputation Service for SIEM integrates BrightCloud's highly accurate, constantly updated predictive IP threat intelligence into SIEM environments. This enables the SIEM solution to correlate real-world IP threat data from BrightCloud against IP logs, identify malicious activity from known bad IPs and unknown malicious IPs in real time, and alert InfoSec teams so they can quickly investigate, respond to active endpoint breaches, or even take proactive action by sending attacking IPs to a firewall for blocking.

SIEM for BrightCloud

BrightCloud IP Reputation Service catches unknown, malicious IP threats with predictive threat intelligence

BrightCloud IP Reputation Service is powered by the Webroot Intelligence Network, an advanced, cloud-based threat analysis platform that continuously collects real-world data from tens of millions of protected endpoint and network devices around the world, as well as a vast array of internet sensors and global threat databases.

Webroot Intelligence Network (WIN)

In order to identify known bad IPs and predict the likelihood of an unknown IP being malicious, the Webroot Intelligence Network analyzes the behavioral history of all 4.3 billion IPs as well as their contextual relationships with other objects (IPs, URLs, files and mobile applications). This is made possible by a big data architecture that includes technologies such as Cassandra, 3rd-generation machine learning (Maximum Entropy Discrimination) and a massive number of classifiers (e.g. 400 IP classifiers that can classify 20,000 IPs per second). Not only does this provide higher accuracy than human-based analysis, it also provides several unique benefits:

  1. Accurately predicts the likelihood that a never-before-seen IP is malicious based on its relationships with other IPs, URLs, files and mobile apps

  2. Continuously updates risk prediction using behavioral analysis as well as contextual relationships between objects to reduce false positives and missed threats

  3. Predicts which other malicious IPs, URLs, files or mobile apps are likely to attack in the future

The Webroot Intelligence Network then assigns an IP reputation score to each of the 4.3 billion IPs to indicate the likelihood of it being malicious, and updates this reputation score every 5 minutes with new behavioral data and contextual relationships with other objects. BrightCloud IP Reputation Service exposes this predictive IP reputation score so it can be easily consumed by enterprises to detect malicious IP activity.

| IP Reputation Score | Description | Number of IPs in this category |
|---|---|---|
| High Risk IPs | There is a high risk that these IPs will deliver attacks to your infrastructure and endpoints in one of the following categories: botnets, Windows exploits, web attacks, phishing, anonymous proxies, spam sources and scanners. | ~12 million |
| Suspicious IPs | There is a higher than average risk that these IPs will deliver attacks to your infrastructure and endpoints in one of the aforementioned categories. | |
| Benign IPs | These IPs have exhibited some potential risk characteristics. There is some risk that they will deliver attacks to your infrastructure and endpoints. | ~882 million |
| Low Risk IPs | These IPs rarely exhibit characteristics that expose your infrastructure and endpoints to security risks. There is a low risk of attack. | |
| Trustworthy IPs | These are clean IPs that have not been tied to a security risk. There is very low risk that your infrastructure and endpoints will be exposed to attack. | ~3.4 billion |
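The correlation workflow described above (match the IPs in SIEM logs against reputation bands, alert on the risky ones, and hand the attackers to a firewall ACL) as an added illustration; this is example code written for this page, not BrightCloud's or any SIEM's own integration. The key=value log layout, the local reputation cache contents and the choice of which bands alert or block are assumptions; only the five band names come from the table.

```python
import ipaddress
import re

# Constructed local cache of reputation verdicts. Band names are the five
# categories from the table; the addresses and their verdicts are made up.
REPUTATION = {
    "203.0.113.5": "High Risk",
    "198.51.100.77": "Suspicious",
    "192.0.2.10": "Benign",
    "192.0.2.200": "Trustworthy",
}
ALERT_BANDS = {"High Risk", "Suspicious"}  # assumed: bands that raise an alert
BLOCK_BANDS = {"High Risk"}                # assumed: bands pushed to the firewall ACL

# Internal ranges are never looked up: a reputation verdict on them is meaningless.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed firewall log lines in an assumed key=value layout.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw1 action=allow src=10.0.0.12 dst=203.0.113.5 dport=443
2024-05-01T10:00:02Z fw1 action=allow src=198.51.100.77 dst=10.0.0.12 dport=22
2024-05-01T10:00:03Z fw1 action=allow src=10.0.0.15 dst=192.0.2.10 dport=80
2024-05-01T10:00:04Z fw1 action=allow src=10.0.0.15 dst=192.0.2.200 dport=443
2024-05-01T10:00:05Z fw1 action=deny src=203.0.113.5 dst=10.0.0.12 dport=3389
2024-05-01T10:00:06Z fw1 action=allow src=10.0.0.20 dst=203.0.113.99 dport=443
""".splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def external_ips(line):
    """Return the src/dst addresses on a line that fall outside INTERNAL."""
    fields = dict(FIELD_RE.findall(line))
    out = []
    for key in ("src", "dst"):
        try:
            addr = ipaddress.ip_address(fields.get(key, ""))
        except ValueError:
            continue  # missing or malformed field: nothing to look up
        if not any(addr in net for net in INTERNAL):
            out.append(str(addr))
    return out

def correlate(lines, reputation=REPUTATION):
    """Return (alerts, block_list, unknown): alerts as (ip, band, line) tuples,
    block_list as the sorted IPs to push to the ACL, unknown as IPs missing
    from the cache that still need a live reputation lookup."""
    alerts, block, unknown = [], set(), set()
    for line in lines:
        for ip in external_ips(line):
            band = reputation.get(ip)
            if band is None:
                unknown.add(ip)
            elif band in ALERT_BANDS:
                alerts.append((ip, band, line))
                if band in BLOCK_BANDS:
                    block.add(ip)
    return alerts, sorted(block), sorted(unknown)
```

Note that a deny on the firewall still produces an alert: a High Risk source probing RDP is worth investigating even when the packet was dropped, and an IP absent from the cache is reported separately rather than silently treated as clean.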

BrightCloud IP Reputation Service for LogRhythm

BrightCloud IP Reputation Service for LogRhythm integrates highly accurate, real-time threat intelligence from the BrightCloud IP Reputation Service into the LogRhythm environment for advanced monitoring, alerting and correlation analysis. It enables LogRhythm to detect malicious IP activity and invoke customer-defined actions such as adding attacking IPs to a firewall ACL.


BrightCloud Threat Intelligence for Splunk

BrightCloud Threat Intelligence for Splunk provides customers with either a Splunk App or a Splunk Add-on to integrate BrightCloud IP Reputation Service data into their Splunk environment. The Splunk App provides Splunk Enterprise customers with industry-leading BrightCloud IP threat intelligence to detect malicious IP activity in incoming and outgoing IP traffic, alert InfoSec teams to such activity, and provide them with detailed contextual information on each malicious IP so they can respond and remediate quickly before that activity leads to a security breach. The Splunk Add-on provides the same benefits to Splunk Enterprise and Splunk App for Enterprise Security customers.
