Scopus Indexed Publications

Paper Details


Title
Automating Malware Detection and Response via Real-Time Threat Feed Integration with Wazuh SIEM

Author
Abdullah Al Siam

Email

Abstract

This paper presents an open-source, modular framework that extends the Wazuh Security Information and Event Management (SIEM) system with real-time threat intelligence feeds for improved malware detection and automated incident response. The proposed system queries VirusTotal and AbuseIPDB at event time for live Indicators of Compromise (IOCs) and uses the results to enrich incoming log events. A custom correlation engine evaluates the enriched events against threshold-based rules to generate precise alerts, while active response scripts carry out real-time mitigation such as IP blocking and file quarantine. The architecture uses JSON-based event parsing and a modular feed interface, so new feeds can be added as the threat landscape evolves. Experimental evaluation was conducted in a controlled enterprise-grade environment using a mix of malicious and benign events. The results show a threat detection rate of 95.0%, an alert precision of 94.2%, and an average mitigation delay of 2.8 seconds. These findings support the system's effectiveness, low latency, and suitability for practical deployment in security operations.
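The enrich-then-correlate-then-respond pipeline the abstract describes, as an added illustration and not the paper's own code: a Wazuh-style custom integration step that takes an alert in the shape Wazuh writes to alerts.json, looks up the source IP against an AbuseIPDB-shaped feed and the file hash against a VirusTotal v3-shaped feed, applies threshold rules, and emits the active-response actions to run. The feed lookups are injected as callables and answered from constructed in-memory responses so the example runs offline; the alert contents, rule IDs, thresholds, the `1:<location>:<json>` socket message format and the integration's argv convention are assumptions, not details taken from the paper.

```python
"""Added example (not the paper's code): IOC enrichment + threshold-based
response decision for a Wazuh alert.  Feed shapes mimic AbuseIPDB
(/api/v2/check) and VirusTotal v3 (/files/{sha256}); responses are constructed."""
import json
from typing import Callable, Optional

# Constructed feed responses standing in for live API replies (assumed shapes).
FAKE_ABUSEIPDB = {
    "198.51.100.23": {"data": {"abuseConfidenceScore": 100, "totalReports": 57}},
    "203.0.113.9":   {"data": {"abuseConfidenceScore": 12,  "totalReports": 2}},
}
FAKE_VIRUSTOTAL = {
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f":
        {"data": {"attributes": {"last_analysis_stats": {"malicious": 61, "undetected": 7}}}},
}

def abuseipdb_lookup(ip: str) -> Optional[dict]:
    """Stand-in for GET https://api.abuseipdb.com/api/v2/check?ipAddress=<ip>."""
    return FAKE_ABUSEIPDB.get(ip)

def virustotal_lookup(sha256: str) -> Optional[dict]:
    """Stand-in for GET https://www.virustotal.com/api/v3/files/<sha256>."""
    return FAKE_VIRUSTOTAL.get(sha256)

# Threshold-based correlation (assumed values): below these we enrich but do not act.
IP_BLOCK_THRESHOLD = 90        # AbuseIPDB abuseConfidenceScore, 0-100
HASH_QUARANTINE_THRESHOLD = 5  # number of VirusTotal engines flagging "malicious"

def enrich(alert: dict, ip_feed: Callable, hash_feed: Callable) -> dict:
    """Attach a 'threat_intel' object to the alert. A missing field or an
    unknown indicator yields a None score rather than an exception."""
    intel = {}
    ip = alert.get("data", {}).get("srcip")
    if ip:
        resp = ip_feed(ip)
        score = (resp or {}).get("data", {}).get("abuseConfidenceScore")
        intel["abuseipdb"] = {"ip": ip, "score": score}
    syscheck = alert.get("syscheck", {})
    sha = syscheck.get("sha256_after")
    if sha:
        resp = hash_feed(sha)
        stats = (resp or {}).get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
        intel["virustotal"] = {"sha256": sha, "malicious": stats.get("malicious"),
                               "path": syscheck.get("path")}
    return {**alert, "threat_intel": intel}

def decide_actions(enriched: dict) -> list:
    """Map enriched intel to active-response actions. A None score (feed
    unavailable or indicator unknown) never triggers a block or quarantine."""
    actions = []
    ti = enriched.get("threat_intel", {})
    ip = ti.get("abuseipdb", {})
    if ip.get("score") is not None and ip["score"] >= IP_BLOCK_THRESHOLD:
        actions.append(("firewall-drop", ip["ip"]))
    vt = ti.get("virustotal", {})
    if vt.get("malicious") is not None and vt["malicious"] >= HASH_QUARANTINE_THRESHOLD:
        actions.append(("quarantine-file", vt["path"]))
    return actions

def to_queue_message(enriched: dict, location: str = "threat_intel") -> str:
    """Serialize for hand-off back to the manager; '1:<location>:<json>' is the
    assumed analysisd socket format used by Wazuh integrations."""
    return f"1:{location}:{json.dumps(enriched, separators=(',', ':'))}"

def process(alert: dict) -> tuple:
    """Full pipeline for one alert: (enriched alert, list of actions)."""
    enriched = enrich(alert, abuseipdb_lookup, virustotal_lookup)
    return enriched, decide_actions(enriched)

# Constructed alerts in the shape of Wazuh's alerts.json (rule ids assumed).
ALERT_SSH_BRUTE = {"rule": {"id": "5712", "level": 10}, "agent": {"id": "001"},
                   "data": {"srcip": "198.51.100.23"}}
ALERT_LOW_IP = {"rule": {"id": "5712", "level": 10}, "data": {"srcip": "203.0.113.9"}}
ALERT_FIM = {"rule": {"id": "554", "level": 5},
             "syscheck": {"path": "/tmp/dropper.bin",
                          "sha256_after": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"}}
ALERT_UNKNOWN = {"rule": {"id": "554", "level": 5},
                 "syscheck": {"path": "/tmp/unseen.bin", "sha256_after": "0" * 64}}

if __name__ == "__main__":
    import sys
    # Assumed Wazuh convention: <script> <alert_file> <api_key> <hook_url>.
    alerts = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else \
        [ALERT_SSH_BRUTE, ALERT_LOW_IP, ALERT_FIM, ALERT_UNKNOWN]
    for a in alerts:
        enriched, actions = process(a)
        print(to_queue_message(enriched))
        print("actions:", actions)
```

The two fail-safe choices worth copying are that an unknown indicator or an unreachable feed produces a None score rather than a zero (so a feed outage cannot be mistaken for "clean") and that None never triggers an active response (so the integration cannot block or quarantine on missing data). Thresholds sit in one place so the precision/recall trade-off the paper reports can be tuned without touching the correlation logic.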


Keywords

Journal or Conference Name
2025 IEEE 2nd International Conference on Computing, Applications and Systems, COMPAS 2025

Publication Year
2025

Indexing
scopus