The Goal: To address the challenge of "alert fatigue" in a Security Operations Center (SOC). My objective was to build a system that could automatically correlate internal network logs with external threat intelligence, transforming data into actionable alerts that allow analysts to focus on genuine threats.
The Setup: I deployed a virtual lab environment using VirtualBox. This included a Security Onion instance, which acted as my all-in-one Network Security Monitoring platform with an integrated Intrusion Detection System. A separate Ubuntu virtual machine served as the "victim" used to generate suspicious network traffic. The automation was developed in Python on my host machine.
The Process: I initiated a connection from the Ubuntu "victim" machine to a known malicious IP address sourced from a public threat intelligence feed (abuse.ch). This traffic was captured and flagged by Security Onion's IDS. Interestingly, the IDS rule that triggered was for a "Spotify P2P Client," not the expected malware signature. This shows a real-world scenario where one indicator can match multiple, sometimes unexpected, rules, highlighting the need for analyst investigation. The core of the project is a Python script I developed to automate this process. The script ingests a simulated firewall log, compares each entry against the list of malicious IPs, and upon finding a match, generates a "high-fidelity" alert.
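The correlation step described above, written out as an added example rather than the project's own script. The firewall log format (timestamp, action, source IP, destination IP, destination port), the blocklist contents and the severity rules are all constructed assumptions for illustration; the blocklist parser assumes the common plain-text feed layout of one IP per line with "#" comment headers, and nothing is fetched from the network.

```python
"""Correlate firewall log entries with a threat-intel IP set.

Added example, not the project's own script. The log layout, the
blocklist values and the severity rules below are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed blocklist in the one-IP-per-line, '#'-commented style used by
# many public feeds. Addresses are from documentation ranges, not real IOCs.
SAMPLE_BLOCKLIST = """\
# constructed blocklist for the example
203.0.113.45
198.51.100.7
not-an-ip
"""

# Constructed firewall log: timestamp action src_ip dst_ip dst_port
SAMPLE_FIREWALL_LOG = """\
2024-05-01T10:00:01Z ALLOW 10.0.0.5 192.0.2.10 443
2024-05-01T10:00:07Z ALLOW 10.0.0.5 203.0.113.45 8080
2024-05-01T10:00:09Z DENY 10.0.0.9 198.51.100.7 25
malformed line
2024-05-01T10:01:15Z ALLOW 10.0.0.5 203.0.113.45 8080
"""

SEV_RANK = {"MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class LogEntry:
    ts: str
    action: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    severity: str
    src: str
    dst: str
    dport: int
    first_seen: str
    hits: int


def parse_blocklist(text: str) -> set[str]:
    """Return the set of valid IPs from a '#'-commented, one-per-line list."""
    iocs: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # ip_address() rejects junk and canonicalises the textual form
            iocs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # skip a bad line rather than abort the whole load
    return iocs


def parse_log(text: str) -> list[LogEntry]:
    """Parse the constructed log layout; malformed lines are skipped."""
    entries: list[LogEntry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, action, src, dst, dport = parts
        try:
            entries.append(LogEntry(ts, action.upper(), src, dst, int(dport)))
        except ValueError:
            continue
    return entries


def correlate(entries: Iterable[LogEntry], iocs: set[str]) -> list[Alert]:
    """Match destination IPs against the IOC set and aggregate repeat hits.

    An ALLOW to a listed IP is rated HIGH (the traffic actually reached it);
    a DENY is still MEDIUM, because the host attempted the connection.
    """
    seen: dict[tuple[str, str, int], Alert] = {}
    for e in entries:
        if e.dst not in iocs:
            continue
        key = (e.src, e.dst, e.dport)
        sev = "HIGH" if e.action == "ALLOW" else "MEDIUM"
        if key in seen:
            prev = seen[key]
            if SEV_RANK[prev.severity] > SEV_RANK[sev]:
                sev = prev.severity
            seen[key] = Alert(sev, e.src, e.dst, e.dport, prev.first_seen, prev.hits + 1)
        else:
            seen[key] = Alert(sev, e.src, e.dst, e.dport, e.ts, 1)
    return list(seen.values())


def format_alert(a: Alert) -> str:
    return (f"[{a.severity}] {a.src} -> {a.dst}:{a.dport} matches threat intel "
            f"(first seen {a.first_seen}, {a.hits} hit(s))")


def run(log_text: str = SAMPLE_FIREWALL_LOG,
        blocklist_text: str = SAMPLE_BLOCKLIST) -> list[Alert]:
    alerts = correlate(parse_log(log_text), parse_blocklist(blocklist_text))
    for a in alerts:
        print(format_alert(a))
    return alerts


if __name__ == "__main__":
    run()
```

Matching is done on the destination address only, which is what the "victim connects out to a listed IP" scenario needs; repeat connections from the same host to the same indicator collapse into one alert with a hit count, so a beaconing host produces a single line instead of refilling the queue the project set out to thin.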
What I Found: This project demonstrated that raw logs gain their value from context. A simple "allow" log is meaningless until it's correlated with threat intelligence, which turns it into a significant event. It also showed that IDS alerts are not always literal; they require an analyst to investigate the context, as seen with the "Spotify" alert. It proved that a simple Python script can automate a manual process, allowing security teams to scale their detection capabilities.
Python | Automation | Threat Intelligence | Log Analysis | Network Security Monitoring (NSM) | IDS | SecurityOnion | Abuse.ch
Figure captions (images not reproduced in this text):
Virtual Lab Environment Setup
Simulating a Connection to a Known-Malicious IP
Alert in Security Onion Console (SOC)
Example firewall.log the Script will Read From (usually automated)
Python Script for Automated Threat Intel Correlation
Successful Script Execution and Alert Generation