threat intelligence

Automating IOC Enrichment

Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or automated IOC processing.

automationcortex-xsoarctienrichmentiocnist-csfsoarsplunk-soar
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • Building a SOAR playbook that automatically enriches SIEM alerts with threat intelligence context before routing to analysts
  • Creating a Python pipeline for bulk IOC enrichment from phishing email submissions
  • Reducing analyst mean time to triage (MTTT) by pre-populating alert context with VT, Shodan, and MISP data

Do not use this skill for fully automated blocking decisions without human review — enrichment automation should inform decisions, not execute blocks autonomously for high-impact actions.

Prerequisites

  • SOAR platform (Cortex XSOAR, Splunk SOAR, Tines, or n8n) or Python 3.9+ environment
  • API keys: VirusTotal, AbuseIPDB, Shodan, and at minimum one TIP (MISP or OpenCTI)
  • SIEM integration endpoint for alert consumption
  • Rate limit budgets documented per API (VT: 4/min free, 500/min enterprise)

Workflow

Step 1: Design Enrichment Pipeline Architecture

Define the enrichment flow for each IOC type:

SIEM Alert → Extract IOCs → Classify Type → Route to enrichment functions
  IP Address → AbuseIPDB + Shodan + VirusTotal IP + MISP
  Domain → VirusTotal Domain + PassiveTotal + Shodan + MISP
  URL → URLScan.io + VirusTotal URL + Google Safe Browse
  File Hash → VirusTotal Files + MalwareBazaar + MISP
→ Aggregate results → Calculate confidence score → Update alert → Notify analyst

Step 2: Implement Python Enrichment Functions

import requests
import time
from dataclasses import dataclass, field
from typing import Optional
 
RATE_LIMIT_DELAY = 0.25  # 4 requests/second for VT free tier
 
@dataclass
class EnrichmentResult:
    ioc_value: str
    ioc_type: str
    vt_malicious: int = 0
    vt_total: int = 0
    abuse_confidence: int = 0
    shodan_ports: list = field(default_factory=list)
    misp_events: list = field(default_factory=list)
    confidence_score: int = 0
 
def enrich_ip(ip: str, vt_key: str, abuse_key: str, shodan_key: str) -> EnrichmentResult:
    result = EnrichmentResult(ip, "ip")
 
    # VirusTotal IP lookup
    vt_resp = requests.get(
        f"https://www.virustotal.com/api/v3/ip_addresses/{ip}",
        headers={"x-apikey": vt_key}
    )
    if vt_resp.status_code == 200:
        stats = vt_resp.json()["data"]["attributes"]["last_analysis_stats"]
        result.vt_malicious = stats.get("malicious", 0)
        result.vt_total = sum(stats.values())
 
    time.sleep(RATE_LIMIT_DELAY)
 
    # AbuseIPDB
    abuse_resp = requests.get(
        "https://api.abuseipdb.com/api/v2/check",
        headers={"Key": abuse_key, "Accept": "application/json"},
        params={"ipAddress": ip, "maxAgeInDays": 90}
    )
    if abuse_resp.status_code == 200:
        result.abuse_confidence = abuse_resp.json()["data"]["abuseConfidenceScore"]
 
    # Calculate composite confidence score
    result.confidence_score = min(
        (result.vt_malicious / max(result.vt_total, 1)) * 60 +
        (result.abuse_confidence / 100) * 40, 100
    )
 
    return result
 
def enrich_hash(sha256: str, vt_key: str) -> EnrichmentResult:
    result = EnrichmentResult(sha256, "sha256")
    vt_resp = requests.get(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": vt_key}
    )
    if vt_resp.status_code == 200:
        stats = vt_resp.json()["data"]["attributes"]["last_analysis_stats"]
        result.vt_malicious = stats.get("malicious", 0)
        result.vt_total = sum(stats.values())
        result.confidence_score = int((result.vt_malicious / max(result.vt_total, 1)) * 100)
    return result

Step 3: Build SOAR Playbook (Cortex XSOAR)

In Cortex XSOAR, create an enrichment playbook:

  1. Trigger: Alert created in SIEM (via webhook or polling)
  2. Extract IOCs: Use "Extract Indicators" task with regex patterns for IP, domain, URL, hash
  3. Parallel enrichment: Fan-out to multiple enrichment tasks simultaneously
  4. VT Enrichment: Call !vt-file-scan or !vt-ip-scan commands
  5. AbuseIPDB check: Call !abuseipdb-check-ip command
  6. MISP Lookup: Call !misp-search for cross-referencing
  7. Score aggregation: Python transform task computing composite score
  8. Conditional routing: If score ≥70 → High Priority queue; if 40–69 → Medium; <40 → Auto-close with note
  9. Alert enrichment: Write enrichment results to alert context for analyst view

Step 4: Handle Rate Limiting and Failures

import time
from functools import wraps
 
def rate_limited(max_per_second):
    min_interval = 1.0 / max_per_second
    def decorator(func):
        last_called = [0.0]
        @wraps(func)
        def wrapper(*args, **kwargs):
            elapsed = time.time() - last_called[0]
            wait = min_interval - elapsed
            if wait > 0:
                time.sleep(wait)
            result = func(*args, **kwargs)
            last_called[0] = time.time()
            return result
        return wrapper
    return decorator
 
def retry_on_429(max_retries=3):
    def decorator(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
            for attempt in range(max_retries):
                response = func(*args, **kwargs)
                if response.status_code == 429:
                    retry_after = int(response.headers.get("Retry-After", 60))
                    time.sleep(retry_after)
                else:
                    return response
        return wrapper
    return decorator

Step 5: Metrics and Tuning

Track pipeline performance weekly:

  • Enrichment latency: Target <30 seconds from alert trigger to enriched output
  • API success rate: Target >99% (identify rate limit or outage events)
  • True positive rate: Track analyst overrides of automated confidence scores
  • Cost: Track API call volume against budget (VT Enterprise: $X per 1M lookups)

Key Concepts

Term Definition
SOAR Security Orchestration, Automation, and Response — platform for automating security workflows and integrating disparate tools
Enrichment Playbook Automated workflow sequence that adds contextual intelligence to raw security events
Rate Limiting API provider restrictions on request frequency (e.g., VT free: 4 requests/minute); pipelines must respect these limits
Composite Confidence Score Single score aggregating signals from multiple enrichment sources using weighted formula
Fan-out Pattern Parallel execution of multiple enrichment queries simultaneously to minimize total enrichment latency

Tools & Systems

  • Cortex XSOAR (Palo Alto): Enterprise SOAR with 700+ marketplace integrations including VT, MISP, Shodan, and AbuseIPDB
  • Splunk SOAR (Phantom): SOAR platform with Python-based playbooks; native Splunk SIEM integration
  • Tines: No-code SOAR platform with webhook-driven automation; cost-effective for smaller teams
  • TheHive + Cortex: Open-source IR/enrichment platform with observable enrichment via Cortex analyzers

Common Pitfalls

  • Blocking on enrichment latency: If enrichment takes >5 minutes, analysts start working unenriched alerts, defeating the purpose. Set timeout limits and provide partial results.
  • No caching: Querying the same IOC 50 times generates unnecessary API costs. Cache enrichment results for 24 hours by default.
  • Ignoring API failures silently: Failed enrichment calls should be logged and trigger fallback logic, not silently produce empty results that appear as clean IOCs.
  • Automating blocks on enrichment score alone: Composite scores contain false positives; require human confirmation for blocking decisions against shared infrastructure.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md1.8 KB

API Reference: Automating IOC Enrichment

VirusTotal API v3

IP Lookup

import requests
resp = requests.get(
    "https://www.virustotal.com/api/v3/ip_addresses/1.2.3.4",
    headers={"x-apikey": VT_KEY},
)
stats = resp.json()["data"]["attributes"]["last_analysis_stats"]
print(stats["malicious"], "/", sum(stats.values()))

File Hash Lookup

resp = requests.get(
    f"https://www.virustotal.com/api/v3/files/{sha256}",
    headers={"x-apikey": VT_KEY},
)

Domain Lookup

resp = requests.get(
    f"https://www.virustotal.com/api/v3/domains/{domain}",
    headers={"x-apikey": VT_KEY},
)

AbuseIPDB API v2

resp = requests.get(
    "https://api.abuseipdb.com/api/v2/check",
    headers={"Key": ABUSE_KEY, "Accept": "application/json"},
    params={"ipAddress": "1.2.3.4", "maxAgeInDays": 90},
)
data = resp.json()["data"]
print("Confidence:", data["abuseConfidenceScore"])
print("Reports:", data["totalReports"])

Shodan API

import shodan
api = shodan.Shodan(SHODAN_KEY)
info = api.host("1.2.3.4")
print("Ports:", info.get("ports"))
print("Vulns:", info.get("vulns"))

STIX 2.1 Export

from stix2 import Indicator, Bundle
indicator = Indicator(
    pattern="[ipv4-addr:value = '1.2.3.4']",
    pattern_type="stix",
    valid_from="2025-01-01T00:00:00Z",
    confidence=85,
)
bundle = Bundle(objects=[indicator])

Rate Limits

API Free Tier Enterprise
VirusTotal 4 req/min 500 req/min
AbuseIPDB 1000 req/day 5000 req/day
Shodan 1 req/sec 10 req/sec

References

Scripts 1

agent.py7.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for automating IOC enrichment with VirusTotal, AbuseIPDB, and STIX."""

import os
import re
import json
import time
import argparse
from datetime import datetime
from dataclasses import dataclass, field

import requests
from stix2 import Indicator, Bundle


RATE_LIMIT_DELAY = 0.25


@dataclass
class EnrichmentResult:
    ioc_value: str
    ioc_type: str
    vt_malicious: int = 0
    vt_total: int = 0
    vt_threat_label: str = ""
    abuse_confidence: int = 0
    abuse_reports: int = 0
    shodan_ports: list = field(default_factory=list)
    confidence_score: int = 0


def classify_ioc(value):
    """Auto-detect IOC type from value."""
    if re.match(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", value):
        return "ip"
    if re.match(r"^[a-fA-F0-9]{64}$", value):
        return "sha256"
    if re.match(r"^[a-fA-F0-9]{32}$", value):
        return "md5"
    if re.match(r"^https?://", value):
        return "url"
    return "domain"


def enrich_ip_virustotal(ip, api_key):
    """Enrich an IP address via VirusTotal API v3."""
    resp = requests.get(
        f"https://www.virustotal.com/api/v3/ip_addresses/{ip}",
        headers={"x-apikey": api_key},
        timeout=30,
    )
    if resp.status_code == 200:
        attrs = resp.json()["data"]["attributes"]
        stats = attrs.get("last_analysis_stats", {})
        return {
            "malicious": stats.get("malicious", 0),
            "total": sum(stats.values()),
            "country": attrs.get("country", ""),
            "asn": attrs.get("asn", 0),
            "as_owner": attrs.get("as_owner", ""),
        }
    return {}


def enrich_hash_virustotal(file_hash, api_key):
    """Enrich a file hash via VirusTotal API v3."""
    resp = requests.get(
        f"https://www.virustotal.com/api/v3/files/{file_hash}",
        headers={"x-apikey": api_key},
        timeout=30,
    )
    if resp.status_code == 200:
        attrs = resp.json()["data"]["attributes"]
        stats = attrs.get("last_analysis_stats", {})
        ptc = attrs.get("popular_threat_classification", {})
        return {
            "malicious": stats.get("malicious", 0),
            "total": sum(stats.values()),
            "threat_label": ptc.get("suggested_threat_label", ""),
            "type_description": attrs.get("type_description", ""),
        }
    return {}


def enrich_domain_virustotal(domain, api_key):
    """Enrich a domain via VirusTotal API v3."""
    resp = requests.get(
        f"https://www.virustotal.com/api/v3/domains/{domain}",
        headers={"x-apikey": api_key},
        timeout=30,
    )
    if resp.status_code == 200:
        attrs = resp.json()["data"]["attributes"]
        stats = attrs.get("last_analysis_stats", {})
        return {
            "malicious": stats.get("malicious", 0),
            "total": sum(stats.values()),
            "registrar": attrs.get("registrar", ""),
        }
    return {}


def enrich_ip_abuseipdb(ip, api_key):
    """Check an IP against AbuseIPDB."""
    resp = requests.get(
        "https://api.abuseipdb.com/api/v2/check",
        headers={"Key": api_key, "Accept": "application/json"},
        params={"ipAddress": ip, "maxAgeInDays": 90},
        timeout=30,
    )
    if resp.status_code == 200:
        data = resp.json()["data"]
        return {
            "abuse_confidence": data.get("abuseConfidenceScore", 0),
            "total_reports": data.get("totalReports", 0),
            "country": data.get("countryCode", ""),
            "isp": data.get("isp", ""),
        }
    return {}


def compute_confidence(vt_result, abuse_result=None):
    """Calculate composite confidence score from enrichment sources."""
    vt_score = 0
    if vt_result.get("total", 0) > 0:
        vt_score = (vt_result["malicious"] / vt_result["total"]) * 60
    abuse_score = 0
    if abuse_result:
        abuse_score = (abuse_result.get("abuse_confidence", 0) / 100) * 40
    return min(int(vt_score + abuse_score), 100)


def enrich_ioc(value, ioc_type, vt_key, abuse_key=None):
    """Enrich a single IOC through all available sources."""
    result = EnrichmentResult(ioc_value=value, ioc_type=ioc_type)
    vt_data = {}
    if ioc_type == "ip":
        vt_data = enrich_ip_virustotal(value, vt_key)
        time.sleep(RATE_LIMIT_DELAY)
        if abuse_key:
            abuse_data = enrich_ip_abuseipdb(value, abuse_key)
            result.abuse_confidence = abuse_data.get("abuse_confidence", 0)
            result.abuse_reports = abuse_data.get("total_reports", 0)
    elif ioc_type in ("sha256", "md5"):
        vt_data = enrich_hash_virustotal(value, vt_key)
        time.sleep(RATE_LIMIT_DELAY)
    elif ioc_type == "domain":
        vt_data = enrich_domain_virustotal(value, vt_key)
        time.sleep(RATE_LIMIT_DELAY)

    result.vt_malicious = vt_data.get("malicious", 0)
    result.vt_total = vt_data.get("total", 0)
    result.vt_threat_label = vt_data.get("threat_label", "")
    abuse_dict = {"abuse_confidence": result.abuse_confidence} if ioc_type == "ip" else None
    result.confidence_score = compute_confidence(vt_data, abuse_dict)
    return result


def export_stix_indicators(results, output_path):
    """Export enriched IOCs as STIX 2.1 indicators."""
    pattern_map = {
        "ip": lambda v: f"[ipv4-addr:value = '{v}']",
        "domain": lambda v: f"[domain-name:value = '{v}']",
        "sha256": lambda v: f"[file:hashes.'SHA-256' = '{v}']",
        "md5": lambda v: f"[file:hashes.MD5 = '{v}']",
        "url": lambda v: f"[url:value = '{v}']",
    }
    indicators = []
    for r in results:
        pattern_fn = pattern_map.get(r.ioc_type)
        if pattern_fn:
            ind = Indicator(
                name=f"{r.ioc_type}: {r.ioc_value}",
                pattern=pattern_fn(r.ioc_value),
                pattern_type="stix",
                valid_from=datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
                confidence=r.confidence_score,
            )
            indicators.append(ind)
    bundle = Bundle(objects=indicators, allow_custom=True)
    with open(output_path, "w") as f:
        f.write(bundle.serialize(pretty=True))
    return len(indicators)


def main():
    parser = argparse.ArgumentParser(description="IOC Enrichment Automation Agent")
    parser.add_argument("--vt-key", default=os.getenv("VT_API_KEY"), help="VirusTotal API key")
    parser.add_argument("--abuse-key", default=os.getenv("ABUSEIPDB_KEY"), help="AbuseIPDB API key")
    parser.add_argument("--ioc-file", help="File with IOCs (one per line)")
    parser.add_argument("--ioc", help="Single IOC to enrich")
    parser.add_argument("--output", default="enrichment_results.json")
    parser.add_argument("--stix-output", help="Export as STIX bundle")
    args = parser.parse_args()

    iocs = []
    if args.ioc:
        iocs.append(args.ioc)
    if args.ioc_file:
        with open(args.ioc_file) as f:
            iocs.extend(line.strip() for line in f if line.strip() and not line.startswith("#"))

    results = []
    for ioc_val in iocs:
        ioc_type = classify_ioc(ioc_val)
        print(f"  Enriching {ioc_type}: {ioc_val}...")
        result = enrich_ioc(ioc_val, ioc_type, args.vt_key, args.abuse_key)
        results.append(result)
        verdict = "MALICIOUS" if result.confidence_score >= 70 else "SUSPICIOUS" if result.confidence_score >= 40 else "CLEAN"
        print(f"    VT: {result.vt_malicious}/{result.vt_total} | Confidence: {result.confidence_score} | {verdict}")

    report = {
        "enriched_at": datetime.utcnow().isoformat(),
        "total_iocs": len(results),
        "results": [r.__dict__ for r in results],
    }
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    print(f"[+] Results saved to {args.output}")

    if args.stix_output:
        count = export_stix_indicators(results, args.stix_output)
        print(f"[+] Exported {count} STIX indicators to {args.stix_output}")


if __name__ == "__main__":
    main()
Keep exploring