In my last article I built a SOC pipeline that caught real hackers in 3 minutes. This time I'm adding automated threat intelligence enrichment, so every alert arrives with the attacker IP's reputation, network and history already attached before a human even looks at it.
The Problem With Raw Alerts
After my first article, my pipeline was working well. Real attackers were hitting the honeypot, Wazuh was firing level 15 alerts, Shuffle was processing them, and TheHive was creating cases.
But there was a gap.
Every case in TheHive looked like this:
Alert: SSH Brute Force on Honeypot
Attacker IP: 110.35.80.116
Agent: honeypot
Level: 15
That's useful. But it's not enough. An IP address alone doesn't tell you:
- Is this a known malicious actor?
- Is this a botnet, a VPN, or a targeted attacker?
- Has this IP been reported attacking other people?
- What country is it from?
- How dangerous is it — 1 engine flagged it or 80?
Without that context, every alert looks the same. You can't prioritise. You can't make intelligent decisions about how to respond.
The solution is threat intelligence enrichment — automatically looking up every attacker IP the moment an alert fires, and adding that intelligence to the case before an analyst even opens it.
What Is VirusTotal?
VirusTotal is a threat intelligence platform owned by Google, free for non-commercial use. It aggregates verdicts from dozens of antivirus engines and URL/IP blocklist services and lets you look up IPs, domains, URLs and file hashes to check their reputation.
When you query an IP address, the v3 API returns an IP object whose attributes include:
- Engine detections (last_analysis_stats): how many of the 90-odd engines that scanned the IP returned malicious, suspicious, harmless or undetected. This is the number the rest of the article keys off. VirusTotal keeps engine verdicts separate from community votes (total_votes), so "malicious votes" below means engine detections, not community votes.
- Country, ASN and AS owner (country, asn, as_owner): the network the IP is announced from. For cloud, VPN and hosting ranges this says where the infrastructure is, not where the attacker is.
- Tags: scanner, brute-force, malware, botnet and the like
- Last analysis date (last_analysis_date): a Unix timestamp of when the engines last scanned this IP, which is not the same as when it was last seen doing something malicious
- Reputation: an integer derived from community votes; negative means the community has voted it malicious. It is not bounded to a fixed range, so threshold on the detection count rather than on this number.
The free API gives you 500 lookups per day, which is plenty for a personal SOC pipeline as long as you look up each IP once rather than once per alert: a single brute-force session produces dozens of Wazuh alerts from the same source IP.
The Enriched Pipeline
Before enrichment:
Honeypot → Wazuh → Shuffle → TheHive
After enrichment:
Honeypot → Wazuh → Shuffle → VirusTotal lookup → TheHive
The difference in the TheHive case:
Before:
Attacker IP: 110.35.80.116
After:
Attacker IP: 110.35.80.116
VT detections: 12/90 engines
Country: China
ISP (AS owner): Alibaba Cloud Computing
Tags: scanner, brute-force
Reputation: -25
Last analysed: 2026-04-24
Now every case arrives pre-enriched with actionable intelligence. An analyst can immediately see whether this is a low-level scanner they can deprioritise or a high-confidence malicious actor that needs immediate attention.
Step 1 — Get a Free VirusTotal API Key
- Go to https://www.virustotal.com
- Click Sign In → Join us today
- Create a free account
- Go to your profile (top right) → API Key
- Copy your API key. It is a 64-character hex string; treat it like a password. Shuffle workflow exports include node parameters, so scrub the key before you publish the workflow on GitHub.
The free tier gives you:
- 500 lookups per day
- 4 lookups per minute
- The standard v3 lookup endpoints. Premium features such as Intelligence search are not included, and the free tier is licensed for non-commercial use only.
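Those two limits are the first thing a brute-force burst will hit, so here is a quota-aware wrapper for the lookup as an added example (this is not code from the article or from VirusTotal). It caches results per IP for a TTL, refuses to send a request the per-minute or per-day budget cannot cover, and backs off for a minute after a 429. The HTTP call and the clock are injected as callables so it runs offline; the burst replayed in demo(), the 6-hour TTL and the 10.0.0.x addresses are constructed for the example.

```python
"""Added example, not code from the article or from VirusTotal: a quota-aware
wrapper for the free-tier lookup (4 requests/minute, 500/day). The fetch
callable and the clock are injected so the class runs offline."""
import time
from collections import deque


class RateLimited(Exception):
    """Raised by the fetch callable when VirusTotal answers HTTP 429."""


class VTQuotaGuard:
    def __init__(self, per_minute=4, per_day=500, ttl_seconds=6 * 3600, clock=time.time):
        self.per_minute, self.per_day, self.ttl, self.clock = per_minute, per_day, ttl_seconds, clock
        self.cache = {}             # ip -> (expires_at, result)
        self.last_minute = deque()  # send times within the last 60 s
        self.last_day = deque()     # send times within the last 24 h (a sliding window,
                                    # a conservative stand-in for VT's daily reset)
        self.blocked_until = 0.0
        self.stats = {"hits": 0, "requests": 0, "skipped": 0}

    def _prune(self, now):
        while self.last_minute and now - self.last_minute[0] >= 60:
            self.last_minute.popleft()
        while self.last_day and now - self.last_day[0] >= 86400:
            self.last_day.popleft()

    def lookup(self, ip, fetch):
        """fetch(ip) performs the real request: it returns the parsed JSON, None for
        a 404 (VT has never analysed the IP) or raises RateLimited on 429.
        Returns (result, source) with source in {'cache', 'api', 'skipped'}.
        'skipped' means the budget is exhausted: create the case un-enriched and
        enrich it later rather than dropping the alert."""
        now = self.clock()
        hit = self.cache.get(ip)
        if hit is not None and hit[0] > now:
            self.stats["hits"] += 1
            return hit[1], "cache"
        self._prune(now)
        if (now < self.blocked_until or len(self.last_minute) >= self.per_minute
                or len(self.last_day) >= self.per_day):
            self.stats["skipped"] += 1
            return None, "skipped"
        self.last_minute.append(now)
        self.last_day.append(now)
        self.stats["requests"] += 1
        try:
            result = fetch(ip)
        except RateLimited:
            self.blocked_until = now + 60  # VT meters in per-minute windows
            self.stats["skipped"] += 1
            return None, "skipped"
        self.cache[ip] = (now + self.ttl, result)  # 404s are cached too: unknown stays unknown for a while
        return result, "api"


def demo():
    """Replay a constructed burst: 12 alerts from 3 IPs within 30 s, then two
    more IPs inside the same minute. Returns (stats, api_calls, sources)."""
    clock = [1_000_000.0]
    calls = []

    def fake_fetch(ip):               # stands in for the real HTTP request
        calls.append(ip)
        return {"data": {"id": ip}}

    guard = VTQuotaGuard(clock=lambda: clock[0])
    burst = ["10.0.0.1"] * 6 + ["10.0.0.2"] * 4 + ["10.0.0.3"] * 2 + ["10.0.0.4", "10.0.0.5"]
    sources = []
    for ip in burst:
        sources.append(guard.lookup(ip, fake_fetch)[1])
        clock[0] += 2.5               # one alert every 2.5 s
    return guard.stats, calls, sources


if __name__ == "__main__":
    print(demo())
```

In the replayed burst only four of the fourteen alerts reach VirusTotal; nine are served from the cache and the fifth distinct IP inside the minute is skipped rather than sent into a 429. Wire this around the lookup (a small Python step in Shuffle, or the Wazuh integration script) and the daily quota goes a long way.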
Step 2 — Update the Shuffle Workflow
Open your Shuffle instance and go to your Wazuh-TheHive workflow.
We need to add a new step between the Webhook trigger and the HTTP node that creates the TheHive alert.
Add a new HTTP node and connect it between Webhook 1 and Http 1:
Webhook 1 → VT Lookup (new) → Http 1 (TheHive)
Configure the VT Lookup node:
- Method: GET
- URL:
https://www.virustotal.com/api/v3/ip_addresses/$exec.body.data.srcip
- Headers:
x-apikey: YOUR_VIRUSTOTAL_API_KEY
This sends the attacker's source IP from the Wazuh alert to VirusTotal and returns the IP object described above. Two things to handle before wiring the next node: VirusTotal answers 404 (NotFoundError) for an IP it has never analysed and 429 (QuotaExceededError) once you pass 4 requests in a minute or 500 in a day, so the workflow must not fail hard on either; and the Wazuh alert has to carry data.srcip (sshd and most authentication rules do), otherwise the URL is built with an empty IP.
Step 3 — Update the TheHive Case With Enriched Data
Now update your Http 1 (TheHive) node body to include the VirusTotal data. Shuffle exposes a node's output under its name in lowercase with spaces replaced by underscores, so the node labelled "VT Lookup" is referenced as $vt_lookup:
{
"title": "[Wazuh] $exec.body.rule.description",
"description": "## Alert Details\n\nRule ID: $exec.body.rule.id\nAgent: $exec.body.agent.name\nLevel: $exec.body.rule.level\nTimestamp: $exec.body.timestamp\n\n## Attacker Intelligence\n\nIP: $exec.body.data.srcip\nVT Malicious Detections: $vt_lookup.body.data.attributes.last_analysis_stats.malicious\nVT Harmless Verdicts: $vt_lookup.body.data.attributes.last_analysis_stats.harmless\nCountry: $vt_lookup.body.data.attributes.country\nReputation: $vt_lookup.body.data.attributes.reputation\nASN: $vt_lookup.body.data.attributes.asn\n\n## Raw Alert\n$exec.body",
"type": "wazuh",
"source": "wazuh",
"sourceRef": "$exec.body.id",
"severity": 3,
"tags": ["wazuh", "honeypot", "enriched"]
}
One check before you test it: $exec.body expands to the raw alert JSON, and its quotes and newlines will break this body string. If TheHive answers 400, drop the Raw Alert line or have the previous node JSON-escape the alert before it is embedded.
Step 4 — Add Conditional Severity
One of the most useful things you can do with VirusTotal data is set the severity of the TheHive alert from the detection count instead of hardcoding 3.
In Shuffle, conditions are attached to the branches (the arrows between nodes) rather than to a dedicated node, so the mapping is either three conditional branches from VT Lookup into three TheHive nodes, or one small step between VT Lookup and TheHive that computes the severity and is then referenced from the body:
If VT malicious detections > 20:
severity = 3 (High)
Else if VT malicious detections > 5:
severity = 2 (Medium)
Else:
severity = 1 (Low)
(TheHive's scale is 1 Low, 2 Medium, 3 High, 4 Critical.)
Now alerts are prioritised on arrival. A known malicious IP with 60 vendor detections creates a High severity case; an IP with 0 detections creates a Low one. One caveat: 0 detections means VirusTotal has not seen this IP misbehave, not that it is harmless. Your honeypot has just watched it brute-force SSH, and fresh attacker infrastructure always starts at 0, so Low here means "not yet widely reported". Treat the thresholds as a starting point to tune against your own data.
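Steps 2 to 4 carried out in plain Python, as an added example that is not the article's Shuffle workflow nor code from VirusTotal or TheHive: fetch the v3 IP object, flatten the attributes the case needs, map the detection count to a TheHive severity with the thresholds above, and build the body that the TheHive HTTP node posts. The VirusTotal response and the Wazuh alert are constructed samples (rule id 100100 is a made-up custom rule, the ASN is illustrative), the summary field names are my own, and fetch_vt_ip is the only function that touches the network; the offline demo does not call it.

```python
"""Added example, not code from the article, VirusTotal or TheHive.
Fetch a VT v3 IP object, flatten it, derive a TheHive severity and build
the alert body. SAMPLE_* values are constructed for the example."""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

VT_IP_URL = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"

# Constructed sample VT v3 response (trimmed). Field names are the real API's.
SAMPLE_VT_RESPONSE = {"data": {"id": "110.35.80.116", "type": "ip_address", "attributes": {
    "country": "CN", "asn": 45102, "as_owner": "Alibaba Cloud Computing",  # asn illustrative
    "reputation": -25, "tags": ["scanner", "brute-force"],
    "last_analysis_date": 1776988800,                                      # 2026-04-24T00:00:00Z
    "last_analysis_stats": {"malicious": 23, "suspicious": 2, "harmless": 60,
                            "undetected": 9, "timeout": 0},
    "total_votes": {"harmless": 0, "malicious": 3},                        # community votes, separate
}}}

# Constructed Wazuh alert in the shape the Shuffle webhook receives. Rule 100100 is made up.
SAMPLE_WAZUH_ALERT = {
    "id": "1776988811.12345", "timestamp": "2026-04-24T10:00:11.000+0000",
    "rule": {"id": "100100", "description": "SSH Brute Force on Honeypot", "level": 15},
    "agent": {"name": "honeypot"}, "data": {"srcip": "110.35.80.116", "srcuser": "admin"},
}


def fetch_vt_ip(ip, api_key, timeout=10):
    """GET the IP object. None when VT has never analysed the IP (404 / NotFoundError);
    401 (bad key) and 429 (QuotaExceededError) propagate so the caller can back off."""
    req = urllib.request.Request(VT_IP_URL.format(ip=ip), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarise_vt(vt_obj):
    """Flatten the attributes the case uses. An unknown IP gets 0 detections and
    known=False so analysts can tell 'not seen by VT' from 'seen and clean'."""
    out = {"known": False, "malicious": 0, "harmless": 0, "engines": 0, "country": "unknown",
           "asn": None, "as_owner": "unknown", "reputation": 0, "tags": [], "last_analysis": None}
    if vt_obj is None:
        return out
    attrs = vt_obj["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    out.update(known=True, malicious=stats.get("malicious", 0), harmless=stats.get("harmless", 0),
               engines=sum(stats.values()), country=attrs.get("country", "unknown"),
               asn=attrs.get("asn"), as_owner=attrs.get("as_owner", "unknown"),
               reputation=attrs.get("reputation", 0), tags=list(attrs.get("tags", [])))
    if attrs.get("last_analysis_date"):
        out["last_analysis"] = datetime.fromtimestamp(
            attrs["last_analysis_date"], tz=timezone.utc).date().isoformat()
    return out


def severity_from_detections(malicious):
    """Step 4 thresholds on TheHive's scale (1 Low, 2 Medium, 3 High)."""
    if malicious > 20:
        return 3
    if malicious > 5:
        return 2
    return 1


def build_thehive_alert(wazuh, vt_obj):
    """Body for POST /api/v1/alert. The raw alert is embedded through json.dumps
    (indented as a markdown code block), so its quotes cannot break the JSON body."""
    vt = summarise_vt(vt_obj)
    raw = ["    " + line for line in json.dumps(wazuh, indent=2).splitlines()]
    lines = ["## Alert Details", "", f"Rule ID: {wazuh['rule']['id']}", f"Agent: {wazuh['agent']['name']}",
             f"Level: {wazuh['rule']['level']}", f"Timestamp: {wazuh['timestamp']}", "",
             "## Attacker Intelligence", "", f"IP: {wazuh['data']['srcip']}",
             f"VT detections: {vt['malicious']}/{vt['engines']} engines", f"VT harmless: {vt['harmless']}",
             f"Country: {vt['country']}", f"ASN / owner: {vt['asn']} / {vt['as_owner']}",
             f"Reputation: {vt['reputation']}", f"Tags: {', '.join(vt['tags']) or 'none'}",
             f"Last analysed: {vt['last_analysis'] or 'never'}", "", "## Raw Alert", ""] + raw
    tags = ["wazuh", "honeypot", "enriched"] + [f"vt:{t}" for t in vt["tags"]]
    if not vt["known"]:
        tags.append("vt:unknown")
    return {"title": f"[Wazuh] {wazuh['rule']['description']}", "description": "\n".join(lines),
            "type": "wazuh", "source": "wazuh", "sourceRef": wazuh["id"],
            "severity": severity_from_detections(vt["malicious"]), "tags": tags}


if __name__ == "__main__":
    print(json.dumps(build_thehive_alert(SAMPLE_WAZUH_ALERT, SAMPLE_VT_RESPONSE), indent=2))
```

Two design points carry over to the Shuffle version: the unknown-IP path produces a Low alert tagged vt:unknown instead of a failed workflow, and the detection count is reported against the number of engines that actually scanned the IP (the sum of last_analysis_stats) rather than a hardcoded 90.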
Real Example: What the Enriched Cases Look Like
Here are three real attackers that hit my honeypot, enriched with VirusTotal data:
Attacker 1 — High Severity
IP: 110.35.80.116
VT Malicious: 23/90
Country: China
ISP: Alibaba Cloud
Tags: scanner, brute-force
Severity: HIGH → Immediate investigation
Attacker 2 — Medium Severity
IP: 165.22.54.16
VT Malicious: 8/90
Country: Netherlands
ISP: DigitalOcean
Tags: scanner
Severity: MEDIUM → Monitor and log
Attacker 3 — Low Severity
IP: 193.32.162.145
VT Malicious: 1/90
Country: Russia
ISP: Unknown hosting
Tags: none
Severity: LOW → Auto-close after logging
Without enrichment, all three look identical. With enrichment, each one comes with a defensible starting point for how to respond. Bear in mind that the numbers drift: an IP scoring 1/90 today can be at 30/90 next week once other sensors report it, so re-check before closing anything permanently.
Taking It Further — Automatic IP Blocking
Once you have VirusTotal enrichment, you can add an automatic blocking step:
If VT malicious detections > 15:
→ Add to Wazuh block list
→ Run: ufw deny from $ATTACKER_IP
→ Create HIGH severity TheHive case
Known bad actors get blocked automatically; unknown scanners get logged and monitored. Three caveats before switching this on. Block on the hosts you are protecting, not on the honeypot itself: a honeypot that blocks attackers stops collecting data. Prefer a block with an expiry (Wazuh active response supports a timeout) over a permanent ufw rule, because a detection count says nothing about whether the address is a shared cloud, VPN or carrier-grade NAT egress that legitimate users will sit behind next week. And the end-to-end latency is bounded by the VirusTotal round trip and the 4-per-minute quota, not by Shuffle: without a per-IP cache, the fifth alert in a minute waits or fails.
What This Adds to Your SOC
| Capability | Before | After |
|---|---|---|
| Alert context | IP only | IP + reputation + country + ISP |
| Case prioritisation | Manual | Automatic based on VT score |
| Analyst workload | Every alert equal | High confidence threats flagged |
| Response speed | Human triage required | Auto-block for known bad actors |
The Bigger Picture
Threat intelligence enrichment is what separates a basic monitoring setup from a professional SOC pipeline. Raw alerts are noise. Enriched alerts are intelligence.
By adding VirusTotal to the pipeline, every alert that reaches an analyst already contains the context they need to make a decision. No manual lookups. No context switching. Just actionable intelligence, automatically delivered.
The full updated pipeline — with VirusTotal enrichment — is available on GitHub:
github.com/agunna99/soc-honeypot-pipeline
What's Next
In the next article I'll cover:
- Adding AbuseIPDB as a second enrichment source
- Automatic IP blocking using Wazuh active response
- Email/Slack notifications for high severity cases
- Protecting a real web application with the same pipeline
Favour Nmosi is a cybersecurity engineer building open-source security automation tools.
GitHub: github.com/agunna99 | Medium: medium.com/@chrisnmosi
Tags: #cybersecurity #virustotal #threatintelligence #soc #wazuh #shuffle #thehive #infosec #blueteam #securityautomation