🛡️ The Mission: Fighting "Analyst Fatigue"
As an aspiring Security Engineer, I learned quickly that triage is where most time is lost. When a firewall flags 50 suspicious connections, checking them one-by-one in a browser is slow and prone to error.
I built Sentinel-IP to solve this. It’s a Python tool that takes a list of IPs and instantly enriches them with threat intelligence, turning a 30-minute manual task into a 30-second automated one.
🛠️ The Tech Stack
- Python: For the automation logic and API handling.
- Docker: To ensure the tool works on any machine (Mac, Windows, or Linux) without setup headaches.
- AbuseIPDB API: For crowdsourced reports on brute-force and spam activity.
- AlienVault OTX API: For "Pulse" data—identifying if an IP is linked to known malware campaigns.
💡 Why I Pivoted from VirusTotal
Originally, I planned to include VirusTotal. However, their free tier allows only 4 requests per minute. For 50 IPs, the tool would have taken nearly 15 minutes to run!
By switching to AlienVault OTX, I removed the bottleneck. OTX allows for much higher request volumes, enabling the tool to scan dozens of IPs in seconds. This pivot taught me a vital lesson in Security Engineering: The best data is useless if it arrives too late to stop the attack.
💻 How It Works (The Code)
The tool uses a simple ips.txt file as input. It queries the APIs and generates a clean results.csv for the analyst to review.
    # snippet of the core logic
    from tqdm import tqdm  # progress bar over the IP list

    # ips.txt holds one IP per line; blank lines are skipped
    with open("ips.txt") as f:
        ips = [line.strip() for line in f if line.strip()]
    results = []

    for ip in tqdm(ips, desc="Analyzing"):
        abuse_score = check_abuse_ip(ip)   # Returns % confidence from AbuseIPDB
        otx_pulses = check_alienvault(ip)  # Returns count of OTX threat pulses
        results.append({
            'IP': ip,
            'Abuse_Score%': abuse_score,
            'OTX_Pulses': otx_pulses
        })
🔍 Real-World Use Cases
- The Firewall Log "Dump"
  Scenario: A company firewall blocks hundreds of failed SSH attempts.
  Application: Copy the IPs from the logs into Sentinel-IP.
  Impact: You can instantly filter for IPs with a 100% Abuse Score. Instead of investigating every block, you focus your energy on the verified botnets.
- Phishing Header Analysis
  Scenario: A suspicious email is reported. You find a "Source IP" in the email header.
  Application: Run that IP through the tool.
  Impact: If AlienVault OTX shows 5 Pulses related to "Credential Harvesting," you have immediate proof that the email is malicious and can purge it from the network.
📈 Learning Outcomes
Building this project wasn't just about code; it was about understanding the SOC ecosystem:
- API Resilience: Handling 404 Not Found errors (which often mean an IP is "Clean") versus 401 Unauthorized errors.
- Containerization: Using Docker volumes to allow a container to write a CSV file directly to my Mac's desktop.
- Data Correlation: Understanding that an IP with a high Abuse Score and multiple OTX Pulses is a "Critical" threat that requires immediate blocking.
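To show how the enrichment loop from "How It Works" fits together with the API-resilience and data-correlation points above, here is an added example (my own code for this post, not the Sentinel-IP project's source). The endpoint URLs, header names and JSON field names are assumptions based on the public AbuseIPDB and OTX documentation; the HTTP layer is an injectable callable, so the example runs offline against constructed responses and can be pointed at `requests` for real use.

```python
"""Added example, not Sentinel-IP's own code.

Endpoints, headers and JSON fields below are ASSUMPTIONS taken from the public
AbuseIPDB / AlienVault OTX docs. `fetch` is injected so the example runs offline.
"""
import csv
import io
from typing import Callable, Optional, Tuple

Response = Tuple[int, Optional[dict]]            # (HTTP status, parsed JSON or None)
Fetcher = Callable[[str, dict], Response]        # fetch(url, {"headers":..., "params":...})

ABUSEIPDB_URL = "https://api.abuseipdb.com/api/v2/check"                       # assumed
OTX_URL = "https://otx.alienvault.com/api/v1/indicators/IPv4/{ip}/general"     # assumed


class AuthError(Exception):
    """401 Unauthorized: the key is wrong. Stop instead of hammering the API."""


def check_abuse_ip(ip: str, fetch: Fetcher, api_key: str) -> Optional[int]:
    """Return AbuseIPDB's % confidence, or None if the lookup did not succeed."""
    status, body = fetch(ABUSEIPDB_URL, {
        "headers": {"Key": api_key, "Accept": "application/json"},
        "params": {"ipAddress": ip, "maxAgeInDays": 90},
    })
    if status == 401:
        raise AuthError("AbuseIPDB rejected the API key")
    if status != 200 or not body:
        return None  # e.g. 429 rate limit: record "unknown", not "0% abusive"
    return int(body["data"]["abuseConfidenceScore"])


def check_alienvault(ip: str, fetch: Fetcher, api_key: str) -> Optional[int]:
    """Return the OTX pulse count; 404 means OTX has no record, i.e. zero pulses."""
    status, body = fetch(OTX_URL.format(ip=ip), {"headers": {"X-OTX-API-KEY": api_key}})
    if status == 401:
        raise AuthError("OTX rejected the API key")
    if status == 404:
        return 0
    if status != 200 or not body:
        return None
    return int(body["pulse_info"]["count"])


def classify(abuse_score: Optional[int], otx_pulses: Optional[int]) -> str:
    """Correlate both sources: high abuse score AND pulses -> Critical."""
    if abuse_score is None and otx_pulses is None:
        return "Unknown"
    high_abuse = (abuse_score or 0) >= 80
    has_pulses = (otx_pulses or 0) >= 1
    if high_abuse and has_pulses:
        return "Critical"
    if high_abuse or has_pulses:
        return "Suspicious"
    return "Clean"


def enrich(ips, fetch: Fetcher, abuse_key: str, otx_key: str):
    results = []
    for ip in ips:
        abuse_score = check_abuse_ip(ip, fetch, abuse_key)
        otx_pulses = check_alienvault(ip, fetch, otx_key)
        results.append({"IP": ip, "Abuse_Score%": abuse_score, "OTX_Pulses": otx_pulses,
                        "Verdict": classify(abuse_score, otx_pulses)})
    return results


def to_csv(results) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["IP", "Abuse_Score%", "OTX_Pulses", "Verdict"])
    writer.writeheader()
    writer.writerows(results)  # None values become empty cells
    return buf.getvalue()


# Constructed responses standing in for the live APIs (documentation IP ranges).
FAKE_RESPONSES = {
    ("abuse", "198.51.100.7"): (200, {"data": {"abuseConfidenceScore": 100}}),
    ("otx", "198.51.100.7"): (200, {"pulse_info": {"count": 5}}),
    ("abuse", "203.0.113.9"): (200, {"data": {"abuseConfidenceScore": 0}}),
    ("otx", "203.0.113.9"): (404, None),          # no OTX record -> 0 pulses
    ("abuse", "192.0.2.1"): (429, None),          # rate limited -> unknown
    ("otx", "192.0.2.1"): (200, {"pulse_info": {"count": 2}}),
}


def fake_fetch(url: str, options: dict) -> Response:
    service = "abuse" if "abuseipdb" in url else "otx"
    ip = options.get("params", {}).get("ipAddress") or url.rsplit("/", 2)[-2]
    return FAKE_RESPONSES[(service, ip)]


if __name__ == "__main__":
    print(to_csv(enrich(list({ip for _, ip in FAKE_RESPONSES}), fake_fetch, "k", "k")))
```

Keeping "unknown" (`None`) separate from "zero" matters for the firewall-dump use case: a rate-limited lookup must not be filtered out as a clean IP.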
🔗 Check out the project on GitHub
If you found this tool helpful, feel free to check out the full source code and contribute to the project over on GitHub:
Don't forget to ⭐️ the repo if you like what you see!