A Python-based threat intelligence platform that aggregates IOCs, queries live reputation APIs, and provides a web dashboard for searching, adding, managing, and exporting threat indicators β built for SOC analyst workflows.
In a Security Operations Center, analysts constantly look up Indicators of Compromise (IOCs) β malicious IPs, domains, and file hashes β across multiple sources to determine threat risk.
This tool centralises that process. It stores IOCs in a local database, lets you search and filter them instantly, enriches indicators with live AbuseIPDB, VirusTotal, and AlienVault OTX reputation data simultaneously, and presents everything through a clean web dashboard.
This mirrors real-world SOC tooling like MISP, OpenCTI, and ThreatConnect β but built from scratch in Python.
Analyst submits IOC (IP / Domain / Hash)
β
βΌ
Auto-Detects IOC Format (Regex patterns)
β
βΌ
Search threats.db βββΊ Found? βββΊ Display result + risk score
β
βΌ
Triple API Enrichment (based on IOC type)
β β β
βΌ βΌ βΌ
AbuseIPDB Lookup VirusTotal Lookup AlienVault OTX Lookup
(IPs only) (IP / Domain / Hash) (IP / Domain / Hash)
abuse score malicious engines pulse counts
report count suspicious count pulse details
country origin total engines pulses description
β β β
ββββββββββββββββββββΌβββββββββββββββββββββββ
βΌ
Display unified intelligence report
β
βΌ
Export βββΊ Download full IOC list as CSV
All IOCs are stored with a type, category, and risk score. The dashboard shows live statistics and lets authenticated analysts add, search, edit, delete, or export indicators.
We have upgraded ThreatIntel to include enterprise-grade security and access controls:
- Flask-Login: The dashboard operates in a guest/read-only mode by default. Forms to add threats, edit entries, delete IOCs, or download CSV logs are hidden/disabled until an analyst logs in.
- Role-Based Security: Credentials are encrypted and hashed inside the database using Werkzeug's secure hashing algorithm (
pbkdf2:sha256orscrypt). - Seeded Admin Account: Comes pre-configured with a default analyst login (
admin/admin123) created by runninginit_db.py.
- Every administrative transaction is recorded to a local audit log file for SOC accountability, documenting:
- User Logins & Logouts
- Threat additions, modifications, and deletions
- CSV export file downloads
- Example log line:
[2026-07-02 07:45:12 UTC] User: admin | Action: ADD_THREAT | Indicator: 185.220.101.1
- Avoids connection lockups and descriptor leaks by binding database connections directly to the Flask request pipeline context (
flask.gand@app.teardown_appcontext).
- Replaced custom regex tag-stripping with safe HTML escaping (
html.escape), neutralizing malicious scripts entered in IOC category or indicator forms.
| Source | Indicator Types | What is Fetched |
|---|---|---|
| AbuseIPDB | IP Address | Abuse score %, total report count, country of origin, last reported date |
| VirusTotal | IP, Domain, Hash | Malicious/suspicious counts, total antivirus engine ratings |
| AlienVault OTX | IP, Domain, Hash | Total threat pulse counts, names, descriptions, and creation dates |
Note: OTX lookups run out-of-the-box and do not require an API key.
When an analyst searches under the "All" type, ThreatIntel automatically parses the indicator format to run the correct query dispatches:
- IP Address: Matches IPv4 or standard IPv6 formats.
- File Hash: Identifies MD5 (32 hex characters), SHA-1 (40 characters), or SHA-256 (64 characters) hash structures.
- Domain: Standard URL domain parsing (e.g.
domain.com).
1. Clone the repository
git clone https://github.com/SHAROZ221/ThreatIntel.git
cd ThreatIntel2. Install dependencies
pip install -r Requirements.txt
pip install flask-login pytest3. Set up your API keys
Create a .env file in the root directory:
ABUSEIPDB_API_KEY=your_abuseipdb_key_here
VIRUSTOTAL_API_KEY=your_virustotal_key_here
FLASK_SECRET_KEY=your_random_flask_secret_keyGet free API keys at:
4. Initialise the database & seed admin
This creates the tables and seeds your default analyst account (admin / admin123):
python init_db.py5. (Optional) Seed sample threat data
python seed_data.py6. Run the app
python app.py7. Run the test suite
Ensure all authentication, session routing, and CSV export tests pass successfully:
python -m pytest test.py8. Open the dashboard
http://localhost:5000/
The web dashboard provides:
- Live statistics β total IOC count, breakdown by IP / Domain / Hash
- Triple-source IOC enrichment β AbuseIPDB + VirusTotal + AlienVault OTX results displayed side by side
- Smart IOC search β auto-detects formats and queries the right API
- Analyst authentication β login and register portals
- Add new threats β submit indicator, type, category, and risk score (requires login)
- Edit/Delete indicators β modify or remove registry entries (requires login)
- Recent threats table β full IOC list ordered by most recently added
- IOC type chart β donut chart showing live breakdown of IP / Domain / Hash counts
- Export to CSV β download the full IOC list as a
.csvfile with one click (requires login)
ThreatIntel/
βββ app.py β Flask web server, routes, database contexts, and API clients
βββ init_db.py β Creates database tables & seeds admin user (admin/admin123)
βββ seed_data.py β Populates DB with sample IOCs for testing
βββ view_data.py β CLI utility to inspect database contents
βββ test.py β Test suite covering login flows and authenticated exports
βββ templates/
β βββ index.html β Main web dashboard UI (OTX pulses, charts, forms)
β βββ login.html β Sleek analyst login interface
β βββ register.html β SOC analyst registration portal
β βββ edit.html β Edit IOC form
βββ threats.db β SQLite IOC database (auto-generated)
βββ audit.log β Logs all analyst modifications and logins (auto-generated)
βββ .env β API keys (not committed β see .gitignore)
CREATE TABLE threats (
id INTEGER PRIMARY KEY AUTOINCREMENT,
indicator TEXT NOT NULL, -- The IOC value (IP, domain, hash)
type TEXT NOT NULL, -- 'IP', 'Domain', or 'Hash'
category TEXT NOT NULL, -- e.g. 'Malware', 'Phishing', 'C2'
risk_score INTEGER NOT NULL -- 0β100 severity rating
);CREATE TABLE users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT UNIQUE NOT NULL,
password_hash TEXT NOT NULL, -- Encrypted credential hash
role TEXT DEFAULT 'analyst' -- 'admin' or 'analyst'
);- Flask β Web framework and routing
- Flask-Login β Access control and session manager
- SQLite3 β Thread-safe local database
- AbuseIPDB API β Live IP reputation, abuse score, reports, and country
- VirusTotal API β Multi-engine malware detection for IPs, domains, and file hashes
- AlienVault OTX API β Pulsed community threat indicators (IP, domain, hashes)
- python-dotenv β Secure API key management via
.env - Chart.js β Live donut chart on the dashboard
- HTML / CSS / JS β Dashboard frontend with CSV export