feat(tool_use): add threat intelligence enrichment agent cookbook #496
PR Review
Recommendation: APPROVE
Summary
This PR adds a well-structured threat intelligence enrichment agent cookbook that demonstrates Claude's tool-use capabilities for IOC investigation. The notebook covers IP, file hash, and domain lookups with simulated backends, MITRE ATT&CK mapping, and structured JSON report generation — a solid, practical pattern for security teams.
Actionable Feedback (3 items)
- `tool_use/threat_intel_enrichment_agent.ipynb` (in cell with `response_text = response.content[0].text`) — Assumes the first content block is always text. If the model returns a different block type first, this will raise an `AttributeError`. Safer: `next((b.text for b in response.content if hasattr(b, 'text')), '')` — the same pattern already used in the agent loop.
- `tool_use/threat_intel_enrichment_agent.ipynb` (in cell with `def process_tool_call`) — The handler lambdas have no error handling. If a tool backend raises an unexpected exception, the whole agent loop will crash. A simple `try/except Exception as e: return json.dumps({"error": str(e)})` wrapper would make it production-hardened.
- `authors.yaml` — `jannet-park` entry is missing the `website` field present on most other authors. If intentional (no public GitHub to link), no change needed — just worth confirming.
Detailed Review
Code Quality
The notebook is cleanly structured with a clear six-step progression. The agentic loop pattern (tool dispatch → results → follow-up reasoning → end_turn) is idiomatic and well-commented. The MAX_TURNS = 10 guard is a good practice. Tool schemas have rich descriptions that give Claude enough context to choose the right intelligence source — a strong teaching point. The fuzzy fallback in get_mitre_techniques is a nice touch.
Security
- IP addresses use RFC 5737 TEST-NET ranges (`203.0.113.x`, `198.51.100.x`, `192.0.2.x`) — correct practice for documentation examples.
- API key loaded via `dotenv`/`os.environ`, never hardcoded.
- No shell injection or SQL concerns (pure dict lookups).
Suggestions
- The closing "Harden structured output" suggestion correctly identifies the free-text JSON parsing as a limitation. The current `generate_structured_report` could use `tool_use` with a schema-constrained tool to avoid the parse-fence-strip logic entirely — noting it as a follow-up is fine for a cookbook.
- The `hash_type` field in `lookup_file_hash` is required by the schema but the simulated backend ignores it (keys only on the hash string). A brief comment clarifying this would help readers implementing real API calls.
Positive Notes
- Model ID `claude-sonnet-4-6` is correct (non-dated alias per CLAUDE.md).
- Notebook outputs are preserved, as required by project rules.
- The "production-ready" next steps section is excellent — it explains real APIs to swap in, async scaling, STIX export, and confidence calibration. Readers can immediately see the path from demo to production.
- Registry and `authors.yaml` entries are properly formatted.
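The first two feedback items and the `hash_type` suggestion in the review above, combined in one added example (not code from the notebook or the PR). The handler table, the `file_hash` parameter name and the sample data are assumptions made for illustration.

```python
import json
from types import SimpleNamespace

# Standard hex-digest lengths, used to check hash_type against the value.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Constructed stand-in for a simulated backend (not the notebook's data).
SIMULATED_HASHES = {"a" * 64: {"verdict": "malicious", "family": "ExampleFamily"}}

def lookup_file_hash(file_hash, hash_type):
    """Hypothetical handler that validates hash_type instead of ignoring it."""
    expected = HASH_LENGTHS.get(hash_type.lower())
    if expected is None:
        raise ValueError(f"unsupported hash_type: {hash_type}")
    digest = file_hash.strip().lower()
    if len(digest) != expected or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"value is not a valid {hash_type} hex digest")
    return SIMULATED_HASHES.get(digest, {"verdict": "unknown"})

# Hypothetical dispatch table in the style of the handler lambdas under review.
HANDLERS = {"lookup_file_hash": lambda args: lookup_file_hash(**args)}

def process_tool_call(name, tool_input):
    """Dispatch a tool call; always return a JSON string, never raise."""
    handler = HANDLERS.get(name)
    if handler is None:
        return json.dumps({"error": f"unknown tool: {name}"})
    try:
        return json.dumps(handler(tool_input))
    except Exception as e:
        # A backend failure becomes a tool result the model can reason about,
        # so one bad lookup does not crash the agent loop.
        return json.dumps({"error": str(e)})

def first_text(content):
    """Return the text of the first block that has one, or '' if none does."""
    return next((b.text for b in content if hasattr(b, "text")), "")

# Constructed response content: a tool_use block precedes the text block,
# the case where content[0].text raises AttributeError.
sample_content = [
    SimpleNamespace(type="tool_use", name="lookup_file_hash", input={}),
    SimpleNamespace(type="text", text='{"severity": "high"}'),
]
```

When swapping in real backends, log the full exception locally and consider returning a generic message, since `str(e)` from an HTTP client can include request URLs or other internal details.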
Model Check Results
- File reviewed: `tool_use/threat_intel_enrichment_agent.ipynb`
- No issues found. The notebook uses `claude-sonnet-4-6` (line 91), which is a valid, current, non-dated model alias. No deprecated, dated, or non-public model IDs were detected.
All looks good! Only thing is if we wanted to change the publish date to today. No issue either way. Thank you!
Ports the threat intelligence enrichment agent cookbook from the private repo (anthropics/claude-cookbooks-private#40, authored by @jannet-park).
Adds:
- `tool_use/threat_intel_enrichment_agent.ipynb` — agent that investigates IOCs across multiple threat intel sources, cross-references findings, maps to MITRE ATT&CK, and produces structured reports for SIEM/SOAR integration
- `jannet-park` entry in `authors.yaml`
- `registry.yaml`