NtsikaTech/IOC-Enrichment-Threat-Intelligence-Engine-SOC-Simulation-Tool-
GitHub: NtsikaTech/IOC-Enrichment-Threat-Intelligence-Engine-SOC-Simulation-Tool-
Stars: 0 | Forks: 0
# 🛡️ IOC Enrichment & Threat Intelligence Engine

## 📌 Overview
The **IOC Enrichment & Threat Intelligence Engine** is a Python-based SOC simulation project that processes Indicators of Compromise (IOCs), enriches them using a simulated threat intelligence database, classifies threat severity, maps them to MITRE ATT&CK techniques, correlates them into attack campaigns, and generates structured SOC-style reports.
## 🎯 Key Features
| Feature | Description |
|---|---|
| 🔍 IOC Processing | Supports IPs, domains, and file hashes loaded from JSON |
| 🧠 TI Enrichment | Simulated threat intel database with context, tags, and reputation scores |
| ⚔️ MITRE ATT&CK Mapping | Maps IOCs to tactics and techniques for adversary classification |
| 📊 Risk Scoring | Calculates weighted scores and classifies threats by severity |
| 🔗 Campaign Detection | Groups high-risk IOCs into correlated attack campaigns |
| 📄 SOC Report Generation | Exports structured JSON reports with full analysis output |
## 🏗️ Architecture
IOC Input → Enrichment Engine → MITRE Mapper → Risk Scoring → Classification → Correlation Engine → SOC Report
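As an added illustration of the pipeline above (example code written for this README, not the project's own modules), the following stand-alone Python runs a batch of IOCs through enrichment, weighted risk scoring, the severity bands listed under Threat Classification Levels, MITRE mapping and campaign correlation, and returns the report as a dict ready for JSON export. The threat-intel records, tag weights and every IOC value other than 185.220.101.45 are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, simulated threat-intel records (stand-in for the project's threat_db.py).
THREAT_DB = {
    "185.220.101.45": {"reputation": 85, "tags": ["c2"], "mitre": "T1090", "campaign": "APT-CLUSTER-03"},
    "phish.example": {"reputation": 67, "tags": ["phishing"], "mitre": "T1566", "campaign": "APT-CLUSTER-03"},
    "0123456789abcdef0123456789abcdef": {"reputation": 50, "tags": ["dumper"], "mitre": "T1003", "campaign": None},
}
MITRE = {"T1090": ("Command and Control", "Command and Control"),   # names as listed in this README
         "T1566": ("Phishing", "Initial Access"),
         "T1003": ("OS Credential Dumping", "Credential Access")}
TAG_WEIGHTS = {"c2": 10, "phishing": 5, "dumper": 8}                  # constructed weights
BANDS = [(90, "CRITICAL"), (70, "HIGH"), (40, "MEDIUM"), (0, "LOW")]  # README score ranges

def ioc_type(value):
    """Type an IOC as ip, hash (32/40/64 hex chars) or domain."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "hash" if re.fullmatch(r"([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})", value) else "domain"

def classify(score):
    return next(label for floor, label in BANDS if score >= floor)  # first band whose floor is met

def enrich(value):
    """Score = reputation + tag weights, capped at 100; IOCs absent from the DB score 0."""
    hit = THREAT_DB.get(value, {"reputation": 0, "tags": [], "mitre": None, "campaign": None})
    score = min(100, hit["reputation"] + sum(TAG_WEIGHTS.get(t, 0) for t in hit["tags"]))
    tid = hit["mitre"]
    return {"ioc": value, "type": ioc_type(value),
            "status": "KNOWN THREAT" if value in THREAT_DB else "UNKNOWN",
            "risk_score": score, "classification": classify(score),
            "mitre": {"id": tid, "name": MITRE[tid][0], "tactic": MITRE[tid][1]} if tid else None,
            "campaign": hit["campaign"]}

def correlate(results):
    """Group HIGH/CRITICAL IOCs that share a campaign label."""
    campaigns = defaultdict(list)
    for r in results:
        if r["classification"] in ("HIGH", "CRITICAL") and r["campaign"]:
            campaigns[r["campaign"]].append(r["ioc"])
    return dict(campaigns)

def build_report(iocs):
    results = [enrich(i) for i in iocs]
    return {"iocs": results, "campaigns": correlate(results)}  # json.dumps(...) this for the report file
```

Call `build_report([...])` with a list of IOC strings; unknown IOCs come back as UNKNOWN/LOW with no MITRE or campaign data, and only HIGH/CRITICAL hits are eligible for campaign grouping.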
## 📁 Project Structure
```
ioc-enrichment-engine/
│
├── main.py                    # Engine entry point
├── requirements.txt           # Dependencies
├── README.md                  # Project documentation
│
├── src/
│   ├── ioc_input.py           # IOC loading and parsing
│   ├── enrichment_engine.py   # Threat intelligence enrichment
│   ├── threat_db.py           # Simulated threat database
│   ├── classifier.py          # Risk classification logic
│   ├── mitre_mapper.py        # MITRE ATT&CK mapping
│   ├── correlation_engine.py  # Campaign correlation logic
│   └── report_exporter.py     # JSON report generation
│
├── data/
│   └── sample_iocs.json       # Sample IOC dataset
│
└── reports/                   # Generated SOC reports
```

## 🚀 Getting Started

### 1. Clone the repository

```bash
git clone https://github.com/your-username/ioc-enrichment-engine.git
cd ioc-enrichment-engine
```

### 2. Install dependencies

```bash
pip install -r requirements.txt
```

### 3. Run the engine

```bash
python main.py
```

## 📊 Example Output

```
IOC            : 185.220.101.45
Status         : KNOWN THREAT
Risk Score     : 95
Classification : CRITICAL
MITRE          : T1090 — Command and Control
Campaign       : APT-CLUSTER-03 detected
Report         : reports/ioc_report_2024.json exported
```

## 🧭 MITRE ATT&CK Coverage

| Technique ID | Name | Tactic |
|---|---|---|
| T1090 | Command and Control | Command and Control |
| T1566 | Phishing | Initial Access |
| T1003 | OS Credential Dumping | Credential Access |

## 🔎 Threat Classification Levels

| Level | Risk Score Range | Description |
|---|---|---|
| 🟢 LOW | 0 – 39 | Minimal threat, monitor only |
| 🟡 MEDIUM | 40 – 69 | Elevated risk, investigate |
| 🔴 HIGH | 70 – 89 | Active threat, respond promptly |
| ⛔ CRITICAL | 90 – 100 | Confirmed threat, immediate action |

## 🧠 SOC Skills Demonstrated

- ✅ Threat intelligence analysis and IOC enrichment
- ✅ MITRE ATT&CK framework mapping
- ✅ Security risk scoring and classification
- ✅ Incident and campaign correlation
- ✅ SOC reporting and documentation

## 📌 Use Cases

This project is designed for:

- 🎯 SOC Analyst and Threat Intelligence portfolio development
- 📚 Cybersecurity learning and hands-on practice
- 🖥️ SIEM and TIP workflow simulation
- 💼 Interview demonstrations and assessments

## 📸 Screenshots

### 🧠 IOC Enrichment Output

The output is split into two sections due to console length.

### 📄 SOC JSON Threat Report

The JSON report is split due to length for readability.

## ⚠️ Disclaimer

This project is a simulated SOC threat intelligence tool built for **educational and cybersecurity portfolio purposes only**. It does not interact with any real or production security systems.