
Automated Threat Intelligence Correlation (SOC)

A Python-based Security Operations Center automation project

The Goal

To address the challenge of "alert fatigue" in a Security Operations Center (SOC). My objective was to build a system that could automatically correlate internal network logs with external threat intelligence, transforming data into actionable alerts that allow analysts to focus on known genuine threats.

The Setup

I deployed a virtual lab environment using VirtualBox. This included a Security Onion instance, which acted as my all-in-one Network Security Monitoring platform with an integrated Intrusion Detection System. A separate Ubuntu virtual machine served as the "victim" used to generate suspicious network traffic. The automation was developed in Python on my host machine.

The Process

I initiated a connection from the Ubuntu "victim" machine to a known malicious IP address sourced from a public threat intelligence feed (abuse.ch). This traffic was captured and flagged by Security Onion's IDS. Interestingly, the IDS rule that triggered was for a "Spotify P2P Client," not the expected malware signature. This shows a real-world scenario in which one indicator can match multiple, sometimes unexpected, rules, highlighting the need for analyst investigation. The core of the project is a Python script I developed to automate this process. The script ingests a simulated firewall log, compares the source and destination of each entry against the list of malicious IPs, and, upon finding a match, generates a "high-fidelity" alert.
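A minimal version of that correlation step, written here as an added example rather than the project's own script: the feed format, the firewall log layout and every address are constructed placeholders, not real indicators.

```python
import ipaddress
import re

# Constructed threat feed in the comment-plus-one-IP-per-line shape used by
# many public blocklists (addresses are TEST-NET placeholders, not real IoCs).
FEED_TEXT = """\
# Example blocklist (constructed for this demo)
203.0.113.77
198.51.100.23
not-an-ip
"""

# Constructed firewall log lines; the key=value layout is an assumption.
FIREWALL_LOG = """\
2024-05-01T10:00:01Z action=allow src=10.0.0.5 dst=203.0.113.77 dport=443
2024-05-01T10:00:02Z action=allow src=10.0.0.5 dst=192.0.2.10 dport=443
2024-05-01T10:00:03Z action=deny src=198.51.100.23 dst=10.0.0.5 dport=22
malformed line
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def load_feed(text: str) -> set[str]:
    """Return the valid IP addresses in a feed, skipping comments and junk lines."""
    iocs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            iocs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # feed noise must not crash the correlator
    return iocs


def correlate(log_text: str, iocs: set[str]) -> list[dict]:
    """Match each entry's src and dst against the IoC set; an 'allow' hit is still a hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped rather than silently matched
        for direction in ("src", "dst"):
            if m.group(direction) in iocs:
                alerts.append({"ts": m.group("ts"), "action": m.group("action"),
                               "direction": direction, "ioc": m.group(direction), "raw": line})
    return alerts


if __name__ == "__main__":
    for a in correlate(FIREWALL_LOG, load_feed(FEED_TEXT)):
        print(f"[HIGH] {a['ts']} {a['action']} {a['direction']}={a['ioc']}")
```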

What I Found

This project demonstrated that raw logs gain their value from context. A simple "allow" log is meaningless until it's correlated with threat intelligence, which turns it into a significant event. It also showed that IDS alerts are not always literal; they require an analyst to investigate the context, as seen with the "Spotify" alert. It proved how a simple Python script can automate a manual process, allowing security teams to scale detection capabilities.


Technologies & Skills

Python, Security Operations Center (SOC) Automation, Threat Intelligence, Log Analysis, Security Onion, IDS/IPS, Abuse.ch