
tessl/pypi-pymisp

Python API for MISP threat intelligence platform enabling programmatic access to MISP instances.

Overall score: 96%


evals/scenario-10/task.md

IOC Enrichment Tool

Build a command-line tool that enriches threat intelligence events with reputation data from external security services.

Context

Security analysts often need to validate and enrich indicators of compromise (IOCs) like file hashes and URLs by checking them against external threat intelligence services. This tool should automate the enrichment process by fetching reputation data and updating the threat intelligence database accordingly.

Requirements

Your tool should:

  1. Accept input parameters via command-line arguments:

    • Event ID (integer): The threat intelligence event to enrich
    • Service name (string): The external service to query (e.g., "virustotal")
    • API key (string): Authentication credential for the external service
  2. Retrieve the event from the MISP instance and extract all relevant indicators that need enrichment (file hashes and URLs)

  3. Query the external service for each indicator to get reputation scores and detection information

  4. Create enrichment records in the MISP instance that link each indicator to its reputation data, including:

    • Detection ratio (e.g., "45/70" meaning 45 out of 70 security vendors detected the indicator as malicious)
    • Service name
    • Raw response data from the service
  5. Output a summary showing:

    • Total number of indicators processed
    • Number of indicators successfully enriched
    • Any errors encountered

Implementation Notes

  • Use Python 3.8+
  • Handle errors gracefully (invalid event IDs, API failures, missing indicators)
  • The tool should connect to a MISP instance at https://misp.local with API key test-api-key-12345
  • Print clear status messages during processing
  • Exit with status code 0 on success, non-zero on failure
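The end-to-end flow the requirements and notes describe, as an added example that is not the page's or the scenario's reference implementation. It assumes the VirusTotal v3 REST API (`/files/<hash>`, `/urls/<base64url id>`, `last_analysis_stats`), the `requests` library, and MISP's standard `virustotal-report` object template; the `lookup` and `record` callbacks are hypothetical seams so the control flow and summary logic can be exercised without a live MISP instance.

```python
# IOC enrichment core: offline-testable helpers plus a main() that does the PyMISP/VirusTotal I/O.
import base64, sys
ENRICHABLE = {"md5", "sha1", "sha256", "url"}  # attribute types the task enriches

def extract_indicators(event):  # -> [(type, value, uuid)] from a PyMISP.get_event() result dict
    attrs = event.get("Event", event).get("Attribute", [])
    return [(a["type"], a["value"], a["uuid"]) for a in attrs if a["type"] in ENRICHABLE]

def detection_ratio(stats):  # 'malicious/engines with a verdict', e.g. '45/70', from VT v3 last_analysis_stats
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    return f"{stats.get('malicious', 0)}/{total}"

def enrich(indicators, lookup, record):  # returns the summary dict; one failing IOC is reported, not fatal
    summary = {"processed": 0, "enriched": 0, "errors": []}
    for ioc_type, value, uuid in indicators:
        summary["processed"] += 1
        try:
            stats = lookup(ioc_type, value)          # hypothetical seam: service query
            record(uuid, detection_ratio(stats), stats)  # hypothetical seam: write-back to MISP
            summary["enriched"] += 1
        except Exception as exc:  # HTTP error, unknown indicator, malformed response
            summary["errors"].append(f"{value}: {exc}")
    return summary

def main(argv):
    import json, requests  # imported here so the helpers above import offline
    from pymisp import MISPObject, PyMISP
    if len(argv) != 4:
        print("usage: enrich_iocs.py <event_id> <service_name> <api_key>"); return 2
    event_id, service, vt_key = argv[1:]
    misp = PyMISP("https://misp.local", "test-api-key-12345", ssl=False)
    event = misp.get_event(event_id)
    if "Event" not in event:  # PyMISP returns {'errors': ...} for an unknown id
        print(f"error: event {event_id} not found: {event.get('errors')}"); return 1
    def lookup(ioc_type, value):  # VirusTotal v3: /files/<hash> or /urls/<base64url id without padding>
        ref = value if ioc_type != "url" else base64.urlsafe_b64encode(value.encode()).decode().rstrip("=")
        r = requests.get(f"https://www.virustotal.com/api/v3/{'urls' if ioc_type == 'url' else 'files'}/{ref}",
                         headers={"x-apikey": vt_key}, timeout=30)
        r.raise_for_status()
        return r.json()["data"]["attributes"]["last_analysis_stats"]
    def record(uuid, ratio, raw):  # 'virustotal-report' object (assumes the standard template) tied to the IOC
        obj = MISPObject("virustotal-report")
        obj.add_attribute("detection-ratio", value=ratio, type="text")
        obj.add_attribute("comment", value=f"{service}: {json.dumps(raw)}", type="text")
        obj.add_reference(uuid, "analysed-with")  # links the report back to the enriched attribute
        misp.add_object(event_id, obj)
    s = enrich(extract_indicators(event), lookup, record)
    print(f"processed={s['processed']} enriched={s['enriched']} errors={s['errors']}")
    return 0 if not s["errors"] else 1
if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the service query and the MISP write-back behind callbacks is what lets the "invalid event", "API failure" and "missing indicator" cases be checked without network access.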

Test Cases

  • Given an event with 3 file hashes, when enriched with VirusTotal data, then all 3 hashes should have associated enrichment records with detection ratios. @test

  • Given an event with 2 URLs, when enriched with VirusTotal data, then both URLs should have enrichment records containing reputation scores. @test

  • Given an invalid event ID, when attempting enrichment, then the tool should print an error message and exit with non-zero status. @test

Implementation

@generates

API

"""
IOC Enrichment Tool

Command-line interface:
    python enrich_iocs.py <event_id> <service_name> <api_key>

Example:
    python enrich_iocs.py 123 virustotal YOUR_VT_API_KEY
"""

Dependencies { .dependencies }

pymisp { .dependency }

Python library for interacting with MISP threat intelligence platform.

Install with Tessl CLI

npx tessl i tessl/pypi-pymisp
