Threat intelligence enrichment agent — Apr 2026 • Tools, Agent Patterns. Build an agent that autonomously investigates IOCs by querying multiple threat intel sources, cross-referencing findings, mapping to MITRE ATT&CK, and producing structured reports for SIEM and SOAR integration.
This cookbook demonstrates building a Claude-powered threat intelligence enrichment agent that autonomously investigates Indicators of Compromise (IOCs) by querying multiple threat intel sources, correlating findings, mapping to MITRE ATT&CK, and generating structured reports for SIEM/SOAR integration. The agent uses Claude's tool-use capabilities to decide which intelligence sources to query, chain tool calls based on discoveries, and convert free-text analysis into analyst-ready JSON reports. The architecture uses simulated threat intel backends that can be swapped with real APIs (VirusTotal, AbuseIPDB, Shodan, etc.) without changing orchestration logic. Note that everything a tool returns — WHOIS text, feed tags, behavioural summaries — is untrusted input to the model and may contain attacker-planted text that tries to steer the investigation, so keep the tools passive (lookups only, no response actions), validate the model-chosen tool arguments before they reach a real API, and schema-check the final JSON before anything downstream acts on it.
Key Points
- Design tool schemas with clear descriptions to help Claude intelligently select appropriate threat intelligence sources based on IOC type and investigation context
- Implement agentic loops that enable Claude to chain multiple tool calls sequentially, using findings from one query to inform subsequent investigations
- Define four core threat intel tools: IP reputation lookup, file hash analysis, domain investigation, and MITRE ATT&CK technique mapping
- Build simulated threat intelligence backends that mirror real API responses (VirusTotal, AbuseIPDB, URLhaus, MITRE ATT&CK) for development and testing
- Prompt Claude to correlate findings across multiple sources and synthesize them into structured JSON reports with threat scores, malware families, and tactical mappings
- Convert free-text analysis into machine-readable formats compatible with downstream SIEM and SOAR systems for automated response workflows; validate the report against a schema and gate any automated response on analyst review or a confidence threshold, since the model can be wrong or misled by the content it read
- Use realistic data structures in simulated backends so production API integration requires only function body replacement without interface changes — the backend function is also the right place to validate the model-chosen argument (IP syntax, hash length, hostname labels) before it is sent to a real API
- Include temporal indicators (first/last seen), geolocation, ISP data, and abuse confidence scoring to provide comprehensive IOC context
- Map observed behaviors and malware families to the MITRE ATT&CK framework for standardized threat classification and detection recommendations
- Leverage Claude's multi-turn conversation capability to enable iterative investigation where the agent asks clarifying questions and refines its analysis
threat_intel_tools_definition (python, config)
def _tool_spec(name: str, description: str, properties: dict, required: list[str]) -> dict:
    """Return one Claude tool definition in the Messages API format.

    Every threat-intel tool here takes a flat JSON object of string
    arguments, so the ``input_schema`` scaffolding is built in one place.
    """
    return {
        "name": name,
        "description": description,
        "input_schema": {
            "type": "object",
            "properties": properties,
            "required": required,
        },
    }


# Tool definitions handed to Claude. The descriptions are what the model uses
# to pick a source for a given IOC, so each one says what the lookup returns.
#
# NOTE(review): the argument values are chosen by the model, and the schema
# only guides that choice; nothing here enforces it server-side. Each backend
# function should therefore validate its input (IP syntax, hash length and
# charset, hostname labels) before passing it to a real threat-intel API.
tools = [
    # IP address -> geolocation, ASN/ISP, abuse history, malware associations.
    _tool_spec(
        "lookup_ip_reputation",
        "Query IP reputation database to get geolocation, ISP information, abuse history, open ports, and known malicious associations for an IP address. Returns threat types, malware associations, and abuse confidence scoring.",
        {
            "ip_address": {
                "type": "string",
                "description": "The IPv4 or IPv6 address to investigate.",
            },
        },
        ["ip_address"],
    ),
    # File hash -> AV detection ratio, family, behaviour, contacted infrastructure.
    _tool_spec(
        "lookup_file_hash",
        "Query file reputation service with a cryptographic hash. Returns detection ratio across antivirus engines, malware family classification, behavioral summary, contacted infrastructure, and temporal indicators (first/last seen).",
        {
            "file_hash": {
                "type": "string",
                "description": "The MD5, SHA1, or SHA256 hash of the suspicious file.",
            },
            "hash_type": {
                "type": "string",
                "enum": ["md5", "sha1", "sha256"],
                "description": "The type of hash provided.",
            },
        },
        ["file_hash", "hash_type"],
    ),
    # Domain -> registration, DNS, certificate, hosting and threat category.
    _tool_spec(
        "lookup_domain",
        "Investigate a domain's reputation including registration details, DNS records, SSL certificate information, hosting provider, and threat categorization. Useful for analyzing phishing domains, malware distribution sites, and C2 infrastructure.",
        {
            "domain": {
                "type": "string",
                "description": "The domain name to investigate (e.g., example.com).",
            },
        },
        ["domain"],
    ),
    # Free-text behaviour / family -> ATT&CK technique IDs and tactics.
    _tool_spec(
        "get_mitre_techniques",
        "Map observed behaviors, malware families, or attack patterns to the MITRE ATT&CK framework. Returns matching technique IDs, tactic categories, associated threat groups, and detection recommendations.",
        {
            "query": {
                "type": "string",
                "description": "Description of the behavior, malware family, or attack pattern to map (e.g., 'command and control beaconing', 'credential theft', 'lateral movement').",
            },
        },
        ["query"],
    ),
]
# --- threat_intel_setup (python script) ---
import json
import anthropic
from dotenv import load_dotenv
# Installation:
#   pip install anthropic python-dotenv
# Environment setup: create a .env file containing
#   ANTHROPIC_API_KEY=sk-ant-...
# Keep .env out of version control — it holds a live credential.

# Model used for every turn of the agent loop.
MODEL_NAME = "claude-sonnet-4-6"

# Pull ANTHROPIC_API_KEY (and anything else in .env) into the process
# environment; anthropic.Anthropic() reads the key from there, so the
# client is constructed only after the environment has been loaded.
load_dotenv()
client = anthropic.Anthropic()

# --- simulated_threat_intel_backends (python script) ---
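def lookup_ip_reputation(ip_address: str) -> dict:
    """Query IP reputation for a single IPv4/IPv6 address.

    Simulated backend: the address is looked up in a small in-memory table
    whose records mirror the shape of an AbuseIPDB/GreyNoise/Shodan
    response. In production, replace the table lookup with the real API
    call and keep the validation in front of it.

    Args:
        ip_address: The address to investigate, as chosen by the model in
            the tool call. Surrounding whitespace is ignored and IPv6
            addresses are normalised to their canonical compressed form
            before the lookup.

    Returns:
        A dict that always contains ``ip``, ``abuse_confidence_score``,
        ``total_reports`` and ``threat_types``. Known addresses return the
        full record; unknown but valid addresses return a zeroed record with
        a ``note``; strings that are not an IP address return a zeroed record
        with ``error`` set to ``"invalid_ip_address"`` and are never looked
        up (or, in production, forwarded).
    """
    import ipaddress

    raw = ip_address.strip() if isinstance(ip_address, str) else ""
    try:
        # Validate before doing anything with the value: the argument is
        # model-generated (and may echo attacker-controlled IOC text), so it
        # must never reach a real API as an unchecked path/query component.
        normalized = str(ipaddress.ip_address(raw))
    except ValueError:
        return {
            "ip": ip_address,
            "country": "Unknown",
            "abuse_confidence_score": 0,
            "total_reports": 0,
            "threat_types": [],
            "error": "invalid_ip_address",
            "note": "Input is not a valid IPv4 or IPv6 address; lookup skipped",
        }

    # Fixture data. Both addresses are in documentation ranges (RFC 5737),
    # so the sample never points at a real host.
    ip_database = {
        "203.0.113.42": {
            "ip": "203.0.113.42",
            "country": "Russia",
            "city": "Saint Petersburg",
            "asn": "AS48666",
            "isp": "MnogoByte LLC",
            "abuse_confidence_score": 87,
            "total_reports": 1243,
            "last_reported": "2026-03-10T14:22:00Z",
            "threat_types": ["botnet_c2", "malware_distribution", "brute_force"],
            "known_malware_associations": ["Emotet", "Trickbot"],
            "open_ports": [443, 8080, 4444],
            "is_tor_exit_node": False,
            "is_known_proxy": True,
            "first_seen": "2025-08-15T00:00:00Z",
            "tags": ["banking-trojan-c2", "spam-source"],
        },
        "198.51.100.17": {
            "ip": "198.51.100.17",
            "country": "China",
            "city": "Shanghai",
            "asn": "AS4134",
            "isp": "ChinaNet",
            "abuse_confidence_score": 94,
            "total_reports": 3891,
            "last_reported": "2026-03-12T09:15:00Z",
            "threat_types": ["apt_c2", "data_exfiltration", "scanning"],
            "known_malware_associations": ["PlugX", "ShadowPad"],
            "open_ports": [443, 8443, 53],
            "is_tor_exit_node": False,
            "is_known_proxy": False,
            "first_seen": "2024-11-02T00:00:00Z",
            "tags": ["apt-infrastructure", "state-sponsored"],
        },
    }
    # Unknown addresses still get the core scoring keys so downstream code
    # can read them without special-casing the "not found" result.
    return ip_database.get(normalized, {
        "ip": normalized,
        "country": "Unknown",
        "abuse_confidence_score": 0,
        "total_reports": 0,
        "threat_types": [],
        "note": "No records found for this IP",
    })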
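# Hex-digest length for each hash type the tool schema allows. Anything else
# is rejected before it could be sent to a real reputation API.
_HASH_HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def lookup_file_hash(file_hash: str, hash_type: str) -> dict:
    """Query file reputation for a cryptographic hash.

    Simulated backend; in production replace the lookup with VirusTotal or
    MalwareBazaar. The ``hash_database`` fixture used by the original
    cookbook is elided from this excerpt, so every well-formed hash currently
    returns a "no records" result — only input validation and the result
    shape are implemented here.

    Args:
        file_hash: Hex digest chosen by the model in the tool call. Case and
            surrounding whitespace are ignored.
        hash_type: One of ``"md5"``, ``"sha1"``, ``"sha256"`` (the enum in
            the tool schema); compared case-insensitively.

    Returns:
        ``{"file_hash": <normalised digest>, "hash_type": <type>, "note": ...}``
        for a well-formed hash. Malformed input returns the echoed arguments
        plus ``error`` (``"unsupported_hash_type"`` or ``"malformed_hash"``)
        and is never looked up.
    """
    digest = file_hash.strip().lower() if isinstance(file_hash, str) else ""
    kind = hash_type.strip().lower() if isinstance(hash_type, str) else ""

    expected_len = _HASH_HEX_LENGTHS.get(kind)
    if expected_len is None:
        return {
            "file_hash": file_hash,
            "hash_type": hash_type,
            "error": "unsupported_hash_type",
            "note": "hash_type must be one of md5, sha1, sha256; lookup skipped",
        }
    # Length *and* charset: a hash of the right length with non-hex characters
    # is still not a digest and must not be forwarded as one.
    hex_chars = set("0123456789abcdef")
    if len(digest) != expected_len or any(c not in hex_chars for c in digest):
        return {
            "file_hash": file_hash,
            "hash_type": kind,
            "error": "malformed_hash",
            "note": f"{kind} digests are {expected_len} hex characters; lookup skipped",
        }

    # TODO: hash_database lookup (elided in this excerpt) — e.g.
    #   return hash_database.get(digest, not_found)
    return {
        "file_hash": digest,
        "hash_type": kind,
        "note": "No records found for this hash",
    }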
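def _is_dns_label(label: str) -> bool:
    """Return True for an LDH hostname label: 1-63 ASCII letters, digits or
    hyphens, not starting or ending with a hyphen."""
    return (
        0 < len(label) <= 63
        and label.isascii()
        and label.replace("-", "").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
    )


def lookup_domain(domain: str) -> dict:
    """Investigate a domain's reputation.

    Simulated backend; in production replace the lookup with URLhaus,
    DomainTools or a WHOIS API. The domain fixture is elided from this
    excerpt, so every well-formed name currently returns a "no records"
    result — only input validation and the result shape are implemented.

    Args:
        domain: Hostname chosen by the model in the tool call. Case,
            surrounding whitespace and a trailing dot are ignored. A URL or
            anything that is not a DNS name (scheme, path, spaces, ``@``),
            a single-label name, or a name over 253 characters is rejected
            rather than forwarded. Internationalised names must be given in
            their punycode (``xn--``) form.

    Returns:
        ``{"domain": <normalised name>, "note": ...}`` for a well-formed
        name, or the echoed argument plus ``error: "invalid_domain"``.

    Note:
        Reputation lookups should stay passive. Do not resolve, fetch or
        probe the domain from the analyst host — that tips off the operator
        and can trip sinkhole or wildcard infrastructure.
    """
    name = domain.strip().lower().rstrip(".") if isinstance(domain, str) else ""
    labels = name.split(".")
    well_formed = (
        0 < len(name) <= 253
        and len(labels) >= 2
        and all(_is_dns_label(label) for label in labels)
    )
    if not well_formed:
        return {
            "domain": domain,
            "error": "invalid_domain",
            "note": "Input is not a valid DNS name; lookup skipped",
        }

    # TODO: domain fixture lookup (elided in this excerpt).
    return {
        "domain": name,
        "note": "No records found for this domain",
    }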
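# Upper bound on the free-text query forwarded to the ATT&CK backend, so a
# runaway or injected string from the model cannot become an oversized request.
_MAX_MITRE_QUERY_LEN = 500


def get_mitre_techniques(query: str) -> dict:
    """Map a behaviour, malware family or attack-pattern description to MITRE ATT&CK.

    Simulated backend; in production back this with the MITRE ATT&CK
    STIX/TAXII feed. The technique fixture is elided from this excerpt, so
    every query currently returns an empty match list — only input
    normalisation and the result shape are implemented here.

    Args:
        query: Free text written by the model (e.g. ``"credential theft"``).
            Runs of whitespace are collapsed to single spaces and the text is
            truncated to ``_MAX_MITRE_QUERY_LEN`` characters.

    Returns:
        ``{"query": <normalised text>, "techniques": [], "note": ...}``, or
        the echoed argument plus ``error: "empty_query"`` when nothing
        usable was supplied.
    """
    text = " ".join(query.split()) if isinstance(query, str) else ""
    if not text:
        return {
            "query": query,
            "techniques": [],
            "error": "empty_query",
            "note": "Query must describe a behavior, malware family, or attack pattern",
        }
    text = text[:_MAX_MITRE_QUERY_LEN]

    # TODO: ATT&CK technique fixture lookup (elided in this excerpt).
    return {
        "query": text,
        "techniques": [],
        "note": "No matching ATT&CK techniques in the simulated table",
    }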