Threat Intelligence Aggregator + Mini-SIEM
ThreatStack is a cybersecurity portfolio project that demonstrates how a threat intelligence platform and lightweight SIEM can be built using modern Python technologies. The system ingests threat intelligence feeds, stores Indicators of Compromise (IOCs), processes log events, and generates alerts based on correlations between threat intelligence and observed activity.
This project showcases skills in API development, threat intelligence ingestion, data modeling, and security monitoring workflows.
ThreatStack provides a backend API for collecting and analyzing security intelligence data. The platform is designed to simulate core capabilities found in real-world SOC tooling such as:
- Threat intelligence aggregation
- IOC management
- Log ingestion and analysis
- Alert generation
- Vulnerability intelligence tracking
The application is built using FastAPI, PostgreSQL, and SQLAlchemy, providing a scalable and modern architecture suitable for deployment in cloud environments.
- Store Indicators of Compromise such as:
  - Malicious IP addresses
  - Domains
  - File hashes
- Track source and confidence score
- Search and filter indicators
- Integration with external intelligence sources including:
  - CISA Known Exploited Vulnerabilities (KEV)
  - IP reputation feeds
- Automated ingestion scripts populate the database with real threat data.
- Log ingestion and storage
- Event parsing and enrichment
- Detection of suspicious activity based on known IOCs
- Alerts triggered when log events match known malicious indicators
- Severity classification
- Link alerts to both log events and threat indicators
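As an added illustration of the log-analysis and alerting flow described above (example code written for this README, not ThreatStack's own implementation): a small correlation routine that extracts IPs and domains from log lines, looks them up against stored IOCs with their source and confidence score, and emits one alert per match that links the event to the indicator and carries a severity derived from confidence. The indicator records, log lines, feed names and confidence thresholds are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Patterns for the observable types ThreatStack stores as IOCs (file hashes omitted here).
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

@dataclass(frozen=True)
class IOC:
    value: str
    ioc_type: str    # "ip" or "domain"
    source: str      # feed the indicator came from
    confidence: int  # 0-100, the score the platform tracks per indicator

# Constructed indicators built from the README's example IOCs.
IOCS = [
    IOC("185.220.101.45", "ip", "ip-reputation", 90),
    IOC("1.2.3.4", "ip", "manual", 40),
    IOC("maliciousdomain.com", "domain", "otx", 75),
]

# Constructed log lines standing in for ingested events.
LOGS = [
    "2024-05-01T10:00:01Z sshd[412]: Failed password for root from 185.220.101.45 port 52211",
    "2024-05-01T10:00:07Z dns query=maliciousdomain.com client=10.0.0.5",
    "2024-05-01T10:00:09Z sshd[413]: Accepted publickey for deploy from 10.0.0.8 port 50112",
    "2024-05-01T10:00:12Z firewall DROP src=1.2.3.4 dst=10.0.0.5 dport=445",
]

def extract_observables(line: str) -> set[str]:
    """Pull candidate IPs and domains out of one log line, normalised to lowercase."""
    found = set(IP_RE.findall(line))
    found |= {d.lower() for d in DOMAIN_RE.findall(line)}
    return found

def severity(confidence: int) -> str:  # assumed thresholds: confidence score -> alert severity
    if confidence >= 80:
        return "high"
    return "medium" if confidence >= 50 else "low"

def correlate(log_lines: list[str], iocs: list[IOC]) -> list[dict]:
    """Raise one alert per (event, IOC) match, linking the event to the indicator."""
    index = {i.value.lower(): i for i in iocs}
    alerts = []
    for event_id, line in enumerate(log_lines):
        for obs in sorted(extract_observables(line)):
            ioc = index.get(obs)
            if ioc is not None:
                alerts.append({"event_id": event_id, "ioc": ioc.value, "type": ioc.ioc_type,
                               "source": ioc.source, "severity": severity(ioc.confidence)})
    return alerts
```

Benign traffic (the accepted login from 10.0.0.8) produces no alert because none of its observables are indexed, which is the same lookup the platform performs when an ingested event is checked against the IOC table.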
Tracks vulnerabilities from the CISA KEV catalog, including:
- CVE ID
- Vendor and product
- Vulnerability description
- Patch deadlines
- Ransomware exploitation indicators
ThreatStack follows a modular architecture:
```
ThreatStack
│
├── app
│   ├── database.py          # Database connection
│   ├── models.py            # SQLAlchemy models
│   ├── schemas.py           # Pydantic schemas
│   ├── routers              # API endpoints
│   │   ├── iocs.py
│   │   ├── logs.py
│   │   ├── alerts.py
│   │   └── cves.py
│   └── feeds                # Threat intelligence ingestion
│       ├── abuseipdb.py
│       ├── otx.py
│       └── ingest_cisa_kev.py
│
├── requirements.txt
└── README.md
```
| Technology | Purpose |
|---|---|
| Python | Backend development |
| FastAPI | High-performance API framework |
| PostgreSQL | Threat intelligence database |
| SQLAlchemy | ORM for database interaction |
| Pydantic | Data validation and schema modeling |
| Uvicorn | ASGI server |
```
POST /api/iocs
GET  /api/iocs
GET  /api/iocs/search
GET  /api/logs
GET  /api/alerts
GET  /api/cves/kev
```
Interactive API documentation is available via Swagger UI:
http://127.0.0.1:8000/docs
```bash
git clone https://github.com/3dcphillips/ThreatStack.git
cd ThreatStack
python -m venv venv
```

Activate the environment:

Windows

```
venv\Scripts\activate
```

Linux / macOS

```bash
source venv/bin/activate
```

Install dependencies:

```bash
pip install -r requirements.txt
```

Ensure PostgreSQL is running locally.

Create the database:

```bash
createdb threatstack
```

Configure your database connection in .env:

```
DATABASE_URL=postgresql://postgres:password@localhost/threatstack
```

Start the FastAPI application:

```bash
python -m uvicorn app.main:app --reload
```

Open the API documentation:

http://127.0.0.1:8000/docs

Populate the platform with vulnerability intelligence:

```bash
python -m app.feeds.ingest_cisa_kev
```
This imports the CISA Known Exploited Vulnerabilities catalog into the database.
Example IOCs that can be added through the API:

- 1.2.3.4
- 185.220.101.45
- maliciousdomain.com
Planned enhancements for ThreatStack include:
- Web dashboard interface
- Automated threat feed updates
- IOC enrichment from reputation services
- Detection rule engine
- Visualization of alerts and threat activity
- Cloud deployment support
Daniel C. Phillips Cybersecurity Analyst | Threat Detection | Security Operations
GitHub: https://github.com/3dcphillips
This project is provided for educational and portfolio purposes.