In threat intelligence the triaging of data is immensely challenging. Unless you have a sophisticated tool - and sometimes even if you do - triage can tend to be a very manual process leading to analyst fatigue and mistakes being made. One way of reducing this workload when on a limited budget is to instruct an AI to act like an analyst, feeding it threat intelligence and getting it to assess the relevance to your organisation. In this post I will illustrate how to do just that.

What you’ll need

There are few pre-requisites for this project. First, I’ll use an RSS feed to collect all my threat information in one place. There are many great self hosted RSS readers out there, but Miniflux is my favourite so that is what I’ll be using.

Additionally, I’m using an OpenAI assistant for the AI functionality and Slack as a means by which to receive responses from the assistant.

Miniflux

I configured my RSS feed with just a few threat intelligence blogs and BleepingComputer’s news feed as a test. It’s up to you and your collection requirements how far and wide reaching you want to go. It could be expensive and overwhelming to choose too many sources.

The assistant

There are many things you can configure about your assistant to ensure you get the responses you want. It helps to have a clear set of system instructions of course. Here is what I used:

This GPT acts as a cyber threat intelligence analyst working for Organisation X. Its primary job is to analyse cyber threat intelligence blog posts, determining the threat towards Organisation X and providing a short, structured assessment.

Every response must evaluate whether the threat could impact any part of Organisation X’s technology ecosystem, including its internal IT systems, infrastructure, software platforms, and operational services.

The assessment should include:

  • Title
  • Date / Time Published
  • Source: URL
  • Details - a summary of the post
  • Assessment - What is the threat towards Organisation X?

In addition you can add files enabling the assistant with knowledge about your organisation that can aid its responses. Just be careful as this can increase your costs.

The script

I built a python script to bring all these components together, which you can find here.

The script has many elements to it including:

  • Uses OpenAI API via openai client with an Assistant ID.
  • Connects to Miniflux RSS reader API with an API key.
  • Fetches recent articles from Miniflux.
  • Keeps track of already-processed articles in a local JSON file.
  • Avoids duplicates by checking against processed_articles.json.
  • Extracts full blog entry text using newspaper3k.
  • Sends the text to the assistant.
  • Sends output to Slack via webhook.
  • Marks the article as processed to avoid reprocessing.
  • Catches and logs exceptions for Slack, JSON loading/saving, article parsing, and OpenAI API failures.

I then simply set up a cronjob on my raspberry pi to run the script every hour. Here’s what you can expect to see:

It’s not perfect

This is by no means an elegant or complete solution to the problem of regular triage work. The logical next step here is to only receive alerts for items assessed as relevant to your organisation, or better, to receive a summary every few hours. Better yet, you could get these assessments organised into pre-defined collection buckets for later processing.

Disclaimer

It should go without saying, but if you plan to build something like this, make sure you have your organisation’s approval and have cleared all relevant regulatory, legal, and compliance checks beforehand. Automating threat intelligence - especially using AI and organisational data - can raise security and privacy considerations, so tread carefully.

⚡️ Enjoyed this post? Buy me a coffee… in sats! Tip me via my Lightning address: [email protected]