
Herculis411/threat-detection-demo


Automated Threat Detection Pipeline

DevNet Automation in Cybersecurity — VMware Demo Lab

Python catches an attacker in under 10 seconds. No human in the loop. No enterprise budget required.


What This Demo Does

A live cybersecurity pipeline that:

  1. Monitors an authentication log in real time
  2. Detects failed SSH login attempts (brute-force pattern)
  3. Queries AbuseIPDB to identify known malicious IPs
  4. Fires a formatted Slack alert with full threat details — automatically

This is the same principle behind Splunk SOAR, Microsoft Sentinel Playbooks, and Palo Alto XSOAR — built in Python for free.


Demo Environment

| Component  | Details                                  |
|------------|------------------------------------------|
| Host       | Windows or Mac laptop                    |
| Hypervisor | VMware Workstation / VMware Fusion       |
| Guest OS   | Ubuntu 22.04 LTS                         |
| VM Network | NAT — shares laptop internet             |
| Runtime    | Python 3 virtual environment             |
| APIs       | AbuseIPDB (free) + Slack (free)          |

Project Structure

threat-detection-demo/
│
├── README.md            # This file
├── requirements.txt     # Python dependencies (requests)
├── config.example.py    # Safe config template — copy to config.py
│
├── threat_detector.py   # Main pipeline — Terminal 1
├── simulate_attack.py   # Attack simulator — Terminal 2
├── test_slack.py        # Pre-demo Slack test
│
└── docs/
    └── architecture.md  # Component diagram and data flow

Note: config.py is in .gitignore — your API keys are never committed to this repository.


Prerequisites

On Your Laptop (before VM setup)

  • VMware Workstation (Windows) or VMware Fusion (Mac) installed
  • Ubuntu 22.04 LTS ISO downloaded from ubuntu.com/download/server
  • AbuseIPDB free account — abuseipdb.com/register
  • Slack free workspace with #threat-alerts channel
  • Slack Incoming Webhook URL — api.slack.com/apps

Inside the VM

  • Python 3.8+
  • pip and venv
  • git
  • curl
  • Internet access via NAT

VMware VM Setup

Create the VM

VMware → New Virtual Machine
Name: threat-demo-vm
OS: Ubuntu 64-bit
RAM: 2048 MB minimum (4096 MB recommended)
CPU: 2 cores
Disk: 20 GB
Network: NAT

Install Ubuntu 22.04

Profile: name=Stephen | hostname=threat-demo-vm | user=ubuntu
Password: your choice
SSH: Install OpenSSH Server = YES

Enable VMware Clipboard Sharing

VMware Workstation: VM → Settings → Options → Guest Isolation → tick both clipboard options
VMware Fusion: Virtual Machine → Settings → Isolation → Allow copy and paste

Take Snapshots

# After clean install:   Snapshot → clean-install
# After apt upgrade:     Snapshot → updated-clean
# After full demo setup: Snapshot → demo-ready

Installation Inside the VM

1 — Clone the repository

# Inside the VM terminal
git clone https://github.com/Herculis411/threat-detection-demo.git
cd threat-detection-demo

2 — Create virtual environment

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

3 — Configure API keys

cp config.example.py config.py
nano config.py

Replace the placeholder values:

ABUSEIPDB_API_KEY = 'your-real-abuseipdb-key'
SLACK_WEBHOOK_URL = 'https://hooks.slack.com/services/your/real/webhook'
LOG_FILE          = '/tmp/demo_auth.log'

4 — Create the demo log file

touch /tmp/demo_auth.log

5 — Test Slack webhook

python3 test_slack.py
# Expected: SUCCESS: Test alert sent — check #threat-alerts

6 — Test AbuseIPDB API

python3 -c "
from config import ABUSEIPDB_API_KEY
import requests
r = requests.get(
    'https://api.abuseipdb.com/api/v2/check',
    headers={'Accept':'application/json','Key':ABUSEIPDB_API_KEY},
    params={'ipAddress':'8.8.8.8','maxAgeInDays':90}
)
print('Status:', r.status_code)
print('Score:', r.json()['data']['abuseConfidenceScore'])
"
# Expected: Status: 200 | Score: 0

Running the Demo

Before you start

  • Open Slack #threat-alerts on your phone AND in a browser tab
  • Open two terminal windows inside the VM — both in the project folder
  • Increase terminal font size to 16pt — audience must read the output

Terminal 1 — Start the detector

cd ~/threat-detection-demo    # directory created by git clone in step 1
source venv/bin/activate
python3 threat_detector.py

Expected output:

2026-05-22 10:00:00 [INFO] Threat detector started — watching: /tmp/demo_auth.log
2026-05-22 10:00:00 [INFO] Alert threshold: 3 failed attempts
2026-05-22 10:00:00 [INFO] Waiting for suspicious activity...

Terminal 2 — Launch the attack

cd ~/threat-detection-demo    # directory created by git clone in step 1
source venv/bin/activate
python3 simulate_attack.py

Expected output (one line per 0.8 seconds):

Simulating attack from: 185.220.101.42 (This IP scores 100% on AbuseIPDB)
[SIMULATOR] Attempt 1/8: Failed password for root from 185.220.101.42 port 22
[SIMULATOR] Attempt 2/8: Failed password for admin from 185.220.101.42 port 2222
[SIMULATOR] Attempt 3/8: Failed password for ubuntu from 185.220.101.42 port 22

Watch Terminal 1 react

2026-05-22 10:01:05 [INFO] Failed login from 185.220.101.42 — attempt #1
2026-05-22 10:01:06 [INFO] Failed login from 185.220.101.42 — attempt #2
2026-05-22 10:01:07 [WARNING] THRESHOLD REACHED for 185.220.101.42
2026-05-22 10:01:07 [INFO] AbuseIPDB score: 100%
2026-05-22 10:01:08 [INFO] Slack alert sent — Level: CRITICAL

Slack alert arrives

The #threat-alerts channel receives a CRITICAL alert containing:

  • Attacker IP
  • Threat level
  • Abuse confidence score
  • Country and ISP
  • Total reports from AbuseIPDB
  • Recommended action

Reset Between Runs

# Stop detector: Ctrl+C in Terminal 1
> /tmp/demo_auth.log          # clear log
> threat_detector.log         # clear detector log
python3 threat_detector.py    # restart
python3 simulate_attack.py    # re-run attack in Terminal 2

VMware Snapshot Restore

If anything breaks mid-demo:

VMware Workstation: VM → Snapshot → Snapshot Manager → demo-ready → Restore
VMware Fusion: Virtual Machine → Snapshots → demo-ready → Restore

Full restore in under 30 seconds.


Advanced — Monitor Real Auth Log

Switch from simulated to real SSH monitoring:

# Edit config.py
LOG_FILE = '/var/log/auth.log'

# Run with elevated permissions
sudo ~/threat-detection-demo/venv/bin/python3 threat_detector.py   # run from the project folder

Any real failed SSH login on the VM will trigger the pipeline.


Configuration Reference

| Variable            | Description                  | Source                                    |
|---------------------|------------------------------|-------------------------------------------|
| ABUSEIPDB_API_KEY   | Threat intel API key         | abuseipdb.com/account/api                 |
| SLACK_WEBHOOK_URL   | Slack incoming webhook       | api.slack.com/apps                        |
| LOG_FILE            | Log file to monitor          | Default: /tmp/demo_auth.log               |
| ALERT_THRESHOLD     | Attempts before alert fires  | Default: 3 (in threat_detector.py)        |
| ABUSEIPDB_MIN_SCORE | Score to confirm threat      | Default: 25 (in threat_detector.py)       |
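The detection and enrichment loop the README describes, as an added example that is not the repository's own threat_detector.py: it parses sshd failed-password lines, counts attempts per source IP against ALERT_THRESHOLD, enriches once the threshold is reached and builds the Slack webhook payload with the fields listed above. The AbuseIPDB lookup is replaced by a constructed stub so it runs offline, the log lines are constructed, and the HIGH/LOW levels below the CRITICAL shown in the demo are assumptions.

```python
# Added example (not the repo's threat_detector.py): the README's detection loop, run offline.
import re
from collections import Counter

ALERT_THRESHOLD = 3        # failed attempts before an alert fires (README default)
ABUSEIPDB_MIN_SCORE = 25   # score needed to confirm a threat (README default)

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                          r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")

def parse_failed_login(line):
    """Return (user, ip) for an sshd 'Failed password for ... from <ip> port <n>' line, else None."""
    m = FAILED_LOGIN.search(line)
    return (m.group("user"), m.group("ip")) if m else None

def threat_level(score):
    """Map abuseConfidenceScore to an alert level (HIGH/LOW cut-offs are assumptions)."""
    return "CRITICAL" if score >= 75 else "HIGH" if score >= ABUSEIPDB_MIN_SCORE else "LOW"

def build_slack_alert(ip, attempts, intel):
    """Slack incoming-webhook payload carrying the fields the README lists."""
    level = threat_level(intel["abuseConfidenceScore"])
    return {"text": (f"*{level}*: {attempts} failed SSH logins from `{ip}`\n"
                     f"Score: {intel['abuseConfidenceScore']}% | {intel['countryCode']} | {intel['isp']}\n"
                     f"Reports: {intel['totalReports']} | Action: block {ip} at the perimeter")}

def scan(lines, lookup):
    """Count failures per source IP; at the threshold, enrich once and alert once."""
    counts, alerted, alerts = Counter(), set(), []
    for line in lines:
        hit = parse_failed_login(line)
        if hit is None:                # accepted logins and other noise are ignored
            continue
        _, ip = hit
        counts[ip] += 1
        if counts[ip] >= ALERT_THRESHOLD and ip not in alerted:
            alerted.add(ip)            # later attempts from the same IP do not re-alert
            alerts.append(build_slack_alert(ip, counts[ip], lookup(ip)))
    return alerts

SAMPLE_LOG = [  # constructed: three failures from the simulator's IP plus one clean login
    "May 22 10:01:05 vm sshd[1201]: Failed password for root from 185.220.101.42 port 22 ssh2",
    "May 22 10:01:05 vm sshd[1202]: Accepted publickey for ubuntu from 10.0.0.5 port 50122 ssh2",
    "May 22 10:01:06 vm sshd[1203]: Failed password for admin from 185.220.101.42 port 2222 ssh2",
    "May 22 10:01:07 vm sshd[1204]: Failed password for invalid user test from 185.220.101.42 port 22 ssh2",
]

def fake_lookup(ip):
    """Stand-in for GET /api/v2/check; the values are constructed, not real AbuseIPDB data."""
    return {"abuseConfidenceScore": 100, "countryCode": "XX", "isp": "Example ISP", "totalReports": 412}
```

Calling `scan(SAMPLE_LOG, fake_lookup)` returns a single CRITICAL alert for 185.220.101.42 after the third failure; in the real pipeline the returned payload is what gets POSTed to SLACK_WEBHOOK_URL.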

Troubleshooting

| Issue                        | Fix                                                                     |
|------------------------------|-------------------------------------------------------------------------|
| Slack alert not arriving     | Check SLACK_WEBHOOK_URL starts with https://hooks.slack.com/services/   |
| AbuseIPDB returns 401        | API key wrong — verify at abuseipdb.com/account/api                     |
| AbuseIPDB returns 429        | Rate limit — free tier 1000/day — wait or query a different IP          |
| ModuleNotFoundError: requests | Run: source venv/bin/activate                                          |
| No detector output           | Confirm /tmp/demo_auth.log exists: touch /tmp/demo_auth.log             |
| VM has no internet           | VMware network adapter must be set to NAT — not Host-only               |
| Clipboard paste not working  | VM Settings → Guest Isolation → enable clipboard sharing                |

The Security Lesson

This demo illustrates three foundational SOAR principles:

1. Automated detection — the pipeline checks every log line, every time, without fatigue or delay. A human analyst triaging 10,000 alerts per day cannot match this consistency.

2. Threat intelligence enrichment — a raw IP address becomes rich context: geographic origin, ISP, abuse history, confidence score. Context is what turns an alert into actionable intelligence.

3. Automated response — the alert fires in under 10 seconds. An enterprise SOC team averages 28 minutes for initial detection. Automation eliminates that gap.


Built During the DevOps Micro-Internship

Mentor: Pravin Mishra (Lead) — CloudAdvisory
Programme: DevNet Automation in Cybersecurity

Join the community: https://lnkd.in/euNeyWnr


License

MIT — free to use, adapt, and share.

About

Automated Threat Detection Pipeline - Python + AbuseIPDB + Slack | VMware Demo Lab | DevNet Automation in Cybersecurity
