Skip to content

xdrew87/iris

BranchesTags

Repository files navigation

IRIS — Threat Intelligence Correlator & Alert Engine

Python License Platform Version

IRIS is an automated threat intelligence aggregation, correlation, and alerting platform built for red teams and security operations. It pulls from 8+ industry TI feeds, cross-references indicators against your target scope, correlates findings across sources, and generates actionable alerts.

Features

  • Multi-Feed Aggregation — VirusTotal, Shodan, AbuseIPDB, URLhaus, abuse.ch, Phishtank, Tor Exit Nodes, Censys
  • Correlation Engine — detect shared ASNs, registrants, infrastructure across feeds; confidence-scored results
  • Continuous Monitoring — watch targets in the background; alert on new findings
  • Historical Database — SQLite (default) or PostgreSQL; full indicator history and trend analysis
  • Rich CLI — colorized output, tables, progress bars
  • Multi-Channel Alerting — Email, Slack, Discord, syslog
  • Web Dashboard — optional browser UI for real-time feed status, alerts, correlation visualization
  • Flexible Scope — JSON/YAML scope files with IPs, CIDRs, domains, hashes

Installation

git clone https://github.com/xdrew87/iris.git
cd iris
pip install -r requirements.txt

Quick Start

# Initialize your workspace (creates config.yaml)
python src/main.py init

# Scan a single indicator
python src/main.py scan 1.2.3.4
python src/main.py scan malware.example.com
python src/main.py scan d41d8cd98f00b204e9800998ecf8427e

# Correlate a scope file
python src/main.py correlate --scope scope.json

# Watch targets continuously
python src/main.py watch --scope scope.json

# Generate a report
python src/main.py report --format json --output report.json

# Launch web dashboard
python src/main.py dashboard --port 8080

Configuration

Copy config.yaml and fill in your API keys — or set them as environment variables (recommended):

Feed Environment Variable
VirusTotal IRIS_VT_API_KEY
Shodan IRIS_SHODAN_API_KEY
AbuseIPDB IRIS_ABUSEIPDB_API_KEY
Censys IRIS_CENSYS_API_ID + IRIS_CENSYS_API_SECRET
Slack Alert IRIS_SLACK_WEBHOOK
Discord IRIS_DISCORD_WEBHOOK

URLhaus, abuse.ch, Phishtank, and Tor exit nodes require no API key.

Scope File Format

{
  "targets": [
    {"type": "ip",     "value": "1.2.3.4",                              "label": "C2 Server"},
    {"type": "domain", "value": "evil.example.com"},
    {"type": "hash",   "value": "d41d8cd98f00b204e9800998ecf8427e",     "label": "Malware Sample"}
  ]
}

Output Example

╔══════════════════════════════════════════════╗
║        IRIS Threat Intelligence Report        ║
╚══════════════════════════════════════════════╝

Target: 1.2.3.4
─────────────────────────────────────────────
 Feed          Status     Confidence  Flags
 VirusTotal    MALICIOUS  92%         Malware C2
 AbuseIPDB     MALICIOUS  87%         SSH Brute Force
 Shodan        INFO       —           Port 22,80,443
 Tor Exit      FLAGGED    100%        Known Exit Node

 Correlation: AbuseIPDB + VirusTotal = Same ASN AS12345
 Overall Confidence: 89% — HIGH RISK

Docker

docker-compose up

Contributing

See CONTRIBUTING.md.

Security

See SECURITY.md to report vulnerabilities.

License

MIT © 2026 xdrew87

About

Automated threat intelligence aggregation, correlation, and alerting platform for red teams and security operations.

Topics

ioc automation osint monitoring incident-response cybersecurity threat-hunting soc red-team network-security security-automation threat-intelligence reconnaissance security-research blue-team osint-framework threat-detection security-operations intel-platform ioc-correlation

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages