
Automating Threat Intel: A Python Playbook for SOC Analysts

2026-04-25 | DevSecOps Engineer

SOC analysts burn out when they are forced to do repetitive tasks. In this guide, we'll build a simple Python script to query the DarkLake API and alert on new findings.

Prerequisites

You'll need Python 3.8+ and a DarkLake API key. Install the requests library: pip install requests.

The Script

This script checks for leaked credentials for a specific domain:

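import os

import requests

# Read the key from the environment instead of hardcoding it in the script.
# The variable name DARKLAKE_API_KEY is our choice, not one the API requires.
API_KEY = os.environ["DARKLAKE_API_KEY"]
DOMAIN = "example.com"

def check_leaks(domain):
    """Return the leak records the API reports for a domain."""
    url = "https://api.darklake.global/v1/leaks"
    headers = {"Authorization": f"Bearer {API_KEY}"}
    # Passing the domain via params URL-encodes it; the timeout keeps a
    # stalled connection from hanging a scheduled run.
    response = requests.get(url, headers=headers, params={"domain": domain}, timeout=10)
    # Fail loudly on an HTTP error instead of counting fields of an error body.
    response.raise_for_status()
    return response.json()

results = check_leaks(DOMAIN)
print(f"Found {len(results)} leaks for {DOMAIN}")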

You can schedule this script to run hourly and integrate it with Slack or Microsoft Teams for real-time alerts.
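The script above prints a total on every run, so an hourly schedule would repeat the same alert each hour. The following added example (not part of the original script or DarkLake's own code) keeps a state file of record fingerprints and builds a Slack incoming-webhook message only for records not seen before. It assumes the API returns a JSON list of records; the function names, state file name and sample records are hypothetical, and the webhook post uses the standard-library urllib.

```python
import hashlib
import json
import os
import tempfile
import urllib.request
from pathlib import Path

def fingerprint(record):
    """Stable SHA-256 over the canonical JSON of one leak record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def new_findings(records, state_path):
    """Return records not seen in earlier runs and update the state file."""
    path = Path(state_path)
    seen = set(json.loads(path.read_text())) if path.exists() else set()
    fresh = []
    for rec in records:
        fp = fingerprint(rec)
        if fp not in seen:
            seen.add(fp)
            fresh.append(rec)
    # Persist hashes only (never the leaked data), written atomically.
    tmp = path.with_suffix(".tmp")
    tmp.write_text(json.dumps(sorted(seen)))
    os.replace(tmp, path)
    return fresh

def build_alert(domain, fresh):
    """Slack incoming-webhook payload: a count only, no secrets in chat."""
    return {"text": f"{len(fresh)} new leak record(s) for {domain}"}

def send_alert(webhook_url, payload):
    """POST the payload to a Slack incoming webhook (HTTPS only)."""
    if not webhook_url.startswith("https://"):
        raise ValueError("webhook URL must use https")
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed sample records; the real response schema is an assumption.
    sample = [{"email": "a@example.com", "source": "dump-1"}]
    state = Path(tempfile.mkdtemp()) / "seen.json"
    print(build_alert("example.com", new_findings(sample, state)))
```

In a scheduled run, pass the list returned by check_leaks to new_findings and call send_alert only when the result is non-empty; keep the webhook URL in the environment alongside the API key.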
