Threat Intelligence on Demand

Lesson 4 of 10

The Scenario

Your firewall blocked connections to 185.220.101.42 ten times in the last hour. Is this a known malicious IP? What threat actor uses it? Should you escalate or ignore? Instead of searching 5 different threat intel sites, ask AI.
The Prompt

I see repeated blocked connections from my network to 185.220.101.42 on port 443. Give me:
1. What is known about this IP? (threat intel context)
2. Is it associated with any threat actors or malware families?
3. Is it a known Tor exit node, VPN, or hosting provider?
4. What should I investigate on my internal network? (which host is trying to connect)
5. Recommended actions: block, monitor, or escalate?

Also suggest 3 free online tools where I can verify this information myself.

What AI Gives You

  • Context on the IP (e.g., known Tor exit node used by various threat actors)
  • Suggested tools: VirusTotal, AbuseIPDB, Shodan, GreyNoise
  • Internal investigation steps: check which host initiated the connection, look for beaconing patterns
  • Clear recommendation based on risk level

Review and Validate

  • AI knowledge has a cutoff — always verify on live threat intel platforms
  • VirusTotal and AbuseIPDB are free — cross-reference AI's assessment
  • The internal host matters more — even if the external IP is benign, why is your device reaching out?

Try It Yourself

Check your firewall's deny logs for the top 5 blocked external IPs. Run each through AI for a quick threat assessment.
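To do the "Try It Yourself" exercise and the internal investigation step above (which host initiated the connection, and is it beaconing?) without doing it by hand, here is an added helper that is not part of this lesson. It assumes a simple constructed deny-log format, not any particular firewall vendor's, and the sample log below is constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Assumed deny-log format (not a specific vendor's): <ISO ts> DENY src=<ip> dst=<ip> dport=<n>
LINE_RE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

# Constructed sample: 10.0.0.5 reaches for the lesson's IP every 5 minutes, plus unrelated denies.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z DENY src=10.0.0.5 dst=185.220.101.42 dport=443
2024-05-01T10:01:12Z DENY src=10.0.0.9 dst=203.0.113.7 dport=22
2024-05-01T10:05:00Z DENY src=10.0.0.5 dst=185.220.101.42 dport=443
2024-05-01T10:07:40Z DENY src=10.0.0.9 dst=203.0.113.7 dport=22
2024-05-01T10:10:00Z DENY src=10.0.0.5 dst=185.220.101.42 dport=443
2024-05-01T10:12:03Z DENY src=10.0.0.17 dst=198.51.100.2 dport=80
2024-05-01T10:15:00Z DENY src=10.0.0.5 dst=185.220.101.42 dport=443
2024-05-01T10:20:00Z DENY src=10.0.0.5 dst=185.220.101.42 dport=443
"""

def parse(log_text):
    """Return (timestamp, src, dst, dport) tuples for well-formed deny lines; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events

def top_blocked(events, n=5):
    """Most frequently denied external IPs: the list to take to AI and to live threat intel platforms."""
    return Counter(e[2] for e in events).most_common(n)

def internal_hosts_for(events, dst_ip):
    """Which internal hosts tried to reach dst_ip, and how many times each."""
    return Counter(e[1] for e in events if e[2] == dst_ip)

def beacon_score(events, src_ip, dst_ip):
    """Coefficient of variation of the gaps between attempts from src_ip to dst_ip.
    Close to 0 means a fixed interval, a hallmark of beaconing. None if fewer than 3 attempts."""
    times = sorted(e[0] for e in events if e[1] == src_ip and e[2] == dst_ip)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return round(pstdev(gaps) / mean(gaps), 3)
```

Run `top_blocked(parse(open("deny.log").read()))` on your own export to get the list to assess, then `internal_hosts_for` and `beacon_score` on each IP to answer the "which host, and why" question before escalating.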
