CyberBlueAcademy

Module 7: Threat Intelligence — Know Your Enemy

Don't investigate blind. Use intel to move faster and smarter.

Tools: MISP + ATT&CK Navigator
5 Lessons
4 Hands-on Labs

Lessons

1. IOC Types & Lifecycle
IPs, domains, hashes, freshness

2. Threat Feeds & Sharing
Open feeds, ISACs, TLP

3. MISP for SOC Analysts
Events, attributes, tags

4. Pivoting: From One IOC to Many
IP → domain → hash → campaign

5. Intel-Driven Triage
IOCs change triage decisions

Labs

Lab 7.1 — IOC Lookup

Search 5 IOCs from a simulated SIEM alert in MISP — determine threat attribution, confidence levels, and produce a structured IOC lookup report.

Intermediate

Lab 7.2 — Pivot and Expand

Start from one Wazuh alert, pivot through MISP, and chain IOCs (IP → domain → hash → campaign) to build a complete threat profile.

Advanced

Lab 7.3 — Feed the SIEM

Take 3 confirmed malicious IOCs from MISP, search Wazuh for historical hits, and produce a structured IOC Presence Report with timestamps, affected hosts, and recommended response actions.

Intermediate

Lab 7.4 — Campaign Mapping

Extract IOCs from a ransomware threat intel report, search MISP for matches, map ATT&CK techniques, and write an executive 'Are We Affected?' briefing.

Advanced