Module 6: Intel-Driven Detections
Turn threat intelligence into detections — decompose reports, choose IOC vs behavioral approaches, and write structured threat briefs.
Lessons & Labs
Lesson 6.1 — From Threat Report to Detection
Decomposing threat reports into detectable behaviors — entity extraction, technique mapping, and detection gap identification.
Lab 6.1 — Threat Report to Sigma Rule
Decompose a simulated threat report, extract detectable behaviors, write a Sigma rule, and validate it fires on shared Wazuh data.
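As an added example (not lab material from the course), the path Lab 6.1 describes in Python: a behavior extracted from a constructed report excerpt, the Sigma rule that captures it, and a check that it fires on constructed Wazuh-style Sysmon events. The report excerpt, the events, the Wazuh field paths in FIELD_MAP, the benign parent in the filter, and the toy matcher (which supports only a subset of Sigma modifiers and condition grammar) are all assumptions. In a real pipeline a Sigma backend converts the rule to the target SIEM's query language; the matcher here only stands in for that step.

```python
"""Lab 6.1 path: threat report -> behavior -> Sigma rule -> validation.

Added example, not course material. The report excerpt, the events, the
Wazuh field paths in FIELD_MAP and the toy Sigma matcher are assumptions.
"""
from __future__ import annotations

from typing import Any

# Step 1 (decomposition). Constructed report excerpt: "the loader spawns
# PowerShell with a base64-encoded command line and beacons to 203.0.113.45".
# Entities: tool powershell.exe, argument -enc / -EncodedCommand, an IP.
# Technique mapping: T1059.001 (PowerShell), T1027 (obfuscated payload).
# The IP is an IOC the adversary can rotate cheaply; the encoded-command
# behavior is what the rule targets.

# Step 2 (rule). The dict form of the Sigma YAML; keys and modifiers are
# standard Sigma (Image|endswith, CommandLine|contains, a list means OR).
SIGMA_RULE: dict[str, Any] = {
    "title": "PowerShell Encoded Command Line",
    "status": "experimental",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        # Assumed benign parent found while tuning on the shared data.
        "filter_patch_runner": {"ParentImage|endswith": "\\patch-runner.exe"},
        "condition": "selection and not filter_patch_runner",
    },
    "tags": ["attack.execution", "attack.t1059.001", "attack.t1027"],
}

# Assumed mapping from Sigma process_creation fields to the dotted field
# paths Wazuh's Sysmon decoder produces; a Sigma backend does this for you.
FIELD_MAP = {
    "Image": "data.win.eventdata.image",
    "CommandLine": "data.win.eventdata.commandLine",
    "ParentImage": "data.win.eventdata.parentImage",
}


def _lookup(event: dict, dotted: str) -> str | None:
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur if isinstance(cur, str) else None


def _match_term(value: str, modifier: str, pattern: str) -> bool:
    v, p = value.lower(), pattern.lower()  # Sigma string matches are case-insensitive
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "":
        return v == p
    raise ValueError(f"modifier {modifier!r} not supported by this toy matcher")


def _match_selection(event: dict, selection: dict) -> bool:
    """Fields in a selection are ANDed; a list of values for one field is ORed."""
    for key, patterns in selection.items():
        field_name, _, modifier = key.partition("|")
        value = _lookup(event, FIELD_MAP.get(field_name, field_name))
        if value is None:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_term(value, modifier, p) for p in patterns):
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    """Toy condition support: 'X' or 'X and not Y' only (assumption)."""
    det = rule["detection"]
    tokens = det["condition"].split()
    if len(tokens) == 1:
        return _match_selection(event, det[tokens[0]])
    if len(tokens) == 4 and tokens[1:3] == ["and", "not"]:
        return _match_selection(event, det[tokens[0]]) and not _match_selection(event, det[tokens[3]])
    raise ValueError("condition grammar not supported by this toy matcher")


def _sysmon_event(image: str, cmdline: str, parent: str) -> dict:
    """Constructed Wazuh-style alert fragment for a Sysmon event ID 1."""
    return {"data": {"win": {"eventdata": {"image": image, "commandLine": cmdline, "parentImage": parent}}}}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed validation set: one true positive, three negatives
    _sysmon_event(PS, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A", r"C:\Users\bob\AppData\Local\Temp\loader.exe"),
    _sysmon_event(PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1", r"C:\Windows\explorer.exe"),
    _sysmon_event(PS, "powershell.exe -EncodedCommand ZQBjAGgAbwA=", r"C:\Tools\patch-runner.exe"),
    _sysmon_event(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami -enc", r"C:\Windows\explorer.exe"),
]


def firing_events(rule: dict = SIGMA_RULE, events: list[dict] = EVENTS) -> list[int]:
    """Step 3 (validation): indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]
```

Only the first event fires: the second has no encoded command, the third matches the selection but is excluded by the filter, and the fourth carries `-enc` on cmd.exe rather than PowerShell. A validation set should contain exactly these kinds of near misses, because a rule that only ever sees the true positive tells you nothing about its false-positive rate on the shared data.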
Lesson 6.2 — IOC-Based vs Behavioral Detection
When to use each approach, IOC lifecycle, expiration policies, and the Pyramid of Pain for detection selection.
Lab 6.2 — IOC Lifecycle Exercise
Track IOCs through their lifecycle in the shared Wazuh environment — from initial detection to expiration, measuring detection value over time.
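As an added example covering both Lesson 6.2 and Lab 6.2 (not course material), a Python model of the IOC lifecycle: each indicator's confidence decays from its last confirmed sighting at a rate set by its Pyramid of Pain level, a true-positive sighting resets the clock, and an expiration policy retires it once confidence drops below a threshold. The half-lives, the 0.2 threshold and the constructed feed are illustrative assumptions, not a published policy; the point is that a hash and a domain supplied by the same report should not share an expiry date.

```python
"""IOC lifecycle (Lesson 6.2 / Lab 6.2): ingestion, confidence decay,
refresh on true-positive sightings, and expiration, with decay rates
chosen by Pyramid of Pain level.

Added example, not course material. Half-lives, the expiry threshold and
the constructed feed are illustrative assumptions, not a published policy.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Pyramid of Pain levels for the indicator types modelled here. TTPs sit
# above all of these and are covered by behavioral rules, not IOCs.
PYRAMID_LEVEL = {"hash": "trivial", "ip": "easy", "domain": "simple", "tool": "challenging"}

# Assumed half-lives: the cheaper an indicator is for the adversary to
# rotate, the faster its detection value decays.
HALF_LIFE_DAYS = {"hash": 7.0, "ip": 14.0, "domain": 30.0, "tool": 90.0}
EXPIRY_THRESHOLD = 0.2  # assumed policy: retire once confidence falls below 0.2


@dataclass
class IOC:
    value: str
    ioc_type: str
    source_confidence: float            # 0..1, from the report that supplied it
    first_seen: datetime
    last_seen: datetime | None = None
    sightings: list[datetime] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.ioc_type not in HALF_LIFE_DAYS:
            raise ValueError(f"unknown IOC type {self.ioc_type!r}")
        if self.last_seen is None:
            self.last_seen = self.first_seen

    @property
    def pain_level(self) -> str:
        return PYRAMID_LEVEL[self.ioc_type]

    def confidence(self, now: datetime) -> float:
        """Exponential decay since the last sighting: c0 * 2^(-age / half_life)."""
        age_days = max(0.0, (now - self.last_seen).total_seconds() / 86400.0)
        return self.source_confidence * math.pow(2.0, -age_days / HALF_LIFE_DAYS[self.ioc_type])

    def is_expired(self, now: datetime) -> bool:
        return self.confidence(now) < EXPIRY_THRESHOLD

    def record_sighting(self, when: datetime) -> None:
        """A confirmed true positive resets the decay clock: the adversary still uses it."""
        self.sightings.append(when)
        if when > self.last_seen:
            self.last_seen = when


def lifecycle(ioc: IOC, days: int, sighting_days: frozenset[int] = frozenset()) -> list[tuple[int, float, bool]]:
    """Walk day 0..days from first_seen, recording (day, confidence, expired)."""
    rows = []
    for d in range(days + 1):
        now = ioc.first_seen + timedelta(days=d)
        if d in sighting_days:
            ioc.record_sighting(now)
        rows.append((d, round(ioc.confidence(now), 3), ioc.is_expired(now)))
    return rows


def expiry_day(ioc: IOC, days: int, sighting_days: frozenset[int] = frozenset()) -> int | None:
    """First day on which the expiration policy would retire the indicator."""
    for d, _, expired in lifecycle(ioc, days, sighting_days):
        if expired:
            return d
    return None


def prune(feed: list[IOC], now: datetime) -> tuple[list[str], list[str]]:
    """Apply the policy to a feed: returns (still active, retired) indicator values."""
    active = [i.value for i in feed if not i.is_expired(now)]
    retired = [i.value for i in feed if i.is_expired(now)]
    return active, retired


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed report date


def sample_feed() -> list[IOC]:
    """Constructed indicators as a single threat report might supply them."""
    return [
        IOC("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "hash", 0.9, T0),
        IOC("203.0.113.45", "ip", 0.9, T0),          # TEST-NET-3 address, constructed
        IOC("update-cdn.example", "domain", 0.9, T0),
        IOC("customloader-v2", "tool", 0.8, T0),
    ]
```

With these assumptions the hash retires on day 16 while the domain from the same report lasts until day 66, and a single confirmed sighting of the hash on day 10 pushes its retirement to day 26. Running prune on the feed 20 days after the report retires only the hash. The exact numbers are a function of the assumed half-lives; what carries over to the lab is the shape of the policy: decay per level, refresh on true positives, and a threshold that is reviewed, not a fixed calendar expiry applied to every indicator alike.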
Lesson 6.3 — Writing Structured Threat Briefs
Converting analysis into actionable detection requirements — brief templates, stakeholder communication, and prioritization frameworks.