Hands-on Lab · Intermediate · ~50 min · Includes challenge

Lab 7.1 — IOC Lookup

Search 5 IOCs from a simulated SIEM alert in MISP — determine threat attribution, confidence levels, and produce a structured IOC lookup report.

Tools needed: MISP

What You'll Learn

  • Search for Indicators of Compromise (IOCs) in MISP using the web interface
  • Correlate IOCs against curated threat events to determine malware family attribution
  • Interpret MISP metadata including threat level, TLP marking, confidence tags, and galaxy clusters
  • Differentiate between known (matched) and unknown (no-hit) IOCs and explain the implications of each
  • Produce a structured IOC lookup report suitable for inclusion in a SOC incident ticket

Lab Overview

Detail           Value
Lab Profile      lab-misp
Containers       misp-core, mysql, redis, misp-modules
Estimated Time   45–50 minutes
Difficulty       Intermediate
Browser Access   MISP Web UI
Pre-Loaded Data  5 threat events with ~116 IOC attributes (APT29/SolarWinds, LockBit 3.0, Emotet, Cobalt Strike, DNS Tunneling/DGA)
Credentials      admin@admin.test / CyberBlue2026!
Deliverable      IOC lookup report with findings for all 5 investigated IOCs

Why IOC Lookup Matters. When a SIEM fires an alert, the first question is always: "Is this indicator known-bad?" MISP is the platform SOC teams use to answer that question. A fast, accurate IOC lookup turns a vague alert into an actionable finding with malware family, threat actor, and confidence level — everything the incident responder needs to prioritize and contain.


The Scenario

Your SIEM has flagged suspicious network activity over the past 24 hours. The Tier 1 analyst extracted 5 IOCs from the alert data and escalated them to you for threat intelligence enrichment. Your task is to look up each IOC in your organization's MISP instance, determine whether it matches any known threat, and produce a structured report.

The 5 IOCs from the alert:

#  IOC Value                                                         IOC Type
1  203.0.113.50                                                      IP address
2  198.51.100.23                                                     IP address
3  update-service.darkoperator.com                                   Domain
4  e99a18c428cb38d5f260853678922e03                                  MD5 hash
5  7a4b8c3d9e2f1a5b6c8d0e3f4a7b9c1d2e5f8a0b3c6d9e1f4a7b0c3d6e9f2a    SHA-256 hash

For each IOC you will: search MISP, determine if it's known or unknown, identify the associated threat (if any), and assess the confidence level.


Part 1: Accessing MISP and Orientation

Step 1: Log In to MISP

Once your lab environment is running, open the MISP web UI and log in with the lab credentials from the Lab Overview table: admin@admin.test / CyberBlue2026!

Step 2: Explore the Pre-Loaded Events

Navigate to Event Actions → List Events from the top menu. You should see 5 pre-loaded threat events:

#  Event Name                              Threat Level  Attributes
1  APT29 / SolarWinds Supply Chain         High          ~30 IOCs
2  LockBit 3.0 Ransomware Campaign         High          ~25 IOCs
3  Emotet Botnet Distribution              Medium        ~22 IOCs
4  Cobalt Strike Beacon Infrastructure     High          ~20 IOCs
5  DNS Tunneling / DGA Activity            Medium        ~19 IOCs

Understanding MISP Events. Each event represents a threat campaign or incident. Events contain attributes (the individual IOCs — IPs, domains, hashes, etc.) and are enriched with tags (TLP markings, confidence levels) and galaxy clusters (MITRE ATT&CK mappings, threat actor profiles). Click into any event to see its full structure.

Step 3: Understand the Search Interface

Click Event Actions → Search Attributes (or use the global search bar at the top). This is where you'll perform your IOC lookups. The search interface lets you filter by:

  • Value — the IOC itself (IP, hash, domain)
  • Type — restrict to ip-dst, domain, md5, sha256, etc.
  • Category — Network activity, Payload delivery, etc.

[Figure: MISP IOC Lookup Workflow]


Part 2: IOC Lookup — Step by Step

IOC #1: IP Address 203.0.113.50

  1. Go to Event Actions → Search Attributes
  2. In the Value field, enter: 203.0.113.50
  3. Click Search (or press Enter)

Record your findings:

  • Did MISP return a match? (Yes/No)
  • If yes: which event? What threat does it relate to?
  • What is the attribute type? (ip-dst, ip-src, etc.)
  • What tags are attached to the parent event? (Look for TLP and threat-level tags)
  • What galaxy clusters are linked? (MITRE ATT&CK techniques, threat actor)

No Match ≠ Safe. If MISP returns zero results for an IOC, it does NOT mean the indicator is benign. It means your threat intel feeds haven't seen it yet. Document "No match — requires further investigation" and consider submitting it to external sources (VirusTotal, AbuseIPDB) as a next step.

IOC #2: IP Address 198.51.100.23

Repeat the same search process:

  1. Search for 198.51.100.23 in the attribute search
  2. Note which event it belongs to (if any)
  3. Record the attribute category, type, and any related attributes in the same event
  4. Check for galaxy clusters — does MISP link this IP to a specific threat actor or technique?

IOC #3: Domain update-service.darkoperator.com

  1. Search for update-service.darkoperator.com
  2. This is a domain IOC — pay attention to the attribute type (domain, hostname, or url)
  3. If matched, click into the parent event and look for correlations — other IOCs in the same event that might appear in your network logs

Pivoting in MISP. When you find a match, don't stop at the single IOC. Click into the parent event and review ALL attributes. If a domain is linked to a C2 campaign, the event will also contain the IP addresses that domain resolves to, file hashes dropped by the malware, and email addresses used for phishing. These related IOCs should be searched in your SIEM immediately.

IOC #4: MD5 Hash e99a18c428cb38d5f260853678922e03

  1. Search for the hash value: e99a18c428cb38d5f260853678922e03
  2. If matched, note the malware family from the event name or galaxy cluster
  3. Check the IDS flag — is this attribute marked for IDS signature generation?
  4. Look at the comment field for analyst notes about the sample

IOC #5: SHA-256 Hash

  1. Search for: 7a4b8c3d9e2f1a5b6c8d0e3f4a7b9c1d2e5f8a0b3c6d9e1f4a7b0c3d6e9f2a
  2. Record match/no-match
  3. If matched, compare the confidence level on this event vs. the others you've found

Part 3: Interpreting MISP Results

For each matched IOC, you need to extract and understand several metadata fields. Here's what to look for:

Threat Level

MISP assigns one of four threat levels to each event:

Level      Meaning                                      SOC Response
High       Sophisticated threat actor, active campaign  Immediate escalation, containment
Medium     Known malware, widespread distribution       Standard IR workflow, block IOCs
Low        Commodity malware, low impact                Monitor, add to blocklists
Undefined  Not yet assessed                             Treat as Medium until assessed

TLP (Traffic Light Protocol)

Look for TLP tags on events — they control how you can share the intelligence:

TLP         Sharing Rule
TLP:RED     Named recipients only — do NOT share outside your team
TLP:AMBER   Your organization only
TLP:GREEN   Community sharing allowed (ISACs, partner orgs)
TLP:WHITE   Public — no restrictions

Confidence Tags

MISP events may carry confidence tags. Read the reliability of the source together with the confidence in the data itself, and use the two together to decide how much weight to give the IOC.

Galaxy Clusters

Galaxy clusters map threat intelligence to structured frameworks:

  • MITRE ATT&CK — techniques used by the threat actor (T1566 Phishing, T1059 Command Execution, etc.)
  • Threat Actor — named groups (APT29, FIN7, Lazarus, etc.)
  • Malware — named malware families (Emotet, Cobalt Strike, LockBit, etc.)

[Figure: IOC Enrichment Report]


Part 4: Build Your IOC Lookup Report

Using your findings, complete the following report template. This is the format a SOC analyst would attach to an incident ticket.

IOC LOOKUP REPORT
═════════════════════════════════════════
Analyst: [your name]
Date: [today's date]
Source: SIEM Alert Escalation (Tier 1)
Platform: MISP (CyberBlue Lab Instance)

IOC #1: 203.0.113.50 (IP Address)
  Status:       [KNOWN / UNKNOWN]
  Matched Event: [event name or "No match"]
  Malware Family: [family or "N/A"]
  Threat Level:  [High / Medium / Low / N/A]
  TLP:           [RED / AMBER / GREEN / WHITE / N/A]
  Confidence:    [assessment]
  ATT&CK Techniques: [T-codes or "N/A"]
  Recommendation: [block / monitor / investigate further]

IOC #2: 198.51.100.23 (IP Address)
  Status:       [KNOWN / UNKNOWN]
  Matched Event: [event name or "No match"]
  Malware Family: [family or "N/A"]
  Threat Level:  [High / Medium / Low / N/A]
  TLP:           [RED / AMBER / GREEN / WHITE / N/A]
  Confidence:    [assessment]
  ATT&CK Techniques: [T-codes or "N/A"]
  Recommendation: [block / monitor / investigate further]

IOC #3: update-service.darkoperator.com (Domain)
  Status:       [KNOWN / UNKNOWN]
  Matched Event: [event name or "No match"]
  Malware Family: [family or "N/A"]
  Threat Level:  [High / Medium / Low / N/A]
  TLP:           [RED / AMBER / GREEN / WHITE / N/A]
  Confidence:    [assessment]
  ATT&CK Techniques: [T-codes or "N/A"]
  Recommendation: [block / monitor / investigate further]

IOC #4: e99a18c428cb38d5f260853678922e03 (MD5)
  Status:       [KNOWN / UNKNOWN]
  Matched Event: [event name or "No match"]
  Malware Family: [family or "N/A"]
  Threat Level:  [High / Medium / Low / N/A]
  TLP:           [RED / AMBER / GREEN / WHITE / N/A]
  Confidence:    [assessment]
  ATT&CK Techniques: [T-codes or "N/A"]
  Recommendation: [block / monitor / investigate further]

IOC #5: 7a4b8c3d...6e9f2a (SHA-256)
  Status:       [KNOWN / UNKNOWN]
  Matched Event: [event name or "No match"]
  Malware Family: [family or "N/A"]
  Threat Level:  [High / Medium / Low / N/A]
  TLP:           [RED / AMBER / GREEN / WHITE / N/A]
  Confidence:    [assessment]
  ATT&CK Techniques: [T-codes or "N/A"]
  Recommendation: [block / monitor / investigate further]

SUMMARY
  Total IOCs Investigated: 5
  Known (Matched):        [count]
  Unknown (No Match):     [count]
  Highest Threat Level:   [level]
  Recommended Actions:    [summary of blocking/monitoring recommendations]
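The lookup workflow in Parts 2 to 4 (search the attribute, pivot to the parent event, read threat level, TLP and galaxy clusters, then fill in the template) can also be scripted against MISP's REST API. The script below is an added example written for this page; it is not part of the lab or of the MISP project. It assumes the standard MISP endpoints /attributes/restSearch (POST) and /events/view/<id> (GET), the JSON shapes those endpoints return, and an API key sent in the Authorization header. The embedded SAMPLE_RESPONSES fixture is constructed data so the script runs offline; it is not the lab's data and does not reflect the lab's answers.

```python
import json
import re
import ssl
import urllib.request

# The 5 IOCs from the lab's simulated SIEM alert (values as given in the lab sheet).
ALERT_IOCS = ["203.0.113.50", "198.51.100.23", "update-service.darkoperator.com",
              "e99a18c428cb38d5f260853678922e03",
              "7a4b8c3d9e2f1a5b6c8d0e3f4a7b9c1d2e5f8a0b3c6d9e1f4a7b0c3d6e9f2a"]
THREAT_LEVELS = {"1": "High", "2": "Medium", "3": "Low", "4": "Undefined"}  # MISP threat_level_id
SEVERITY = ["High", "Medium", "Low", "Undefined", "N/A"]                     # most to least urgent
RECOMMENDATION = {  # SOC response per threat level, following the Part 3 table
    "High": "block / immediate escalation", "Medium": "block", "Low": "monitor",
    "Undefined": "block (treat as Medium until assessed)", "N/A": "investigate further"}
ATTACK_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")  # MITRE ATT&CK technique IDs in cluster names
FIELDS = [("Status", "status"), ("Matched Event", "matched_event"), ("Threat Level", "threat_level"),
          ("TLP", "tlp"), ("IDS flag", "to_ids"), ("ATT&CK Techniques", "techniques"),
          ("Recommendation", "recommendation")]

def misp_fetch(base_url, api_key, verify_tls=True):
    """Build fetch(path, body) for a live MISP: API key in the Authorization header, JSON in/out."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab instances commonly run with self-signed certificates
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE

    def fetch(path, body=None):
        data = json.dumps(body).encode() if body is not None else None  # POST with body, else GET
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, headers={
            "Authorization": api_key, "Accept": "application/json", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return fetch

def lookup_ioc(value, fetch):
    """Search one IOC and fill in the fields of the lab's report template."""
    row = {"ioc": value, "status": "UNKNOWN", "matched_event": "No match", "type": "N/A",
           "threat_level": "N/A", "tlp": "N/A", "to_ids": "N/A", "techniques": [],
           "recommendation": RECOMMENDATION["N/A"]}
    hits = fetch("/attributes/restSearch", {"value": value, "returnFormat": "json"})
    attrs = hits.get("response", {}).get("Attribute", [])
    if not attrs:
        return row  # "no match" is not "safe": the IOC still needs external enrichment
    attr = attrs[0]
    # Pivot to the parent event: threat level, TLP tag and galaxy clusters live there.
    event = fetch("/events/view/%s" % attr["event_id"])["Event"]
    tags = [t["name"] for t in event.get("Tag", [])]
    tlp = next((t.split(":", 1)[1].upper() for t in tags if t.lower().startswith("tlp:")), "N/A")
    techniques = {t for g in event.get("Galaxy", []) if g.get("type") == "mitre-attack-pattern"
                  for c in g.get("GalaxyCluster", []) for t in ATTACK_ID.findall(c.get("value", ""))}
    level = THREAT_LEVELS.get(str(event.get("threat_level_id")), "Undefined")
    row.update(status="KNOWN", matched_event=event.get("info", ""), type=attr.get("type", "N/A"),
               threat_level=level, tlp=tlp, to_ids=bool(attr.get("to_ids")),
               techniques=sorted(techniques), recommendation=RECOMMENDATION[level])
    return row

def build_report(iocs, fetch):
    """Look up every IOC and compute the SUMMARY block of the template."""
    rows = [lookup_ioc(v, fetch) for v in iocs]
    summary = {"Total IOCs Investigated": len(rows),
               "Known (Matched)": sum(r["status"] == "KNOWN" for r in rows),
               "Unknown (No Match)": sum(r["status"] == "UNKNOWN" for r in rows),
               "Highest Threat Level": min((r["threat_level"] for r in rows),
                                           key=SEVERITY.index, default="N/A")}
    return rows, summary

def format_report(rows, summary):
    """Render rows in the layout of the lab's IOC LOOKUP REPORT template."""
    out = ["IOC LOOKUP REPORT", "=" * 41]
    for n, r in enumerate(rows, 1):
        out.append("\nIOC #%d: %s (%s)" % (n, r["ioc"], r["type"]))
        for label, key in FIELDS:
            val = r[key]
            out.append("  %-19s%s" % (label + ":", (", ".join(val) or "N/A") if isinstance(val, list) else val))
    out += ["\nSUMMARY"] + ["  %-25s%s" % (k + ":", v) for k, v in summary.items()]
    return "\n".join(out)

# Constructed offline fixture in the shape of MISP's JSON responses (not the lab's real data):
# one IOC hits a made-up event, everything else returns no match.
SAMPLE_RESPONSES = {
    "/attributes/restSearch::203.0.113.50": {"response": {"Attribute": [{
        "id": "101", "event_id": "9", "type": "ip-dst", "category": "Network activity",
        "value": "203.0.113.50", "to_ids": True}]}},
    "/events/view/9": {"Event": {"id": "9", "info": "Constructed sample C2 event", "threat_level_id": "1",
        "Tag": [{"name": "tlp:amber"}],
        "Galaxy": [{"type": "mitre-attack-pattern", "name": "Attack Pattern", "GalaxyCluster": [
            {"value": "Application Layer Protocol - T1071"}, {"value": "Ingress Tool Transfer - T1105"}]}]}}}

def offline_fetch(path, body=None):
    """Stand-in for misp_fetch() that serves SAMPLE_RESPONSES, so the script runs without a MISP."""
    return SAMPLE_RESPONSES.get(path + ("::" + body["value"] if body else ""), {"response": {"Attribute": []}})

if __name__ == "__main__":
    # For the lab instance: fetch = misp_fetch("https://<misp-host>", "<your API key>", verify_tls=False)
    rows, summary = build_report(ALERT_IOCS, offline_fetch)
    print(format_report(rows, summary))
```

To run it against the lab instance, generate an API key under your MISP user profile and swap offline_fetch for misp_fetch(...). Only the first matching attribute is used per IOC; if the same value appears in several events, extend lookup_ioc to report every event_id, since each one is a separate pivot. The recommendation column is derived mechanically from the threat level table in Part 3 and is a starting point for the analyst's judgement, not a replacement for it.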

Deliverable Checklist

Before completing the lab, ensure you have:

  • 5 IOC lookups completed — each searched in MISP with results documented
  • Match/no-match determination for every IOC with justification
  • Threat metadata extracted — threat level, TLP, galaxy clusters for each matched IOC
  • Event pivoting performed — at least 2 matched IOCs explored via their parent event to find related indicators
  • Completed IOC Lookup Report — the full template filled out with all 5 IOCs

Key Takeaways

  • IOC lookup is the bridge between detection (SIEM alert) and intelligence (knowing what you're dealing with)
  • MISP stores IOCs inside events that represent campaigns — always explore the full event, not just the single matched attribute
  • Metadata matters as much as the match itself: threat level tells you urgency, TLP tells you sharing rules, galaxy clusters tell you the threat actor and techniques
  • "No match" is a finding too — it means the IOC isn't in your threat intel feeds yet and requires alternative enrichment (VirusTotal, OSINT)
  • A structured IOC report is how you communicate intelligence to incident responders, management, and partner organizations

What's Next

In Lab 7.2 — Feed Correlation, you'll go beyond manual lookups and configure MISP's automated threat intelligence feeds. Instead of searching one IOC at a time, you'll connect external feed sources and let MISP correlate incoming IOCs against your event database automatically — the way production SOC teams handle thousands of indicators per day.

Lab Challenge: IOC Lookup

10 questions · 70% to pass

1. Log in to MISP and navigate to Event Actions → List Events. How many pre-loaded threat events are in the instance?

2. Search for IP address '203.0.113.50' in MISP. Which threat event does this IOC belong to?

3. Search for the MD5 hash 'e99a18c428cb38d5f260853678922e03' in MISP. What malware family is this hash associated with?

4. Click into the APT29/SolarWinds event and examine its attributes. What type of supply chain attack does this event document?

5. You searched for '198.51.100.23' and found a match. What is the threat level assigned to the parent event?

6. When you find a matched IOC in MISP, you notice a TLP:AMBER tag on the event. What does this mean for how you can share the intelligence?

7. You searched for domain 'update-service.darkoperator.com' and found it in MISP. After clicking into the parent event, what should you do NEXT as a SOC analyst?

8. One of the 5 IOCs returns zero results in MISP. What is the correct interpretation?

9. Examine the LockBit 3.0 event in MISP. What galaxy cluster category links this event to the MITRE ATT&CK framework?

10. After completing all 5 IOC lookups, your report shows 4 matched and 1 unknown. What should the 'Recommended Actions' section of your report prioritize?
