What You'll Learn
- Pivot from a single IOC in one tool to related indicators in another to build a complete threat picture
- Search Wazuh alerts for suspicious IPs, domains, and file hashes identified during an investigation
- Correlate Wazuh alert data with MISP threat intelligence events to confirm attribution and context
- Chain multiple pivots (IP → domain → hash → campaign) to map the full scope of an intrusion
- Document a pivot chain as a one-page threat profile suitable for incident escalation
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-wazuh-misp |
| Containers | Wazuh Manager, Wazuh Indexer, Wazuh Dashboard, MISP |
| Estimated Time | 60 minutes |
| Difficulty | Intermediate |
| Browser Access | Wazuh Dashboard (Web UI) + MISP (Web UI) |
| Pre-Loaded Data | Wazuh alerts with matching MISP IOCs forming an interconnected pivot chain |
| Deliverable | One-page threat profile showing the full pivot chain from IP → domain → hash → campaign |
Why Pivoting Matters. A single alert tells you something happened. Pivoting tells you what happened, how it connects, and how far it spread. Real SOC investigations never stop at the first IOC — every indicator is a door to more context. This lab teaches the cross-tool investigation workflow that separates alert processors from threat analysts.
The Scenario
Your SOC dashboard shows a new Wazuh alert: outbound network traffic to a suspicious external IP address from one of your monitored endpoints. The alert alone gives you an IP and a timestamp — not enough to act on.
Your mission: start from that single IP, pivot between Wazuh and MISP, and uncover the full attack picture — the domain it resolves to, the malicious file that triggered the connection, and the threat campaign behind it all.
Every pivot adds a piece to the puzzle. By the end, you'll have a complete threat profile ready for escalation.
Part 1: Start in Wazuh — Find the Suspicious IP
Step 1: Open the Wazuh Dashboard
Navigate to the Security Events section of the Wazuh Dashboard. Set the time range to cover the pre-loaded alert window (last 24 hours).
Step 2: Identify the Initial Alert
Search for alerts with high severity (rule level >= 10) related to outbound network connections. Look for alerts that reference an external IP address outside your internal network ranges.
```
rule.level: >= 10 AND NOT data.srcip: 10.* AND NOT data.srcip: 192.168.*
```
Record the following from the alert:
- Source agent (which endpoint triggered the alert)
- Destination IP address (the suspicious external IP)
- Rule ID and description
- Timestamp
Start Broad, Then Narrow. Your first query should cast a wide net for high-severity external-facing alerts. Once you identify the suspicious IP, all subsequent queries will use it as an anchor point.
Step 3: Search for All Activity Involving This IP
Now query Wazuh for every alert involving the suspicious IP:
```
data.srcip: <SUSPICIOUS_IP> OR data.dstip: <SUSPICIOUS_IP>
```
Document the total alert count, the agents involved, and the time span. This tells you how long the IP has been active in your environment and which endpoints are affected.
Part 2: First Pivot — Wazuh → MISP (IP Lookup)
Step 4: Search MISP for the Suspicious IP
Open MISP in a new browser tab. Navigate to the Event Index page and use the search function to look up the suspicious IP address you found in Wazuh.
- Go to Event Actions → Search Attributes
- Enter the IP address in the search field
- Select the attribute type `ip-dst`, or search across all types
Record from MISP:
- Which MISP event(s) contain this IP
- The event title and threat level
- The associated tags (TLP, threat actor, campaign name)
- Any related attributes in the same event
Step 5: Discover the Related Domain
Within the MISP event that contains your suspicious IP, look at the other attributes. You should find a domain name linked to the same event — this is the domain the IP resolves to (or was used alongside in the campaign).
Record:
- The domain name
- Its attribute type (domain, hostname, etc.)
- Any comments or context attached to it
Trust but Verify. MISP tells you the domain is related to the IP. But "related in threat intelligence" doesn't mean "active in your environment." Your next step is to go back to Wazuh and check whether this domain appears in YOUR logs.
Part 3: Second Pivot — MISP → Wazuh (Domain Search)
Step 6: Search Wazuh for the Domain
Return to the Wazuh Dashboard and search for the domain you discovered in MISP:
```
full_log: *<DOMAIN_NAME>* OR data.url: *<DOMAIN_NAME>*
```
If results appear, this confirms the domain is active in your environment — not just in threat intelligence feeds.
Record:
- Number of alerts referencing this domain
- Which agents are affected
- What type of activity the alerts describe (DNS query, HTTP request, etc.)
- Any file hashes or filenames mentioned in the same alerts
Step 7: Extract the File Hash
Examine the Wazuh alerts referencing the domain. Look for alerts that include file integrity monitoring (FIM) data or process execution logs that reference a file hash (MD5, SHA1, or SHA256).
```
data.url: *<DOMAIN_NAME>* AND (syscheck.md5_after: * OR syscheck.sha256_after: *)
```
If FIM alerts aren't present, check process creation events for hashes in the command line or parent process fields.
Record:
- The file hash (and hash type)
- The filename associated with it
- The path where the file was found
Part 4: Third Pivot — Wazuh → MISP (Hash Lookup)
Step 8: Search MISP for the File Hash
Return to MISP and search for the file hash you extracted from Wazuh:
- Event Actions → Search Attributes
- Enter the hash value
- Search across the attribute types `md5`, `sha1` and `sha256`
Record from MISP:
- Which event(s) contain this hash
- Is it the SAME event as the IP, or a DIFFERENT one?
- The malware family or tool name (if tagged)
- Any additional IOCs in this event you haven't seen yet
Step 9: Map the Complete Chain
At this point you should have a chain of at least 4 connected IOCs:
```
[Wazuh Alert] → Suspicious IP
      ↓ (pivot to MISP)
[MISP Event]  → IP + Related Domain
      ↓ (pivot back to Wazuh)
[Wazuh Alert] → Domain activity + File Hash
      ↓ (pivot to MISP)
[MISP Event]  → Hash + Malware Family + Campaign
```
Each arrow is a pivot. Each pivot added context that wasn't visible from the starting point.
Part 5: Build the Threat Profile
Document Your Pivot Chain
Using the data from all four pivots, create a one-page threat profile:
```
THREAT PROFILE — Pivot & Expand Investigation
═══════════════════════════════════════════════
Date: [today's date]
Analyst: [your name]
Starting Point: Wazuh alert — outbound traffic to suspicious IP

PIVOT CHAIN
───────────
1. INITIAL IOC (Wazuh)
   IP Address: [suspicious IP]
   Source Agent: [agent name]
   Alert Rule: [rule ID — description]
   First Seen: [timestamp]

2. FIRST PIVOT → MISP
   MISP Event: [event title]
   Threat Level: [high/medium/low]
   Related Domain: [domain found in same event]
   Campaign Tags: [any campaign/actor tags]

3. SECOND PIVOT → Wazuh
   Domain Active in Environment: [yes/no]
   Affected Agents: [list]
   Activity Type: [DNS/HTTP/process execution]
   File Hash Extracted: [hash value]

4. THIRD PIVOT → MISP
   Hash Match: [yes/no — same or different event]
   Malware Family: [if identified]
   Additional IOCs: [any new indicators found]

ASSESSMENT
──────────
Scope: [number of affected endpoints]
Confidence: [high/medium/low — based on number of confirmed pivots]
Recommended Action: [block IOCs / isolate host / escalate to IR team]
```
Confidence Scoring. Each confirmed pivot raises your confidence level. One IOC match = low confidence (could be a false positive). Two cross-tool confirmations = medium. Three or more pivots confirming the same campaign = high confidence — escalate immediately.
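The pivot chain from Steps 3 to 9 and the confidence rule above, as an added offline example (not part of the lab or of Wazuh/MISP): the alerts, events, IP, domain and hash are constructed samples, and `wazuh_search`/`misp_search` stand in for the Dashboard queries and MISP's Search Attributes page rather than calling either API.

```python
# Added example, not part of the lab: an offline model of the pivot chain
# IP -> domain -> hash -> campaign and of the lab's confidence rule
# (one confirmed pivot = low, two = medium, three or more = high). All values are constructed.
DOMAIN, SHA256 = "updates.example-bad.test", "a" * 64

WAZUH_ALERTS = [  # constructed stand-ins for alert documents in the Wazuh indexer
    {"agent": "ws-01", "rule": 87701, "data": {"dstip": "203.0.113.7"}, "full_log": "out 203.0.113.7"},
    {"agent": "ws-02", "rule": 87701, "data": {"dstip": "203.0.113.7"}, "full_log": "out 203.0.113.7"},
    {"agent": "ws-01", "rule": 31100, "data": {"url": f"http://{DOMAIN}/x"},
     "syscheck": {"sha256_after": SHA256, "path": "/tmp/x.bin"}, "full_log": f"GET {DOMAIN}"},
]
MISP_EVENTS = [  # constructed stand-in for one MISP event holding correlated attributes
    {"id": 42, "info": "Campaign Alpha C2 infrastructure", "tags": ["campaign:alpha", "tlp:amber"],
     "attributes": [{"type": "ip-dst", "value": "203.0.113.7"},
                    {"type": "domain", "value": DOMAIN},
                    {"type": "sha256", "value": SHA256}]},
]

def wazuh_search(value):  # models the Dashboard queries: match in full_log, data.* or syscheck.*
    return [a for a in WAZUH_ALERTS if value in a["full_log"]
            or any(value in v for v in a["data"].values())
            or value in a.get("syscheck", {}).values()]

def misp_search(value, types):  # models MISP's Search Attributes, filtered by attribute type
    return [e for e in MISP_EVENTS
            if any(a["value"] == value and a["type"] in types for a in e["attributes"])]

def confidence(pivots):  # the lab's scoring rule
    return "high" if pivots >= 3 else "medium" if pivots == 2 else "low"

def pivot_chain(ip):
    """Walk the chain, stopping at the first pivot that finds nothing; return what was confirmed."""
    chain = {"ip": ip, "agents": sorted({a["agent"] for a in wazuh_search(ip)}), "pivots": 0}
    ev = misp_search(ip, {"ip-dst", "ip-src"})                              # pivot 1: Wazuh -> MISP
    domains = [a["value"] for e in ev for a in e["attributes"] if a["type"] in ("domain", "hostname")]
    if ev:
        chain["pivots"], chain["event"] = 1, ev[0]["info"]
    hits = wazuh_search(domains[0]) if domains else []                      # pivot 2: MISP -> Wazuh
    if hits:
        chain["pivots"], chain["domain"] = 2, domains[0]
    hashes = [h["syscheck"]["sha256_after"] for h in hits if "syscheck" in h]
    ev2 = misp_search(hashes[0], {"md5", "sha1", "sha256"}) if hashes else []  # pivot 3: Wazuh -> MISP
    if ev2:
        chain["pivots"], chain["hash"] = 3, hashes[0]
        chain["same_event"] = ev2[0]["id"] == ev[0]["id"]   # same event as the IP strengthens attribution
        chain["campaign"] = [t for t in ev2[0]["tags"] if t.startswith("campaign:")]
    chain["confidence"] = confidence(chain["pivots"])
    return chain
```

An IP with no MISP match stops the chain at zero pivots and scores `low`, which is the false-positive case the scoring rule is meant to flag.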
Deliverable Checklist
Before completing the lab, ensure you have:
- Initial Alert Documented — IP address, agent, rule ID, and timestamp from Wazuh
- First Pivot (IP → MISP) — MISP event details, related domain discovered
- Second Pivot (Domain → Wazuh) — Domain confirmed active in environment, file hash extracted
- Third Pivot (Hash → MISP) — Hash correlated to malware family or campaign
- Complete Threat Profile — One-page document with all four pivot points and assessment
Key Takeaways
- Pivoting transforms a single alert into a complete threat narrative by following IOC relationships across tools
- Wazuh provides detection and telemetry (what happened in YOUR environment); MISP provides intelligence context (what this means globally)
- Every pivot should be bidirectional — confirm MISP intelligence by searching for it in Wazuh, and enrich Wazuh detections by looking them up in MISP
- The pivot chain pattern (IP → domain → hash → campaign) is the most common cross-tool investigation workflow in real SOCs
- Document every pivot point — the chain of evidence is what gives your threat profile credibility during escalation
What's Next
In Lab 7.3 — Enrich and Contextualize, you'll take pivoting further by adding automated enrichment — using MISP's correlation engine and external feeds to automatically surface related IOCs, reducing the manual pivot work you did in this lab.
Lab Challenge: Pivot and Expand
10 questions · 70% to pass
You find a Wazuh alert for outbound traffic to a suspicious IP. What is your FIRST pivot action?
In MISP, you find the suspicious IP inside an event that also contains a domain attribute. What does this relationship tell you?
After finding a related domain in MISP, you search Wazuh for that domain. Why is this pivot back to Wazuh critical?
Which Wazuh query syntax would correctly search for a domain across multiple log fields?
You extract a file hash from a Wazuh alert related to the suspicious domain. You search MISP and find the hash in the SAME event as the original IP. What does this confirm?
How many pivots are in the standard cross-tool investigation chain: IP → domain → hash → campaign?
In your threat profile, what confidence level should you assign when all three pivots confirm IOCs in the same MISP event?
What is the primary role of Wazuh vs. MISP in a pivot-based investigation?
You complete your pivot chain and find 3 affected endpoints. What should your threat profile recommend as the next action?
Why should pivots be documented in order (IP → domain → hash → campaign) rather than just listing all IOCs?