Hands-on Lab · Intermediate · ~50 min · Includes challenge

Lab 7.3 — Feed the SIEM

Take 3 confirmed malicious IOCs from MISP, search Wazuh for historical hits, and produce a structured IOC Presence Report with timestamps, affected hosts, and recommended response actions.

Tools needed: Wazuh Dashboard, MISP

What You'll Learn

  • Extract confirmed malicious IOCs (IPs, domains, hashes) from MISP events
  • Translate IOC types into Wazuh-compatible search queries
  • Search Wazuh historical logs for evidence of IOC presence in the environment
  • Document findings in a structured IOC Presence Report with timestamps and affected hosts
  • Determine appropriate response actions based on IOC hit context

Lab Overview

Detail            Value
Lab Profile       lab-wazuh-misp
Containers        Wazuh Manager, Wazuh Indexer, Wazuh Dashboard, MISP
Estimated Time    50 minutes
Difficulty        Intermediate
Browser Access    Wazuh Dashboard (Web UI), MISP (Web UI)
Pre-Loaded Data   MISP: 3 confirmed malicious IOCs across 1 event · Wazuh: 505 alerts with matching historical hits
Deliverable       IOC Presence Report — table mapping each IOC to Wazuh evidence with timestamps, hosts, and actions

Why This Matters. Threat intelligence is only valuable when it's operationalized. Having IOCs sitting in MISP doesn't protect your organization — hunting those IOCs in your SIEM data does. This lab teaches the exact workflow SOC analysts use daily: pull indicators from your threat intel platform, search your logs for historical hits, and produce an actionable report for incident response.


The Scenario

Your threat intelligence team has published a new event in MISP titled "Operation Midnight Relay" containing 3 confirmed malicious indicators of compromise. The IOCs were sourced from a partner organization that was breached last week using the same threat actor infrastructure.

Your task: take each IOC from MISP, search Wazuh for any historical evidence that these indicators have appeared in your environment, and produce a structured IOC Presence Report documenting which IOCs were found, when they appeared, which hosts were affected, and what response actions are recommended.

You have 50 minutes.


Part 1: Extract IOCs from MISP

Step 1: Log into MISP

Open the MISP web interface from your lab dashboard. Sign in with the pre-configured credentials shown on the lab landing page.

Step 2: Locate the Threat Intel Event

Navigate to Events in the top menu. You should see the event titled "Operation Midnight Relay". Click on it to view the full event details.

Step 3: Review the Event Metadata

Before extracting IOCs, note the event context:

  • Threat Level: High
  • Analysis Status: Completed
  • Distribution: Your organisation only
  • Tags: Review any TLP and MITRE ATT&CK tags attached

Context Is King. The event metadata tells you how confident the source is (analysis: completed), how widely the intel should be shared (TLP marking), and what attack techniques are involved (ATT&CK tags). Always review this before acting on the IOCs.

Step 4: Extract the IOCs

The event contains 3 attributes (IOCs). For each one, record:

IOC EXTRACTION WORKSHEET
═══════════════════════════
Event: Operation Midnight Relay

IOC #1
  Type:     [ip-src / domain / md5 / sha256 / etc.]
  Value:    [the actual indicator]
  Category: [Network activity / Payload delivery / etc.]
  Comment:  [any analyst notes attached]

IOC #2
  Type:     [...]
  Value:    [...]
  Category: [...]
  Comment:  [...]

IOC #3
  Type:     [...]
  Value:    [...]
  Category: [...]
  Comment:  [...]

Don't Skip the Type. The IOC type determines which Wazuh field you'll search. An IP-src maps to data.srcip, a domain maps to DNS query fields, and a file hash maps to FIM or syscheck fields. Getting the type wrong means searching the wrong field and missing real hits.

[Diagram: Intel to SIEM Workflow]


Part 2: Translate IOCs to Wazuh Queries

Understanding Field Mapping

Different IOC types map to different Wazuh fields:

IOC Type       Wazuh Field(s)                               Example Query
ip-src         data.srcip                                   data.srcip: 185.220.101.42
ip-dst         data.dstip, data.win.eventdata.ipAddress     data.dstip: 91.234.99.87
domain         data.dns.question.name, full_log: *domain*   data.dns.question.name: evil.example.com
md5 / sha256   syscheck.md5_after, syscheck.sha256_after    syscheck.md5_after: abc123...
url            data.url, full_log: *path*                   full_log: */malicious/path*

Step 5: Build Your Queries

For each IOC you extracted, write the corresponding Wazuh query:

QUERY MAPPING
═════════════
IOC #1 → Wazuh Query: [field: value]
IOC #2 → Wazuh Query: [field: value]
IOC #3 → Wazuh Query: [field: value]

Broad First, Then Narrow. For your first search on each IOC, use the broadest possible query (e.g., just the IP with no additional filters). If you get results, THEN narrow with time ranges or specific rule IDs. Starting too narrow risks missing legitimate hits.
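The mapping table and Step 5 can be scripted so that every MISP attribute, including composite types such as domain|ip or filename|sha256, is turned into the same two query forms you use by hand: the search-bar string for the Dashboard and the equivalent OpenSearch DSL body for the indexer API. The following is an added example written for this lab; it is not code from the lab, from Wazuh or from MISP. It assumes the field names in the table above (Wazuh's standard decoder and syscheck fields), that the search-bar string is Lucene syntax (switch the Dashboard search bar from DQL to Lucene before pasting it), and that alert time lives in the timestamp field of the wazuh-alerts-* indices. The sample IOC values are the ones this lab text uses as illustrations.

```python
"""Translate MISP attribute types into Wazuh search queries.

Added example for Lab 7.3; not code from the lab, Wazuh or MISP.
Assumptions: field names follow the lab's mapping table; the query-string
output is Lucene syntax (Dashboard search bar set to Lucene); the DSL body
targets the indexer's wazuh-alerts-* indices, whose event time is `timestamp`.
"""
import json

# MISP type -> [(Wazuh field, "exact" | "wildcard")]. Composite MISP types such
# as 'domain|ip' or 'filename|sha256' are split into these simple types first.
FIELD_MAP = {
    "ip-src":   [("data.srcip", "exact")],
    "ip-dst":   [("data.dstip", "exact"), ("data.win.eventdata.ipAddress", "exact")],
    "ip":       [("data.srcip", "exact"), ("data.dstip", "exact")],
    "domain":   [("data.dns.question.name", "exact"), ("full_log", "wildcard")],
    "hostname": [("data.dns.question.name", "exact"), ("full_log", "wildcard")],
    "md5":      [("syscheck.md5_after", "exact")],
    "sha1":     [("syscheck.sha1_after", "exact")],
    "sha256":   [("syscheck.sha256_after", "exact")],
    "url":      [("data.url", "exact"), ("full_log", "wildcard")],
}

# Characters the Lucene query parser treats as operators.
_LUCENE_SPECIALS = set('+-=&|><!(){}[]^"~*?:\\/ ')


def expand_attribute(attr_type, value):
    """Split a composite MISP attribute into simple (type, value) pairs.

    'filename' halves are dropped: FIM evidence is matched on the hash, and a
    bare file name is too weak an indicator to search for on its own.
    """
    types, values = attr_type.split("|"), value.split("|")
    if len(types) != len(values):
        raise ValueError(f"composite type/value mismatch: {attr_type!r} / {value!r}")
    pairs = [(t, v) for t, v in zip(types, values) if t != "filename"]
    unknown = [t for t, _ in pairs if t not in FIELD_MAP]
    if unknown:
        raise ValueError(f"no Wazuh field mapping for MISP type(s): {unknown}")
    return pairs


def _escape(value):
    return "".join("\\" + c if c in _LUCENE_SPECIALS else c for c in value)


def build_query_string(attr_type, value):
    """Search-bar query: exact fields are quoted, free-text fields use wildcards."""
    clauses = []
    for t, v in expand_attribute(attr_type, value):
        for field, mode in FIELD_MAP[t]:
            if mode == "exact":
                quoted = v.replace("\\", "\\\\").replace('"', '\\"')
                clauses.append(f'{field}:"{quoted}"')
            else:
                clauses.append(f"{field}:*{_escape(v)}*")
    return " OR ".join(clauses)


def build_dsl(attr_type, value, since="now-7d", size=100):
    """Equivalent OpenSearch DSL body for GET wazuh-alerts-*/_search.

    `since` is the 'broad first' window from Step 7: widen it if the broad
    search returns nothing. Hits are sorted oldest first, so the first hit
    is the 'first seen' timestamp for the worksheet.
    """
    should = []
    for t, v in expand_attribute(attr_type, value):
        for field, mode in FIELD_MAP[t]:
            if mode == "exact":
                should.append({"match_phrase": {field: v}})
            else:  # wildcard over free text; case-insensitive so case in logs does not hide a hit
                should.append({"wildcard": {field: {"value": f"*{v}*", "case_insensitive": True}}})
    return {
        "size": size,
        "sort": [{"timestamp": {"order": "asc"}}],
        "query": {"bool": {
            "should": should,
            "minimum_should_match": 1,
            "filter": [{"range": {"timestamp": {"gte": since}}}],
        }},
    }


if __name__ == "__main__":
    # Sample IOCs: the values this lab text uses as illustrations.
    for t, v in [("ip-src", "185.220.101.42"), ("domain", "evil.example.com"),
                 ("domain|ip", "evil.example.com|91.234.99.87")]:
        print(f"{t:<10} {v}")
        print("  search bar:", build_query_string(t, v))
        print("  DSL:", json.dumps(build_dsl(t, v)))
```

The generator deliberately ORs every candidate field for a type rather than picking one, which is the "broad first" rule above in code form: narrowing by rule ID or agent is something you add to the bool filter only after the broad query has shown hits.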


Part 3: Search Wazuh for Historical Hits

Step 6: Open Wazuh Dashboard

Switch to the Wazuh Dashboard. Navigate to Security Events (or Discover under the OpenSearch menu for raw log access).

Step 7: Set Your Time Range

Expand the time range to cover the full dataset. Click the date picker in the top-right and select Last 7 days or a custom range that covers the pre-loaded data window. If you see zero results, widen the window further.

Step 8: Search IOC #1

Paste your first query into the search bar. Document what you find:

IOC #1 SEARCH RESULTS
═════════════════════
Query Used:     [your query]
Total Hits:     [count]
Time of First Hit: [timestamp]
Time of Last Hit:  [timestamp]
Affected Host(s):  [agent name(s)]
Rule ID(s):        [Wazuh rules that fired]
Severity:          [rule levels]
Key Observation:   [what does this tell you?]

Step 9: Search IOC #2

Repeat for your second IOC. Pay attention to whether the results correlate with IOC #1 — same host? Same timeframe? Same attack chain?

Step 10: Search IOC #3

Repeat for your third IOC. By now you should be seeing a pattern across the three indicators.

Correlation Is Key. Individual IOC hits are data points. Multiple IOCs hitting the same host in the same timeframe is an incident. Always look for overlap between indicators — it tells you whether you're dealing with isolated noise or a coordinated attack.


Part 4: Build the IOC Presence Report

Step 11: Complete the Deliverable

Using your search results, fill in the IOC Presence Report table:

IOC PRESENCE REPORT
═══════════════════════════════════════════════════════════════════════════════════════
Intel Source: MISP — "Operation Midnight Relay"
Analyst:      [your name]
Date:         [today's date]
Environment:  CyberBlue Lab (Wazuh)

┌─────────────────────┬──────────┬────────────────┬─────────────────────┬──────────────────┬──────────────────────────┐
│ IOC                 │ Type     │ Found in Wazuh?│ Timestamp           │ Affected Host    │ Recommended Action       │
├─────────────────────┼──────────┼────────────────┼─────────────────────┼──────────────────┼──────────────────────────┤
│ [value]             │ [type]   │ Yes / No       │ [first seen]        │ [agent name]     │ [Block/Investigate/etc.] │
│ [value]             │ [type]   │ Yes / No       │ [first seen]        │ [agent name]     │ [Block/Investigate/etc.] │
│ [value]             │ [type]   │ Yes / No       │ [first seen]        │ [agent name]     │ [Block/Investigate/etc.] │
└─────────────────────┴──────────┴────────────────┴─────────────────────┴──────────────────┴──────────────────────────┘

SUMMARY
───────
Total IOCs Checked:  3
IOCs Found in Logs:  [count]
IOCs Not Found:      [count]
Hosts Affected:      [list]
Earliest Activity:   [timestamp]
Latest Activity:     [timestamp]
Correlation Notes:   [did multiple IOCs hit the same host/timeframe?]
Recommended Actions: [prioritized response steps]

[Diagram: IOC Presence Report]

Step 12: Determine Response Actions

For each IOC that had hits, determine the appropriate response:

Finding                                        Recommended Action
External IP with multiple hits across hosts    Block at firewall immediately, investigate all affected hosts
Domain resolved by internal host               Block at DNS, check host for malware artifacts
File hash found on endpoint                    Isolate host, collect forensic image, scan all endpoints
IOC found but in old logs only (>30 days)      Lower priority — historical exposure, verify current firewall rules
IOC not found                                  Document as "not present" — continue monitoring

"Not Found" Is Still a Finding. If an IOC has zero hits, that's valuable intelligence — it means your logs hold no evidence that your environment has been exposed to that specific indicator (yet). Document it anyway. The absence of evidence is not evidence of absence — the threat actor may use the IOC in the future.


Deliverable Checklist

Before completing the lab, ensure you have:

  • IOC Extraction Worksheet — all 3 IOCs documented with type, value, and category from MISP
  • Query Mapping — each IOC translated into a Wazuh-compatible search query
  • Search Results — documented results for each IOC including hit counts, timestamps, and affected hosts
  • IOC Presence Report — completed table with all 6 columns filled (IOC, Type, Found?, Timestamp, Host, Action)
  • Summary Section — correlation notes and prioritized response actions
  • Response Actions — justified recommendations for each IOC based on findings

Key Takeaways

  • Threat intelligence is only useful when operationalized — IOCs in MISP must be hunted in your SIEM to have value
  • IOC type determines which SIEM field to search — IPs map to data.srcip, domains to DNS fields, hashes to syscheck fields
  • Always start with broad queries, then narrow based on initial results to avoid missing legitimate hits
  • Correlation across multiple IOCs reveals whether you're dealing with isolated noise or a coordinated attack
  • An IOC Presence Report is a standard SOC deliverable that bridges threat intelligence and incident response
  • "Not found" is still a valid and important finding — document it for future reference

What's Next

In Lab 7.4 — Tag the Threat, you'll take the IOCs you've confirmed as present and enrich them in MISP with sighting data, tags, and correlation links — turning raw indicators into actionable threat intelligence that can be shared with partner organizations.

Lab Challenge: Feed the SIEM

10 questions · 70% to pass

1. You've logged into MISP and opened the 'Operation Midnight Relay' event. Where do you find the actual IOC values (indicators) within the event?

2. You extracted an IOC of type 'ip-src' with value '185.220.101.42' from MISP. Which Wazuh field should you search to find this indicator in your logs?

3. You search Wazuh for IOC #1 and get 15 hits. You then search IOC #2 and find 8 hits on the SAME host in the SAME timeframe. What does this correlation tell you?

4. You search Wazuh for an IOC of type 'domain' but get zero results using 'data.srcip: evil.example.com'. What went wrong?

5. Your IOC Presence Report shows 2 out of 3 IOCs found in Wazuh, with the third having zero hits. How should you document the 'not found' IOC?

6. You found a malicious IP hitting linux-web-01 with 12 events over a 3-hour window. What should be your FIRST recommended response action?

7. When building your Wazuh query for an IOC, why should you start with a broad query before narrowing down?

8. In your IOC Presence Report, you list timestamps for each hit. Why is recording the 'first seen' timestamp particularly important?

9. You found a file hash IOC in Wazuh's syscheck (file integrity monitoring) data on WIN-SERVER-01. What response action is MOST appropriate for a confirmed malicious file hash on an endpoint?

10. What is the PRIMARY purpose of an IOC Presence Report as a SOC deliverable?