Skip to content

uliyach45/CTI-Lab2-MISP-Elastic-Integration

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 

Repository files navigation

CTI-Lab2-MISP-Elastic-Integration

Lab 2 for Cyber Threat Intelligence (CTI) — Integration of MISP with Elastic Stack for IoC ingestion, and deployment of Elastic Agents on Linux and Windows endpoints via Fleet Server for centralized log forwarding.

CTI Lab 2 — MISP & Elastic Stack Integration + Elastic Agent Deployment

Student: Uliya Fatima | Roll No: 232098
Course: Cyber Threat Intelligence (CTI) | Lab: 02
Date: March 6, 2026


Overview

This lab documents the integration of two core CTI platform components:

  1. MISP + Elastic Stack Integration — ingesting threat intelligence indicators (IoCs) from MISP into Elasticsearch/Kibana.
  2. Elastic Agent Deployment — installing and enrolling agents on both Linux and Windows endpoints for centralized log forwarding via Fleet Server.

Lab Environment

Component IP / Details
MISP Server 192.168.17.130 — Threat intelligence platform
Elastic Stack 192.168.17.129 — Elasticsearch, Kibana, Fleet Server
Linux Agent Host Ubuntu/Debian VM — forwarding syslog & auditd
Windows Agent Host Windows 10/Server VM — forwarding Windows Event Logs
Network Shared internal virtual network (same subnet)

Task 1 — MISP & Elastic Stack Integration

Objective

Configure MISP to export threat indicators via its REST API, and ingest them into Elasticsearch using Kibana's MISP Threat Intelligence integration module.

Steps

1. MISP Platform Configuration

  • Log into the MISP web interface
  • Navigate to Administration → My Profile → Auth Keys to generate an API key
  • Configure threat feeds and verify events are populated

2. Elastic Stack — Threat Intelligence Module

  • In Kibana, go to Integrations → search for MISP Threat Intelligence
  • Install and configure the module with:
    • MISP URL: http://192.168.17.130
    • API Key (generated above)
    • Polling interval for indicator ingestion

3. Verify Data in Elasticsearch

# Use Kibana Dev Tools to verify MISP IoCs are indexed
GET .ds-logs-ti_misp.threat-*/_search
  • Navigate to Kibana → Security → Threat Intelligence to view imported indicators (IPs, domains, hashes, URLs)

Task 2 — Elastic Agent Deployment (Linux & Windows)

Objective

Deploy Elastic Agent on Linux and Windows endpoints, enroll them in Fleet Server, and verify centralized log forwarding to Elasticsearch.

Fleet Server Setup

  • Navigate to Kibana → Fleet → Settings
  • Configure Fleet Server host URL and Elasticsearch output
  • Create an Agent Policy with integrations: System, Windows, Auditd

Linux Agent Installation

# Download Elastic Agent
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.x.x-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.x.x-linux-x86_64.tar.gz
cd elastic-agent-8.x.x-linux-x86_64

# Install and enroll with Fleet
sudo ./elastic-agent install \
  --url=https://192.168.17.129:8220 \
  --enrollment-token=<YOUR_ENROLLMENT_TOKEN>

Verification:

  • Check service: sudo systemctl status elastic-agent
  • Confirm agent appears as Healthy in Kibana Fleet dashboard
  • Verify syslog and auditd events in Kibana → Discover

Windows Agent Installation

# Run in PowerShell (Administrator)
$ProgressPreference = "SilentlyContinue"
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.x.x-windows-x86_64.zip -OutFile elastic-agent.zip
Expand-Archive .\elastic-agent.zip -DestinationPath .\
cd elastic-agent-8.x.x-windows-x86_64

.\elastic-agent.exe install `
  --url=https://192.168.17.129:8220 `
  --enrollment-token=<YOUR_ENROLLMENT_TOKEN>

Verification:

  • Check Windows Services (services.msc) for Elastic Agent status
  • Confirm agent appears as Healthy in Kibana Fleet dashboard
  • Verify Windows Event Logs (Security, System, Application) in Kibana → Discover

Validation Summary

Component Validation Check Status
MISP Platform Web interface accessible, API key generated ✅ Passed
MISP → Elastic Integration Threat indicators indexed in Elasticsearch ✅ Passed
Kibana Threat Intelligence MISP IoCs visible in Threat Intel view ✅ Passed
Kibana Dashboard Indicator visualization operational ✅ Passed
Linux Elastic Agent Agent enrolled, service healthy in Fleet ✅ Passed
Linux Log Forwarding Syslog/auditd events indexed in Kibana ✅ Passed
Windows Elastic Agent Agent enrolled, service healthy in Fleet ✅ Passed
Windows Log Forwarding Event Logs (Security/System) indexed ✅ Passed

Conclusion

This lab successfully demonstrated:

  • Integration of MISP with Elastic Stack for real-time threat intelligence ingestion
  • Fleet-managed Elastic Agent deployment on both Linux and Windows endpoints
  • Centralized log aggregation and MISP IoC correlation in a SOC-ready environment

References


Tools & Technologies

MISP Elastic Stack Elasticsearch Kibana Fleet Server Elastic Agent Logstash Docker Ubuntu Windows Threat Intelligence SIEM SOC CTI

About

Lab 2 for Cyber Threat Intelligence (CTI) — Integration of MISP with Elastic Stack for IoC ingestion, and deployment of Elastic Agents on Linux and Windows endpoints via Fleet Server for centralized log forwarding.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors