Lab 2 for Cyber Threat Intelligence (CTI) — Integration of MISP with Elastic Stack for IoC ingestion, and deployment of Elastic Agents on Linux and Windows endpoints via Fleet Server for centralized log forwarding.
Student: Uliya Fatima | Roll No: 232098
Course: Cyber Threat Intelligence (CTI) | Lab: 02
Date: March 6, 2026
This lab documents the integration of two core CTI platform components:
- MISP + Elastic Stack Integration — ingesting threat intelligence indicators (IoCs) from MISP into Elasticsearch/Kibana.
- Elastic Agent Deployment — installing and enrolling agents on both Linux and Windows endpoints for centralized log forwarding via Fleet Server.
| Component | IP / Details |
|---|---|
| MISP Server | 192.168.17.130 — Threat intelligence platform |
| Elastic Stack | 192.168.17.129 — Elasticsearch, Kibana, Fleet Server |
| Linux Agent Host | Ubuntu/Debian VM — forwarding syslog & auditd |
| Windows Agent Host | Windows 10/Server VM — forwarding Windows Event Logs |
| Network | Shared internal virtual network (same subnet) |
Configure MISP to export threat indicators via its REST API, and ingest them into Elasticsearch using Kibana's MISP Threat Intelligence integration module.
1. MISP Platform Configuration
- Log into the MISP web interface
- Navigate to Administration → My Profile → Auth Keys to generate an API key
- Configure threat feeds and verify events are populated
2. Elastic Stack — Threat Intelligence Module
- In Kibana, go to Integrations → search for MISP Threat Intelligence
- Install and configure the module with:
- MISP URL:
http://192.168.17.130 - API Key (generated above)
- Polling interval for indicator ingestion
- MISP URL:
3. Verify Data in Elasticsearch
# Use Kibana Dev Tools to verify MISP IoCs are indexed
GET .ds-logs-ti_misp.threat-*/_search- Navigate to Kibana → Security → Threat Intelligence to view imported indicators (IPs, domains, hashes, URLs)
Deploy Elastic Agent on Linux and Windows endpoints, enroll them in Fleet Server, and verify centralized log forwarding to Elasticsearch.
- Navigate to Kibana → Fleet → Settings
- Configure Fleet Server host URL and Elasticsearch output
- Create an Agent Policy with integrations: System, Windows, Auditd
# Download Elastic Agent
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.x.x-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.x.x-linux-x86_64.tar.gz
cd elastic-agent-8.x.x-linux-x86_64
# Install and enroll with Fleet
sudo ./elastic-agent install \
--url=https://192.168.17.129:8220 \
--enrollment-token=<YOUR_ENROLLMENT_TOKEN>Verification:
- Check service:
sudo systemctl status elastic-agent - Confirm agent appears as Healthy in Kibana Fleet dashboard
- Verify syslog and auditd events in Kibana → Discover
# Run in PowerShell (Administrator)
$ProgressPreference = "SilentlyContinue"
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.x.x-windows-x86_64.zip -OutFile elastic-agent.zip
Expand-Archive .\elastic-agent.zip -DestinationPath .\
cd elastic-agent-8.x.x-windows-x86_64
.\elastic-agent.exe install `
--url=https://192.168.17.129:8220 `
--enrollment-token=<YOUR_ENROLLMENT_TOKEN>Verification:
- Check Windows Services (
services.msc) for Elastic Agent status - Confirm agent appears as Healthy in Kibana Fleet dashboard
- Verify Windows Event Logs (Security, System, Application) in Kibana → Discover
| Component | Validation Check | Status |
|---|---|---|
| MISP Platform | Web interface accessible, API key generated | ✅ Passed |
| MISP → Elastic Integration | Threat indicators indexed in Elasticsearch | ✅ Passed |
| Kibana Threat Intelligence | MISP IoCs visible in Threat Intel view | ✅ Passed |
| Kibana Dashboard | Indicator visualization operational | ✅ Passed |
| Linux Elastic Agent | Agent enrolled, service healthy in Fleet | ✅ Passed |
| Linux Log Forwarding | Syslog/auditd events indexed in Kibana | ✅ Passed |
| Windows Elastic Agent | Agent enrolled, service healthy in Fleet | ✅ Passed |
| Windows Log Forwarding | Event Logs (Security/System) indexed | ✅ Passed |
This lab successfully demonstrated:
- Integration of MISP with Elastic Stack for real-time threat intelligence ingestion
- Fleet-managed Elastic Agent deployment on both Linux and Windows endpoints
- Centralized log aggregation and MISP IoC correlation in a SOC-ready environment
MISP Elastic Stack Elasticsearch Kibana Fleet Server Elastic Agent Logstash Docker Ubuntu Windows Threat Intelligence SIEM SOC CTI