CTI Series – Part 1: Visual Threat Intelligence Lab with ntopng, Wazuh, MISP, and Wazuh CTI
Author: Michelle Genevieve Roblero Amaya (https://www.linkedin.com/in/michelleroblero/)
Note: Developed by Roblero Consulting as part of the Wazuh Ambassadors Program.
Combining real-time network monitoring, threat intelligence, and contextual enrichment for proactive detection.
Introduction
In cybersecurity, raw data is never enough. What teams truly need is correlation, context, and clarity.
This lab was designed to demonstrate how open-source technologies — when properly combined — can generate a visual and enriched threat detection system that goes beyond collecting logs. Using tools like ntopng for network visibility, MISP for structured threat intelligence, and Wazuh for event correlation and response, we’ll build a lab that not only detects suspicious behavior but explains why it's dangerous, using Wazuh CTI for contextual enrichment.
As part of my role at Roblero Consulting and the Wazuh Ambassadors Program, I created this hands-on lab to help defenders better understand the value of visualization, automation, and threat context in modern Blue Team operations.
Lab Objectives
Visualize live network traffic using ntopng.
Detect and correlate suspicious activity with IOCs from MISP.
Enrich alerts automatically using the Wazuh CTI module.
Trigger actionable alerts and enable Active Response in Wazuh.
Build a modular, open-source, and replicable threat intel lab.
Core Components
ntopng
Captures and visualizes real-time network flows. Highlights anomalies and suspicious destinations. Sends logs to Wazuh.
MISP
Stores and shares Indicators of Compromise (IOCs). Provides feeds for threat intelligence enrichment and correlation.
Wazuh
Analyzes logs, matches events against rules and IOCs, enriches data with the CTI module, generates alerts, and executes responses.
Wazuh CTI
Performs real-time lookup and enrichment of IOCs from MISP and other sources. Adds context to alerts and enables IOC tagging.
Test Host
Generates suspicious traffic (e.g., to known-malicious IPs/domains) to validate the detection and enrichment flow.
Lab Topology

Lab Structure
This lab is divided into 4 main parts:
Part 1 – Environment Setup
Deploy Wazuh (Manager + Dashboard), ntopng, and MISP using Docker Compose.
Configure container networking and basic access.
Part 2 – ntopng Configuration
Enable traffic monitoring and flow export to Wazuh.
Set up log forwarding (syslog or JSON).
Verify flow visibility and log ingestion.
Part 3 – MISP & Wazuh CTI Integration
Load IOCs into MISP (manually or via public feeds).
Configure the Wazuh CTI module to connect to MISP.
Enable automatic enrichment for IPs, domains, and hashes in Wazuh events.
Part 4 – Detection, Correlation, and Response
Simulate malicious traffic from the test host.
Observe Wazuh generating enriched alerts with CTI context.
(Optional) Enable Active Response (block IPs, send notifications).
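Added example, not code from the lab or from the Wazuh, ntopng or MISP projects: the correlation step of Parts 3 and 4 reduced to a small script in the style of a Wazuh custom integration, matching ntopng flow records against a MISP attribute export and attaching the MISP event context that the enriched alert would carry. MISP_EXPORT follows the layout of a MISP /attributes/restSearch JSON reply with constructed values; the flow field names (src_ip, dst_ip, server_name, ...) are assumptions, not ntopng's actual export keys.

```python
import json

# Constructed sample of a MISP /attributes/restSearch reply (values made up for this example).
# Only attributes flagged to_ids=True are meant for detection, so the third one must be ignored.
MISP_EXPORT = json.dumps({"response": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True,
     "Event": {"id": "101", "info": "Test C2 infrastructure"}},
    {"type": "domain", "value": "bad-example.test", "to_ids": True,
     "Event": {"id": "102", "info": "Phishing kit hosting"}},
    {"type": "ip-dst", "value": "198.51.100.9", "to_ids": False,
     "Event": {"id": "103", "info": "Low-confidence sighting"}},
]}})

# Constructed ntopng-style flow records as JSON lines (field names are assumptions).
FLOW_LINES = [
    '{"src_ip": "10.0.0.5", "dst_ip": "203.0.113.45", "dst_port": 443, "l7_proto": "TLS", "server_name": "cdn.example.net"}',
    '{"src_ip": "10.0.0.7", "dst_ip": "192.0.2.10", "dst_port": 80, "l7_proto": "HTTP", "server_name": "bad-example.test"}',
    '{"src_ip": "10.0.0.8", "dst_ip": "198.51.100.9", "dst_port": 53, "l7_proto": "DNS", "server_name": ""}',
    '{"src_ip": "10.0.0.9", "dst_ip": "192.0.2.20", "dst_port": 22, "l7_proto": "SSH", "server_name": ""}',
]

# Map MISP attribute types onto the flow fields we can compare them with.
TYPE_MAP = {"ip-dst": "ip", "ip-src": "ip", "domain": "domain", "hostname": "domain"}

def load_iocs(misp_json):
    """Index actionable MISP attributes by (kind, value) -> originating MISP event."""
    iocs = {}
    for attr in json.loads(misp_json)["response"]["Attribute"]:
        kind = TYPE_MAP.get(attr["type"])
        if kind and attr.get("to_ids"):
            iocs[(kind, attr["value"].lower())] = attr["Event"]
    return iocs

def enrich_flow(flow, iocs):
    """Return the flow with MISP context attached if the destination IP or server name hits an IOC."""
    checks = [("ip", flow["dst_ip"]), ("domain", flow.get("server_name", ""))]
    for kind, value in checks:
        hit = iocs.get((kind, value.lower())) if value else None
        if hit:
            return {**flow, "ioc_type": kind, "ioc_value": value,
                    "misp_event_id": hit["id"], "misp_info": hit["info"]}
    return None

def correlate(lines, misp_json):
    """Run every flow line through the IOC index and keep only the enriched hits."""
    iocs = load_iocs(misp_json)
    return [a for a in (enrich_flow(json.loads(line), iocs) for line in lines) if a]

if __name__ == "__main__":
    for alert in correlate(FLOW_LINES, MISP_EXPORT):
        print(json.dumps(alert))  # one enriched JSON alert per IOC hit
```

The sample produces two alerts: the TLS flow to 203.0.113.45 (matched by IP) and the HTTP flow whose server name is bad-example.test (matched by domain); the DNS flow to the to_ids=False address is not flagged.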
Learning Objectives
How to correlate and visualize threat indicators in real time.
How to integrate network visibility (ntopng), threat intelligence (MISP), and contextual enrichment (Wazuh CTI).
How to simulate and detect threat scenarios using only open-source tools.
How to build your own modular and proactive detection lab from scratch.
Final Note
This lab shows that with the right combination of tools and a bit of creativity, defenders can replicate enterprise-grade visibility and threat detection without depending on expensive platforms.
Follow upcoming parts for:
Docker Compose template
Configuration walkthrough
Custom Wazuh rules
Sample detection scenarios
🔄 This article is Part 1 of the Roblero Consulting Visual CTI Series. Stay tuned for Part 2: IOC Correlation at Scale with Wazuh and MISP Feeds.