
CTI Series – Part 1: Visual Threat Intelligence Lab with ntopng, Wazuh, MISP, and Wazuh CTI

Author: Michelle Genevieve Roblero Amaya (https://www.linkedin.com/in/michelleroblero/) Note: Developed by Roblero Consulting as part of the Wazuh Ambassadors Program.

Combining real-time network monitoring, threat intelligence, and contextual enrichment for proactive detection.

Introduction

In cybersecurity, raw data is never enough. What teams truly need is correlation, context, and clarity.

This lab was designed to demonstrate how open-source technologies — when properly combined — can generate a visual and enriched threat detection system that goes beyond collecting logs. Using tools like ntopng for network visibility, MISP for structured threat intelligence, and Wazuh for event correlation and response, we’ll build a lab that not only detects suspicious behavior but explains why it's dangerous, using Wazuh CTI for contextual enrichment.

As part of my role at Roblero Consulting and the Wazuh Ambassadors Program, I created this hands-on lab to help defenders better understand the value of visualization, automation, and threat context in modern Blue Team operations.

Lab Objectives

  • Visualize live network traffic using ntopng.

  • Detect and correlate suspicious activity with IOCs from MISP.

  • Enrich alerts automatically using the Wazuh CTI module.

  • Trigger actionable alerts and enable Active Response in Wazuh.

  • Build a modular, open-source, and replicable threat intel lab.

Core Components

ntopng: Captures and visualizes real-time network flows, highlights anomalies and suspicious destinations, and forwards flow logs to Wazuh.

MISP: Stores and shares Indicators of Compromise (IOCs). Provides feeds for threat intelligence enrichment and correlation.

Wazuh: Analyzes logs, matches events against rules and IOCs, enriches data with the CTI module, generates alerts, and executes responses.

Wazuh CTI: Performs real-time lookup and enrichment of IOCs from MISP and other sources. Adds context to alerts and enables IOC tagging.

Test Host: Generates suspicious traffic (e.g., connections to IPs/domains loaded into MISP as IOCs) to validate the detection and enrichment flow. Use indicators you control, sinkholed, or in reserved test ranges so the lab host never actually contacts live attacker infrastructure.

Lab Topology (diagram)

Lab Structure

This lab is divided into four main parts:

Part 1 – Environment Setup

  • Deploy Wazuh (Manager, Indexer, and Dashboard), ntopng, and MISP using Docker Compose. The Dashboard requires the Indexer, so all three Wazuh components are needed.

  • Configure container networking and basic access.

Part 2 – ntopng Configuration

  • Enable traffic monitoring and flow export to Wazuh.

  • Set up log forwarding (syslog or JSON).

  • Verify flow visibility and log ingestion.

Part 3 – MISP & Wazuh CTI Integration

  • Load IOCs into MISP (manually or via public feeds).

  • Configure the Wazuh CTI module to connect to MISP.

  • Enable automatic enrichment for IPs, domains, and hashes in Wazuh events.

Part 4 – Detection, Correlation, and Response

  • Simulate malicious traffic from the test host.

  • Observe Wazuh generating enriched alerts with CTI context.

  • (Optional) Enable Active Response (block IPs, send notifications).
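As an added example (not code from this article, nor from the Wazuh, ntopng, or MISP projects), the Python script below models the Part 2 to Part 4 pipeline end to end and runs offline: an ntopng-style flow record is parsed, its observables are matched against MISP attributes, a hit becomes an enriched alert, and the alert is mapped to an Active Response decision. It assumes ntopng flow records keyed like nProbe exports (IPV4_SRC_ADDR, IPV4_DST_ADDR, DNS_QUERY), MISP attributes in the shape returned by the /attributes/restSearch endpoint, and a local rule ID of 100100; all of these, plus the flow lines and attributes themselves, are constructed sample data. In a real deployment the in-memory attribute list would be replaced by a call to the MISP REST API from a Wazuh integration script, and the decision string by an Active Response command.

```python
"""Offline model of the ntopng -> Wazuh -> MISP enrichment flow (added example)."""
import ipaddress
import json

# --- Constructed MISP data ---------------------------------------------------
# Shaped like attribute objects from MISP's /attributes/restSearch, trimmed to
# the fields used here. Values use RFC 5737 / RFC 2606 documentation ranges.
MISP_ATTRIBUTES = [
    {"type": "ip-dst", "value": "203.0.113.45", "category": "Network activity",
     "to_ids": True, "Event": {"id": "1001", "info": "Constructed: C2 server"},
     "Tag": [{"name": "tlp:amber"}, {"name": "kill-chain:command-and-control"}]},
    {"type": "domain", "value": "update-check.example", "category": "Network activity",
     "to_ids": True, "Event": {"id": "1002", "info": "Constructed: loader staging domain"},
     "Tag": [{"name": "tlp:green"}]},
    # to_ids=False means "analyst context only": it must never raise an alert.
    {"type": "ip-dst", "value": "198.51.100.9", "category": "Network activity",
     "to_ids": False, "Event": {"id": "1003", "info": "Constructed: sinkhole"}, "Tag": []},
]

# --- Constructed ntopng-style flow records (one JSON object per line) --------
NTOPNG_FLOWS = [
    '{"IPV4_SRC_ADDR":"10.0.0.25","IPV4_DST_ADDR":"203.0.113.45","L4_DST_PORT":443,"L7_PROTO_NAME":"TLS","OUT_BYTES":540321}',
    '{"IPV4_SRC_ADDR":"10.0.0.25","IPV4_DST_ADDR":"10.0.0.53","L4_DST_PORT":53,"L7_PROTO_NAME":"DNS","DNS_QUERY":"update-check.example"}',
    '{"IPV4_SRC_ADDR":"10.0.0.31","IPV4_DST_ADDR":"198.51.100.9","L4_DST_PORT":80,"L7_PROTO_NAME":"HTTP"}',
    '{"IPV4_SRC_ADDR":"10.0.0.31","IPV4_DST_ADDR":"192.0.2.10","L4_DST_PORT":443,"L7_PROTO_NAME":"TLS"}',
]

# MISP attribute types folded into the observable kinds a flow record carries.
IOC_KINDS = {"ip-dst": "ip", "ip-src": "ip", "domain": "domain", "hostname": "domain"}

# Explicit list instead of ip.is_private: Python also treats the RFC 5737
# documentation ranges used in this sample as private, which would hide the demo.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

MISP_MATCH_RULE_ID = 100100  # assumed local Wazuh rule id for "MISP IOC match"


def build_ioc_index(attributes):
    """Index IDS-actionable attributes by (kind, value); to_ids=False is skipped."""
    index = {}
    for attr in attributes:
        kind = IOC_KINDS.get(attr["type"])
        if kind is None or not attr.get("to_ids"):
            continue
        index[(kind, attr["value"].lower())] = attr
    return index


def extract_observables(flow):
    """Pull the fields of an ntopng flow record that can carry an IOC."""
    obs = [("ip", flow[k]) for k in ("IPV4_DST_ADDR", "IPV4_SRC_ADDR") if flow.get(k)]
    if flow.get("DNS_QUERY"):
        obs.append(("domain", flow["DNS_QUERY"].rstrip(".").lower()))
    return obs


def enrich_flow(flow_json, index):
    """Return an alert enriched with MISP context for a flow that hits an IOC, else None."""
    flow = json.loads(flow_json)
    for kind, value in extract_observables(flow):
        attr = index.get((kind, value))
        if attr is None:
            continue
        return {
            "rule_id": MISP_MATCH_RULE_ID,
            "src_ip": flow.get("IPV4_SRC_ADDR"),
            "dst_ip": flow.get("IPV4_DST_ADDR"),
            "matched": {"kind": kind, "value": value},
            "misp": {"event_id": attr["Event"]["id"], "event_info": attr["Event"]["info"],
                     "category": attr["category"],
                     "tags": [t["name"] for t in attr.get("Tag", [])]},
        }
    return None


def decide_response(alert):
    """Map an enriched alert to an Active Response name.

    Only a matched public IP is blocked. A domain IOC seen in a DNS query must not
    block the internal resolver the query was sent to, so it only notifies.
    """
    if alert is None:
        return None
    if alert["matched"]["kind"] != "ip":
        return "notify"
    ip = ipaddress.ip_address(alert["matched"]["value"])
    if any(ip in net for net in NEVER_BLOCK):
        return "notify"
    return "firewall-drop"


def run_pipeline(flows=NTOPNG_FLOWS, attributes=MISP_ATTRIBUTES):
    """Run every flow line through enrichment and response selection."""
    index = build_ioc_index(attributes)
    results = []
    for line in flows:
        alert = enrich_flow(line, index)
        if alert:
            alert["active_response"] = decide_response(alert)
            results.append(alert)
    return results


if __name__ == "__main__":
    for alert in run_pipeline():
        print(json.dumps(alert, indent=2))
```

Two of the four constructed flows produce alerts: the TLS connection to the C2 IP is enriched with event 1001 and mapped to firewall-drop, while the DNS query for the staging domain is enriched with event 1002 but only notifies, because the flow's destination is the internal resolver. The flow to the to_ids=False sinkhole address is deliberately not alerted on; loading every MISP attribute into a blocklist regardless of that flag is a common way to end up blocking legitimate or sinkholed infrastructure.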

Learning Objectives

  • How to correlate and visualize threat indicators in real time.

  • How to integrate network visibility (ntopng), threat intelligence (MISP), and contextual enrichment (Wazuh CTI).

  • How to simulate and detect threat scenarios using only open-source tools.

  • How to build your own modular and proactive detection lab from scratch.

Final Note

This lab shows that with the right combination of tools and a bit of creativity, defenders can replicate enterprise-grade visibility and threat detection without depending on expensive platforms.

Follow upcoming parts for:

  • Docker Compose template

  • Configuration walkthrough

  • Custom Wazuh rules

  • Sample detection scenarios

🔄 This article is Part 1 of the Roblero Consulting Visual CTI Series. Stay tuned for Part 2: IOC Correlation at Scale with Wazuh and MISP Feeds.
