Objective – Lab goal

This lab enhances your detection capabilities by integrating open‑source threat‑intelligence feeds into your SIEM and IDS/IPS. You’ll configure OTX, AbuseIPDB, and blocklists, then validate enriched alerts.

  • Outcome 1: OTX and AbuseIPDB feeds integrated into SIEM.
  • Outcome 2: IDS/IPS rules enriched with threat‑intel indicators.
  • Outcome 3: Alerts correlated with external threat data.
  • Outcome 4: Threat‑intel workflow documented.
Lab 11: Threat Intelligence Integration
Lab 11: Integrating OTX, AbuseIPDB, and blocklists into SIEM and IDS/IPS.


Deliverables – End‑of‑lab checklist

  • DL11.1: OTX API key configured in SIEM.
  • DL11.2: AbuseIPDB lookups enabled.
  • DL11.3: IDS/IPS rules enriched with threat‑intel indicators.
  • DL11.4: Enriched alerts validated.
  • DL11.5: Documentation updated with feed sources and workflow.

Lab Steps – Step‑by‑step instructions

Step 1 – Configure OTX Threat Feed

~30 minutes
  1. Create an OTX account and generate an API key.
  2. In your SIEM, navigate to Threat Intelligence → Integrations.
  3. Add your OTX API key and enable pulse synchronization.
  4. Verify indicators appear in the threat‑intel dashboard.

Step 2 – Enable AbuseIPDB Lookups

~30 minutes
  1. Create an AbuseIPDB account and generate an API key.
  2. Enable IP reputation lookups in SIEM and IDS/IPS.
  3. Set thresholds for automatic tagging of malicious IPs.
  4. Test the lookup using a known malicious IP.

Step 3 – Integrate Blocklists & Custom Feeds

~45 minutes
  1. Add community blocklists (FireHOL, Spamhaus DROP, etc.).
  2. Configure automatic updates for blocklists.
  3. Import custom indicators (IPs, domains, hashes) into SIEM.
  4. Verify indicators propagate to IDS/IPS rules.

Step 4 – Validate Enriched Alerts

~45 minutes
  1. Trigger a controlled scan or DNS query to a known malicious domain.
  2. Verify the SIEM alert includes:
    • Threat‑intel source
    • Reputation score
    • Indicator category
  3. Confirm the IDS/IPS generates a correlated alert.
  4. Document enriched alert workflow.
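A worked version of Steps 2 through 4 as an added Python example (not part of the lab or any vendor's code): the API keys, feed downloads and SIEM/IDS product are replaced by constructed in-memory samples, the auto-tag threshold stands in for the Step 2 setting, and the generated rule syntax assumes Suricata.

```python
import ipaddress
# Constructed sample feed state (not real indicators) standing in for what Steps 1-3 load
# into the SIEM; real data comes from OTX pulses, AbuseIPDB lookups and blocklist downloads.
OTX_INDICATORS = {"198.51.100.23": "scanner", "malicious.example": "c2-domain"}
ABUSEIPDB_SCORES = {"198.51.100.23": 97, "203.0.113.8": 45}  # abuseConfidenceScore, 0-100
BLOCKLIST_CIDRS = ["203.0.113.0/24"]                          # DROP/FireHOL-style entry
ABUSE_THRESHOLD = 80  # Step 2.3: auto-tag as malicious at or above this score

def _as_ip(value):
    """ip_address for IP strings, None for domains or hashes."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def enrich(indicator):
    """Return the Step 4 fields (source, reputation score, category) for one IP or domain."""
    e = {"indicator": indicator, "sources": [], "reputation_score": None, "category": None, "tags": []}
    if indicator in OTX_INDICATORS:
        e["sources"].append("otx")
        e["category"] = OTX_INDICATORS[indicator]
    if indicator in ABUSEIPDB_SCORES:
        e["sources"].append("abuseipdb")
        e["reputation_score"] = ABUSEIPDB_SCORES[indicator]
        if e["reputation_score"] >= ABUSE_THRESHOLD:
            e["tags"].append("malicious")
    ip = _as_ip(indicator)  # blocklists are CIDR-based, so only IPs can match them
    if ip and any(ip in ipaddress.ip_network(c) for c in BLOCKLIST_CIDRS):
        e["sources"].append("blocklist")
        e["tags"].append("blocklisted")
    return e

def enrich_alert(alert):
    """Attach enrichment to the indicator-bearing fields of a raw SIEM alert (Step 4.2)."""
    out = dict(alert)
    out["threat_intel"] = [enrich(alert[k]) for k in ("src_ip", "dns_query") if k in alert]
    out["matched"] = any(ti["sources"] for ti in out["threat_intel"])
    return out

def to_suricata_rules(start_sid=9000001):
    """Step 3.4: one IDS rule per indicator so IDS/IPS and SIEM alert on the same intel."""
    rules = []
    for cidr in BLOCKLIST_CIDRS:
        rules.append(f'alert ip {cidr} any -> $HOME_NET any (msg:"TI blocklist {cidr}"; sid:{start_sid + len(rules)}; rev:1;)')
    for ind, cat in OTX_INDICATORS.items():
        if _as_ip(ind):
            rules.append(f'alert ip {ind} any -> $HOME_NET any (msg:"TI OTX {cat} {ind}"; sid:{start_sid + len(rules)}; rev:1;)')
        else:
            rules.append(f'alert dns any any -> any any (msg:"TI OTX {cat} {ind}"; dns.query; content:"{ind}"; nocase; sid:{start_sid + len(rules)}; rev:1;)')
    return rules
```

Running `enrich_alert({"src_ip": "198.51.100.23", "dns_query": "malicious.example"})` yields the three fields the validation step checks for each indicator, and `to_suricata_rules()` gives the rule lines that would be dropped into the IDS/IPS ruleset so the two systems alert on the same indicator set.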

Reflection – What you should understand now

  • Context: How threat‑intel enriches raw alerts with external data.
  • Correlation: How SIEM and IDS/IPS combine intel for stronger detections.
  • Automation: How feeds keep your defenses current.

With threat‑intelligence integrated, your homelab now benefits from global visibility into malicious activity. In Week 12, you’ll simulate network attacks and validate IDS/IPS and SIEM correlation accuracy.