Lab 15 — Work Real Threat Intel
Setup
git clone https://github.com/plaintext-security/plaintext-labs
cd plaintext-labs/defensive/15-threat-intel
make up
This drops you into a Python container pre-loaded with enrich.py and a bundled ThreatFox-format seed feed (threatfox_sample.csv). Run make demo to see a full triage walkthrough. The feed uses the same CSV schema as the real ThreatFox bulk export, so when you're ready to enrich against current intel, run make fetch-data — it pulls today's live ThreatFox recent-IOC CSV to threatfox_recent.csv, which enrich.py then uses in place of the seed (see data/PROVENANCE.md).
Scenario
Bring real threat intelligence to bear: ingest a feed, and use it to enrich an indicator and sharpen a detection.
Do
- [ ] Ingest a real indicator feed (abuse.ch ThreatFox or URLhaus) into MISP (or pull it directly).
- [ ] Take an indicator from your own hunt/detection (modules 04/05/12) and check it against the intel: known-bad? what's the context?
- [ ] Enrich a detection with the feed — e.g. alert on connections to known-bad infrastructure.
- [ ] Assess: which indicators are worth alerting on, and which are too noisy or stale?
Success criteria — you're done when
- [ ] You ingested a real feed and can query it.
- [ ] You enriched one of your own indicators with real context.
- [ ] You can justify which indicators are worth acting on (Pyramid of Pain).
Deliverables
threat-intel.md: the feed you used, the enrichment of your indicator, and your assessment of what's actionable.
AI acceleration
Have a model extract structured IOCs from a threat report — then verify each against the feed/source and judge its confidence. Collection is easy; assessment is the skill.
Connects forward
Enriched intel sharpens detections (module 08) and drives the automated enrichment step in module 16 (SOAR).
Marketable proof
"I ingest real threat-intel feeds (MISP, abuse.ch), enrich indicators and detections with context, and assess what's actually worth acting on."
Automate & own it
Required. Script the enrichment — take an indicator, query the feed/MISP, return a verdict + context (AI drafts, you verify against the source); commit it. This becomes a building block of your SOAR playbook.
Stretch
- Auto-expire indicators by age, and explain why stale intel causes false positives.
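The following is an added example of the enrichment building block described under "Automate & own it" together with the age-based expiry from the stretch goal. It is not the lab's enrich.py and not abuse.ch code; the CSV column names are an assumption modelled on the ThreatFox export layout, and the embedded feed is constructed (RFC 5737 test addresses and a reserved .invalid domain), so none of the values are real indicators. Given an indicator, it returns a verdict plus the context a triage note needs (malware family, threat type, confidence, reference, tags, age, Pyramid of Pain level), and it treats a match whose last sighting is older than the cut-off as stale rather than known-bad.

```python
"""Added example: enrich an indicator against a ThreatFox-style CSV feed."""
import csv
import io
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample feed. The column names follow the ThreatFox CSV export layout
# as assumed here; every value is made up (RFC 5737 test addresses, .invalid domain),
# so nothing below is a real IOC.
SAMPLE_FEED = """\
# ThreatFox-style sample feed (constructed for this example, not real intel)
"first_seen_utc","ioc_id","ioc_value","ioc_type","threat_type","fk_malware","malware_alias","malware_printable","last_seen_utc","confidence_level","reference","tags","anonymous","reporter"
"2024-05-01 10:00:00","1","203.0.113.10:4444","ip:port","botnet_cc","win.example_rat","","ExampleRAT","2024-05-02 09:00:00","100","https://example.invalid/report-1","rat,c2","0","example_reporter"
"2023-01-15 08:30:00","2","198.51.100.7:8080","ip:port","botnet_cc","win.example_loader","","ExampleLoader","","50","","loader","1",""
"2024-05-03 12:00:00","3","bad.example.invalid","domain","payload_delivery","win.example_loader","","ExampleLoader","2024-05-03 12:00:00","75","https://example.invalid/report-3","","0","example_reporter"
"2024-05-03 12:05:00","4","https://bad.example.invalid/dl/payload.bin","url","payload_delivery","win.example_loader","","ExampleLoader","","75","","","0","example_reporter"
"""

FEED_TIMESTAMP = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "today" so results are reproducible

# Where each indicator type sits on the Pyramid of Pain: the lower the level, the
# cheaper it is for the adversary to rotate, so the shorter its useful alerting life.
PYRAMID = {
    "md5_hash": "hash value (trivial)",
    "sha256_hash": "hash value (trivial)",
    "ip:port": "IP address (easy)",
    "domain": "domain name (simple)",
    "url": "network artifact (annoying)",
}


def parse_feed(text):
    """Parse a ThreatFox-style CSV export, skipping '#' comment lines."""
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(rows))))


def _last_seen(row):
    """Most recent sighting; last_seen_utc is empty when there was only one sighting."""
    ts = row.get("last_seen_utc") or row["first_seen_utc"]
    return datetime.strptime(ts, FEED_TIMESTAMP).replace(tzinfo=timezone.utc)


def _matches(row, indicator):
    """Exact match, plus the loose matches a hunt actually produces."""
    value = row["ioc_value"]
    if value == indicator:
        return True
    # A flow log gives you a bare IP; "ip:port" entries should still hit on it.
    if row["ioc_type"] == "ip:port" and value.rsplit(":", 1)[0] == indicator:
        return True
    # A DNS log gives you a hostname; URL entries on that host are relevant context.
    if row["ioc_type"] == "url" and urlparse(value).hostname == indicator:
        return True
    return False


def enrich(feed, indicator, now=NOW, max_age_days=90):
    """Return a verdict (known-bad / stale / no-match) and per-hit context."""
    hits = [r for r in feed if _matches(r, indicator)]
    if not hits:
        return {"indicator": indicator, "verdict": "no-match", "context": []}
    context, fresh = [], False
    for r in hits:
        age = (now - _last_seen(r)).days
        fresh = fresh or age <= max_age_days
        context.append({
            "ioc": r["ioc_value"],
            "ioc_type": r["ioc_type"],
            "threat_type": r["threat_type"],
            "malware": r["malware_printable"],
            "confidence": int(r["confidence_level"]),
            "reference": r["reference"] or None,
            "tags": [t for t in r["tags"].split(",") if t],
            "age_days": age,
            "pyramid_of_pain": PYRAMID.get(r["ioc_type"], "unknown"),
        })
    # A match is only "known-bad" if at least one sighting is recent enough to trust.
    return {"indicator": indicator, "verdict": "known-bad" if fresh else "stale", "context": context}


def expire(feed, now=NOW, max_age_days=90):
    """Drop indicators whose last sighting is older than max_age_days (stretch goal)."""
    return [r for r in feed if (now - _last_seen(r)).days <= max_age_days]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for ioc in ("203.0.113.10", "198.51.100.7:8080", "bad.example.invalid", "192.0.2.1"):
        print(json.dumps(enrich(feed, ioc), indent=2))
    print(f"{len(feed)} indicators loaded, {len(expire(feed))} still within 90 days")
```

Swap SAMPLE_FEED for the contents of threatfox_recent.csv and NOW for datetime.now(timezone.utc) to run it against live intel; the verdict logic is the part worth carrying into the SOAR playbook, because a feed row alone never tells you whether its IP was still bad last week.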