You're reading from Effective Threat Investigation for SOC Analysts The ultimate guide to examining various threats and attacker techniques using security logs

Product type Paperback

Published in Aug 2023

Publisher Packt

ISBN-13 9781837634781

Length 314 pages

Edition 1st Edition

Concepts

Cybersecurity

Author (1):

Mostafa Yahia

View More author details

Table of Contents (22) Chapters

Preface

1. Part 1: Email Investigation Techniques

2. Chapter 1: Investigating Email Threats FREE CHAPTER

3. Chapter 2: Email Flow and Header Analysis

4. Part 2: Investigating Windows Threats by Using Event Logs

5. Chapter 3: Introduction to Windows Event Logs

6. Chapter 4: Tracking Accounts Login and Management

7. Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs

8. Chapter 6: Investigating PowerShell Event Logs

9. Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs

10. Part 3: Investigating Network Threats by Using Firewall and Proxy Logs

11. Chapter 8: Network Firewall Logs Analysis

12. Chapter 9: Investigating Cyber Threats by Using the Firewall Logs

13. Chapter 10: Web Proxy Logs Analysis

14. Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs

15. Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats

16. Chapter 12: Investigating External Threats

17. Chapter 13: Investigating Network Flows and Security Solutions Alerts

18. Chapter 14: Threat Intelligence in a SOC Analyst’s Day

19. Chapter 15: Malware Sandboxing – Building a Malware Sandbox

20. Index

Why subscribe?

21. Other Books You May Enjoy

Investigating network flows

The flow, also commonly known as NetFlow, is network session information generated by network devices, such as routers and layer 3 switches, to aid network engineers during network issue troubleshooting. The flows have several names, based on the device vendor – for example, the used protocol for Cisco devices’ flow control is NetFlow (which is the most common and well-known flow protocol), Jupiter devices’ flow protocol is J-Flow, and HP devices’ flow protocol is Netstream.

Regardless of the name of the protocol used to generate the network session information, the generated information includes at least the following details:

Timestamps (start and finish)
A source IP
A destination IP
A source port
A destination port
Transferred bytes

Most SIEM solutions provide an integration capability to receive flows from different network devices. As an SOC analyst, you should take advantage of the network session information (NetFlow) generated from the network devices to detect and investigate the following:

Suspicious communications from/to blacklisted IPs
Suspicious communications over suspicious ports
A high number of transferred bytes between two IPs
Outbound communications during unusual times – for example, outside of working hours

You should now be aware of the information included in the generated network flows and how to utilize it to detect and investigate different cyber threats. In the next section, you will learn how to investigate IPS and IDS alerts.