{"id":18983,"date":"2025-12-14T15:17:14","date_gmt":"2025-12-14T06:17:14","guid":{"rendered":"https:\/\/aireviewirush.com\/?p=18983"},"modified":"2025-12-14T15:17:14","modified_gmt":"2025-12-14T06:17:14","slug":"new-analysts-soc-journey-xdr-endace-investigations","status":"publish","type":"post","link":"https:\/\/aireviewirush.com\/?p=18983","title":{"rendered":"New Analyst&#8217;s SOC Journey: XDR &#038; Endace Investigations"},"content":{"rendered":"<div>\n<p><strong>Additional Contributor:<\/strong> Pradnya Padaki<\/p>\n<p>Stepping into a Security Operations Centre (SOC) at <a href=\"https:\/\/www.ciscolive.com\/apjc.html\" target=\"_blank\" rel=\"noreferrer noopener\">Cisco Live Melbourne<\/a> for the first time was an experience charged with excitement and a little nervousness. Previously, my only understanding of SOCs came from listening to customer stories and dealing with their challenges\u2014I had known the stress, urgency, and teamwork required only through their eyes, never having been in those shoes myself.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-7d280e9067068765265a1875d6b437a9\" id=\"h-onboarding-quick-and-welcoming\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"Onboarding_Fast_and_Welcoming\"><\/span>Onboarding: Quick and Welcoming<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Contrary to my expectations of a drawn-out onboarding, the process was surprisingly swift (taking less than 10-20 minutes). Thanks to Duo, I was quickly given access to all the essential tools: Cisco XDR, Splunk, firewall dashboards, and more from the Duo directory. This seamless access calmed my nerves and made me feel immediately welcome.<\/p>\n<p>After that, it was all about getting comfortable with the tools and escalation processes. As a Tier 1\/Tier 2 analyst, my daily routine revolved around Cisco XDR, which brought together incident alerts from every corner of the network. Each alert came packed with context and intelligence, making investigations much less overwhelming.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-d45f70a81493154aefc74abe31c81cc9\" id=\"h-discovering-endace\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"Discovering_Endace\"><\/span>Discovering Endace<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>One of my highlights was using <a href=\"https:\/\/www.endace.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Endace<\/a> for the first time. This tool gave me the ability to dive into packet-level details, filter data rapidly, and move from high-level incidents to granular packet captures. Correlating metadata and network flows became simple and even enjoyable, helping me solve problems with much more confidence.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-40afd82e5ee418a2d21d6795bf032428\" id=\"h-candid-conversations\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"Candid_Conversations\"><\/span>Candid Conversations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>During the event, I was frequently put on the spot to share my firsthand experience of working in a SOC for the first time, particularly reflecting on my day two investigations. This encouraged me to observe carefully and think deeply about the operational realities. Many customers showed keen interest, recognizing that my experience could soon mirror their own, which made these interactions especially valuable and motivating.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-102163865e8dfd5c71f8924fc501709d\" id=\"h-day-1-learning-the-ropes\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"Day_1_Studying_the_Ropes\"><\/span>Day 1: Learning the Ropes<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The first day was all about orientation: understanding the workflow, getting to know the tools, and developing the mindset needed for effective investigations. With help from experienced colleagues, I learned to triage incidents, check threat intel, dive into logs, and consult with the team before making decisions. By the day\u2019s end, my initial nervousness had turned into excitement.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-f2040b2d552d4e32b5dc5c6a7a0530b9\" id=\"h-day-2-leading-my-own-investigation-nbsp\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"Day_2_Main_My_Personal_Investigation\"><\/span>Day 2: Leading My Own Investigation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>On day two, I took on incidents independently, performing full triage and drafting escalation reports myself.<\/p>\n<h3 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-ab38295044f50e4b8e1d8e87f6430770\" id=\"h-case-study-investigating-suspicious-network-connections\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"Case_Research_Investigating_Suspicious_Community_Connections\"><\/span>Case Study: Investigating Suspicious Network Connections<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>Background:<\/strong> During my initial SOC assignment, an alert was generated by Cisco XDR highlighting that an internal endpoint was making connections to multiple IP addresses known for malicious activity.<\/p>\n<p><strong>Detection:<\/strong> Cisco XDR flagged the suspicious behaviour, visualizing the connections between one internal asset and several high-risk external hosts. This raised immediate concerns about potential malware or command-and-control activity (see the Cisco XDR investigation below).<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1372\" height=\"780\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2025\/12\/CLAPJ25_XDR_confirmed_threat.webp\" alt=\"Cisco XDR investigation\" class=\"wp-image-483310\" style=\"width:744px;height:auto\"\/><\/figure>\n<\/div>\n<p><strong>Investigation:<\/strong> To validate and further analyze the incident, I used Endace for in-depth packet inspection. Filtering for the specific IP and application revealed a consistent flow of traffic matching file transfer patterns. Further analysis confirmed that the traffic was generated by a BitTorrent application running on the endpoint (see the Endace screenshots below).<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1906\" height=\"1030\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2025\/12\/endace-investigation.webp\" alt=\"endace investigation\" class=\"wp-image-482994\" style=\"width:737px;height:auto\"\/><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1472\" height=\"806\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2025\/12\/CLAPJ25_endac_investigation_2.webp\" alt=\"Cisco Live Melbourne 2025 Endace investigation\" class=\"wp-image-483315\" style=\"width:736px;height:auto\"\/><\/figure>\n<\/div>\n<p><strong>Response action:<\/strong> From the first alert in Cisco XDR, I conducted a comprehensive investigation to quickly verify the policy violation. As a Tier 2 analyst, my response included correlating data from multiple sources, conducting packet captures with Endace to rule out malware, and assessing the broader impact on the environment. Once the investigation confirmed BitTorrent usage as the source of the suspicious traffic, the case was formally escalated to ensure appropriate follow-up, including user education and enhanced network controls to mitigate recurrence. The affected endpoint was flagged for further monitoring, and the application was disabled to prevent ongoing peer-to-peer file sharing. A detailed incident report was compiled, outlining risks such as malware exposure, bandwidth consumption, and privacy vulnerabilities associated with unauthorized BitTorrent activity.<\/p>\n<p><strong>Outcome &amp; Reflection:<\/strong> Seeing the investigation through from initial alert to root cause determination\u2014leveraging both Cisco XDR and Endace\u2014marked a major milestone in my SOC journey. This end-to-end incident handling not only reinforced procedural discipline but significantly boosted my confidence in handling real-world threats.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-f29e3ed8bb8bf24db37733442b35c300\" id=\"h-reflections-and-takeaways-nbsp\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"Reflections_and_Takeaways\"><\/span>Reflections and Takeaways<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>By the end of the event, I realized that the real essence of a SOC isn\u2019t just about tools or dashboards. It\u2019s about people: collaboration, trust, shared curiosity, and supporting each other. Even as a newcomer, I was welcomed, trusted, and encouraged\u2014which made a world of difference.<\/p>\n<p>In summary, my first SOC experience turned initial nerves into genuine confidence. I entered as an observer and left feeling like part of the team\u2014a journey defined by support, learning, and the thrill of solving real-world security challenges.<\/p>\n<p>Check out the other blogs by my colleagues in the <a href=\"https:\/\/blogs.cisco.com\/security\/cisco-live-melbourne-2025-soc\" target=\"_blank\" rel=\"noopener\">Cisco Live Melbourne 2026 SOC<\/a>.<\/p>\n<hr class=\"wp-block-separator has-text-color has-light-gray-color has-alpha-channel-opacity has-light-gray-background-color has-background\"\/>\n<p class=\"has-text-align-center\" id=\"block-a1b11bef-8542-478b-95c4-6b43d582001b\"><em>We\u2019d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.<\/em><\/p>\n<p class=\"has-text-align-center\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-cisco-green-color\">Cisco Security Social Media<\/mark><\/strong><\/p>\n<p class=\"has-text-align-center\" id=\"block-85b5e58a-7e0a-4b88-a1bd-54a5f658e51f\"><a href=\"https:\/\/www.linkedin.com\/showcase\/cisco-secure\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a><br \/><a href=\"https:\/\/www.facebook.com\/ciscosecure\/\" target=\"_blank\" rel=\"noreferrer noopener\">Facebook<\/a><br \/><a href=\"https:\/\/www.instagram.com\/Ciscosecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">Instagram<\/a><br \/><a href=\"https:\/\/twitter.com\/CiscoSecure\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Additional Contributor: Pradnya Padaki Stepping into a Security Operations Centre (SOC) at Cisco Live Melbourne for the first time was an experience charged with excitement and a little nervousness. Previously, my only understanding of SOCs came from listening to customer stories and dealing with their challenges\u2014I had known the stress, urgency, and teamwork required [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":18985,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[],"class_list":{"0":"post-18983","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-iot"},"_links":{"self":[{"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/posts\/18983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=18983"}],"version-history":[{"count":1,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/posts\/18983\/revisions"}],"predecessor-version":[{"id":18984,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/posts\/18983\/revisions\/18984"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/media\/18985"}],"wp:attachment":[{"href":"https:\/\/aireviewirush.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=18983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=18983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=18983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}