Fast and thorough investigations are key to protecting assets, maintaining trust, and ensuring compliance. By mapping attack paths, responding effectively, and addressing vulnerabilities, SOC teams can turn raw logs and telemetry from multiple sources into actionable insights. Our demonstration highlights two scenarios: an IDS alert and a DMCA notification.
Network and security infrastructures generate diverse data such as Syslog, SNMP, SFlow/IPFIX, DPI, RADIUS, and API logs that can be centralized, correlated, and visualized using platforms like ELK, Splunk, LogRhythm, or Microsoft Sentinel.
ELK Stack: Data Collection, Processing, and Visualization
Core Components:
- Beats – lightweight agents that collect logs and metrics from devices, servers, and applications.
- Logstash – processes and enriches data by parsing, extracting fields, and adding context.
- Elasticsearch – a powerful search and indexing engine that correlates millions of events.
- Kibana – provides dashboards, charts, and tables to monitor incidents and analyze anomalies.
Investigation Scenarios
Scenario 1: Malware Detected by IDS
In this scenario, an Intrusion Detection System (IDS) flags a compromised device inside the network. Once the alert is triggered, the Quarantine Manager automatically moves the infected endpoint into a restricted VLAN, effectively isolating it from the rest of the infrastructure while still allowing limited remediation access.
To enrich the investigation and assess the impact:
- RADIUS logs are leveraged to map the quarantined IP or MAC address to a specific user identity.
- DPI logs provide visibility into the applications and services the device was accessing prior to quarantine, enabling analysts to estimate potential data exposure.
ELK dashboards correlate these multiple data points, presenting SOC teams with a unified view of the device, the user, and related network activity.
The integration of RADIUS and DPI data into the ELK stack is fully automated through scripts, AAA policies, and OmniVista profiles, ensuring consistent, reliable, and traceable investigations without manual intervention.
Scenario 2: DMCA
The second case begins with the receipt of a DMCA takedown notice, which typically provides only an external IP address and a timestamp. Since enterprise networks often rely on NAT (Network Address Translation), the external IP alone does not reveal the internal user responsible.
The investigation proceeds as follows:
- Firewall logs (Syslog) are used to correlate the external IP with the corresponding internal IP at the specified time.
- By filtering on the internal IP and application field, the investigation narrows down to the exact user session.
- RADIUS logs then associate this internal IP with a user identity, while DPI logs reconstruct the detailed traffic flows, including the protocols, applications, and volume of data exchanged.
This layered approach allows analysts to not only identify the responsible user but also to assess the scale and nature of the activity with high precision.
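The DMCA correlation chain above (notice time and external IP, then firewall NAT log, then application filter, then RADIUS session) as an added Python example; it is not code from this post or from ALE. The syslog format, field names, IP addresses, user names and session times are all constructed assumptions, and the RADIUS data deliberately reuses one internal IP for a second user later in the day to show why the lookup must respect session boundaries.

```python
import re
from datetime import datetime, timedelta

NAT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ NAT: src=(?P<src>[\d.]+):\d+ -> nat=(?P<nat>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):\d+ proto=\w+ app=(?P<app>\S+)$")

# Constructed firewall NAT syslog lines (not real telemetry): internal source,
# translated public address, destination and the DPI-classified application.
FIREWALL_SYSLOG = """\
2024-05-02T14:03:11Z fw01 NAT: src=10.20.5.17:51234 -> nat=203.0.113.8:40211 dst=198.51.100.25:6881 proto=tcp app=bittorrent
2024-05-02T14:05:40Z fw01 NAT: src=10.20.5.42:49881 -> nat=203.0.113.8:40212 dst=198.51.100.77:443 proto=tcp app=https
2024-05-02T14:09:02Z fw01 NAT: src=10.20.5.17:51240 -> nat=203.0.113.8:40213 dst=198.51.100.25:6881 proto=tcp app=bittorrent
"""

# Constructed RADIUS accounting sessions (user, ip, start, stop); the same
# internal IP is handed to a second user later, so timing decides the answer.
RADIUS_SESSIONS = [
    ("jdoe",   "10.20.5.17", "2024-05-02T13:30:00Z", "2024-05-02T15:00:00Z"),
    ("asmith", "10.20.5.42", "2024-05-02T12:00:00Z", "2024-05-02T18:00:00Z"),
    ("bwong",  "10.20.5.17", "2024-05-02T16:00:00Z", None),  # session still open
]

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_nat(syslog):
    return [m.groupdict() for m in map(NAT_RE.match, syslog.splitlines()) if m]

def internal_ips_for(ext_ip, at, window_min=5, syslog=FIREWALL_SYSLOG):
    """Step 1: NAT entries that used ext_ip within +/- window_min of the notice time."""
    lo, hi = at - timedelta(minutes=window_min), at + timedelta(minutes=window_min)
    return [e for e in parse_nat(syslog) if e["nat"] == ext_ip and lo <= ts(e["ts"]) <= hi]

def user_for(ip, at, sessions=RADIUS_SESSIONS):
    """Step 3: the RADIUS session that held `ip` at `at` (stop=None means open)."""
    for user, sip, start, stop in sessions:
        if sip == ip and ts(start) <= at and (stop is None or at <= ts(stop)):
            return user
    return None

def investigate(ext_ip, when, app_filter=None):
    """Full chain: notice -> NAT entries -> optional DPI app filter -> user + flows."""
    at = ts(when)
    entries = internal_ips_for(ext_ip, at)
    if app_filter:  # step 2: narrow by the application field
        entries = [e for e in entries if e["app"] == app_filter]
    return {ip: {"user": user_for(ip, at),
                 "flows": [(e["ts"], e["dst"], e["app"]) for e in entries if e["src"] == ip]}
            for ip in sorted({e["src"] for e in entries})}
```

On a real deployment the NAT and RADIUS lookups would be Elasticsearch queries over the same fields; the time window should cover the notice's stated precision and the NAT table's mapping lifetime, since a wide window turns one notice into several candidate users.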
Conclusion
Integrating network and security telemetry through the ELK stack transforms raw logs into clear, actionable intelligence. This unified approach enables SOC teams to react swiftly, contain incidents before they spread, and continuously improve resilience.
Beyond the technical benefits, the real value lies in the ability to protect critical assets, maintain compliance, and preserve trust, showing that rapid and accurate investigations are not just about solving one incident, but about building lasting security maturity across the organization.
Investigating Cybersecurity Incidents Like a Pro!
Watch how telemetry from OmniSwitch and other security tools, combined with the ELK stack, helps trace malware, suspicious activity, and even DMCA cases. You’ll see how logs, DPI, and RADIUS data provide SOC teams with fast, clear, and actionable insights.
Lina Ouali
Lina Ouali is currently a network engineer intern at ALE while pursuing a Master’s degree in Engineering at Sorbonne University.
She has a strong interest in networking and cybersecurity, and enjoys exploring different technologies to deepen her knowledge and sharpen her analytical skills.
She is also particularly engaged in topics related to technological resilience and aspires to contribute to making these issues more accessible and widely understood.