My Day Getting My Hands Dirty with an NDR System

By News Room. Published 17 February 2026; last updated 2026/02/17 at 8:28 AM.
  • My objective
  • The role of NDR in SOC workflows
  • Starting up the NDR system
  • How AI complements the human response
  • What else did I try out?
  • What could I see with NDR that I wouldn’t otherwise?
  • Am I ready to be a network security analyst now?

My objective

As someone relatively inexperienced with network threat hunting, I wanted to get some hands-on experience using a network detection and response (NDR) system. My goal was to understand how NDR is used in hunting and incident response, and how it fits into the daily workflow of a Security Operations Center (SOC).

Corelight’s Investigator software, part of its Open NDR Platform, is designed to be user-friendly (even for junior analysts) so I thought it would be a good fit for me. I was given access to a production version of Investigator that had been loaded with pre-recorded network traffic. This is a common way to learn how to use this type of software.

While I’m new to threat hunting, I do have experience looking at network traffic flows. I was even an early user of one of the first network traffic analyzers called Sniffer. Sniffers were specialized PCs equipped with network adapters designed to capture traffic and packets. These computers were the foundation on which more advanced network monitoring platforms were built. Back in the mid-1980s, these tools were expensive and required a lot of training. Interpreting the terse, cryptic data they produced was challenging, and knowing how to translate those insights into actionable next steps took patience and expertise. Now, almost forty years later, I wanted to see how security teams are conducting everyday network hunting when complex, fast attacks are the norm—and how quickly I could pick up the new tools.

The role of NDR in SOC workflows

Before I jump into my experience, let me explain how NDR integrates with the SOC.

NDR systems are most frequently used by mid- to elite-level security operations. In these environments, NDR is a key part of incident response and threat hunting workflows. The systems provide deep visibility across networks while also detecting intrusions and anomalies. This visibility is important not just for spotting more complex attacks, but also for uncovering misconfigurations or vulnerabilities that can lead to breaches or outages. NDR helps analysts triage events and can provide direction and related insights to determine the right response.

Integrating NDR with the SOC’s Security Information and Event Managers (SIEMs), endpoint detection and response (EDR) solutions, and firewalls enables analysts to gather, enrich, and correlate network data with widespread events. Together, these integrations let analysts respond faster and more efficiently by connecting network insights with alerts and actions from other tools, especially when finding more advanced attacks that can evade EDR, for example. Knowing NDR is a central component of the SOC, I was eager to see how the workflows functioned.

Starting up the NDR system

When you first open Investigator, you’re greeted by a dashboard that displays a ranked list of the latest highest risk detections, listed by IP address and their frequency of occurrence. Most investigations start because some suspicious activity on the network triggered an alert. This prompts an analyst to form a hypothesis about why the event appeared on the dashboard, then drill down into the alert’s details to validate or disprove the idea. 

Clicking through the list, I could see robust details about the specific issues that were flagged. In my case, I was looking at evidence of a couple of exploit tools in use (including an old favorite of mine, NMAP), reverse command shells being used to execute malware, a dodgy DNS server, and a series of packets that documented a conversation between a suspicious pair of IP addresses. I saw right away how Investigator’s added context is important.

Rather than having to figure out network traffic patterns and their meaning, Investigator’s dashboard explained this for me and added even more context; each listing also showed which techniques from the MITRE ATT&CK® framework were involved, helping me understand the broader significance of the event. This level of detail is a great way to educate yourself about unfamiliar exploits, because you can quickly drill down into the specifics of each alert to gain deeper insights into the contents of the network packets involved.

This was also my chance to explore the GenAI features built into the tool. I could ask some pre-set questions, such as “What type of attack is associated with this alert?” It would respond with a recommended course of action in step-by-step detail. For example, it advised me to search particular logs for telltale signs that a node was communicating with an external command-and-control server and to check if it had sent a particular malware payload. It explained how to see if the threat was moving laterally to some other part of the network.

It may sound complicated, but my explanation actually takes longer than it did to click around and get these details when I was inside the product. This investigative process is fundamental for any SOC analyst who must piece together fragments of information to form a coherent picture of what the adversary is doing. In this case, the GenAI was surfacing insights and actionable next steps, clarifying the investigation process and allowing me to focus on my analysis.

How AI complements the human response

Integrated AI is certainly not unique in today’s collection of security products, but this was a helpful feature. What I liked about the AI hints was that they were truly useful, and not annoying, as some of the consumer-grade chatbots can be. There are clear workflow steps, such as:

• Figure out the exploit timeline and use your various log files to correlate connected IP addresses

• Figure out the DNS origins

• Suss out HTTP requests and file transfers, and so forth.

These bulleted items were not just some dry features mentioned in marketing materials but actual elements of my threat hunting. Certainly, I knew—at least from afar—about why these were important and how these various pieces fit together from my previous experience using network analyzers. But having these workflows spelled out by the AI brought my own thoughts into focus and helped me build and explain the narrative of an attack. I saw how these AI-based suggestions could enable a human analyst to determine how to more quickly respond to the incident and begin mitigating its impact. For example, when seeing a file transfer, you can figure out the file’s destination as well as whether it contains malware or other suspicious content. 
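The three workflow steps above (timeline, DNS origins, HTTP requests and file transfers) reduce to one pivot: take the suspicious IP and pull every record that touches it, across log types, in time order. The following is an added example, not code from the article or from Corelight; the records are constructed and modelled on the JSON form of Zeek-style dns/conn/http/files logs, and the field names (id.orig_h, id.resp_h, answers, tx_hosts) are assumed from that schema.

```python
import json

# Constructed sample records (not real traffic), modelled on the JSON form of
# Zeek-style dns/conn/http/files logs. A host resolves a name, fetches a binary
# over HTTP from the answer IP, then opens SMB to an internal neighbour.
SAMPLE_LINES = [
    '{"_path":"dns","ts":1700000000.1,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.53",'
    '"query":"update.example-cdn.test","answers":["203.0.113.77"]}',
    '{"_path":"conn","ts":1700000001.0,"uid":"C1","id.orig_h":"10.0.0.5",'
    '"id.resp_h":"203.0.113.77","id.resp_p":80,"proto":"tcp","service":"http"}',
    '{"_path":"http","ts":1700000001.2,"uid":"C1","id.orig_h":"10.0.0.5",'
    '"id.resp_h":"203.0.113.77","method":"GET","host":"update.example-cdn.test","uri":"/a.bin"}',
    '{"_path":"files","ts":1700000001.4,"conn_uids":["C1"],"tx_hosts":["203.0.113.77"],'
    '"rx_hosts":["10.0.0.5"],"mime_type":"application/x-dosexec"}',
    '{"_path":"conn","ts":1700000002.0,"uid":"C2","id.orig_h":"10.0.0.5",'
    '"id.resp_h":"10.0.0.9","id.resp_p":445,"proto":"tcp","service":"smb"}',
]

def parse(lines):
    return [json.loads(line) for line in lines]

def involves(rec, ip):
    # Each log type carries addresses in different fields; check all of them.
    hosts = {rec.get("id.orig_h"), rec.get("id.resp_h")}
    for field in ("answers", "tx_hosts", "rx_hosts"):
        hosts.update(rec.get(field, []))
    return ip in hosts

def summarise(rec):
    """One analyst-readable line per log type."""
    path = rec["_path"]
    if path == "dns":
        return f"{rec['query']} resolved to {', '.join(rec['answers'])}"
    if path == "conn":
        return f"{rec['id.orig_h']} -> {rec['id.resp_h']}:{rec['id.resp_p']} ({rec['service']})"
    if path == "http":
        return f"{rec['method']} http://{rec['host']}{rec['uri']}"
    if path == "files":
        return f"{rec['mime_type']} sent by {', '.join(rec['tx_hosts'])} to {', '.join(rec['rx_hosts'])}"
    return path

def build_timeline(records, pivot_ip):
    """Every record touching pivot_ip, in time order: the exploit timeline for that address."""
    hits = sorted((r for r in records if involves(r, pivot_ip)), key=lambda r: r["ts"])
    return [(r["ts"], r["_path"], summarise(r)) for r in hits]

def dns_origins(records, ip):
    """Names whose DNS answers pointed at ip: where the contact originated."""
    return sorted({r["query"] for r in records if r["_path"] == "dns" and ip in r.get("answers", [])})

def conn_peers(records, ip):
    """Hosts that exchanged connections with ip: the next set to examine for lateral movement."""
    peers = set()
    for r in records:
        if r["_path"] == "conn" and ip in (r["id.orig_h"], r["id.resp_h"]):
            peers.add(r["id.resp_h"] if r["id.orig_h"] == ip else r["id.orig_h"])
    return peers
```

Pivoting on the external address yields the dns, conn, http and files records in order; pivoting again on the victim's address surfaces the later SMB connection to an internal host.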

Also, the generated hints and explanations are located in just the right place on-screen so as to be a natural fit into an analyst’s workflow. Given the number of ways malware can enter a network, it is nice to have these tips and hints that can upskill analysts and serve as timely reminders on how to sift through various alerts. Again, the AI tool helps me understand the details associated with each alert, such as why it occurred, where it came from, and the potential damage it caused. 

Finally, Corelight takes pains to state that Investigator “only shares data with the model when an analyst is investigating a threat, and we do not use customer data for training the AI model.” To that end, there are two distinct integrations: one for private data (like IP addresses and customer details) and one for public data (that doesn’t reveal anything specific about the underlying network traffic), which can be operated independently. To enable both of these integrations, you go to the Settings page and turn them on.

What else did I try out?

Investigator comes with dozens of specialized dashboards that enable deeper analysis. For example, three dashboards are related to anomaly detection: one provides an overall summary, another offers detailed information, and a third displays the first time something has been observed on the network. This last display is particularly useful because it could show analysts novel techniques: signs of a new anomaly, for example. With this level of granularity, analysts have the data they need to determine whether an event is truly malicious, simply the result of a software misconfiguration, or just an unusual but harmless occurrence.

Another complementary approach I checked out was the Investigator’s built-in command line panel, where I could search for specific conditions. A good way to learn more about the syntax and use of this portion of the product is Corelight’s Threat Hunting Guide, where you can cut and paste the sample command strings directly into your Investigator searches, and copy their syntax for your own purposes. This can help analysts become more familiar with the data so they can use it to threat hunt unknown attacks in the future.

What could I see with NDR that I wouldn’t otherwise?

An NDR platform provides two important benefits: enrichment and integration. Each network connection is enriched with data collected by the Investigator. This can include not just which IP address triggered an alert, but how the activity compares to your normal network baseline activity. Analyzing traffic from normal baseline periods is invaluable because it lets you quickly spot the difference between, say, everyday access to a SQL server and unusual activity flagged by the system. When something seems off, all the context you need is right at your fingertips. You don’t, for example, need to recall that port 123 is used for the Network Time Protocol, nor what kinds of exploits can happen if someone is messing with it. 
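The baseline comparison described here, and the "first time observed on the network" dashboard mentioned earlier, come down to the same check: learn which (destination, port, protocol) tuples each host used during a normal period, then label anything outside that set as new for the host or new for the whole network. This is an added example, not Corelight's code; the connection records are constructed and modelled on Zeek-style conn log fields, and the port-to-service table is a partial, hand-written lookup.

```python
import json
from collections import defaultdict

# Constructed Zeek-style conn records (not real traffic). BASELINE_LINES stand for
# a period of known-normal activity; REVIEW_LINES are the window under analysis.
BASELINE_LINES = [
    '{"ts":1699990000.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.123","id.resp_p":123,"proto":"udp"}',
    '{"ts":1699990001.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","id.resp_p":1433,"proto":"tcp"}',
    '{"ts":1699990002.0,"id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.123","id.resp_p":123,"proto":"udp"}',
]
REVIEW_LINES = [
    # routine: the same SQL server this host always uses
    '{"ts":1700000000.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","id.resp_p":1433,"proto":"tcp"}',
    # NTP to an external host that nothing on the network has used before
    '{"ts":1700000001.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.9","id.resp_p":123,"proto":"udp"}',
    # a host reaching the SQL server for the first time, although other hosts use it
    '{"ts":1700000002.0,"id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.20","id.resp_p":1433,"proto":"tcp"}',
]

# Partial, hand-written port-to-name table so findings read as services, not port numbers.
WELL_KNOWN = {(123, "udp"): "NTP", (1433, "tcp"): "MS SQL", (53, "udp"): "DNS", (445, "tcp"): "SMB"}

def parse(lines):
    return [json.loads(line) for line in lines]

def conn_key(rec):
    return (rec["id.resp_h"], rec["id.resp_p"], rec["proto"])

def learn_baseline(records):
    """Per-source-host and network-wide sets of (dst, port, proto) seen in the baseline period."""
    per_host, network = defaultdict(set), set()
    for rec in records:
        per_host[rec["id.orig_h"]].add(conn_key(rec))
        network.add(conn_key(rec))
    return per_host, network

def first_seen(records, baseline):
    """Connections absent from the source host's own baseline, labelled by how novel they are."""
    per_host, network = baseline
    findings = []
    for rec in records:
        key = conn_key(rec)
        if key in per_host.get(rec["id.orig_h"], set()):
            continue  # this host has done exactly this before
        findings.append({
            "ts": rec["ts"], "src": rec["id.orig_h"], "dst": rec["id.resp_h"],
            "service": WELL_KNOWN.get((rec["id.resp_p"], rec["proto"]), f"{rec['id.resp_p']}/{rec['proto']}"),
            "scope": "new to network" if key not in network else "new for this host",
        })
    return findings
```

Of the three reviewed connections, the routine SQL access produces nothing, the external NTP peer is flagged as new to the network, and the SQL access from the second host is flagged as new for that host only.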

Enrichment also helps to correlate a particular event with other related data points that explain what you’re seeing. This gets to its other benefit: integration with other security tools. Integrations are how the enriched metadata is collected and shared. For example, log files can be exported to a number of SIEMs for further correlation analysis. NDR insights can be combined with EDR tools like CrowdStrike Falcon® to block a particular server or host, or to block a particular IP address in combination with a firewall like Palo Alto Networks. Threat intelligence rules used in technologies such as Suricata® and Yara, and other indicators of compromise, can be added for further defense. 

These integrations allow you to combine NDR’s network visibility with EDR, making it possible to identify which endpoints or hosts may be the source of suspicious activity or could be compromised by a bad actor. It’s particularly advantageous when tracking malware. Today, it’s common to see malware that moves across multiple threat domains (such as this recent exploit that used a burner email account, a compromised South African router, a phishing-as-a-service package, and infrastructure that connected machines in Russia, the US, and Croatia). Having this level of network visibility is crucial to understanding these complex relationships and threat movements.

More than 50 such integrations are possible using Corelight’s solution, so it can be used as a way to add information from many different detection sources, and these results can be exported to many products that offer resolution. Having a repository of common vulnerability details like these can be a ready reference for a SOC analyst who might have already seen that particular vulnerability or who is learning about new exploits. Adding these integrations is straightforward, too. For example, you can block traffic from specific IP addresses by adding them to Palo Alto’s External Dynamic Lists and simply exchanging cryptographic keys. 

Am I ready to be a network security analyst now?

Not quite. While I like and want to stick with my day job (writing about security and testing new products), this experience brought me more in touch with what the day-to-day SOC analyst does for a living. By using Investigator, I was able to take my basic skills and network protocol knowledge and extend them into actionable tasks. It also helped me learn about the inner operations of the various exploits that it found moving across my sample network. Think of Investigator as a force multiplier for your SOC’s middle-level staff, saving them time and providing more resources to figure out threats and mitigations.

This examination of the inner workings comes from being able to tie together an alert with other parts of the network — a custom DNS provider, a web host that shouldn’t be sending data somewhere, or an open cloud data store — that could lead towards the key to unwinding a particular exploit. 

Without an NDR platform to collect and correlate all this information, I would be mostly scrambling to find the separate bits and pieces of data, or manually cutting and pasting data from one security program to another. This way, I had the entire data corpus at my fingertips, complete with the connection relationships and activity that the software automatically surfaces. I didn’t have to fumble around with the cut and paste of an IP address or a search string: instead, I just clicked on the particular element, and the software showed me the particular relationship.

Yes, things have changed since those early days of the Sniffer. But my day getting down and dirty with Corelight’s Investigator taught me valuable lessons on how to create threat hypotheses, understand how threats move about a network, and, more importantly, gave me an opportunity to learn more about how networks operate and how they can be defended in the modern era. To learn more about Corelight’s open NDR platform, visit corelight.com. If you are curious to learn more about how elite SOC teams use Corelight’s open NDR platform to detect novel attack types, including those leveraging AI techniques, visit corelight.com/elitedefense. 

Note: This article was thoughtfully written and contributed for our audience by David Strom.
