XDR Security Playbook - Suspicious Target Communication

This playbook describes how to use the XDR Stories Workbench to investigate stories related to suspicious target communication.


This playbook outlines a systematic approach for SOC engineers to investigate potential security incidents related to suspicious target communication. It provides a framework for gathering initial information, analyzing network traffic, and drawing conclusions about the nature of the threat.

Gathering Initial Information about the Threat

Use the Details widget in the story to gather basic information about the potential threat. Review the Description of the story and other data to decide if further investigation is required. In addition, the Similar Stories section shows other stories that share similar indicators and observables.


Use the Source widget to review data about the device that is impacted by this suspicious traffic.


You can also use the Indications Catalog for more information (such as the Indication ID), and focus the investigation based on your query.

Analyzing Network Traffic

Attack Distribution

The Attack Distribution graph helps you understand the nature of the traffic: periodic connections that resemble bot (beaconing) behavior, a one-time occurrence, or other characteristics.



The Targets section lets you examine the identified targets to learn more about their potential intent and the likelihood that the target is malicious:

  • Assess Cato's malicious score

  • Examine Cato's popularity

  • Consider associated Cato categories

  • Review the number of threat intelligence feeds linked to the target

Using Target Links to Search External Sources

By now you should have a solid grasp of the activity captured in this story. The Target Links help you conduct an external search on reputable sources for historical context and signs of malicious behavior. Correlate this data to identify connections with other entities and possible links to known threat actors, campaigns, or techniques.

Target Actions

Use the Target Actions section to verify whether the security engines took a responsive action on the identified traffic.

  1. Use Related Events to open the Events page and review the corresponding events for each target.

  2. In the event data, look for additional details regarding the specific IPS event and gather information regarding the nature of the IPS signature, client classification, threat type, and more.

Attack Related Flows

Use the Attack Related Flows section to examine unprocessed data flows related to the story.

  1. Assess traffic distribution to identify patterns and volume fluctuations.

  2. Analyze supplementary data points from these flows, including URLs, user-agents, file names, and other relevant attributes, and compare them to the findings from the previous investigation step to reveal potential correlations.
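The two checks above (traffic distribution from the Attack Distribution graph, and the supplementary attributes from the Attack Related Flows) can be reproduced in code. The following Python script is an added example, not part of the playbook and not Cato XDR code; it runs on constructed sample flows (timestamps, target, user-agent, file name), classifies each target's traffic as periodic, one-time, or irregular using the coefficient of variation of the gaps between flows, and collects the user-agents and file names seen per target so they can be compared with the Targets and Target Actions findings. The `periodic_cv` threshold of 0.15 is an assumed tuning value.

```python
"""Triage constructed flow records the way the Attack Distribution graph and
Attack Related Flows section are read by hand: is traffic to a target periodic
(beacon-like), a single occurrence, or irregular, and which user-agents and
file names accompany it. Constructed sample data, not Cato XDR output."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch seconds, target, user_agent, file_name).
SAMPLE_FLOWS = [
    (1_700_000_000, "updates.example-cdn.test", "Mozilla/5.0", "patch.msi"),
    # roughly every 300 s, a small flow to the same host with a non-browser UA
    (1_700_000_300, "beacon.example.test", "python-requests/2.31", ""),
    (1_700_000_602, "beacon.example.test", "python-requests/2.31", ""),
    (1_700_000_898, "beacon.example.test", "python-requests/2.31", ""),
    (1_700_001_201, "beacon.example.test", "python-requests/2.31", ""),
    (1_700_001_499, "beacon.example.test", "python-requests/2.31", ""),
    # irregular browser traffic to an ad host
    (1_700_000_040, "ads.example.test", "Mozilla/5.0", ""),
    (1_700_000_700, "ads.example.test", "Mozilla/5.0", "tracker.js"),
    (1_700_002_900, "ads.example.test", "Mozilla/5.0", ""),
]


def inter_arrival_cv(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps between consecutive
    flows. A value near 0 means near-constant spacing, i.e. beacon-like traffic.
    Returns None when fewer than two gaps (three flows) exist."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def classify_distribution(timestamps, periodic_cv=0.15):
    """Map a target's timestamps to the categories the playbook names.
    periodic_cv is an assumed threshold; tune it to your environment."""
    if len(timestamps) == 1:
        return "one-time"
    cv = inter_arrival_cv(timestamps)
    if cv is not None and cv <= periodic_cv:
        return "periodic"
    return "irregular"


def summarize_targets(flows):
    """Group flows per target and report the distribution class together with
    the supplementary attributes (user-agents, file names) for correlation."""
    by_target = defaultdict(list)
    for ts, target, ua, fname in flows:
        by_target[target].append((ts, ua, fname))
    summary = {}
    for target, rows in by_target.items():
        timestamps = [r[0] for r in rows]
        summary[target] = {
            "flows": len(rows),
            "distribution": classify_distribution(timestamps),
            "user_agents": sorted({r[1] for r in rows}),
            "file_names": sorted({r[2] for r in rows if r[2]}),
        }
    return summary


if __name__ == "__main__":
    for target, info in summarize_targets(SAMPLE_FLOWS).items():
        print(target, info)
```

A low coefficient of variation combined with a single non-browser user-agent and no file names is the pattern to compare against the target's malicious score and threat intelligence feed count from the Targets section; irregular browser traffic with tracker scripts points more toward adware or a policy violation.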

Conclusions from the Investigation

For investigations that focus on the target, these are some examples of threat types that can appear as suspicious communication in a story:

  • Adware

  • Malware

  • Browser extension

  • PUP (Potentially Unwanted Program)

  • Unsecured Network Activity (Suspicious)

  • Policy Violation (Suspicious)
