Unmasking Attacks With Cisco XDR at the GovWare SOC
Publish Time: 02 Dec, 2025

Cisco XDR served as the Tier-1 & 2 detection and response platform for the GovWare SOC, playing a pivotal role throughout the operations. Integrated with Splunk, Endace, Secure Network Analytics (SNA), Secure Malware Analytics (SMA), Cisco Secure Firewall, Cisco Secure Access (CSA), and third-party intelligence sources, it enabled real-time correlation and analysis to quickly identify potential security risks and incidents. This integration significantly reduced both the Mean Time to Detect (MTTD) and the Mean Time to Respond (MTTR).

During the GovWare SOC operation, Cisco XDR detected a total of 39 incidents. Among them, 12 incidents had a direct impact on GovWare's security posture, while the remaining 27 were classified as low-risk events that posed no immediate threat. Confirmed threats accounted for 30.7% of all detected incidents. The SOC team conducted in-depth analysis and response actions for each case, and the more critical incidents were promptly reported to the GovWare NOC.

The following is a list of the 12 confirmed incidents that posed a direct threat to GovWare.

A closer analysis of these incidents shows that their sources were the Network, SNA, Secure Firewall, Endace, Secure Access, and other integrated platforms, including Splunk. Through XDR's correlation and analysis, these incidents were identified and can be categorized into the following attack types:

  • Malicious port scanning
  • Malicious domain access
  • Malicious internet IP address access
  • Passwords transmitted in clear text for critical applications and assets
  • Email vulnerability exploitation
  • Suspected data loss

The following provides an in-depth analysis of two particularly representative attack cases, serving as case studies and lessons learned.

Case Study 1: Threat Hunting Unencrypted Critical File Transmission

Investigation Steps

  1. Integration and Network Context: Endace captures the SPAN traffic. It can extract files and generate Zeek logs. The Zeek logs are sent to Splunk. The extracted files are sent to Cisco Secure Malware Analytics (SMA) via Splunk Attack Analyzer, which is integrated with Cisco XDR.
  2. Incident Initiation: An automated workflow in Cisco XDR continuously monitors events from SMA. Whenever a critical file is detected being transmitted over an unencrypted protocol, it automatically generates an incident alert and sends it to the SOC analyst.
  3. Searching Key Indicators in Splunk: By running an SPL search in Splunk, we can find the logs that match this file transmission. From the logs sharing the same file UID, we identified the real source IP address for the incident.
  4. Deep Dive with Packet Capture: We searched and filtered traffic by source and destination IP addresses, and located the original session related to this incident in Endace. We retrieved the original files and examined the detailed session and packet content with Wireshark in Endace.
  5. Takeaway and Response: Through the investigation in XDR, SMA, Splunk, and Endace, we identified the source IP, destination IP, URL, file name, and protocol. We confirmed this was a high-risk incident involving the unencrypted transmission of critical business files. The incident has been reported to the GovWare Team. Attendees were reminded to avoid using unencrypted protocols when transmitting critical business files, to reduce the risk of data leakage.
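The correlation in step 3 comes down to joining the file record to its connection record on the shared UID and reading the IP addresses from the connection side. The script below is an added illustration of that join, written here for this post rather than taken from Cisco, Endace or Splunk; it works on constructed Zeek-format JSON log lines (files.log and conn.log field names), and the lists of "critical" MIME types and cleartext protocol analyzers are assumed SOC policy, not values from the GovWare deployment.

```python
"""Correlate Zeek files.log and conn.log records to flag business-critical
files sent over cleartext protocols and recover the real source IP of each
transfer. Added example for the Splunk correlation step above; not Cisco,
Endace or Splunk code. Log records are constructed sample data in Zeek's JSON
log format; CRITICAL_MIME and CLEARTEXT_SOURCES are assumed SOC policy."""
import json

# Constructed Zeek files.log lines. "fuid" is the file UID, "conn_uids" links
# the file to the connection(s) it was carried in, "source" is the analyzer
# (protocol) that extracted it, and "is_orig" says whether the connection
# originator sent the file. The last line references a connection UID that
# has no conn.log record, to exercise the missing-join case.
FILES_LOG = """
{"ts":1764633600.1,"fuid":"FaBc123","conn_uids":["CxYz001"],"source":"HTTP","is_orig":true,"mime_type":"application/pdf","filename":"Q4_financials.pdf","seen_bytes":204800}
{"ts":1764633601.5,"fuid":"FdEf456","conn_uids":["CxYz002"],"source":"HTTP","is_orig":false,"mime_type":"application/pdf","filename":"vendor_contract.pdf","seen_bytes":51200}
{"ts":1764633602.0,"fuid":"FgHi789","conn_uids":["CxYz003"],"source":"FTP_DATA","is_orig":true,"mime_type":"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet","filename":"payroll.xlsx","seen_bytes":98304}
{"ts":1764633603.2,"fuid":"FjKl012","conn_uids":["CxYz004"],"source":"HTTP","is_orig":false,"mime_type":"image/png","filename":"logo.png","seen_bytes":4096}
{"ts":1764633604.0,"fuid":"FmNo345","conn_uids":["CxYz999"],"source":"HTTP","is_orig":true,"mime_type":"application/pdf","filename":"orphan.pdf","seen_bytes":1024}
"""

# Constructed Zeek conn.log lines for the sessions referenced above.
CONN_LOG = """
{"ts":1764633600.0,"uid":"CxYz001","id.orig_h":"10.20.30.40","id.orig_p":51234,"id.resp_h":"203.0.113.10","id.resp_p":80,"proto":"tcp","service":"http"}
{"ts":1764633601.0,"uid":"CxYz002","id.orig_h":"10.20.30.41","id.orig_p":51235,"id.resp_h":"203.0.113.20","id.resp_p":80,"proto":"tcp","service":"http"}
{"ts":1764633601.9,"uid":"CxYz003","id.orig_h":"10.20.30.42","id.orig_p":51236,"id.resp_h":"203.0.113.30","id.resp_p":54321,"proto":"tcp","service":"ftp-data"}
{"ts":1764633603.0,"uid":"CxYz004","id.orig_h":"10.20.30.43","id.orig_p":51237,"id.resp_h":"203.0.113.40","id.resp_p":80,"proto":"tcp","service":"http"}
"""

# Zeek file analyzers that carry file contents without encryption (assumed list).
CLEARTEXT_SOURCES = {"HTTP", "FTP_DATA", "SMTP", "SMB"}

# MIME types the SOC treats as business-critical documents (assumed policy).
CRITICAL_MIME = {
    "application/pdf",
    "application/msword",
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}


def parse_json_lines(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_cleartext_critical_transfers(files_log, conn_log):
    """Return one finding per critical file carried by a cleartext protocol,
    joined to conn.log on the connection UID to recover sender/receiver IPs."""
    conns = {c["uid"]: c for c in parse_json_lines(conn_log)}
    findings = []
    for f in parse_json_lines(files_log):
        if f.get("source") not in CLEARTEXT_SOURCES:
            continue
        if f.get("mime_type") not in CRITICAL_MIME:
            continue
        for uid in f.get("conn_uids", []):
            conn = conns.get(uid)
            if conn is None:
                # Edge case: no matching conn.log record (log rotation, dropped
                # event). Report the file anyway so it is not lost; the analyst
                # can pivot on the UID in the packet capture.
                sender, receiver, dst_port = None, None, None
            else:
                # is_orig tells us which side sent the file: the originator on
                # an upload, the responder on a download.
                if f.get("is_orig"):
                    sender, receiver = conn["id.orig_h"], conn["id.resp_h"]
                else:
                    sender, receiver = conn["id.resp_h"], conn["id.orig_h"]
                dst_port = conn["id.resp_p"]
            findings.append({
                "fuid": f["fuid"], "conn_uid": uid, "protocol": f["source"],
                "filename": f.get("filename"), "mime_type": f["mime_type"],
                "sender_ip": sender, "receiver_ip": receiver, "dst_port": dst_port,
                "direction": "upload" if f.get("is_orig") else "download",
            })
    return findings


if __name__ == "__main__":
    for hit in find_cleartext_critical_transfers(FILES_LOG, CONN_LOG):
        print(hit)
```

On the sample data this reports the PDF upload from 10.20.30.40 over HTTP, a PDF download served by 203.0.113.20, the spreadsheet sent over FTP data, and the orphaned record with unknown addresses; the PNG is ignored because its type is not on the critical list. The same join is what an SPL search keyed on the file UID performs in Splunk, with is_orig deciding which end of the connection is the real source.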

Case Study 2: Hunting Malicious Scans Targeting the Internet Gateway

Investigation Steps

  1. Integration and Network Context: The SPAN traffic from the attendees is sent to the Cisco Telemetry Broker (CTB). CTB converts the traffic into NetFlow and sends it to Secure Network Analytics (SNA) and XDR Analytics. At the same time, the firewall sends its connection and event logs to XDR. SNA analyzes the NetFlow data and can generate port scan events. XDR Analytics analyzes both the NetFlow and log data, and it can generate an Internal Port Scanner event.
  2. Incident Initiation: These events are correlated by the XDR engine to create an incident related to a malicious scan. The data sources for this incident include SNA and XDR Network. Although the priority is marked as low, after correlation, the incident is already highly accurate, so the potential impact should be considered high.
  3. Investigate in Secure Network Analytics (SNA): In the SNA Host Posture interface, we could see the asset group that the host belonged to, the internal groups and Internet locations it accessed, and a security event clearly indicating a port scan from this host.
  4. Investigate in XDR Analytics: We observed that it also triggered an Internal Port Scanner alert in XDR Analytics. The three IP addresses performing the malicious scans were correlated and grouped together. Their targets were the same Internet Gateway address on the Cisco Secure Firewall. It was observed that the same source IP sent a large number of connection attempts to multiple ports on the Internet Gateway. Even though no response packets were received, the IP kept trying new ports, clearly showing malicious scanning behavior.
  5. Takeaway and Response: The Internet gateway is the Cisco Secure Firewall that successfully blocked the malicious scan attempts. Still, such scans can impact the network, so we reported the incident to the GovWare NOC Team for continued monitoring.
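The signal behind the SNA port scan event and the XDR Analytics Internal Port Scanner alert is visible in flow data alone: one source, one destination, many distinct destination ports in a short window, and almost no reply packets. The script below is an added example written for this post, not SNA, XDR Analytics or CTB code, showing that logic over constructed NetFlow-style records; the gateway address, the flow records and the thresholds (20 distinct ports, 90% unanswered, 60-second window) are assumed values chosen for the illustration. It also groups the detected sources by target, which is how the three scanning hosts in this case were correlated into one incident.

```python
"""Flag port-scan behaviour in NetFlow-style records and group the scanning
sources by the gateway they target. Added illustration of the logic behind
the port scan events discussed above; not SNA, XDR or CTB code. Flow records,
the gateway address and the thresholds are constructed/assumed values."""
from collections import defaultdict

GATEWAY = "198.51.100.1"  # constructed Internet gateway address


def build_sample_flows():
    """Constructed flow records: three hosts sweep 40 ports on the gateway and
    get no reply packets; one host has ordinary answered sessions to it."""
    flows = []
    t0 = 1764633600.0
    for i, scanner in enumerate(["10.1.1.5", "10.1.1.6", "10.1.1.7"]):
        for port in range(1, 41):
            flows.append({"ts": t0 + i * 100 + port * 0.5, "src": scanner,
                          "dst": GATEWAY, "dst_port": port, "proto": "tcp",
                          "pkts_out": 1, "pkts_in": 0})
    for k, port in enumerate([443, 443, 80, 443, 53]):
        flows.append({"ts": t0 + k * 7.0, "src": "10.1.1.20", "dst": GATEWAY,
                      "dst_port": port, "proto": "udp" if port == 53 else "tcp",
                      "pkts_out": 12, "pkts_in": 10})
    return flows


def detect_port_scans(flows, min_ports=20, min_unanswered=0.9, window=60.0):
    """Return one record per (src, dst) pair whose flows within any `window`
    seconds touch at least `min_ports` distinct destination ports, with at
    least `min_unanswered` of those flows receiving no reply packets."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    scans = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward so it spans at most `window` seconds.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            ports = {r["dst_port"] for r in win}
            if len(ports) < min_ports:
                continue
            # pkts_in == 0 means the gateway never answered; a RST-only reply
            # may count as a reply on some exporters, hence the ratio threshold.
            unanswered = sum(1 for r in win if r["pkts_in"] == 0) / len(win)
            if unanswered >= min_unanswered:
                scans.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                              "unanswered_ratio": round(unanswered, 2),
                              "first_ts": win[0]["ts"], "last_ts": win[-1]["ts"]})
                break  # one verdict per pair is enough
    return scans


def group_by_target(scans):
    """Group scanning sources by target so a shared-target campaign stands out."""
    grouped = defaultdict(list)
    for s in scans:
        grouped[s["dst"]].append(s["src"])
    return {dst: sorted(srcs) for dst, srcs in grouped.items()}


if __name__ == "__main__":
    detected = detect_port_scans(build_sample_flows())
    for target, sources in group_by_target(detected).items():
        print(f"{target} scanned by {len(sources)} host(s): {', '.join(sources)}")
```

The host with a handful of answered sessions to the gateway never crosses the distinct-port threshold, so only the three sweeping sources are reported, all against the same gateway. In a real deployment the thresholds are tuned per segment, and the firewall's own connection log can confirm that the attempts were blocked, as it did in this case.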

Beyond the two detailed investigations above, XDR also detected other incidents such as passwords transmitted in clear text, malicious domain access, and malicious Internet IP address access. These incidents have been escalated to the Tier-3 team, which will conduct the investigations and produce the reports.

Final Thoughts

As an automated and intelligent security detection and response platform, Cisco XDR played a critical role in the GovWare SOC operations. It enabled SOC analysts to detect and investigate real incidents in real time.

While investigating incidents within XDR, analysts could review the attack chain, add notes to the worklog, update the incident status, and escalate to the Splunk, Endace, Firewall, Secure Access, and Talos teams when further action was required.

Throughout the SOC operation, XDR's automation, correlation, workflow, and intelligence significantly improved the SOC's detection, investigation, and response capabilities, and effectively safeguarded the GovWare conference.

Check out the other blogs by my colleagues in the GovWare SOC.

About GovWare

GovWare Conference and Exhibition is the region's premier cyber information and connectivity platform, offering multi-channel touchpoints to drive community intel sharing, training, and strategic collaborations.

A trusted nexus for over three decades, GovWare unites policymakers, tech innovators, and end-users across Asia and beyond, driving pertinent dialogues on the latest trends and critical information flow. It empowers growth and innovation through collective insights and partnerships.

Its success lies in the trust and support from the cybersecurity and broader cyber community that it has had the privilege to serve over the years, as well as organisational partners who share the same values and mission to enrich the cyber ecosystem.

