3.13 Security Operations & Threat Response
| Field |
Value |
| Document ID |
SDWAN-SEC-3.13 |
| Version |
1.0 |
| Last Updated |
December 2025 |
| Author |
Network Architecture Team |
| Classification |
Internal Use |
1. Executive Summary
This section documents the Security Operations Center (SOC) integration and threat response procedures for Abhavtech's SD-WAN deployment. It covers the integration between SD-WAN security telemetry and SOC tools, incident response workflows, forensic capabilities, and coordination with broader enterprise security operations.
1.1 Security Operations Architecture
+------------------------------------------------------------------+
| SECURITY OPERATIONS ARCHITECTURE |
+------------------------------------------------------------------+
| |
| Data Sources: |
| +------------------+ +------------------+ +------------------+ |
| | SD-WAN Telemetry | | SD-Access Logs | | Cloud Security | |
| | - NetFlow | | - Auth logs | | - CloudTrail | |
| | - UTD Alerts | | - SGACL logs | | - GuardDuty | |
| | - Syslog | | - Stealthwatch | | - Security Hub | |
| +--------+---------+ +--------+---------+ +--------+---------+ |
| | | | |
| +---------------------+---------------------+ |
| | |
| +------v------+ |
| | SIEM | |
| | (Splunk) | |
| +------+------+ |
| | |
| +---------------------+---------------------+ |
| | | | |
| +--------v---------+ +--------v---------+ +--------v---------+ |
| | Threat Intel | | Security Analytics| | Case Management | |
| | (ThreatGrid) | | (SecureX) | | (ServiceNow) | |
| +------------------+ +------------------+ +------------------+ |
| |
| +-------------+ |
| | SOC | |
| | Operations | |
| +-------------+ |
| |
+------------------------------------------------------------------+
1.2 SOC Integration Points
| Integration |
Purpose |
Protocol |
Frequency |
| vManage → SIEM |
Security events |
Syslog/CEF |
Real-time |
| WAN Edge → SIEM |
Traffic logs |
NetFlow v9 |
1 minute |
| UTD → SIEM |
Threat alerts |
Syslog |
Real-time |
| ISE → SIEM |
Auth events |
pxGrid |
Real-time |
| SIEM → SOAR |
Automation |
API |
Event-driven |
2. SIEM Integration
2.1 Log Collection Architecture
+------------------------------------------------------------------+
| LOG COLLECTION ARCHITECTURE |
+------------------------------------------------------------------+
| |
| Branch Sites Data Centers |
| +------------------+ +------------------+ |
| | WAN Edge | | WAN Edge | |
| | - Syslog | | - Syslog | |
| | - NetFlow | | - NetFlow | |
| +--------+---------+ +--------+---------+ |
| | | |
| | | |
| +----------------+--------------------+ |
| | |
| +------v------+ |
| | Log Forwarder| |
| | (Splunk UF) | |
| +------+------+ |
| | |
| +------v------+ |
| | Log Indexer | |
| | (Splunk) | |
| +------+------+ |
| | |
| +------v------+ |
| | Search Head | |
| | Cluster | |
| +-------------+ |
| |
+------------------------------------------------------------------+
2.2 Syslog Configuration
! WAN Edge Syslog Configuration
logging host 10.254.1.50 vrf Mgmt transport udp port 514
logging host 10.254.1.51 vrf Mgmt transport tcp port 6514 secure
logging source-interface Loopback0
logging trap informational
logging facility local7
! Structured Logging (CEF Format)
logging discriminator CEF-EVENTS severity includes 4 5 6
logging host 10.254.1.50 discriminator CEF-EVENTS
! UTD Specific Logging
utd engine standard
logging host 10.254.1.50
logging level info
alert
severity critical action syslog snmp-trap email
severity high action syslog snmp-trap
severity medium action syslog
!
!
2.3 NetFlow Configuration
! NetFlow v9 for Security Analytics
flow record SECURITY-RECORD
match ipv4 source address
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match interface input
match flow direction
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect application name
flow exporter SIEM-EXPORT
destination 10.254.1.60
source Loopback0
transport udp 2055
export-protocol netflow-v9
template data timeout 60
flow monitor SECURITY-MONITOR
record SECURITY-RECORD
exporter SIEM-EXPORT
cache timeout active 60
cache timeout inactive 15
interface GigabitEthernet0/0/1
ip flow monitor SECURITY-MONITOR input
ip flow monitor SECURITY-MONITOR output
!
3. Security Analytics
3.1 Detection Use Cases
+------------------------------------------------------------------+
| SECURITY DETECTION USE CASES |
+------------------------------------------------------------------+
| |
| Use Case | Detection Method | Response |
| ------------------------+---------------------+-----------------|
| Malware Download | UTD + AMP | Block + Alert |
| C2 Communication | UTD + DNS Security | Block + Isolate |
| Data Exfiltration | NetFlow Anomaly | Alert + Invest |
| Lateral Movement | SGACL Violations | Block + Alert |
| Brute Force | Auth Log Analysis | Block + Alert |
| Policy Violation | DLP + URL Filter | Alert + Log |
| Unauthorized Access | SGACL + ACL | Block + Alert |
| DDoS Attack | Traffic Analysis | Mitigate + Alert|
| |
+------------------------------------------------------------------+
3.2 Splunk Detection Rules
! Splunk Search: Malware Detection
index=sdwan sourcetype=utd_alerts severity=critical OR severity=high
| stats count by src_ip, dest_ip, threat_name, action
| where count > 0
! Splunk Search: Data Exfiltration Detection
index=sdwan sourcetype=netflow
| stats sum(bytes) as total_bytes by src_ip, dest_ip
| where total_bytes > 1073741824
| lookup internal_ips ip as src_ip OUTPUT internal
| where internal="true"
| lookup internal_ips ip as dest_ip OUTPUT internal as dest_internal
| where dest_internal!="true"
! Splunk Search: Unauthorized Access Attempts
index=sdwan sourcetype=syslog "SGACL" "deny"
| stats count by src_sgt, dest_sgt, src_ip, dest_ip
| where count > 10
! Splunk Search: Brute Force Detection
index=sdwan sourcetype=syslog "authentication" "failure"
| stats count by src_ip, username
| where count > 5
3.3 Alert Correlation
+------------------------------------------------------------------+
| ALERT CORRELATION RULES |
+------------------------------------------------------------------+
| |
| Rule: Compromised Endpoint Detection |
| +----------------------------------------------------------+ |
| | Condition 1: Malware alert from UTD | |
| | AND | |
| | Condition 2: Unusual outbound traffic pattern | |
| | AND | |
| | Condition 3: DNS queries to suspicious domains | |
| | = | |
| | Action: Create P1 incident, initiate quarantine | |
| +----------------------------------------------------------+ |
| |
| Rule: Insider Threat Detection |
| +----------------------------------------------------------+ |
| | Condition 1: Access to sensitive resources (SGT 11/12) | |
| | AND | |
| | Condition 2: Outside normal working hours | |
| | AND | |
| | Condition 3: Large data transfer | |
| | = | |
| | Action: Alert security team, enable enhanced logging | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
4. Incident Response
4.1 Incident Classification
| Severity |
Description |
Response Time |
Examples |
| P1 Critical |
Active breach, data loss |
15 minutes |
Ransomware, active exfil |
| P2 High |
Confirmed threat, potential impact |
1 hour |
Malware detection, C2 |
| P3 Medium |
Suspicious activity |
4 hours |
Policy violations |
| P4 Low |
Informational |
24 hours |
Failed auth attempts |
4.2 Incident Response Workflow
+------------------------------------------------------------------+
| INCIDENT RESPONSE WORKFLOW |
+------------------------------------------------------------------+
| |
| Phase 1: Detection & Triage (0-15 min) |
| +----------------------------------------------------------+ |
| | 1. Alert received in SIEM/SOC | |
| | 2. SOC analyst validates alert (false positive check) | |
| | 3. Classify severity (P1/P2/P3/P4) | |
| | 4. Create incident ticket | |
| +----------------------------------------------------------+ |
| |
| Phase 2: Containment (15-60 min) |
| +----------------------------------------------------------+ |
| | 1. Isolate affected systems (SGT change, port shutdown) | |
| | 2. Block malicious IPs/domains | |
| | 3. Preserve evidence (packet captures, logs) | |
| | 4. Notify stakeholders | |
| +----------------------------------------------------------+ |
| |
| Phase 3: Investigation (1-24 hours) |
| +----------------------------------------------------------+ |
| | 1. Determine root cause | |
| | 2. Identify scope of compromise | |
| | 3. Collect forensic evidence | |
| | 4. Document timeline | |
| +----------------------------------------------------------+ |
| |
| Phase 4: Eradication & Recovery (24-72 hours) |
| +----------------------------------------------------------+ |
| | 1. Remove threat from environment | |
| | 2. Patch vulnerabilities | |
| | 3. Restore systems from backup if needed | |
| | 4. Verify clean state | |
| +----------------------------------------------------------+ |
| |
| Phase 5: Post-Incident (1-2 weeks) |
| +----------------------------------------------------------+ |
| | 1. Conduct lessons learned | |
| | 2. Update detection rules | |
| | 3. Improve defenses | |
| | 4. Close incident | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
4.3 Containment Actions
! Immediate Containment - Quarantine Endpoint
! Via ISE pxGrid ANC
POST /ise/eps/config/anc/endpoint
{
"macAddress": "AA:BB:CC:DD:EE:FF",
"policyName": "QUARANTINE"
}
! Block Malicious IP at WAN Edge
ip access-list extended EMERGENCY-BLOCK
deny ip host 192.0.2.100 any log
deny ip any host 192.0.2.100 log
permit ip any any
interface GigabitEthernet0/0/1
ip access-group EMERGENCY-BLOCK in
!
! Block Domain via Umbrella
! (Via Umbrella API)
POST /policies/v2/destinationlists/{listId}/destinations
{
"destination": "malicious-domain.com",
"comment": "Blocked - Incident #12345"
}
! Disable User Account
! (Via ISE Guest API)
PUT /ers/config/guestuser/{userId}/suspend
5. Forensic Capabilities
5.1 Evidence Collection
+------------------------------------------------------------------+
| FORENSIC EVIDENCE SOURCES |
+------------------------------------------------------------------+
| |
| Evidence Type | Source | Retention |
| ---------------------+---------------------+-------------------|
| Traffic Captures | WAN Edge (EPC) | 7 days |
| NetFlow Records | SIEM | 90 days |
| Authentication Logs | ISE | 2 years |
| Config Changes | vManage Audit | 1 year |
| Threat Alerts | UTD/AMP logs | 1 year |
| DNS Queries | Umbrella | 30 days |
| URL Access | URL Filter logs | 90 days |
| |
+------------------------------------------------------------------+
5.2 Packet Capture Configuration
! Embedded Packet Capture (EPC) on WAN Edge
monitor capture FORENSIC-CAPTURE interface GigabitEthernet0/0/1 both
monitor capture FORENSIC-CAPTURE access-list CAPTURE-FILTER
monitor capture FORENSIC-CAPTURE buffer size 50
monitor capture FORENSIC-CAPTURE limit duration 3600
ip access-list extended CAPTURE-FILTER
permit ip host 172.16.10.50 any
permit ip any host 172.16.10.50
! Start capture
monitor capture FORENSIC-CAPTURE start
! Export capture
monitor capture FORENSIC-CAPTURE export tftp://10.254.1.100/captures/incident-12345.pcap
! Stop and clear
monitor capture FORENSIC-CAPTURE stop
no monitor capture FORENSIC-CAPTURE
5.3 Log Export for Forensics
! Export logs for forensic analysis
! SD-WAN Manager API
GET /dataservice/device/log/file?deviceId={deviceId}&logType=security
! Response: Download link for log bundle
! ISE Log Export
GET /admin/API/mnt/Session/EndPointIPAddress/{ipAddress}
! Umbrella Activity Export
GET /reports/v2/activity?from={timestamp}&to={timestamp}&ip={ipAddress}
6. SOAR Integration
6.1 Automated Response Playbooks
+------------------------------------------------------------------+
| SOAR PLAYBOOK: MALWARE RESPONSE |
+------------------------------------------------------------------+
| |
| Trigger: UTD malware alert (severity >= high) |
| |
| Step 1: Enrich Alert |
| +----------------------------------------------------------+ |
| | - Query ISE for user/device details | |
| | - Query ThreatGrid for malware details | |
| | - Query CMDB for asset information | |
| +----------------------------------------------------------+ |
| |
| Step 2: Automated Containment |
| +----------------------------------------------------------+ |
| | - If confirmed malware: Quarantine via ISE ANC | |
| | - Block file hash across all endpoints | |
| | - Block C2 domain in Umbrella | |
| +----------------------------------------------------------+ |
| |
| Step 3: Create Incident |
| +----------------------------------------------------------+ |
| | - Create ServiceNow incident | |
| | - Attach enrichment data | |
| | - Assign to security team | |
| +----------------------------------------------------------+ |
| |
| Step 4: Notify |
| +----------------------------------------------------------+ |
| | - Send Slack notification to #security-alerts | |
| | - Page on-call if P1 | |
| | - Email affected user's manager | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
6.2 SOAR API Integration
# SOAR Playbook: Quarantine Endpoint via ISE
import requests
def quarantine_endpoint(mac_address, incident_id):
"""Quarantine endpoint via ISE pxGrid ANC"""
ise_url = "https://ise.abhavtech.com/ers/config/ancendpoint"
payload = {
"ErsAncEndpoint": {
"macAddress": mac_address,
"policyName": "QUARANTINE"
}
}
headers = {
"Content-Type": "application/json",
"Accept": "application/json"
}
response = requests.post(
ise_url,
json=payload,
headers=headers,
auth=("api_user", "api_password"),
verify=True
)
if response.status_code == 201:
log_action(incident_id, f"Quarantined {mac_address}")
return True
else:
log_error(incident_id, f"Quarantine failed: {response.text}")
return False
7. Metrics and Reporting
7.1 Security KPIs
| Metric |
Target |
Measurement |
| MTTD (Mean Time to Detect) |
< 15 minutes |
Alert timestamp - event timestamp |
| MTTR (Mean Time to Respond) |
< 1 hour |
Containment timestamp - alert timestamp |
| False Positive Rate |
< 5% |
FP alerts / total alerts |
| Incidents per Month |
Trending down |
Count of P1/P2 incidents |
| Threat Block Rate |
> 99% |
Blocked / (blocked + allowed) |
7.2 SOC Dashboard
+------------------------------------------------------------------+
| SOC OPERATIONAL DASHBOARD |
+------------------------------------------------------------------+
| |
| Current Status: |
| +----------------------------------------------------------+ |
| | Active Incidents: 3 (P1: 0, P2: 1, P3: 2) | |
| | Alerts (24h): 1,247 | Blocked Threats: 156 | |
| | Analyst Queue: 12 pending review | |
| +----------------------------------------------------------+ |
| |
| Threat Trends (7 days): |
| +----------------------------------------------------------+ |
| | Malware: ████████░░ 156 (↓12%) | |
| | Phishing: ██████░░░░ 89 (↑5%) | |
| | DDoS: ██░░░░░░░░ 12 (↓50%) | |
| | Policy Viol: ████░░░░░░ 45 (→ stable) | |
| +----------------------------------------------------------+ |
| |
| Performance Metrics: |
| +----------------------------------------------------------+ |
| | MTTD: 8 min (Target: 15 min) ✅ | |
| | MTTR: 45 min (Target: 60 min) ✅ | |
| | FP Rate: 3.2% (Target: 5%) ✅ | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
8. Best Practices Summary
8.1 SOC Integration Best Practices
- Centralize all security logs in SIEM
- Use consistent log formats (CEF/LEEF)
- Enable real-time alerting for critical events
- Maintain 90+ days of searchable logs
8.2 Incident Response Best Practices
- Document all IR procedures
- Test playbooks quarterly
- Maintain current contact lists
- Conduct tabletop exercises
8.3 Forensic Best Practices
- Preserve evidence chain of custody
- Enable packet capture capability
- Maintain adequate log retention
- Document all forensic procedures
References
| Document |
Description |
Location |
| NIST SP 800-61 |
Incident Response Guide |
nist.gov |
| Cisco SecureX Guide |
XDR integration |
cisco.com |
| Splunk SD-WAN App |
SIEM integration |
splunkbase.com |
| Abhavtech IR Playbook |
Internal IR procedures |
SharePoint |
Document Version: 1.0
Last Updated: December 2025
Classification: Internal Use
Document ID: SDWAN-SEC-3.13