No PCAP or NetFlow Data Available

There is no packet capture, NetFlow, or network metadata available for the timeframe of interest. Without network data it is difficult to confirm data exfiltration volumes, C2 channel details, or lateral movement paths.

Signals

•Network engineering confirms no span port, TAP, or full-packet capture was active on the relevant segment
•NetFlow/IPFIX export was not configured on the core or distribution switches
•NSM tools (Zeek, Suricata) were not deployed or were not covering the affected VLAN

Pivot Actions

1.Immediately deploy a temporary capture (tcpdump, Wireshark, Zeek) on the affected segment to catch ongoing activity
2.Extract connection-level data from firewall session logs (source, dest, port, bytes, duration)
3.Use DNS query logs from resolvers or DNS sinkhole to map C2 domains and resolution patterns
4.Correlate proxy/web gateway logs to reconstruct HTTP/S connections to external hosts
5.Query EDR network telemetry for per-process connection records on the endpoint

Alternate Evidence Sources

•Firewall session/connection logs with byte counts and duration
•DNS resolver query logs or passive DNS feeds
•Web proxy logs (Zscaler, Bluecoat, Squid) for HTTP/S traffic details
•EDR network telemetry showing per-process socket activity

Related Procedures

Network Isolation of Compromised Systems

contain

Lateral Movement Analysis and Mapping

analyze

EDR Telemetry Collection

collect