A first-hand account of a real SOC investigation at Cisco Live Amsterdam 2026, where a malicious RAR archive containing a .bat file was delivered via an unencrypted POP3 email as a Business Email Compromise lure. The investigation walks through the full detection-to-resolution pipeline: initial alert in Cisco XDR, multi-engine analysis in Splunk Attack Analyzer (scoring 98/100), sandbox detonation in Cisco Secure Malware Analytics revealing extension obfuscation and shellcode injection behaviors, and packet-level confirmation via Endace and Wireshark. Key takeaways include the risks of unencrypted POP3, the continued effectiveness of archive-wrapped payloads and extension obfuscation, and how integrated tooling reduced triage time to minutes with minimal manual intervention.
Table of contents

1. Introduction: The SOC at the Heart of Cisco Live
2. The Incident: First Contact in Cisco XDR
3. Triage in Splunk Attack Analyzer
4. Deep Dive: SMA Analysis
5. Following the Trail: Splunk and the Email Delivery Chain
6. Packet-Level Confirmation: Wireshark via Endace
7. XDR Indicators: The Full Picture
8. Tools Used in This Investigation
9. Key Takeaways for the SOC Community
10. Conclusion