# Analyzing Network Traffic for Incidents

## When to Use

- SIEM alerts on anomalous network traffic patterns requiring deeper investigation
- C2 beaconing is suspected and needs confirmation through packet-level analysis
- Data exfiltration volume or destination must be quantified from network evidence
- Lateral movement between systems needs to be traced through network connections
- An IDS/IPS alert requires packet-level validation to confirm or dismiss

Do not use for host-based forensic analysis (process execution, file system artifacts); use endpoint forensics tools instead.

## Prerequisites

- Fu…