WireTrace
Use Case Playbooks
Operational Use Case Playbooks
Practical guides for security operators showing how to use WireTrace v1.2.4 in specific operational scenarios. Each playbook covers the objective, the WireTrace features involved, the workflow, and the expected outcome. The playbooks draw on this release's 21 AI query tools, ransomware kill chain detection, file activity monitoring, active enrichment, and change management capabilities.
OT Security
OT Incident Investigation
When suspicious activity is detected on an OT network - a ransomware kill chain alert, an unexpected PLC command, unauthorized engineering station access, or an OT isolation violation - use WireTrace to investigate with full protocol-level context.
Workflow
- Navigate to the asset in question in Asset Inventory - review its classification, communication peers, and protocol history
- Check Security Insights for related findings: unauthorized commands, behavioral deviations, zone violations
- Review the asset's communication timeline - which devices it communicated with, over which protocols, and when
- Examine protocol-level detail: Modbus function codes and register values, S7Comm parameters, DNP3 commands
- Cross-reference with Threat Detection for ransomware kill chain alerts (12 rules), IoC matches, or behavioral anomalies on the same asset
- Check File Activity for suspicious file operations - mass writes, ransomware extensions, ransom note delivery across SMB, FTP, or NFS
- Use the AI agent to ask natural language questions: "What commands did this PLC receive in the last 24 hours?" - answers from real data in under 200ms
- Check Change Management for recent changes to the asset - firmware updates, IP reassignments, classification changes
Outcome: Protocol-level forensic evidence for the incident - what commands were sent, by whom, when, and whether they deviate from established baselines. AI-generated summary for executive briefing.
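The File Activity step above looks for three signals: many writes from one client in a short window, files renamed to a known ransomware extension, and ransom notes dropped alongside them. The following is an added example of that detection logic, not WireTrace's own code: it runs over constructed SMB-style audit lines in an assumed format, and the extension list, note pattern and thresholds are illustrative tuning values, not WireTrace's rules.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-line format for this example (not a WireTrace export format):
#   <ISO-8601 timestamp> <client ip> <WRITE|READ|DELETE> <path on the share>
LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|READ|DELETE) (.+)$")

# Assumed indicator lists and tuning; a real deployment maintains and tunes these.
RANSOM_EXTENSIONS = {".lockbit", ".encrypted", ".crypt", ".locked", ".wncry"}
RANSOM_NOTE_RE = re.compile(r"(readme|restore|decrypt|recover).*\.(txt|html|hta)$", re.I)
MASS_WRITE_THRESHOLD = 20                 # writes by one client ...
MASS_WRITE_WINDOW = timedelta(seconds=60) # ... inside this sliding window


def parse_line(line):
    """Parse one audit line, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, op, path = m.groups()
    return datetime.fromisoformat(ts), client, op, path


def analyze(lines):
    """Return {client_ip: findings} for clients showing ransomware-like file activity."""
    findings = defaultdict(lambda: {"ransom_ext": set(), "ransom_note": set(), "mass_write": 0})
    recent_writes = defaultdict(deque)  # per-client write timestamps inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, op, path = rec
        if op != "WRITE":
            continue
        # Basename works for both UNC-style and POSIX paths.
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        f = findings[client]
        if ext in RANSOM_EXTENSIONS:
            f["ransom_ext"].add(name)
        if RANSOM_NOTE_RE.search(name):
            f["ransom_note"].add(name)
        window = recent_writes[client]
        window.append(ts)
        while ts - window[0] > MASS_WRITE_WINDOW:
            window.popleft()
        if len(window) >= MASS_WRITE_THRESHOLD:
            f["mass_write"] = max(f["mass_write"], len(window))
    # Only report clients that tripped at least one signal.
    return {c: f for c, f in findings.items()
            if f["ransom_ext"] or f["ransom_note"] or f["mass_write"]}


def build_sample_log():
    """Constructed sample: one client mass-encrypting drawings, one benign client."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 10.1.20.5 WRITE "
             f"//fs01/eng/drawings/pid-{i:03d}.dwg.lockbit" for i in range(25)]
    lines.append(f"{(base + timedelta(seconds=26)).isoformat()} 10.1.20.5 WRITE "
                 "//fs01/eng/drawings/README_RESTORE_FILES.txt")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 10.1.20.9 WRITE //fs01/eng/reports/q2.xlsx")
    lines.append(f"{(base + timedelta(minutes=6)).isoformat()} 10.1.20.9 READ //fs01/eng/reports/q2.xlsx")
    return lines


if __name__ == "__main__":
    for client, f in analyze(build_sample_log()).items():
        print(client, f)
```

The three signals are scored independently per client so that a slow encryptor that stays under the mass-write threshold is still caught by the extension or note match, and a client that only renames files to an unlisted extension is still caught by write volume.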
Healthcare
Clinical Device Audit
Biomed teams need an accurate inventory of every medical device on the network for accreditation surveys, procurement planning, and risk assessments. Use WireTrace to generate a live audit in minutes instead of weeks.
Workflow
- Navigate to Asset Inventory - filter by device type: ventilators, patient monitors, infusion pumps, imaging systems, lab analyzers
- Review each device's classification: manufacturer, model family, clinical function, firmware details
- Check communication patterns: which EMR/PACS/gateway systems each device communicates with
- Validate network segmentation: confirm devices are on their designated clinical VLANs
- Enable SNMP active polling to enrich devices with hardware model, serial number, and firmware version
- Export the inventory as CSV or use the AI agent - ask "Generate a HIPAA device inventory report" for a streaming compliance-ready report
Outcome: A complete, continuously updated clinical device inventory with manufacturer, model, function, firmware, serial number, and network behavior - generated from traffic and active enrichment, not manual spreadsheets.
Enterprise IT
TLS Certificate Hygiene Review
Expired, self-signed, and weak TLS certificates create blind spots and attack surface. Use WireTrace to audit every certificate observed on the network without scanning a single host.
Workflow
- Navigate to Security Insights - select the TLS category to see all certificate-related findings
- Review self-signed certificates: identify which services use them and assess whether they are expected or problematic
- Check expiring certificates: sort by expiry date to prioritize renewals before service disruptions
- Examine weak cipher negotiations: identify connections using deprecated TLS versions or weak cipher suites
- Use Asset Details to see the full certificate chain per device - subject, issuer, validity, and key strength
Outcome: A complete TLS certificate inventory derived from observed traffic - with self-signed, expired, and weak certificates identified for remediation without active scanning.
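The review above classifies each observed certificate as self-signed, expired or expiring, weak-keyed, or negotiated over a deprecated protocol or cipher. As an added example, not WireTrace code, the block below applies those checks to a few constructed passive observations; the record fields, the minimum key sizes and the weak-cipher tokens are this example's assumptions rather than WireTrace's schema or rules.

```python
from datetime import datetime, timedelta

# Constructed passive observations (field names are this example's own assumptions).
OBSERVED = [
    {"host": "10.0.5.10:443", "subject": "CN=intranet.corp.local",
     "issuer": "CN=Corp Issuing CA 1", "not_after": "2025-12-01",
     "key_type": "RSA", "key_bits": 2048, "tls_version": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384"},
    {"host": "10.0.7.22:8443", "subject": "CN=ups-monitor",
     "issuer": "CN=ups-monitor", "not_after": "2025-01-25",
     "key_type": "RSA", "key_bits": 2048, "tls_version": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"host": "10.0.9.5:443", "subject": "CN=legacy-hmi",
     "issuer": "CN=Vendor Device CA", "not_after": "2023-06-30",
     "key_type": "RSA", "key_bits": 1024, "tls_version": "TLSv1",
     "cipher": "RC4-SHA"},
]

# Constructed reference time so the example is reproducible offline.
REFERENCE_NOW = datetime(2025, 1, 15)

# Assumed policy thresholds for this example.
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256}


def audit_certificate(obs, now, expiry_warning_days=30):
    """Return the list of hygiene findings for one observed TLS endpoint."""
    findings = []
    # Self-signed: issuer and subject are the same name.
    if obs["subject"] == obs["issuer"]:
        findings.append("self-signed")
    not_after = datetime.strptime(obs["not_after"], "%Y-%m-%d")
    if not_after < now:
        findings.append("expired")
    elif not_after - now <= timedelta(days=expiry_warning_days):
        findings.append(f"expires-within-{expiry_warning_days}d")
    if obs["key_bits"] < MIN_KEY_BITS.get(obs["key_type"], 0):
        findings.append(f"weak-key-{obs['key_type']}-{obs['key_bits']}")
    if obs["tls_version"] in DEPRECATED_TLS:
        findings.append(f"deprecated-{obs['tls_version']}")
    cipher = obs["cipher"].upper()
    if any(tok in cipher for tok in WEAK_CIPHER_TOKENS):
        findings.append(f"weak-cipher-{obs['cipher']}")
    return findings


def audit_all(observations, now, expiry_warning_days=30):
    """Map host -> findings for endpoints with problems, already-expired ones first."""
    report = {o["host"]: audit_certificate(o, now, expiry_warning_days)
              for o in observations}
    ordered = sorted(report.items(), key=lambda kv: ("expired" not in kv[1], kv[0]))
    return {host: f for host, f in ordered if f}


if __name__ == "__main__":
    for host, f in audit_all(OBSERVED, REFERENCE_NOW).items():
        print(host, ", ".join(f))
```

Because the checks are independent, a single endpoint can accumulate several findings; sorting expired endpoints first matches the renewal-priority step in the workflow. Matching cipher names by substring is deliberately coarse and will flag any suite containing "DES" or "RC4", which is the safe direction for an audit.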
Compliance
Compliance Audit Preparation
Preparing for IEC 62443, HIPAA, ISO 27001, NCA ECC, or NCA OTCC audits typically requires weeks of manual evidence collection. Use WireTrace to generate audit-ready evidence from live traffic in hours instead of weeks. The AI agent with 21 query tools generates streaming compliance reports on demand - executive summary appears first, other sections follow. File activity audit trails provide forensic evidence for data handling requirements.
Workflow
- Asset Inventory: Export a complete asset inventory with vendor, model, OS, firmware, and network role for the framework's asset management requirement
- Communication Flows: Document which devices communicate with which systems, over which protocols - for access control and network security requirements
- Security Insights: Gather encryption posture evidence - TLS usage, cleartext protocol detection, certificate health - for cryptography and transmission security requirements
- Segmentation: Provide cross-zone communication evidence showing whether segmentation policies are enforced in practice
- Change Records: Show network change history - new devices, removed devices, new services - for operations security and change management requirements
Outcome: Audit-ready evidence package generated from observed traffic - asset inventories, communication flows, encryption posture, segmentation proof, and change records - without manual evidence collection.
OT Security
OT Network Segmentation Assessment
Verify whether Purdue model segmentation policies are enforced in practice. Use WireTrace to identify cross-zone communications that violate intended isolation between OT levels.
Workflow
- Open the Purdue Swim Lane View for a visual topology with device-type icons and horizontal bands per level
- Review Asset Inventory to verify the automatic Purdue level assignments - WireTrace assigns a level to every device type; confirm that PLCs sit at Level 1, HMIs at Level 2, and engineering stations at Level 3
- Check Security Insights for cross-zone communication findings - Level 1 devices communicating directly with Level 3 systems
- Investigate unexpected communication peers: engineering station IPs appearing in PLC communication logs
- Review protocol-level detail: are these legitimate operational commands or unauthorized access attempts?
- Document findings for IEC 62443 zone/conduit mapping requirements
Outcome: Evidence-based segmentation assessment showing actual cross-zone communications from observed traffic - not theoretical firewall rule reviews.
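The assessment above reduces to one rule applied to every observed flow: look up the Purdue level of both endpoints and flag any pair that is not in the same or an adjacent zone. The block below is an added example of that rule, not WireTrace's implementation; the zone ordering (with a DMZ between Level 3 and Level 4), the asset inventory and the flow records are all constructed for illustration.

```python
# Assumed zone order for this example. A flow is permitted only between the same
# or adjacent zones, so L3 -> L1 must pass through L2 and L3 <-> L4 must traverse the DMZ.
ZONE_ORDER = ["L0", "L1", "L2", "L3", "DMZ", "L4"]
ZONE_INDEX = {zone: i for i, zone in enumerate(ZONE_ORDER)}

# Constructed asset inventory: ip -> (asset name, assigned Purdue zone)
ASSETS = {
    "10.10.1.20": ("PLC-PUMP-01", "L1"),
    "10.10.2.5": ("HMI-LINE-A", "L2"),
    "10.10.3.7": ("ENG-WS-03", "L3"),
    "10.10.3.50": ("HISTORIAN-OT", "L3"),
    "10.10.35.9": ("HISTORIAN-DMZ", "DMZ"),
    "10.50.0.14": ("CORP-WS-112", "L4"),
}

# Constructed flow records: (source ip, destination ip, protocol, protocol-level detail)
FLOWS = [
    ("10.10.2.5", "10.10.1.20", "modbus", "fc=3 read holding registers"),
    ("10.10.3.7", "10.10.1.20", "modbus", "fc=16 write multiple registers"),
    ("10.10.3.50", "10.10.35.9", "tcp/5432", "historian replication"),
    ("10.10.35.9", "10.50.0.14", "https", "dashboard"),
    ("10.50.0.14", "10.10.3.7", "rdp", "interactive session"),
    ("10.50.0.14", "10.10.9.99", "ssh", "unknown target"),
]


def assess_flow(src, dst, assets):
    """Return None if the flow is permitted, otherwise a short reason string."""
    s, d = assets.get(src), assets.get(dst)
    if s is None or d is None:
        # An endpoint with no zone cannot be judged; surface it rather than assume it is fine.
        return "unclassified endpoint"
    gap = abs(ZONE_INDEX[s[1]] - ZONE_INDEX[d[1]])
    if gap > 1:
        return f"{s[1]} -> {d[1]} skips {gap - 1} zone(s)"
    return None


def assess(flows, assets):
    """List every flow that violates the adjacency rule, with protocol detail for triage."""
    violations = []
    for src, dst, proto, detail in flows:
        reason = assess_flow(src, dst, assets)
        if reason is not None:
            violations.append({
                "src": f"{src} ({assets.get(src, ('?',))[0]})",
                "dst": f"{dst} ({assets.get(dst, ('?',))[0]})",
                "proto": proto, "detail": detail, "reason": reason,
            })
    return violations


if __name__ == "__main__":
    for v in assess(FLOWS, ASSETS):
        print(f"{v['src']} -> {v['dst']} [{v['proto']}: {v['detail']}] {v['reason']}")
```

Carrying the protocol detail through into each violation is what makes the next workflow step possible: a Modbus function code 16 write from an engineering station straight into a PLC is a different conversation from a function code 3 read, even though both break the same zone rule.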
Enterprise IT
Shadow IT and Unmanaged Device Sweep
Identify every device communicating on the network that does not appear in the corporate CMDB or asset register. Use WireTrace to find shadow IT, rogue endpoints, and forgotten infrastructure.
Workflow
- Navigate to Asset Inventory - sort by discovery date to find recently appeared devices
- Filter by device types commonly associated with shadow IT: consumer IoT, smart TVs, personal devices, unauthorized servers
- Review network announcement data (DHCP, mDNS, SSDP and similar broadcasts) to identify each device's make and model
- Check link-layer discovery protocol data (LLDP/CDP) to determine the physical switch port location of each unknown device
- Cross-reference with CMDB: any device in WireTrace but not in the CMDB is an unmanaged asset
Outcome: A complete list of unmanaged and shadow devices with vendor, type, physical location, and communication behavior - for remediation or CMDB reconciliation.
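The cross-reference step above fails silently when the CMDB stores MAC addresses in one notation and the traffic-derived inventory in another, so the comparison has to normalise both sides first. The block below is an added example of that reconciliation, not WireTrace code: the observed-asset records, the CMDB export and the small OUI table are constructed for illustration (a real sweep would use the IEEE OUI registry).

```python
import re

# Constructed OUI table with a few illustrative prefixes; real lookups use the IEEE registry.
OUI = {"00:50:56": "VMware", "b8:27:eb": "Raspberry Pi Foundation", "a4:5e:60": "Apple"}

# Constructed traffic-derived inventory, deliberately mixing MAC notations.
OBSERVED = [
    {"mac": "00:50:56:a1:b2:c3", "ip": "10.20.1.15", "first_seen": "2024-03-02",
     "switch": "sw-core-1", "port": "Gi1/0/12"},
    {"mac": "B8-27-EB-11-22-33", "ip": "10.20.4.77", "first_seen": "2024-05-09",
     "switch": "sw-acc-7", "port": "Gi1/0/3"},
    {"mac": "a45e.6044.5566", "ip": "10.20.4.80", "first_seen": "2024-05-11",
     "switch": "sw-acc-7", "port": "Gi1/0/9"},
]

# Constructed CMDB export, again in notations that differ from the inventory.
CMDB_MACS = ["005056A1B2C3", "a4:5e:60:44:55:66"]


def norm_mac(mac):
    """Canonical lower-case colon form for aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or AABBCCDDEEFF."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(observed, cmdb_macs):
    """Return observed devices absent from the CMDB, newest first, with vendor and port."""
    known = {norm_mac(m) for m in cmdb_macs}
    unmanaged = []
    for asset in observed:
        mac = norm_mac(asset["mac"])
        if mac in known:
            continue
        unmanaged.append({
            **asset,
            "mac": mac,
            "vendor": OUI.get(mac[:8], "unknown"),       # first three octets are the OUI
            "location": f"{asset['switch']} {asset['port']}",
        })
    return sorted(unmanaged, key=lambda a: a["first_seen"], reverse=True)


if __name__ == "__main__":
    for a in reconcile(OBSERVED, CMDB_MACS):
        print(a["first_seen"], a["mac"], a["vendor"], a["ip"], a["location"])
```

Without normalisation the VMware host and the Apple device would both be reported as unmanaged because their CMDB entries use different separators; after normalisation only the Raspberry Pi on sw-acc-7 port Gi1/0/3 remains, which is the list worth handing to the network team.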
Built for Security Operations, Not Just Auditors
Every WireTrace capability is designed for daily operational use - not just compliance checkboxes. [email protected]