CloudShark

Overview

Designed for networking and security teams, CS Enterprise is a collaboration platform focused on network packet capture (PCAP) analysis. CS Enterprise delivers secure storage, organization, access control, and powerful analysis tools in an elegant, responsive browser-based interface.

Use Cases

  • Upload a network capture for analysis in your browser
  • Collaborate on network pcap analysis by easily sharing captures with others via a URL
  • Collect meta-information about a capture file
  • Manage and organize capture files in CS Enterprise

To set up CS Enterprise to work with Demisto

You will need the following before setting up the CS Enterprise integration on Demisto:
  • CS Enterprise URL: The URL of your CS Enterprise instance
  • API Token: An API token from CloudShark with upload, info, download, and delete permissions enabled on it

Configure the CS Enterprise Integration on Demisto

  1. Go to Settings > Integrations > Servers & Services
  2. Search for CloudShark
  3. Click Add instance to create and configure a new integration instance
    • Name: a textual name for the integration instance
    • CS Enterprise URL: The URL of your CS Enterprise Instance
    • API Token: Your API token
  4. Click Test to validate the URL

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. cloudshark-upload: Upload a capture file into CS Enterprise
  2. cloudshark-info: Retrieve meta-information about a capture file from CS Enterprise
  3. cloudshark-download: Download a capture file from CS Enterprise
  4. cloudshark-delete: Delete a capture file from CS Enterprise

1. cloudshark-upload

Upload a capture file into CS Enterprise

Base Command

cloudshark-upload

Input
Argument Name   | Description                                                  | Required
file            | EntryID of the capture to upload                             | Required
additional_tags | A comma-separated list of tags to apply to the capture file  | Optional
filename        | The filename of the capture in CS Enterprise                 | Optional

Context Output
Path                 | Type   | Description
URL.Data             | string | URL of the capture file in CS Enterprise
CloudShark.CaptureID | string | Capture ID of the capture in CS Enterprise

Command Example

!cloudshark-upload file=494@1e6024f1-485b-4d1a-8ee3-b6bf51e8ca1a filename=demisto.pcapng additional_tags=demisto,cloudshark,test

Context Example
{
    "CloudShark": {
        "CaptureID": "5277a3a64076"
    },
    "URL": {
        "Data": "CLOUDSHARK_URL/captures/5277a3a64076"
    }
}
Human Readable Output

[Open Capture in CloudShark]($CLOUDSHARK_URL/captures/5277a3a64076)

2. cloudshark-info

Retrieve meta-information about a capture file from CS Enterprise

Base Command

cloudshark-info

Input
Argument Name | Description                                | Required
capture_id    | Capture ID of the capture in CS Enterprise | Required

Context Output
Path                   | Type    | Description
CloudShark.CaptureInfo | unknown | Meta-information of capture file

Command Example

!cloudshark-info capture_id=ccaa62cbbb06

Context Example
{
    "CloudShark": {
        "CaptureInfo": {
            "avg_packet_rate": "3.24",
            "avg_packet_size": "70.19",
            "cap_file_id": 165174,
            "comments": "",
            "created_at": "2019-11-06T21:18:30+00:00",
            "data_bit_rate": "1817.36",
            "data_byte_rate": "227.17",
            "data_size": 4071908,
            "disable_autodelete": false,
            "duration": "17924.501967",
            "encapsulation": "Ethernet",
            "end_time": "2019-07-26T23:20:44+00:00",
            "file": "/var/www/cloudshark/current/uploads/2019/11/05/16/13172ab4-61a7-4439-aa27-292306c062c0.cap",
            "file_source": "upload",
            "file_type": "Wireshark/tcpdump/... - pcap",
            "filename": "capture.pcapng",
            "group": "",
            "group_write?": false,
            "id": "ccaa62cbbb06",
            "last_accessed": "2019-11-07T15:42:07+00:00",
            "num_packets": 58009,
            "public?": false,
            "sha1_hash": "e871eee9d85a9898d1f7aec37f22f291fb1d1971",
            "size": 5000076,
            "start_time": "2019-07-26T18:22:00+00:00",
            "tag_list": "",
            "truncated": "No"
        }
    }
}
Human Readable Output

Capture file info

avg_packet_rate: 3.24
avg_packet_size: 70.19
cap_file_id: 165174
comments:
created_at: 2019-11-06T21:18:30+00:00
data_bit_rate: 1817.36
data_byte_rate: 227.17
data_size: 4071908
disable_autodelete: false
duration: 17924.501967
encapsulation: Ethernet
end_time: 2019-07-26T23:20:44+00:00
file: /var/www/cloudshark/current/uploads/2019/11/05/16/13172ab4-61a7-4439-aa27-292306c062c0.cap
file_source: upload
file_type: Wireshark/tcpdump/... - pcap
filename: capture.pcapng
group:
group_write?: false
id: ccaa62cbbb06
last_accessed: 2019-11-07T15:42:07+00:00
num_packets: 58009
public?: false
sha1_hash: e871eee9d85a9898d1f7aec37f22f291fb1d1971
size: 5000076
start_time: 2019-07-26T18:22:00+00:00
tag_list:
truncated: No
user:

3. cloudshark-download

Download a capture file from CS Enterprise

Base Command

cloudshark-download

Input
Argument Name | Description                                | Required
capture_id    | Capture ID of the capture in CS Enterprise | Optional

Context Output
Path | Type    | Description
File | unknown | File downloaded from CloudShark

Command Example

!cloudshark-download capture_id=ccaa62cbbb06

Human Readable Output

4. cloudshark-delete

Delete a capture file from CS Enterprise

Base Command

cloudshark-delete

Input
Argument Name | Description                                | Required
capture_id    | Capture ID of the capture in CS Enterprise | Optional

Context Output
Path              | Type    | Description
CloudShark.Result | unknown | Result of delete command

Command Example

!cloudshark-delete capture_id=ccaa62cbbb06

Context Example
{
    "CloudShark": {
        "Result": {
            "id": "5277a3a64076",
            "message": "Capture deleted successfully.",
            "status": 200
        }
    }
}
Human Readable Output

Result

Response
id: ccaa62cbbb06
status: 200
message: Capture deleted successfully.
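The following is an added example, not code from the CloudShark integration or this README. It shows how a Demisto automation would chain the four commands above and check what comes back: it reads CloudShark.CaptureID, CloudShark.CaptureInfo and CloudShark.Result from the entry context exactly as documented, cross-checks the derived fields in CaptureInfo (avg_packet_size, avg_packet_rate, data_byte_rate, data_bit_rate) against the raw ones, and compares a downloaded file's SHA-1 and size with the sha1_hash and size that cloudshark-info reported, so an analyst works only on a capture that matches what CS Enterprise holds. Assumptions: demisto.executeCommand returns the standard list of entries shaped {'Type', 'Contents', 'EntryContext'}, and the executor is injected so the flow can run offline against the replay stub at the bottom, which replays the context examples from this page; the pcap bytes used for the download check are constructed, not a real capture.

```python
import hashlib
from typing import Any, Callable, Dict, List, Sequence

Entry = Dict[str, Any]
Executor = Callable[[str, Dict[str, Any]], List[Entry]]   # demisto.executeCommand in a real automation
ERROR_ENTRY = 4   # entryTypes['error'] in CommonServerPython


def _first_entry(entries: List[Entry], command: str) -> Entry:
    """Return the first entry a command produced, raising if it is an error entry."""
    if not entries:
        raise RuntimeError(f"{command}: no entries returned")
    if entries[0].get("Type") == ERROR_ENTRY:
        raise RuntimeError(f"{command}: {entries[0].get('Contents')}")
    return entries[0]


def upload_capture(execute: Executor, entry_id: str, filename: str = None,
                   tags: Sequence[str] = ()) -> str:
    """Run cloudshark-upload and return CloudShark.CaptureID from the context."""
    args: Dict[str, Any] = {"file": entry_id}
    if filename:
        args["filename"] = filename
    if tags:
        args["additional_tags"] = ",".join(tags)   # README: comma-separated list
    entry = _first_entry(execute("cloudshark-upload", args), "cloudshark-upload")
    return entry["EntryContext"]["CloudShark"]["CaptureID"]


def capture_info(execute: Executor, capture_id: str) -> Dict[str, Any]:
    """Run cloudshark-info and return CloudShark.CaptureInfo."""
    entry = _first_entry(execute("cloudshark-info", {"capture_id": capture_id}), "cloudshark-info")
    return entry["EntryContext"]["CloudShark"]["CaptureInfo"]


def delete_capture(execute: Executor, capture_id: str) -> int:
    """Run cloudshark-delete and return the status from CloudShark.Result."""
    entry = _first_entry(execute("cloudshark-delete", {"capture_id": capture_id}), "cloudshark-delete")
    return int(entry["EntryContext"]["CloudShark"]["Result"]["status"])


def _close(reported: str, computed: float, rel: float = 0.01) -> bool:
    # CS Enterprise reports the derived rates rounded to two decimals, hence the tolerance
    return abs(float(reported) - computed) <= rel * abs(computed)


def check_info_consistency(info: Dict[str, Any]) -> List[str]:
    """Cross-check derived CaptureInfo fields against the raw counts; [] means consistent."""
    findings: List[str] = []
    packets, data, duration = info["num_packets"], info["data_size"], float(info["duration"])
    if info.get("truncated") != "No":
        findings.append("capture is truncated")
    if packets and not _close(info["avg_packet_size"], data / packets):
        findings.append("avg_packet_size disagrees with data_size/num_packets")
    if duration > 0:
        if not _close(info["avg_packet_rate"], packets / duration):
            findings.append("avg_packet_rate disagrees with num_packets/duration")
        if not _close(info["data_byte_rate"], data / duration):
            findings.append("data_byte_rate disagrees with data_size/duration")
        if not _close(info["data_bit_rate"], 8 * data / duration):
            findings.append("data_bit_rate disagrees with 8*data_size/duration")
    return findings


def verify_download(info: Dict[str, Any], file_bytes: bytes) -> List[str]:
    """Compare bytes from cloudshark-download with the sha1_hash/size from cloudshark-info."""
    findings: List[str] = []
    if len(file_bytes) != info["size"]:
        findings.append(f"size mismatch: got {len(file_bytes)}, expected {info['size']}")
    digest = hashlib.sha1(file_bytes).hexdigest()
    if digest != info["sha1_hash"]:
        findings.append(f"sha1 mismatch: got {digest}, expected {info['sha1_hash']}")
    return findings


# Replay data: the numeric CaptureInfo fields from this README's cloudshark-info example.
README_INFO: Dict[str, Any] = {
    "avg_packet_rate": "3.24", "avg_packet_size": "70.19", "data_bit_rate": "1817.36",
    "data_byte_rate": "227.17", "data_size": 4071908, "duration": "17924.501967",
    "filename": "capture.pcapng", "id": "ccaa62cbbb06", "num_packets": 58009,
    "sha1_hash": "e871eee9d85a9898d1f7aec37f22f291fb1d1971", "size": 5000076, "truncated": "No",
}

# Constructed stand-in for a downloaded file: pcap magic plus a zeroed header, not a real capture.
CONSTRUCTED_PCAP = bytes.fromhex("d4c3b2a1") + bytes(20)


def constructed_info() -> Dict[str, Any]:
    """CaptureInfo subset describing CONSTRUCTED_PCAP, as cloudshark-info would report it."""
    return {"sha1_hash": hashlib.sha1(CONSTRUCTED_PCAP).hexdigest(), "size": len(CONSTRUCTED_PCAP)}


def replay_executor(command: str, args: Dict[str, Any]) -> List[Entry]:
    """Offline stand-in for demisto.executeCommand that replays the README's context examples."""
    contexts = {
        "cloudshark-upload": {"CloudShark": {"CaptureID": "5277a3a64076"},
                              "URL": {"Data": "CLOUDSHARK_URL/captures/5277a3a64076"}},
        "cloudshark-info": {"CloudShark": {"CaptureInfo": README_INFO}},
        "cloudshark-delete": {"CloudShark": {"Result": {"id": args.get("capture_id"),
                                                        "message": "Capture deleted successfully.",
                                                        "status": 200}}},
    }
    if command not in contexts:
        return [{"Type": ERROR_ENTRY, "Contents": f"unknown command {command}"}]
    return [{"Type": 1, "Contents": contexts[command], "EntryContext": contexts[command]}]


if __name__ == "__main__":
    cid = upload_capture(replay_executor, "494@1e6024f1-485b-4d1a-8ee3-b6bf51e8ca1a",
                         filename="demisto.pcapng", tags=["demisto", "cloudshark", "test"])
    print(cid, check_info_consistency(capture_info(replay_executor, cid)),
          verify_download(constructed_info(), CONSTRUCTED_PCAP), delete_capture(replay_executor, cid))
```

Inside Demisto, pass demisto.executeCommand as the executor; the file produced by cloudshark-download is reached through its own entry rather than the command's context, so verify_download is fed the bytes once the automation has read that file. With the page's own numbers, check_info_consistency returns no findings: 4071908 / 58009 is about 70.19 and 58009 / 17924.5 is about 3.24, as reported.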