Moloch

Overview


Use the Moloch integration to store and index network traffic in standard PCAP format.

This integration was integrated and tested with Moloch v1.5.1.

Configure Moloch on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Moloch.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://192.168.0.1)
    • Username
    • Trust any certificate (not secure)
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Retrieve connections data in JSON: moloch_connections_json
  2. Retrieve connections data in CSV: moloch_connections_csv
  3. Return a list of files: moloch_files_json
  4. Retrieve session data in JSON: moloch_sessions_json
  5. Retrieve session data in CSV: moloch_sessions_csv
  6. Retrieve session data in PCAP: moloch_sessions_pcap
  7. Retrieve Spigraph data in JSON: moloch_spigraph_json
  8. Retrieve Spiview data in JSON: moloch_spiview_json
  9. Retrieve unique data for a field in JSON: moloch_unique_json

1. Retrieve connections data in JSON


Retrieve the connections data in JSON format.

Base Command

moloch_connections_json

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 returns all data). | Optional |
| dstField | The destination database field name (Default: a2). | Optional |
| expression | The expression string. | Optional |
| iDisplayLength | The number of items to return (Default: 5000, Max: 2000000). | Optional |
| iDisplayStart | The entry to start from (Default: 0). | Optional |
| length | The number of items to return (Default: 5000, Max: 2000000). | Optional |
| srcField | The source database field name (Default: a1). | Optional |
| start | The entry to start from (Default: 0). | Optional |
| startTime | If the date argument is not set, the start of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json startTime="2014/02/26 10:27:57" | Optional |
| stopTime | If the date argument is not set, the end of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json stopTime="2014/02/26 11:27:57" | Optional |
| strictly | When set, only sessions that lie entirely within the date range are returned; otherwise any session that overlaps the range is included. | Optional |
| view | The view name to apply before the expression. | Optional |
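The date, startTime, stopTime, strictly and length arguments above follow the same rules for every command on this page. The helper below, an added example that is not part of the integration's own code, normalises those arguments the way the table describes (date overrides the time range, an integer is epoch seconds, anything else is a date string) and rejects an inverted range or an out-of-bounds length before the request is sent. It assumes the string-date formats listed in `_DATE_FORMATS`, that the value sent for strictly is `"true"`, and that the request is built as a plain query-string dictionary; Moloch itself uses the JavaScript Date parser, which accepts more formats than this.

```python
import re
from datetime import datetime, timezone

# Date-string formats this helper accepts (assumption; Moloch's JavaScript
# Date parser accepts more). Strings are treated as UTC.
_DATE_FORMATS = ("%Y/%m/%d %H:%M:%S", "%Y-%m-%d %H:%M:%S", "%Y/%m/%d", "%Y-%m-%d")


def to_epoch_seconds(value) -> int:
    """Normalise a startTime/stopTime argument to integer seconds since the Unix epoch.

    Integers, and digit strings such as "1520542248" as Demisto passes them,
    go through unchanged; other strings are parsed with _DATE_FORMATS.
    """
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if re.fullmatch(r"\d+", text):
        return int(text)
    for fmt in _DATE_FORMATS:
        try:
            parsed = datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        return int(parsed.timestamp())
    raise ValueError("unrecognised time value: %r" % (value,))


def build_query(date=None, startTime=None, stopTime=None, expression=None,
                view=None, strictly=False, length=None, start=None,
                max_length=2000000, **extra) -> dict:
    """Assemble query parameters from the command arguments in the table above.

    `date` takes precedence over startTime/stopTime, as the table states.
    `max_length` is the per-command maximum (2000000 for sessions and
    connections, 10000 for files). Remaining keyword arguments (ids, facets,
    field, spi, ...) are passed through untouched.
    """
    params = {}
    if date is not None:
        params["date"] = int(date)          # "-1" from the CLI becomes -1: all data
    else:
        if startTime is not None:
            params["startTime"] = to_epoch_seconds(startTime)
        if stopTime is not None:
            params["stopTime"] = to_epoch_seconds(stopTime)
        if ("startTime" in params and "stopTime" in params
                and params["startTime"] > params["stopTime"]):
            raise ValueError("startTime is later than stopTime")
    if expression:
        params["expression"] = expression
    if view:
        params["view"] = view
    if strictly:
        params["strictly"] = "true"         # assumed wire value for the flag
    if length is not None:
        if not 0 < int(length) <= max_length:
            raise ValueError("length must be between 1 and %d" % max_length)
        params["length"] = int(length)
    if start is not None:
        params["start"] = int(start)
    params.update({k: v for k, v in extra.items() if v is not None})
    return params


if __name__ == "__main__":
    # Mirrors the command examples on this page.
    print(build_query(startTime="2014/02/26 10:27:57"))
    print(build_query(date="-1", field="https.status"))
    print(build_query(startTime="1520542248", stopTime="1533329500", strictly=True))
```

Validating the range locally matters because an inverted or malformed range does not fail loudly on the server side: it simply returns nothing, which in a playbook is indistinguishable from "no traffic matched".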
Context Output

There is no context output for this command.

Command Example

!moloch_connections_json startTime="2014/02/26 10:27:57"

Human Readable Output
{
    "health": {
        "_timeStamp": 1534839251551,
        "active_primary_shards": 380,
        "active_shards": 380,
        "active_shards_percent_as_number": 100,
        "cluster_name": "Moloch",
        "delayed_unassigned_shards": 0,
        "initializing_shards": 0,
        "molochDbVersion": 51,
        "number_of_data_nodes": 1,
        "number_of_in_flight_fetch": 0,
        "number_of_nodes": 1,
        "number_of_pending_tasks": 0,
        "relocating_shards": 0,
        "status": "green",
        "task_max_waiting_in_queue_millis": 0,
        "timed_out": false,
        "unassigned_shards": 0,
        "version": "5.6.4"
    },
    "links": [
        {
            "by": 136284,
            "db": 121356,
            "node": {
                "demo": 1
            },
            "pa": 1866,
            "source": 0,
            "target": 1,
            "value": 4
        },
        {
            "by": 8999,
            "db": 8231,
            "node": {
                "demo": 1,
                "ip-10-97-23-168": 1
            },
            "pa": 96,
            "source": 2,
            "target": 3,
            "value": 4
        }
    ],
    "nodes": [
        {
            "by": 136284,
            "cnt": 1,
            "db": 121356,
            "id": "1.1.1.1",
            "pa": 1866,
            "pos": 0,
            "sessions": 4,
            "type": 1
        },
        {
            "by": 136284,
            "cnt": 1,
            "db": 121356,
            "id": "2.2.2.2",
            "pa": 1866,
            "pos": 1,
            "sessions": 4,
            "type": 2
        }
    ],
    "recordsFiltered": 145724
}
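The response above is a graph: each entry in links refers to its endpoints by index into nodes, and the health block is the Elasticsearch cluster state at query time. The example below, added here and not part of the integration's own code, turns that structure into a table of talkers sorted by bytes, keeps links whose endpoints are missing from the excerpt instead of dropping them, and adds the two checks a practitioner would want before trusting the numbers: that the cluster was green and that recordsFiltered did not exceed the requested page size. The sample input is constructed from the output shown above, and the meaning of `recordsFiltered` relative to `length` is an assumption.

```python
import json

# Constructed input: the connections.json response shown above, trimmed to its
# health summary, two links and two nodes. The second link refers to node
# indices 2 and 3, which the page's excerpt does not include.
SAMPLE_RESPONSE = json.loads("""
{
  "health": {"status": "green", "unassigned_shards": 0, "timed_out": false},
  "links": [
    {"by": 136284, "db": 121356, "pa": 1866, "source": 0, "target": 1, "value": 4},
    {"by": 8999,   "db": 8231,   "pa": 96,   "source": 2, "target": 3, "value": 4}
  ],
  "nodes": [
    {"id": "1.1.1.1", "pos": 0, "sessions": 4, "by": 136284, "pa": 1866, "type": 1},
    {"id": "2.2.2.2", "pos": 1, "sessions": 4, "by": 136284, "pa": 1866, "type": 2}
  ],
  "recordsFiltered": 145724
}
""")


def cluster_healthy(resp) -> bool:
    """True when the embedded health block reports a green cluster with no
    unassigned shards and no timeout. Anything else means the index set was
    incomplete when the query ran, so counts may be low."""
    h = resp.get("health", {})
    return (h.get("status") == "green"
            and h.get("unassigned_shards", 0) == 0
            and not h.get("timed_out", False))


def page_is_complete(resp, requested_length) -> bool:
    """False when more records matched than one page holds (assumption: then the
    graph was built from the first `length` sessions only, so the caller should
    raise length or paginate with start)."""
    return resp.get("recordsFiltered", 0) <= requested_length


def summarise_links(resp) -> list:
    """Resolve each link's source/target index against the nodes array and
    return rows sorted by bytes, largest first. Endpoints that cannot be
    resolved are labelled rather than dropped, so truncated data is visible."""
    nodes = resp.get("nodes", [])

    def name(idx):
        if isinstance(idx, int) and 0 <= idx < len(nodes):
            return nodes[idx]["id"]
        return "<unknown node %r>" % (idx,)

    rows = []
    for link in resp.get("links", []):
        rows.append({
            "src": name(link.get("source")),
            "dst": name(link.get("target")),
            "sessions": link.get("value", 0),   # "value" is the session count
            "bytes": link.get("by", 0),         # "by" is bytes, "db" is data bytes
            "packets": link.get("pa", 0),
        })
    rows.sort(key=lambda r: r["bytes"], reverse=True)
    return rows


if __name__ == "__main__":
    print("cluster healthy:", cluster_healthy(SAMPLE_RESPONSE))
    print("complete page:", page_is_complete(SAMPLE_RESPONSE, 5000))
    for row in summarise_links(SAMPLE_RESPONSE):
        print("%-22s -> %-22s %6d sessions %10d bytes %7d packets"
              % (row["src"], row["dst"], row["sessions"], row["bytes"], row["packets"]))
```

With the default length of 5000 and 145724 filtered records, the sample page is not complete, which is exactly the situation in which a "top talker" read off the graph can be wrong.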

2. Retrieve connections data in CSV


Retrieve the connections data in CSV format.

Base Command

moloch_connections_csv

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 returns all data). | Optional |
| dstField | The destination database field name (Default: a2). | Optional |
| expression | The expression string. | Optional |
| iDisplayLength | The number of items to return (Default: 5000, Max: 2000000). | Optional |
| iDisplayStart | The entry to start from (Default: 0). | Optional |
| length | The number of items to return (Default: 5000, Max: 2000000). | Optional |
| srcField | The source database field name (Default: a1). | Optional |
| start | The entry to start from (Default: 0). | Optional |
| startTime | If the date argument is not set, the start of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json startTime="2014/02/26 10:27:57" | Optional |
| stopTime | If the date argument is not set, the end of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json stopTime="2014/02/26 11:27:57" | Optional |
| strictly | When set, only sessions that lie entirely within the date range are returned; otherwise any session that overlaps the range is included. | Optional |
| view | The view name to apply before the expression. | Optional |
Context Output

There is no context output for this command.

Command Example

!moloch_connections_csv date="-1"

Human Readable Output


3. Return a list of files


Return a list of files in the Moloch database.

Base Command

moloch_files_json

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| iDisplayLength | The number of items to return (Default: 500, Max: 10000). | Optional |
| iDisplayStart | The entry to start from (Default: 0). | Optional |
| length | The number of items to return (Default: 500, Max: 10000). | Optional |
| start | The entry to start from (Default: 0). | Optional |
Context Output

There is no context output for this command.

Command Example

!moloch_files_json length="10"

Human Readable Output
{
    "data": [
        {
            "filesize": 15819,
            "first": 1273057060,
            "id": "demo-1",
            "locked": 1,
            "name": "/moloch/1filtered.cap",
            "node": "demo",
            "num": 1
        },
        {
            "filesize": 2514,
            "first": 1249662076,
            "id": "demo-2",
            "locked": 1,
            "name": "/moloch/20090807_portal_prod_io0_01.cap",
            "node": "demo",
            "num": 2
        }
    ],
    "recordsFiltered": 434,
    "recordsTotal": 434
}

4. Retrieve session data in JSON


Retrieve the session data in JSON format.

Base Command

moloch_sessions_json

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 returns all data). | Optional |
| expression | The expression string. | Optional |
| facets | Also include the aggregation information for maps and time graphs. | Optional |
| iDisplayLength | The number of items to return (Default: 100, Max: 2000000). | Optional |
| iDisplayStart | The entry to start from (Default: 0). | Optional |
| length | The number of items to return (Default: 100, Max: 2000000). | Optional |
| start | The entry to start from (Default: 0). | Optional |
| startTime | If the date argument is not set, the start of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json startTime="2014/02/26 10:27:57" | Optional |
| stopTime | If the date argument is not set, the end of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json stopTime="2014/02/26 11:27:57" | Optional |
| strictly | When set, only sessions that lie entirely within the date range are returned; otherwise any session that overlaps the range is included. | Optional |
| view | The view name to apply before the expression. | Optional |
Context Output

There is no context output for this command.

Command Example

!moloch_sessions_json stopTime="2014/02/26 11:27:57"

Human Readable Output


5. Retrieve session data in CSV


Retrieve the session data in CSV format.

Base Command

moloch_sessions_csv

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 returns all data). | Optional |
| expression | The expression string. | Optional |
| facets | Also include the aggregation information for maps and time graphs. | Optional |
| iDisplayLength | The number of items to return (Default: 100, Max: 2000000). | Optional |
| iDisplayStart | The entry to start from (Default: 0). | Optional |
| length | The number of items to return (Default: 100, Max: 2000000). | Optional |
| start | The entry to start from (Default: 0). | Optional |
| startTime | If the date argument is not set, the start of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json startTime="2014/02/26 10:27:57" | Optional |
| stopTime | If the date argument is not set, the end of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json stopTime="2014/02/26 11:27:57" | Optional |
| strictly | When set, only sessions that lie entirely within the date range are returned; otherwise any session that overlaps the range is included. | Optional |
| view | The view name to apply before the expression. | Optional |
Context Output

There is no context output for this command.

Command Example

!moloch_sessions_csv

Human Readable Output


6. Retrieve raw session data in PCAP


Retrieve the raw session data in PCAP format.

Base Command

moloch_sessions_pcap

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 returns all data). | Optional |
| expression | The expression string; used only if ids is not set. | Optional |
| ids | The list of session ids to return. | Optional |
| iDisplayLength | The number of items to return (Default: 100, Max: 2000000). | Optional |
| iDisplayStart | The entry to start from (Default: 0). | Optional |
| length | The number of items to return (Default: 100, Max: 2000000). | Optional |
| segments | When set, also return linked segments. | Optional |
| start | The entry to start from (Default: 0). | Optional |
| startTime | If the date argument is not set, the start of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json startTime="2014/02/26 10:27:57" | Optional |
| stopTime | If the date argument is not set, the end of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json stopTime="2014/02/26 11:27:57" | Optional |
| strictly | When set, only sessions that lie entirely within the date range are returned; otherwise any session that overlaps the range is included. | Optional |
| view | The view name to apply before the expression. | Optional |
Context Output

There is no context output for this command.

Command Example

!moloch_sessions_pcap startTime="1520542248" stopTime="1533329500"

Human Readable Output

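Before a PCAP returned by this command is attached to an incident or handed to a parser, it is worth confirming that the bytes really are a capture and that it was not cut off mid-record (a viewer error page or a truncated download both arrive as a file with a .pcap name). The example below, added here and not part of the integration's own code, reads the libpcap global header, recognises the four classic magic values and the pcapng block type, walks the packet records and reports link type, packet count and whether the file ended cleanly. The sample capture is constructed in the block itself; nothing here is taken from a real Moloch download.

```python
import struct

# libpcap magic numbers as they appear on disk, mapped to the struct byte-order
# prefix and the unit of the timestamp fraction field.
_PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}
_PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"   # Section Header Block type of pcapng
_GLOBAL_HEADER_LEN = 24
_RECORD_HEADER_LEN = 16


def inspect_pcap(data: bytes) -> dict:
    """Validate a downloaded capture and describe it.

    Raises ValueError when the data is not a capture at all; returns
    complete=False when the last record is cut short or claims more bytes
    than the snaplen allows (both signs of a damaged or interrupted download).
    """
    if data[:4] == _PCAPNG_MAGIC:
        # pcapng has a block structure of its own; only identify it here.
        return {"format": "pcapng", "linktype": None, "packets": None, "complete": None}
    try:
        order, ts_unit = _PCAP_MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a PCAP file: starts with %r" % (data[:16],)) from None
    if len(data) < _GLOBAL_HEADER_LEN:
        raise ValueError("PCAP global header truncated")
    (_magic, vmaj, vmin, _tz, _sigfigs, snaplen,
     linktype) = struct.unpack(order + "IHHiIII", data[:_GLOBAL_HEADER_LEN])

    offset, packets, complete = _GLOBAL_HEADER_LEN, 0, True
    while offset < len(data):
        if len(data) - offset < _RECORD_HEADER_LEN:
            complete = False
            break
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + _RECORD_HEADER_LEN])
        if incl_len > snaplen or len(data) - offset - _RECORD_HEADER_LEN < incl_len:
            complete = False
            break
        offset += _RECORD_HEADER_LEN + incl_len
        packets += 1
    return {"format": "pcap", "version": "%d.%d" % (vmaj, vmin), "timestamps": ts_unit,
            "linktype": linktype, "snaplen": snaplen, "packets": packets, "complete": complete}


def _constructed_sample() -> bytes:
    """Constructed little-endian capture: Ethernet link type, two zero-filled frames."""
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    frames = [b"\x00" * 60, b"\xff" * 42]
    records = b"".join(
        struct.pack("<IIII", 1520542248 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + records


SAMPLE_PCAP = _constructed_sample()

if __name__ == "__main__":
    print(inspect_pcap(SAMPLE_PCAP))
    print(inspect_pcap(SAMPLE_PCAP[:-10]))   # simulated interrupted download
```

A file that comes back with complete=False should be re-requested rather than analysed, and one that raises is almost always the viewer's HTML error or login page saved under a .pcap name.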

7. Retrieve Spigraph data in JSON


Retrieve the Spigraph data in JSON format.

Base Command

moloch_spigraph_json

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 returns all data). | Optional |
| expression | The expression string. | Optional |
| field | The database field name to build the Spigraph on. | Optional |
| size | The number of unique values to return. | Optional |
| startTime | If the date argument is not set, the start of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json startTime="2014/02/26 10:27:57" | Optional |
| stopTime | If the date argument is not set, the end of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json stopTime="2014/02/26 11:27:57" | Optional |
| strictly | When set, only sessions that lie entirely within the date range are returned; otherwise any session that overlaps the range is included. | Optional |
| view | The view name to apply before the expression. | Optional |
Context Output

There is no context output for this command.

Command Example

!moloch_spigraph_json startTime=1520542248 stopTime=1533329500

Human Readable Output


8. Retrieve Spiview data in JSON


Retrieve the Spiview data in JSON format.

Base Command

moloch_spiview_json

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 returns all data). | Optional |
| expression | The expression string. | Optional |
| spi | A comma-separated list of fields to return data for. | Optional |
| startTime | If the date argument is not set, the start of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json startTime="2014/02/26 10:27:57" | Optional |
| stopTime | If the date argument is not set, the end of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json stopTime="2014/02/26 11:27:57" | Optional |
| strictly | When set, only sessions that lie entirely within the date range are returned; otherwise any session that overlaps the range is included. | Optional |
| view | The view name to apply before the expression. | Optional |
Context Output

There is no context output for this command.

Command Example

!moloch_spiview_json startTime=1520542248 stopTime=1533329500

Human Readable Output


9. Retrieve unique data for a field in JSON


Retrieve unique data for a specified field in JSON format.

Base Command

moloch_unique_json

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 returns all data). | Optional |
| expression | The expression string. | Optional |
| field | The database field name to return unique values for. | Required |
| startTime | If the date argument is not set, the start of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json startTime="2014/02/26 10:27:57" | Optional |
| stopTime | If the date argument is not set, the end of the time range to return. An integer is interpreted as seconds since the Unix epoch; any other value is parsed with the JavaScript Date parser. Usage example: !moloch_sessions_json stopTime="2014/02/26 11:27:57" | Optional |
| strictly | When set, only sessions that lie entirely within the date range are returned; otherwise any session that overlaps the range is included. | Optional |
| view | The view name to apply before the expression. | Optional |
Context Output

There is no context output for this command.

Command Example

!moloch_unique_json date="-1" field="https.status"