Endace Search Archive Download PCAP v2

This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager. The workflow accepts inputs like “the date and time of the incident or a timeframe”, “source or destination IP address of the incident”, “source or destination IP port of the incident”, “protocol of the incident” and name of archive file. Required Inputs - Either timeframe or start and timeframe or end and timeframe or start and end fields. Either src_host_list or dest_host_list or ip fields. Either src_port_list or dest_port_list or port fields. archive_filename field is required delete_archive field is required download_threshold field is required

The Workflow in this playbook :

  1. Finds the packet history related to the search items. Multiple Search Items in an argument field are OR'd. Search Items between multiple arguments are AND'd.
  2. A successful Search is followed by an auto archival process of matching packets on EndaceProbe which can be accessed from an investigation link on the Evidence Board and/or War Room board that can be used to start forensic analysis of the packets history on EndaceProbe.
  3. Finally Download the archived PCAP file to XSOAR system provided the file size is less than a user defined threshold say 10MB. Files greater than this threshold can be accessed or analyzed on EndaceProbe via "Download PCAP link" or "Endace PivotToVision link" displayed on Evidence Board.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • Endace

Scripts

  • IsGreaterThan
  • IsTrue
  • Set
  • AreValuesEqual
  • Print
  • AddEvidence

Commands

  • endace-create-archive
  • endace-create-search
  • endace-delete-archived-file
  • endace-get-archive-status
  • endace-download-pcap

Playbook Inputs


NameDescriptionDefault ValueRequired
startUTC StartTime in ISO 8601 format as in 2020-04-08T15:46:30Optional
endUTC EndTime in ISO 8601 format as in 2020-04-08T15:46:30Optional
timeframeEvent timeframe to search. Select one of the values from 30seconds, 1minute, 5minutes, 10minutes, 30minutes, 1hour, 2hours, 5hours, 10hours, 12hours, 1day, 3days, 5days, 1week. Timeframe works as search for last n seconds if start and end time is not provided. For example, by specifying 1h as the timeframe, analyst can schedule a search for last 3600s. If both start and end time is provided, timeframe value is ignored. If either start or end time is provided along with timeframe, the respective start or end time is calculated accordingly. Initial value of timeframe is 1hour.Optional
ipdirectionless ip address. For valid search either a IP or Src Host or a Dest Host value is requiredOptional
portdirectionless port.Optional
src_host_listList of comma delimited Source IP addresses to search with a maximum of 10 IP addresses per search. For valid search either a Src Host or a Dest Host value is required.Optional
dest_host_listList of comma delimited Destination IP addresses to search with a maximum of 10 IP addresses per search. For valid search either a Src Host or a Dest Host value is required.Optional
src_port_listList of comma delimited Source Port addresses to search with a maximum of 10 Port addresses per search.Optional
dest_port_listList of comma delimited Destination Port addresses to search with a maximum of 10 Port addresses per search.Optional
protocolIANA defined IP Protocol Name or Number. For example - either use TCP or tcp or 6 for tcp protocolOptional
archive_filenameName of the archive file. For example, archive_filename could be an event ID. To keep archive filename unique, value of epoch seconds at the time of execution of the command is appended to this filename argument. For example - if the event id is someid, then archive_filename is someid-epochtime.Required
delete_archivefalse/true. if set to false archived file created by this playbook is retained on EndaceProbe. Value of true deletes the archived file. Once deleted this archived file is not available for future investigation.Required
download_thresholdPCAP file download size limit in MegaBytes. For example for 10MB, value is 10. Minimum value is 1(MB).Required

Playbook Outputs


PathDescriptionType
Endace.Download.PCAP.FileNameName of the File to download from EndaceProbestring
Endace.Download.PCAP.FileSizeFile size in MegaBytesstring
Endace.Download.PCAP.FileUserUsername of the person who has permission to download this PCAP from EndaceProbe.string

Playbook Image


Endace Search Archive Download PCAP v2