Endace

Details
Content
Dependencies
Version History

This integration uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows

The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance.
EndaceProbes enables analysts to find and solve challenging security threats like lateral movement, spoofed DNS, Command and Control (C2), and data exfiltration.
Combining Endace’s InvestigationManager (which provides central search and data-mining across a fabric of EndaceProbes) and workflow integrations with Palo Alto Networks Panorama and Cortex XSOAR enables fast, in-context drilldown to relevant packet data for fast, accurate, enterprise-wide threat investigations.
This Endace Content Pack and Playbook leverages EndaceProbe APIs to search for, archive and download PCAP files from individual or multiple EndaceProbes to automatically import and preserve critical packet evidence for your security automation workflows.

What does this pack do?

The Playbook included in this pack helps you save time, preserve evidence and leverage unalterable network packet data in your XSOAR workflows and evidence boards. It automates the search and storage of critical packet data for security incident response.
Key functions this playbook provides include:

Search EndaceProbe Fabric for any traffic related to a specific security event or alert
Automated archiving of relevant network PCAPs for compliance or incident response
Links your evidence boards and war room to a one-click drill-down to packet data in EndaceVision for detailed forensic investigations

For a short video demo showing this Playbook in action visit the Endace Youtube Channel or Endace PaloAlto integration.

The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance.
EndaceProbes enables analysts to find and solve challenging security threats like lateral movement, spoofed DNS, Command and Control (C2), and data exfiltration.
Combining Endace’s InvestigationManager (which provides central search and data-mining across a fabric of EndaceProbes) and workflow integrations with Palo Alto Networks Panorama and Cortex XSIAM enables fast, in-context drilldown to relevant packet data for fast, accurate, enterprise-wide threat investigations.
This Endace Content Pack and Playbook leverages EndaceProbe APIs to search for, archive and download PCAP files from individual or multiple EndaceProbes to automatically import and preserve critical packet evidence for your security automation workflows.

What does this pack do?

Search EndaceProbe Fabric for any traffic related to a specific security event or alert
Automated archiving of relevant network PCAPs for compliance or incident response
Links your evidence boards and war room to a one-click drill-down to packet data in EndaceVision for detailed forensic investigations

For a short video demo showing this Playbook in action visit the Endace Youtube Channel or Endace PaloAlto integration.

Integrations

Name	Description
Endace (Partner Contribution)	The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network. This integration uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.

Name

Description

Endace (Partner Contribution)

The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network.

Playbooks

Name	Description
Endace Search Archive Download PCAP v2	This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager. The workflow accepts inputs like “the date and time of the incident or a timeframe”, “source or destination IP address of the incident”, “source or destination IP port of the incident”, “protocol of the incident” and name of archive file. Required Inputs - Either timeframe or start and timeframe or end and timeframe or start and end fields. Either src_host_list or dest_host_list or ip fields. Either src_port_list or dest_port_list or port fields. archive_filename field is required delete_archive field is required download_threshold field is required The Workflow in this playbook : Finds the packet history related to the search items. Multiple Search Items in an argument field are OR'd. Search Items between multiple arguments are AND'd. A successful Search is followed by an auto archival process of matching packets on EndaceProbe which can be accessed from an investigation link on the Evidence Board and/or War Room board that can be used to start forensic analysis of the packets history on EndaceProbe. Finally Download the archived PCAP file to XSOAR system provided the file size is less than a user defined threshold say 10MB. Files greater than this threshold can be accessed or analyzed on EndaceProbe via "Download PCAP link" or "Endace PivotToVision link" displayed on Evidence Board.
Endace Search Archive Download PCAP	Deprecated. This playbook has been deprecated. Use Endace Search Archive Download\ \ PCAP v2 instead. This playbook uses Endace APIs to search, archive and download\ \ PCAP file from either a single EndaceProbe or many via the InvestigationManager.\ \ The workflow accepts inputs like “the date and time of the incident or a\ \ timeframe”, “source or destination IP address of the incident”, “source or destination\ \ IP port of the incident”, “protocol of the incident” and name of archive file.\ \ \nThe Workflow in this playbook - \n1. Finds the packet history related to the\ \ search items. Multiple Search Items in an argument field are OR'd. Search Items\ \ between multiple arguments are AND'd. \n2. A successful Search is followed by\ \ an auto archival process of matching packets on EndaceProbe which can be accessed\ \ from an investigation link on the Evidence Board and/or War Room board that can\ \ be used to start forensic analysis of the packets history on EndaceProbe.\n3.\ \ Finally Download the archived PCAP file to XSOAR system provided the file size\ \ is less than a user defined threshold say 10MB. Files greater than 10MB can be\ \ accessed or analyzed on EndaceProbe via \"Download PCAP link\" or \"Endace PivotToVision\ \ link\" displayed on Evidence Board.\n
Endace Search Archive and Download	Deprecated. No available replacement. This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.

Integrations

Name	Description
Endace (Partner Contribution)	The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network. This integration uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.

Name

Description

Endace (Partner Contribution)

Playbooks

Name	Description
Endace Search Archive and Download	Deprecated. No available replacement. This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.
Endace Search Archive Download PCAP	Deprecated. This playbook has been deprecated. Use Endace Search Archive Download\ \ PCAP v2 instead. This playbook uses Endace APIs to search, archive and download\ \ PCAP file from either a single EndaceProbe or many via the InvestigationManager.\ \ The workflow accepts inputs like “the date and time of the alert or a\ \ timeframe”, “source or destination IP address of the alert”, “source or destination\ \ IP port of the alert”, “protocol of the alert” and name of archive file.\ \ \nThe Workflow in this playbook - \n1. Finds the packet history related to the\ \ search items. Multiple Search Items in an argument field are OR'd. Search Items\ \ between multiple arguments are AND'd. \n2. A successful Search is followed by\ \ an auto archival process of matching packets on EndaceProbe which can be accessed\ \ from an investigation link on the Evidence Board and/or War Room board that can\ \ be used to start forensic analysis of the packets history on EndaceProbe.\n3.\ \ Finally Download the archived PCAP file to XSOAR system provided the file size\ \ is less than a user defined threshold say 10MB. Files greater than 10MB can be\ \ accessed or analyzed on EndaceProbe via \"Download PCAP link\" or \"Endace PivotToVision\ \ link\" displayed on Evidence Board.\n
Endace Search Archive Download PCAP v2	This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager. The workflow accepts inputs like “the date and time of the alert or a timeframe”, “source or destination IP address of the alert”, “source or destination IP port of the alert”, “protocol of the alert” and name of archive file. Required Inputs - Either timeframe or start and timeframe or end and timeframe or start and end fields. Either src_host_list or dest_host_list or ip fields. Either src_port_list or dest_port_list or port fields. archive_filename field is required delete_archive field is required download_threshold field is required The Workflow in this playbook : Finds the packet history related to the search items. Multiple Search Items in an argument field are OR'd. Search Items between multiple arguments are AND'd. A successful Search is followed by an auto archival process of matching packets on EndaceProbe which can be accessed from an investigation link on the Evidence Board and/or War Room board that can be used to start forensic analysis of the packets history on EndaceProbe. Finally Download the archived PCAP file to XSOAR system provided the file size is less than a user defined threshold say 10MB. Files greater than this threshold can be accessed or analyzed on EndaceProbe via "Download PCAP link" or "Endace PivotToVision link" displayed on Evidence Board.

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (6)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

1.1.12 - 938811 (April 7, 2024)

Integrations

Updated the Docker image to: demisto/python3:3.10.14.90585.

Related pull requests:
- 33641
- 33516
- 33519
- 33515
- 33329
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
- 33535
- 33534
- 33537
- 33552
- 33580
- 33553
- 33418
- 33583
- 33555
- 33556
- 33559
- 33560
- 33619
- 33591
- 33602
- 33600
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458

Download

1.1.11 - R6303396 (September 12, 2023)

Integrations

Endace

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27954

Download

1.1.10 - R5692327 (July 5, 2023)

Integrations

Endace

Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25971

Download

1.1.9 - R4718798 (March 1, 2023)

Integrations

Endace

Removed copyright section.
Updated the Docker image to: demisto/python3:3.10.4.31492.

Related pull requests:
- 19848

Download

1.1.8 - 2209401 (January 5, 2022)

Playbooks

Endace Search Archive and Download

Maintenance and stability enhancements.

Download

1.1.7 - R2146019 (December 21, 2021)

Integrations

Endace

Updated the Docker image to: demisto/python3:3.9.8.24399.

Download

1.1.6 - 7561139 (September 12, 2021)

Integrations

Endace

Updated the Docker image to: demisto/python3:3.9.7.24076.

Download

1.1.5 - R400461 (July 20, 2021)

Integrations

Endace

Upgraded the Docker image to: demisto/python3:3.9.5.21272.

Download

1.1.4 - 379915 (June 7, 2021)

Integrations

Endace

Upgraded the Docker image to: demisto/python3:3.9.5.20958.

Playbooks

Endace Search Archive and Download

Documentation and metadata improvements.

Download

1.1.2 - 356061 (May 13, 2021)

Playbooks

Endace Search Archive Download PCAP

Playbook was updated with the "deprecated" field.

Endace Search Archive and Download

Playbook was updated with the "deprecated" field.

Download

1.1.1 - R354205 (May 12, 2021)

Playbooks

Endace Search Archive and Download

Maintenance and stability enhancements.

Endace Search Archive Download PCAP

Maintenance and stability enhancements.

Download

1.1.0 - 91934 (August 20, 2020)

Integrations

Endace

Added Support for directionless Ip and Port Search.
Improved Error handling messages.
Parameter hostname is now mandatory.

Playbooks

Endace Search Archive and Download

This playbook is deprecated. Use Endace Search Archive Download PCAP instead.

Endace Search Archive Download PCAP

This playbook is deprecated. Use Endace Search Archive Download PCAP v2 instead.

Endace Search Archive Download PCAP v2

Added support for directionless ip and port search, user friendly timeframe values, updated input and output variables to the playbook and their definitions.

Download

1.0.0 - R71118 (July 22, 2020)

Endace

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	July 22, 2020
Last Release	April 7, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.