

This playbook is meant to be a demonstration of all the PCAP analysis capabilities; in practice it is more likely that each of the sub-playbooks will be used separately. To demonstrate the entire flow, make sure that at least one of the search inputs listed below is configured, so that search results exist.

This playbook uses the following sub-playbooks, integrations, and scripts.

Integrations: this playbook does not use any integrations.

Playbook inputs:

- PCAP file entry ID: specifies the file entry ID for the PCAP file, if the user provided the file in the incident.
- Parsing and enrichment: specifies whether to run the parsing and enrichment playbook.
- File carving: specifies whether to run the file carving playbook. Values can be `true`, or any other value for false.
- RSA decrypt key entry ID: specifies the file entry ID for the RSA decrypt key, if the user provided the key in the incident.
- WPA password: provides a WPA (Wi-Fi Protected Access) password to decrypt encrypted 802.11 Wi-Fi traffic.
- `QueryOperator`: when several search inputs are provided (`IPAddressToSearch`, `TCPPortsToSearch`, `UDPPortsToSearch`, `ProtocolToSearch` and `AdvancedSearchFilter`), this input specifies whether they are combined with AND or with OR in the overall PCAP search filter. For example, with `TCPPortsToSearch` defined as `445,443` and `QueryOperator` defined as `and`, a packet must match one of the listed ports and also the other configured inputs.
- `IPAddressToSearch`: can be a single IP or a comma-delimited list of IP addresses. All IPs will be treated with the OR operator.
- `TCPPortsToSearch`: the value of a TCP port number to search. All TCP ports will be treated with the OR operator.
- `UDPPortsToSearch`: the value of a UDP port number to search. Can be a single port or a comma-delimited list of ports. All UDP ports will be treated with the OR operator.
- `ProtocolToSearch`: the protocols to search for within the PCAP file. Can be a single protocol or a comma-delimited list of protocols.
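The combination rule for the search inputs (values inside one input are OR-ed, and the configured inputs are joined by `QueryOperator`), written out as an added example. This is illustration code, not the playbook's own implementation: the Wireshark display-filter field names `ip.addr`, `tcp.port` and `udp.port`, the `&&`/`||` rendering, the input validation, acceptance of CIDR ranges, and the function and argument names (`build_search_filter`, `ip_addresses`, ...) are all assumptions. `AdvancedSearchFilter` is passed through as a single parenthesised term.

```python
"""Build a display filter from the PCAP search inputs described above.

Added illustration, not the playbook's own code. The only rules taken from the
page are: values inside one input are OR-ed, and the configured inputs are
joined by QueryOperator ("and" / "or"). Everything else (Wireshark display-filter
field names ip.addr / tcp.port / udp.port, the "&&" / "||" rendering, the input
validation, CIDR support, the function and argument names) is an assumption.
"""
import ipaddress
import re
from typing import List, Optional

# Wireshark protocol names are short tokens such as dns, http, tls, smb2.
# Anything else is rejected so a comma list cannot smuggle filter syntax in.
_PROTO_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def _split(value: Optional[str]) -> List[str]:
    """Split a comma-delimited playbook input into trimmed, non-empty items."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def _check_ip(value: str) -> str:
    """Accept a single address or a CIDR range (assumption); reject anything else."""
    ipaddress.ip_network(value, strict=False)  # raises ValueError on bad input
    return value


def _check_port(value: str) -> str:
    """Ports must be plain integers in 0..65535."""
    if not value.isdigit() or int(value) > 65535:
        raise ValueError(f"invalid port: {value!r}")
    return value


def _check_proto(value: str) -> str:
    """Protocol names must be bare tokens (no operators, spaces or quotes)."""
    if not _PROTO_RE.match(value):
        raise ValueError(f"invalid protocol name: {value!r}")
    return value


def _or_group(values: List[str], field: Optional[str] = None) -> Optional[str]:
    """OR all values of one input, e.g. (tcp.port == 445 || tcp.port == 443)."""
    terms = [f"{field} == {v}" if field else v for v in values]
    if not terms:
        return None
    return terms[0] if len(terms) == 1 else "(" + " || ".join(terms) + ")"


def build_search_filter(
    ip_addresses: Optional[str] = None,
    tcp_ports: Optional[str] = None,
    udp_ports: Optional[str] = None,
    protocols: Optional[str] = None,
    advanced_filter: Optional[str] = None,
    query_operator: str = "or",
) -> str:
    """Combine the search inputs into one filter string.

    Each argument mirrors one playbook input (IPAddressToSearch, TCPPortsToSearch,
    UDPPortsToSearch, ProtocolToSearch, AdvancedSearchFilter, QueryOperator).
    """
    op = (query_operator or "").strip().lower()
    if op not in ("and", "or"):
        raise ValueError(f"QueryOperator must be 'and' or 'or', got {query_operator!r}")

    groups = [
        _or_group([_check_ip(v) for v in _split(ip_addresses)], "ip.addr"),
        _or_group([_check_port(v) for v in _split(tcp_ports)], "tcp.port"),
        _or_group([_check_port(v) for v in _split(udp_ports)], "udp.port"),
        _or_group([_check_proto(v) for v in _split(protocols)]),
        # AdvancedSearchFilter is passed through verbatim as one parenthesised term
        f"({advanced_filter.strip()})" if advanced_filter and advanced_filter.strip() else None,
    ]
    groups = [g for g in groups if g]
    if not groups:
        # Mirrors the page's caveat: with no search input configured, nothing can match.
        raise ValueError("at least one search input must be configured")
    return (" && " if op == "and" else " || ").join(groups)


if __name__ == "__main__":
    # Constructed sample inputs: one host and the SMB/HTTPS ports, AND-ed together.
    print(build_search_filter(ip_addresses="192.168.1.1", tcp_ports="445,443",
                              query_operator="and"))
```

The per-item validation is the part worth keeping even if the filter syntax differs in a real deployment: the inputs are comma lists typed by an analyst, and without it a value such as `443 || frame` would be spliced straight into the filter and silently widen the search.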
