Packetsled
This integration is part of the Packetsled Pack.
Overview
Use this integration to access the PacketSled playbook and command query.
Employ incidents and artifacts from an investigation, or a full packet capture, based on the perspective of a user or a host.
Use either the playbook or the individual commands to get the level of detail necessary for your investigation.
This integration was integrated and tested with PacketSled v5.3.2 and earlier.
Use Cases
- Extract incidents, files, or PCAP.
- Extract metadata for a specific host.
- Enumerate sensors.
Prerequisites
Make sure you have the following PacketSled information.
- Username and password for credential access
- Confirm firewall rules to enable access to PacketSled API
Configure PacketSled on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for PacketSled.
- Click Add instance to create and configure a new integration instance.
- Name: textual name for the integration instance
- Server URL (https://<customer_id>.packetsled.com)
- If you want Cortex XSOAR incidents to be created automatically from this integration instance, click Fetch Incidents.
- Credentials: PacketSled username
- Password: PacketSled password
- Click Test to validate credentials and configuration.
- Click Done to install the integration.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Extract incidents: packetsled-get-incidents
- Enumerate sensors: packetsled-get-sensors
- Extract metadata for a specific host: packetsled-get-flows
- Extract files: packetsled-get-files
- Extract PCAP: packetsled-get-pcaps
Extract incidents: packetsled-get-incidents
Extracts all incidents that occurred since the last time they were extracted.
Inputs
| Parameter | Description | Required |
| --- | --- | --- |
| start_time | Beginning of the time range to query, can be either epoch seconds or ISO formatted datetime (defaults to 1 hour ago) | Optional |
| stop_time | End of the time range to query, can be either epoch seconds or ISO formatted datetime (defaults to current time) | Optional |
| envid | Unique ID in PacketSled to identify a group of sensors that belong to a single customer (by default, all sensors are queried) | Optional |
| probe | Unique ID in an envid used to identify a single sensor (by default, all sensors are queried) | Optional |
Raw Output
{ "name":"Source: Packetsled SENSOR: , ENTITY: ", "rawJSON":{ } }
Enumerate sensors: packetsled-get-sensors
Enumerates all attached sensors.
-NO FURTHER INFORMATION-
Extract metadata for a specific host: packetsled-get-flows
Finds flow metadata based on the specified parameters. The flows are posted as JSON files to the War Room.
Command Example
!packetsled-get-flows entity=192.168.0.110 limit=10000
Inputs
| Parameter | Description | Required |
| --- | --- | --- |
| start_time | Beginning of the time range to query, can be either epoch seconds or ISO formatted datetime (defaults to 1 hour ago) | Optional |
| stop_time | End of the time range to query, can be either epoch seconds or ISO formatted datetime (defaults to current time) | Optional |
| envid | Unique ID in PacketSled to identify a group of sensors that belong to a single customer (by default, all sensors are queried) | Optional |
| probe | Unique ID in an envid used to identify a single sensor (by default, all sensors are queried) | Optional |
| entity | IP address | Optional |
| port | Port | Optional |
| geo | Geographical code | Optional |
| family | Protocol family (enumeration value) | Optional |
| proto | Protocol (enumeration value) | Optional |
Extract files: packetsled-get-files
Finds file artifacts based on the specified parameters. The files are posted to the War Room.
Inputs
| Parameter | Description | Required |
| --- | --- | --- |
| start_time | Beginning of the time range to query, can be either epoch seconds or ISO formatted datetime (defaults to 1 hour ago) | Optional |
| stop_time | End of the time range to query, can be either epoch seconds or ISO formatted datetime (defaults to current time) | Optional |
| envid | Unique ID in PacketSled to identify a group of sensors that belong to a single customer (by default, all sensors are queried) | Optional |
| probe | Unique ID in an envid used to identify a single sensor (by default, all sensors are queried) | Optional |
| entity | IP address | Optional |
| port | Port | Optional |
| geo | Geographical code | Optional |
| family | Protocol family (enumeration value) | Optional |
| proto | Protocol (enumeration value) | Optional |
Extract PCAP: packetsled-get-pcaps
Finds full packet capture files based on the specified parameters. The PCAP files are posted to the War Room.
Command Example
!packetsled-get-pcaps entity=192.168.0.110
Inputs
| Parameter | Description | Required |
| --- | --- | --- |
| start_time | Beginning of the time range to query, can be either epoch seconds or ISO formatted datetime (defaults to 1 hour ago) | Optional |
| stop_time | End of the time range to query, can be either epoch seconds or ISO formatted datetime (defaults to current time) | Optional |
| envid | Unique ID in PacketSled to identify a group of sensors that belong to a single customer (by default, all sensors are queried) | Optional |
| probe | Unique ID in an envid used to identify a single sensor (by default, all sensors are queried) | Optional |
| entity | IP address | Optional |
| port | Port | Optional |
| proto | A protocol (enumeration value) | Optional |
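As an added example (not code from the PacketSled integration or from Cortex XSOAR), the Python helper below applies the argument rules shared by packetsled-get-flows, packetsled-get-files and packetsled-get-pcaps before a command is issued: start_time and stop_time accept epoch seconds or an ISO datetime with the documented defaults (1 hour ago, now), entity must be an IP address, and port must be in range. The function names, the `now` parameter and the returned dict layout are assumptions for illustration.

```python
# Added example: validates and normalizes the query arguments documented above.
# parse_time / build_query are assumed names, not the integration's own API.
import ipaddress
from datetime import datetime, timedelta, timezone


def parse_time(value, default):
    """Accept epoch seconds or an ISO 8601 datetime; return `default` if empty."""
    if value is None or str(value).strip() == "":
        return default
    text = str(value).strip()
    if text.replace(".", "", 1).isdigit():  # epoch seconds, int or float
        return datetime.fromtimestamp(float(text), tz=timezone.utc)
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if parsed.tzinfo is None:  # naive ISO string: treat as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def build_query(args, now=None):
    """Return a validated query dict for the PacketSled commands; raise ValueError on bad input."""
    now = now or datetime.now(timezone.utc)
    start = parse_time(args.get("start_time"), now - timedelta(hours=1))  # default: 1 hour ago
    stop = parse_time(args.get("stop_time"), now)  # default: current time
    if start >= stop:
        raise ValueError("start_time must be earlier than stop_time")
    query = {"start_time": int(start.timestamp()), "stop_time": int(stop.timestamp())}
    if args.get("entity"):
        # ip_address() raises ValueError for anything that is not an IPv4/IPv6 literal
        query["entity"] = str(ipaddress.ip_address(args["entity"]))
    if args.get("port") not in (None, ""):
        port = int(args["port"])
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        query["port"] = port
    # Remaining documented filters are passed through unchanged when supplied
    for key in ("envid", "probe", "geo", "family", "proto", "limit"):
        if args.get(key) not in (None, ""):
            query[key] = args[key]
    return query
```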