Endace
When Endace integration is enabled, the following additional host inspection options become available after a report is run:
Endace - Pivot-to-Vision: Opens the Endace Vision view
Endace - Pivot-to-Packets: Downloads a packet capture with user-specified parameters (*.pcap or *.erf)
These options can be accessed after clicking on an IP address or hostname in the report results view, under Other Options in the tray.
Note
It may be necessary to log in to EndaceProbe or InvestigationManager when pivoting to Vision for the first time.
Data will only be available for hosts/traffic seen on the EndaceProbe.
Configuration requirements
The following details will be required to enable/configure Endace integration:
Endace server IP address (and DNS hostname, if desired)
Port to use to connect to the Endace server (typically 443 or 80)
Credentials to use for the Endace server
[Optional] Names of data sources configured on the Endace server
Configuring Endace Pivot-to-Packets
To enable Endace integration, add the EndaceProbe or InvestigationManager by launching scrut_util and running the following at the SCRUTINIZER> prompt:
Note
This command requires an IP address and will not work with a hostname.
endace add <ENDACE_IP_ADDRESS> <PORT> <USER> <PASSWORD>
For example:
SCRUTINIZER> endace add 10.11.12.13 443 adminuser adminuserpass
See this page for other scrut_util commands related to Endace integration.
Configuring Endace Pivot-to-Vision
The Endace Pivot-to-Vision option can be configured as follows:
Note
The Pivot-to-Vision option can be configured independently of Pivot-to-Packets.
Data sources are defined in the EndaceProbe configuration. For example, to use all available rotation files, replace DATA_SOURCES below with tag%3Arotation-file. When using port 80, it may be necessary to replace https:// with http:// in the URLs below.
SSH to the Scrutinizer server as the plixer user.
Configure the EndaceProbe IP address or hostname and the data sources to use by adding the following line to the end of /home/plixer/scrutinizer/files/applications.cfg:
Endace - Pivot2Vision, https://<ENDACEPROBE_IP_OR_HOSTNAME>/vision2/pivotintovision/?datasources=<DATA_SOURCES>&title=Scrutinizer-Investigation&start=%zs&end=%ze&tools=trafficOverTime_by_app%2Cconversations_by_ipaddress&ip=%i, Endace Vision 2 - Investigation
Examples:
Endace - Pivot2Vision, https://endace-probe.company.com/vision2/pivotintovision/?datasources=tag%3Arotation-file&title=Scrutinizer-Investigation&start=%zs&end=%ze&tools=trafficOverTime_by_app%2Cconversations_by_ipaddress&ip=%i, Endace Vision 2 - Investigation
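The applications.cfg entry format and its placeholders, worked through as an added Python example that is not part of Scrutinizer or these docs: it builds the entry (choosing http for port 80, URL-encoding the data-source expression), splits it back into its three fields, and expands the placeholders the way a pivot would. It assumes that %zs and %ze are epoch-second start/end times, that %i is the clicked IP or hostname, and that a non-standard port is appended to the host.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed values for the worked example (not from a real deployment).
PROBE = "endace-probe.company.com"
DATA_SOURCES = "tag:rotation-file"   # plain form; encoded to tag%3Arotation-file


def vision_entry(probe, data_sources, port=443, title="Scrutinizer-Investigation"):
    """Build the applications.cfg line for the Endace Pivot-to-Vision option.

    The scheme follows the port as the configuration note describes (80 -> http,
    otherwise https); a non-standard port is appended to the host (assumption).
    The data-source expression is URL-encoded so 'tag:rotation-file' becomes
    'tag%3Arotation-file'; %zs, %ze and %i are left for Scrutinizer to fill in.
    """
    scheme = "http" if port == 80 else "https"
    host = probe if port in (80, 443) else f"{probe}:{port}"
    url = (
        f"{scheme}://{host}/vision2/pivotintovision/"
        f"?datasources={quote(data_sources, safe='')}&title={title}"
        "&start=%zs&end=%ze"
        "&tools=trafficOverTime_by_app%2Cconversations_by_ipaddress&ip=%i"
    )
    return f"Endace - Pivot2Vision, {url}, Endace Vision 2 - Investigation"


def parse_entry(line):
    """Split an applications.cfg line into (name, url, label); the URL carries
    no raw commas (they are encoded as %2C), so a 3-way split is safe."""
    parts = [p.strip() for p in line.split(",", 2)]
    if len(parts) != 3 or not parts[1].startswith(("http://", "https://")):
        raise ValueError(f"malformed applications.cfg entry: {line!r}")
    return tuple(parts)


def expand_pivot_url(url, ip, start, end):
    """Fill the placeholders as the pivot would when a host is clicked (assumed:
    %zs/%ze are epoch-second window bounds, %i the selected IP or hostname).
    The host value is URL-encoded so it cannot add extra query parameters."""
    values = {"%zs": str(int(start)), "%ze": str(int(end)), "%i": quote(str(ip), safe="")}
    for key, val in values.items():
        url = url.replace(key, val)
    return url


def pivot_query(url, ip, start, end):
    """Expand the URL and decode its query into a dict, to check the result."""
    return parse_qs(urlsplit(expand_pivot_url(url, ip, start, end)).query)
```

Running `pivot_query(parse_entry(vision_entry(PROBE, DATA_SOURCES))[1], "10.11.12.13", 1700000000, 1700003600)` shows the decoded datasources, start, end, tools and ip values that Endace Vision would receive.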