Endace#

When Endace integration is enabled, the following additional host inspection options become available after a report is run:

  • Endace - Pivot-to-Vision: Opens the Endace Vision view

  • Endace - Pivot-to-Packets: Downloads a packet capture with user-specified parameters (*.pcap or *.erf)

These options can be accessed after clicking on an IP address or hostname in the report results view, under Other Options in the tray.

Note

  • It may be necessary to log in to EndaceProbe or InvestigationManager when pivoting to Vision for the first time.

  • Data will only be available for hosts/traffic seen on the EndaceProbe.

Configuration requirements#

The following details are required to enable and configure Endace integration:

  • Endace server IP address (and DNS hostname, if desired)

  • Port to use to connect to the Endace server (typically 443 or 80)

  • Credentials to use for the Endace server

  • [Optional] Names of data sources configured on the Endace server

Configuring Endace Pivot-to-Packets#

To enable Endace integration, add the EndaceProbe or InvestigationManager by launching scrut_util and running the following at the SCRUTINIZER> prompt:

Note

This command requires an IP address and will not work with a hostname.

endace add <ENDACE_IP_ADDRESS> <PORT> <USER> <PASSWORD>

For example:

SCRUTINIZER> endace add 10.11.12.13 443 adminuser adminuserpass

See this page for other scrut_util commands related to Endace integration.

Configuring Endace Pivot-to-Vision#

The Endace Pivot-to-Vision option can be configured as follows:

Note

  • The Pivot-to-Vision option can be configured independently of Pivot-to-Packets.

  • Data sources are defined in the EndaceProbe configuration. For example, to use all available rotation files, replace DATA_SOURCES below with tag%3Arotation-file (the URL-encoded form of tag:rotation-file).

  • When using port 80, it may be necessary to replace https:// with http:// in the below URLs.

  1. SSH to the Scrutinizer server as the plixer user.

  2. Configure the EndaceProbe IP address or hostname and data sources to use by adding the following lines to the end of /home/plixer/scrutinizer/files/applications.cfg:

    Endace - Pivot2Vision, https://<ENDACEPROBE_IP_OR_HOSTNAME>/vision2/pivotintovision/?datasources=<DATA_SOURCES>&title=Scrutinizer-Investigation&start=%zs&end=%ze&tools=trafficOverTime_by_app%2Cconversations_by_ipaddress&ip=%i, Endace Vision 2 - Investigation

    Examples:

    Endace - Pivot2Vision, https://endace-probe.company.com/vision2/pivotintovision/?datasources=tag%3Arotation-file&title=Scrutinizer-Investigation&start=%zs&end=%ze&tools=trafficOverTime_by_app%2Cconversations_by_ipaddress&ip=%i, Endace Vision 2 - Investigation
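As an added example (not part of the Scrutinizer documentation or product), the Python helper below builds the applications.cfg entry shown above, checks that an entry is well-formed before it is appended to the file, and simulates the placeholder substitution so you can see the decoded query string the EndaceProbe receives. Function names are hypothetical, and the meaning of %zs, %ze and %i (report window start and end, the clicked IP) is an assumption, not something this page states.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Placeholders Scrutinizer fills in at pivot time. Assumed meaning (not stated on
# this page): %zs/%ze = report window start/end, %i = the IP the user clicked.
PLACEHOLDERS = ("%zs", "%ze", "%i")
TOOLS = "trafficOverTime_by_app%2Cconversations_by_ipaddress"

def build_pivot_entry(probe_host, data_sources, use_https=True):
    """Return the applications.cfg line for Endace Pivot-to-Vision."""
    scheme = "https" if use_https else "http"  # http:// if the probe listens on port 80
    # Selectors such as 'tag:rotation-file' are percent-encoded so the ':' (and any
    # ',' between several sources) survives inside the query string.
    ds = quote(",".join(data_sources), safe="")
    url = (f"{scheme}://{probe_host}/vision2/pivotintovision/?datasources={ds}"
           f"&title=Scrutinizer-Investigation&start=%zs&end=%ze&tools={TOOLS}&ip=%i")
    return f"Endace - Pivot2Vision, {url}, Endace Vision 2 - Investigation"

def check_pivot_entry(line):
    """Return the problems found in an applications.cfg entry ([] when it looks right)."""
    parts = [p.strip() for p in line.split(", ", 2)]
    if len(parts) != 3:
        return ["expected 'Name, URL, Title' separated by ', '"]
    url, problems = parts[1], []
    if urlsplit(url).scheme not in ("http", "https"):
        problems.append("URL must start with http:// or https://")
    if "<" in url or ">" in url:
        problems.append("an <ANGLE_BRACKET> placeholder was never replaced")
    problems += [f"URL is missing the {ph} placeholder" for ph in PLACEHOLDERS if ph not in url]
    return problems

def expand_pivot_url(line, start, end, ip):
    """Simulate the substitution Scrutinizer performs when the user pivots."""
    url = line.split(", ", 2)[1].strip()
    for placeholder, value in zip(PLACEHOLDERS, (start, end, ip)):
        url = url.replace(placeholder, str(value))
    return url

def pivot_query(line, start, end, ip):
    """Decoded query parameters the probe will see (one value per key)."""
    query = parse_qs(urlsplit(expand_pivot_url(line, start, end, ip)).query)
    return {key: values[0] for key, values in query.items()}

if __name__ == "__main__":
    # Constructed sample values; 10.11.12.13 is the address from this page's scrut_util example.
    entry = build_pivot_entry("endace-probe.company.com", ["tag:rotation-file"])
    print(entry)
    print(check_pivot_entry(entry))
    print(pivot_query(entry, 1700000000, 1700003600, "10.11.12.13"))
```

Running check_pivot_entry against the template line with the angle-bracket placeholders still in place reports the unreplaced placeholder, which is the usual reason a pivot link fails after editing applications.cfg.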