Palo Alto Networks and Endace - 10Gbps to 100Gbps packet ... · EndaceProbes using Endace’s...

Date posted: 07-Oct-2020
Page 1

endace.com | page 1 | END_fp_end_xsoar_1.0_0620

© Copyright Endace Technology Limited, 2020. All rights reserved. Information in this data sheet may be subject to change.

FUSION PARTNER

Security teams are overloaded with alerts from security tools warning of Indicators of Attack (IOAs) and Indicators of Compromise (IOCs). Many of these tools lack integration to simplify workflows and save analysts time sifting through data to get from an indicator to concrete evidence. Attackers often use sophisticated reconnaissance and propagation techniques that may not be visible by examining the original indicator. And many modern threats include tools that can spoof activity and modify, or simply erase, log files and other traces of activity, making it hard to quantify the depth and breadth of an attack.

Cortex XSOAR combines security orchestration, incident management, and interactive investigation to serve security teams across the incident lifecycle. Cortex XSOAR can ingest alerts from multiple sources, and allows security teams to create and execute standardized, automatable playbooks for accelerated incident response.

The open EndaceProbe Analytics Platform provides 100% accurate, always-on recording of network-wide traffic and integrates to deliver rapid search capability inside solutions including:

• Palo Alto Networks Strata Panorama and Next Generation Firewalls

• Palo Alto Networks Cortex XSOAR

• A wide range of commercial and open-source security solutions such as IDSs, SIEMs, AI /ML tools as well as NPM/APM solutions.

EndaceProbes can also host virtualized third-party tools - IDSs, agents, sensors etc. - allowing monitoring coverage to be extended without additional hardware deployment.

Integrating Cortex XSOAR and EndaceProbe

Integrating Endace’s network history with Cortex XSOAR gives analysts rapid access to enterprise-wide network forensic data, providing rapid in-context drill-down for investigating, reporting on and resolving security threats, and automated archival of critical packet evidence.

Integration Features

• Simple playbooks provide in-context drill down from threat alarms to relevant recorded packet data from anywhere in your network

• Automate archival of packets of interest for reactive investigations, proactive threat hunting and business compliance

• Leverage hundreds of Cortex XSOAR third-party product integrations to coordinate response across security functions based on insights from Endace’s recorded network history.

• Run hundreds of commands (including for EndaceProbe) interactively via a ChatOps interface while collaborating with other analysts and Cortex XSOAR’s chatbot

PRODUCTS

Palo Alto Networks Cortex XSOAR

EndaceProbe

EndaceVision and Investigation Manager

BENEFITS

• Accelerated incident response with rapid access to accurate, in-context network history

• Automated archiving of definitive forensic evidence for all detected threats

• Triage, investigate and respond to threats with increased speed, reliability and confidence using comprehensive network-wide recorded traffic.

Palo Alto Networks and Endace

Automated and Accelerated Incident Response with Cortex XSOAR and Network History

Use Case Example One

Accelerate Incident investigation with In-context drill-down to definitive network forensic data

Challenge: High volumes of alerts warning of potential attacks or data compromise take too long for analysts to sift through. Too many non-correlated evidence sources make it slow and cumbersome to separate real threats from false positives and to investigate and respond to real threats.

Solution: Deploying EndaceProbes across your network and integrating recorded network history into investigation workflows gives analysts in-context access to definitive forensic evidence right in Cortex XSOAR.

Links to EndaceVision and InvestigationManager allow advanced analysis of network traffic, including comprehensive filtering, application and flow breakdowns.

Endace’s high-speed, federated search returns relevant packet data to the XSOAR War Room or allows it to be tagged to an evidence board for joint investigations, streamlining the investigation process and dramatically improving the speed and accuracy of incident response.

Benefit: Analysts have, at their finger-tips, relevant network evidence from before, during and after all threat alarms. They can quickly dispense with false positives and confidently and accurately investigate and resolve real threats.

Full packet data is the only evidence that allows analysts to see definitively how far a threat spread, any associated command and control activity, whether data was stolen and what the exfiltrated payload contained.

Page 2

Use Case Example Two

Automated Archival of Network History for Later Investigation or Compliance

Challenge: Alert overload means many security teams only have time to triage events and investigate the most critical ones, while less critical events are frequently never examined. Few SecOps teams are actively engaging in proactive threat hunting.

Solution: EndaceProbes continually record every network packet traversing across the infrastructure. When an alert of a particular type, class or severity is recorded, Cortex XSOAR can run a playbook to archive a snapshot of the network evidence from before, during and after the event. This archive can later be accessed along with other relevant information such as application or system logs to do a comprehensive investigation.

Benefit: The ability to automatically archive rich, full packet evidence ensures that critical evidence is always on-hand when an analyst gets to investigating and responding to alerts even when that happens well after the event. It also ensures evidence is retained for reporting and compliance purposes.
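The archival step of Use Case Two, modelled as a playbook task, as an added example that is not Endace's or Palo Alto Networks' code: the alert timestamp defines a before/during/after evidence window, a federated search runs over every probe for packets involving the alert's indicator, and the result is bundled with a manifest (count, contributing probes, SHA-256) so the archived evidence can be checked later. The in-memory probe dictionary, the alert and the packets are constructed stand-ins for the EndaceProbe search API, not its real interface.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Packet:
    ts: datetime      # capture timestamp (UTC)
    src: str
    dst: str
    probe: str        # constructed label for the probe that recorded it
    payload: bytes


def snapshot_window(alert_ts, before, after):
    """Evidence window: context before the alert, the event itself, and what followed."""
    return alert_ts - before, alert_ts + after


def archive_snapshot(alert, probes, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Federated search across all probes for packets touching the alert's indicator
    inside the window. Returns the packets in time order plus an integrity manifest."""
    start, end = snapshot_window(alert["ts"], before, after)
    ioc = alert["indicator"]
    hits = [p for packets in probes.values() for p in packets
            if start <= p.ts <= end and ioc in (p.src, p.dst)]
    ordered = sorted(hits, key=lambda p: p.ts)
    digest = hashlib.sha256()
    for p in ordered:  # hash the archived evidence so tampering is detectable later
        digest.update(p.ts.isoformat().encode() + p.src.encode() + p.dst.encode() + p.payload)
    manifest = {"incident": alert["id"], "window": (start.isoformat(), end.isoformat()),
                "packets": len(ordered), "probes": sorted({p.probe for p in ordered}),
                "sha256": digest.hexdigest()}
    return ordered, manifest


# Constructed sample data: one alert on host 10.0.0.5 and two probes' recordings.
T0 = datetime(2020, 6, 15, 10, 0, tzinfo=timezone.utc)
ALERT = {"id": "INC-CONSTRUCTED-1", "ts": T0, "indicator": "10.0.0.5"}
PROBES = {
    "probe-dc1": [
        Packet(T0 - timedelta(minutes=3), "10.0.0.5", "203.0.113.9", "probe-dc1", b"GET /"),
        Packet(T0 - timedelta(minutes=20), "10.0.0.5", "203.0.113.9", "probe-dc1", b"too old"),
        Packet(T0 + timedelta(minutes=1), "10.0.0.7", "10.0.0.8", "probe-dc1", b"unrelated"),
    ],
    "probe-branch": [
        Packet(T0 + timedelta(minutes=2), "203.0.113.9", "10.0.0.5", "probe-branch", b"reply"),
    ],
}


def run_example():
    return archive_snapshot(ALERT, PROBES)
```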

Figure 1: Cortex XSOAR Playbooks can automatically retrieve packet data relating to an alert from wherever it was recorded by EndaceProbes using Endace’s network-wide rapid-search and data-mining capability

How it Works

Figure 2: The packet capture files can be accessed directly from the Cortex XSOAR War Room and/or Evidence Board for analysis using Wireshark or other packet analysis tools

Page 3

Figure 3: Playbooks can also provide a link to automatically start an interactive investigation and retrieve the packets related to an event in EndaceVision.

Figure 4: In EndaceVision, analysts can visually zoom in or out to extend their investigation and look at associated activity before or after the event, and use EndaceVision’s filters and tools to identify traffic of interest. Once they have done so, they can download the specific packets of interest for analysis in Wireshark.

Page 4

For more information on the Endace portfolio of products, visit:

endace.com/products

For further information, email: [email protected]


Endace™, the Endace logo, Provenance™ and DAG™ are registered trademarks in New Zealand and/or other countries of Endace Technology Limited. Other trademarks used may be the property of their respective holders. Use of the Endace products described in this document is subject to the Endace Terms of Trade and the Endace End User License Agreement (EULA).
