A way for analysts without sensor creds to pull Strelka files? #9263
-
|
Security Onion 2.3.130 With our current setup, our sensor administrators pull alerted strelka files for the analysts using WinSCP or similar. Is there a current or built-in way for the analysts to grab those files themselves through the SOC or Kibana? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
One option would be to pivot to full packet capture and then extract the file: |
Beta Was this translation helpful? Give feedback.
-
|
Thank you Doug, I managed to extract the file from cyberchef and compared the hash with the alert ensuring it was the same file. Drafting up an SOP for our analysts now! |
Beta Was this translation helpful? Give feedback.
One option would be to pivot to full packet capture and then extract the file:
https://docs.securityonion.net/en/2.3/pcap.html