How detection PCAPs are generated

This article discusses how Detection PCAPs are created as part of Detect for NDR. Selective PCAP is a different feature.

For details on Selective PCAP, see Using Vectra Packet Capture. This article covers PCAPs that are attached as evidence to detections.

Introduction

PCAP is a standard file format for captured packet data. PCAP files are presented with some detections to support a security analyst's investigation of the triggered detection.

Approach

This is achieved using a “rolling buffer” to which packets are written to disk in real time. When storage limits are hit, the oldest packets are “rolled off” from the end of the buffer.

Depending on system load and traffic throughput, PCAP files will be stored and available for download for a minimum of 30 minutes and for as long as several hours.

To limit rolling buffer load and PCAP size, the rolling buffer stores up to 50 packets from the beginning of each flow; certain protocols have additional packets stored. This strategy makes the best use of the space and bandwidth available to the rolling buffer: the security analyst has the most useful data available when investigating a detection, while data the analyst would not find useful is not written to the buffer.

When a detection fires or new activity is observed for an existing detection, Vectra reaches into the rolling buffer, identifies the relevant packets, and assembles them into a detection-specific PCAP. This PCAP is then attached to the detection and made available for download.
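The following is an added illustration of the approach described above, not Vectra's code: a small rolling buffer that keeps only the first 50 packets of each flow, rolls off whole flows from the old end when a storage limit is reached, and serialises the packets held for one flow into a classic PCAP file when a detection fires. The byte limit, the packet sizes and the flows are constructed for the demonstration; only the 50-packet cap comes from the article. The last stage of the walkthrough shows why a detection on a flow that has already been rolled off gets no PCAP at all.

```python
import struct
from collections import OrderedDict

# The 50-packet per-flow cap is from the article; the byte limit is a
# made-up figure chosen so the roll-off is easy to see in the demo.
MAX_PACKETS_PER_FLOW = 50
DEFAULT_LIMIT_BYTES = 20_000

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1


def flow_key(src, sport, dst, dport, proto):
    """Direction-independent 5-tuple so both halves of a conversation share one entry."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a, b, proto)


class RollingBuffer:
    """Keeps the first N packets of every flow; rolls off the oldest flows when the byte limit is hit."""

    def __init__(self, limit_bytes=DEFAULT_LIMIT_BYTES, per_flow=MAX_PACKETS_PER_FLOW):
        self.limit_bytes = limit_bytes
        self.per_flow = per_flow
        self.flows = OrderedDict()   # flow_key -> [(timestamp, frame), ...]; oldest flow first
        self.used_bytes = 0
        self.rolled_off_flows = 0

    def ingest(self, ts, src, sport, dst, dport, proto, frame):
        """Store a frame unless its flow already holds per_flow packets. Returns True if stored."""
        key = flow_key(src, sport, dst, dport, proto)
        packets = self.flows.setdefault(key, [])
        if len(packets) >= self.per_flow:
            return False            # later packets of a long flow are deliberately not kept
        packets.append((ts, frame))
        self.used_bytes += len(frame)
        # Roll off whole flows from the old end until the buffer is back under its limit.
        while self.used_bytes > self.limit_bytes and len(self.flows) > 1:
            _, old = self.flows.popitem(last=False)
            self.used_bytes -= sum(len(f) for _, f in old)
            self.rolled_off_flows += 1
        return True

    def extract(self, src, sport, dst, dport, proto):
        """Packets still held for one flow; empty if the flow was never seen or has been rolled off."""
        return list(self.flows.get(flow_key(src, sport, dst, dport, proto), ()))


def write_pcap(packets, snaplen=65535):
    """Serialise (timestamp, frame) records as a classic little-endian pcap file."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def demo():
    """Walk through the lifecycle with constructed traffic; returns figures the caller can check."""
    buf = RollingBuffer()
    # Constructed flow A: 60 frames of 100 bytes; only the first 50 are retained.
    for i in range(60):
        buf.ingest(1000.0 + i, "10.0.0.5", 51000, "10.0.0.9", 443, 6, b"A" * 100)
    flow_a = buf.extract("10.0.0.5", 51000, "10.0.0.9", 443, 6)
    pcap_a = write_pcap(flow_a)           # what would be attached to a detection firing now

    # Constructed flow B: 3 frames client->server and 2 server->client land in one entry.
    for i in range(3):
        buf.ingest(1100.0 + i, "10.0.0.7", 52000, "10.0.0.9", 53, 17, b"B" * 60)
    for i in range(2):
        buf.ingest(1110.0 + i, "10.0.0.9", 53, "10.0.0.7", 52000, 17, b"b" * 60)
    flow_b_count = len(buf.extract("10.0.0.7", 52000, "10.0.0.9", 53, 17))

    # 200 further constructed flows push the buffer over its byte limit; flow A is the
    # oldest and is rolled off, so a detection on it now would get no PCAP at all.
    for n in range(200):
        buf.ingest(2000.0 + n, "10.0.0.%d" % (n % 250 + 1), 40000 + n, "10.0.0.9", 80, 6, b"C" * 100)
    flow_a_later = buf.extract("10.0.0.5", 51000, "10.0.0.9", 443, 6)

    return {
        "flow_a_kept": len(flow_a),                 # 50
        "pcap_a_bytes": len(pcap_a),                # 24-byte header + 50 * (16 + 100)
        "flow_b_kept": flow_b_count,                # 5, both directions in one flow
        "flow_a_after_rolloff": len(flow_a_later),  # 0, the flow was rolled off
        "rolled_off_flows": buf.rolled_off_flows,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the figures from `demo()`; the file produced by `write_pcap` opens in any pcap-aware tool. The per-flow cap is enforced at ingest time, which is why a detection that fires late in a long flow sees at most the first 50 packets, and the roll-off evicts whole flows from the old end, which is why a detection on a flow that started long ago can come back with nothing.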

Considerations

  • Only network detections on hosts produce PCAPs.

    • Detections for Detect for M365, Azure AD, and AWS cannot produce PCAPs because their data source is log-based.

    • Detections for accounts will not have PCAPs.

  • Info detections and custom model detections based on Recall metadata will not have PCAPs.

  • Depending on the timing of the detection, the protocol in use, and the traffic load on the appliance, it is possible for the PCAP to contain fewer packets than the full flow.

  • In extreme cases, where the AI system has taken considerable time to identify the behavior or the detection occurred later in a packet stream, the PCAP may be absent entirely. This is normal behavior and not an indicator of a problem.

  • In some cases, sensors under high system load may time out while capturing or transferring PCAPs for a detection. This is normal behavior and not an indicator of a problem.

  • In some circumstances, customers may not want PCAPs generated at all, or not from certain Sensors deployed in areas with stricter privacy controls that do not allow packet capture.

    • Data Sources > Network > Brain Setup > PCAP Generation

      • Edit in this area to turn off PCAP generation entirely.

    • To turn off PCAP generation on an individual Sensor, go to Data Sources > Network > Sensor, select the Sensor you wish to edit, click the edit pencil, deselect the “Capture PCAPs for this Sensor” checkbox, and click “Save”.

  • Customers requiring access to all packet data should investigate the use of the Vectra Stream or Recall products. These products extract metadata from the packets and save this data for longer periods, avoiding the burden of saving, indexing, and searching full packet data while maintaining a high-quality metadata source.

  • Where the customer has disabled PCAP capture, or where a PCAP is not available for any of the other reasons listed above, the system automatically greys out the download button for the PCAP file.
