Instructions

Install dependencies: pip install requests
Configure Arkime viewer URL and credentials.
Run the agent to query Arkime sessions and analyze traffic:

Search sessions by IP, port, protocol, or expression
Download PCAP data for forensic analysis
Detect C2 beaconing via connection interval analysis
Identify DNS tunneling through query length statistics
Flag connections to known-bad TLS certificate issuers

python scripts/agent.py --arkime-url https://arkime.local:8005 --user admin --password secret --output arkime_report.json

Examples

Beaconing Detection

Source: 10.1.2.50 -> 185.220.101.34:443
Sessions: 288 over 24 hours
Avg interval: 300s, Jitter: 4.2%
Verdict: HIGH confidence C2 beaconing (jitter < 5%)

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.6 (System Boundaries), CC6.7 (Restriction on Transmission)
ISO 27001: A.13.1 (Network Security), A.13.2 (Information Transfer)
NIST 800-53: SC-7 (Boundary Protection), AC-17 (Remote Access), SI-4 (System Monitoring)
NIST CSF: PR.AC (Access Control), PR.PT (Protective Technology)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add implementing-network-traffic-analysis-with-arkime

# Or load dynamically via MCP
grc.load_skill("implementing-network-traffic-analysis-with-arkime")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Instructions

Install dependencies: pip install requests
Configure Arkime viewer URL and credentials.
Run the agent to query Arkime sessions and analyze traffic:

Search sessions by IP, port, protocol, or expression
Download PCAP data for forensic analysis
Detect C2 beaconing via connection interval analysis
Identify DNS tunneling through query length statistics
Flag connections to known-bad TLS certificate issuers

python scripts/agent.py --arkime-url https://arkime.local:8005 --user admin --password secret --output arkime_report.json

Examples

Beaconing Detection

Source: 10.1.2.50 -> 185.220.101.34:443
Sessions: 288 over 24 hours
Avg interval: 300s, Jitter: 4.2%
Verdict: HIGH confidence C2 beaconing (jitter < 5%)

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.6 (System Boundaries), CC6.7 (Restriction on Transmission)
ISO 27001: A.13.1 (Network Security), A.13.2 (Information Transfer)
NIST 800-53: SC-7 (Boundary Protection), AC-17 (Remote Access), SI-4 (System Monitoring)
NIST CSF: PR.AC (Access Control), PR.PT (Protective Technology)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add implementing-network-traffic-analysis-with-arkime

# Or load dynamically via MCP
grc.load_skill("implementing-network-traffic-analysis-with-arkime")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Implementing Network Traffic Analysis with Arkime

Instructions

Examples

Beaconing Detection

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Analyzing Network Flow Data with NetFlow

Analyzing Network Packets with Scapy

Analyzing Network Traffic with Wireshark

Conducting Man in the Middle Attack Simulation

Configuring Network Segmentation with Vlans

Configuring Pfsense Firewall Rules

Implementing Network Traffic Analysis with Arkime

Instructions

Examples

Beaconing Detection

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Analyzing Network Flow Data with NetFlow

Analyzing Network Packets with Scapy

Analyzing Network Traffic with Wireshark

Conducting Man in the Middle Attack Simulation

Configuring Network Segmentation with Vlans

Configuring Pfsense Firewall Rules