Analyze Docs

workflows

Analysis Workflows — PacketPilot Analyze

Creating a New Case

Via Web UI

  1. Log in to the Analyze web UI at http://localhost:3000
  2. Click New Case in the sidebar
  3. Enter a case name (e.g. Core-Switch-2025-05-10)
  4. Optionally tag the case with a device name or site
  5. Click Create

The case opens. Now upload artifacts.


Uploading Artifacts

Supported File Types

| Type | Extension | Notes | |------|----------|-------| | Packet capture | .pcap, .pcapng | Standard libpcap format | | NetFlow | .nfcapd, .flow | v5/v9 supported | | Syslog | .log, .txt | Plain-text syslog exports | | JSON findings | .json | Exported from Config |

Upload via Web UI

  1. Open a case
  2. Click Upload Artifact
  3. Drag files or click to browse
  4. Select one or more files
  5. Click Upload

Each file appears as a card in the case. You can upload multiple files per case.


Running Analysis

After uploading artifacts:

  1. Click Analyze in the case toolbar
  2. Analyze runs deterministic rules against all uploaded artifacts
  3. Findings appear in the Findings tab
  4. AI explanation appears in the AI Summary tab

What Happens During Analysis

Artifacts → Deterministic Rules → Findings + Severity
                          ↓
                    Ollama (local AI)
                          ↓
                    Plain-English Summary

The AI explanation is generated from the findings with the highest severity. Lower-severity findings are included but not individually explained unless there is capacity.


Understanding Findings

Findings are structured results from deterministic rules. Each finding has:

  • Rule ID — identifier for the rule that fired
  • Severity — Critical / High / Medium / Low / Info
  • Title — short description (e.g. "SNMP community string in plaintext")
  • Description — what the rule detected
  • Evidence — the specific packet or log line that triggered the rule
  • NIST/CIS mapping — which standard the finding relates to

Severity Definitions

| Severity | Meaning | |----------|---------| | Critical | Immediate security risk (e.g. plaintext password in capture) | | High | Significant vulnerability or misconfiguration | | Medium | Moderate risk, investigation recommended | | Low | Minor deviation from best practice | | Info | Informational, no immediate action needed |

Filtering Findings

Use the filter bar above the findings list to filter by:

  • Severity level
  • Artifact source
  • NIST/CIS category
  • Rule ID

AI Summary

The AI Summary tab shows a plain-English explanation of the most significant findings.

It includes:

  • What happened — what the data shows
  • Likely cause — why this might be occurring
  • What to check — concrete next steps
  • Confidence — Low / Medium / High

Note: AI explanations are generated by Ollama running locally inside the Docker stack. No data is sent to any external service.

Re-generating the AI Summary

If you upload additional artifacts or the findings change, click Re-analyze to regenerate the AI summary.


Exporting a Case

PDF Report

Click Export PDF in the case toolbar. The report includes:

  • Case metadata (name, date, device tags)
  • All findings grouped by severity
  • AI summary
  • Artifact list

JSON Export

Click Export JSON to download a structured export of:

  • Case metadata
  • All findings with full evidence
  • AI summary text

This format is suitable for integration with ticketing systems or SIEM tools.


Importing Config Findings

If you use PacketPilot Config, you can import findings directly:

  1. In Config: right-click a device → Export Findings → JSON
  2. In Analyze: open a case → Upload Artifact → select the JSON file
  3. Click Analyze

The JSON format from Config maps directly to Analyze's finding schema.


Case Management

Searching Cases

Use the search bar in the Cases list to search by:

  • Case name
  • Device tag
  • Date range

Case Tags

Add tags to cases to organize them by site, device, or incident type. Tags are free-form text. Click the tag icon on any case to add or edit tags.

Deleting a Case

Open a case and click Delete Case in the top-right menu. This removes the case and all its artifacts permanently. This action cannot be undone.


REST API Workflows

Analyze also exposes a REST API for programmatic use.

Base URL

http://localhost:8000/api

Authentication

All API calls require a Bearer token. Generate a token in the web UI at Settings → API Tokens.

Key Endpoints

| Method | Endpoint | Description | |--------|----------|-------------| | GET | /api/cases | List all cases | | POST | /api/cases | Create a new case | | GET | /api/cases/{id} | Get case details | | POST | /api/cases/{id}/artifacts | Upload artifact to case | | POST | /api/cases/{id}/analyze | Trigger analysis | | GET | /api/cases/{id}/findings | Get findings | | GET | /api/cases/{id}/report | Get PDF report |

Example: Upload and Analyze via API

# Create case
CASE=$(curl -s -X POST http://localhost:8000/api/cases \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Core-Router-01", "tags": ["core", "router"]}')
CASE_ID=$(echo $CASE | jq -r '.id')

# Upload artifact
curl -s -X POST "http://localhost:8000/api/cases/$CASE_ID/artifacts" \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@capture.pcap"

# Trigger analysis
curl -s -X POST "http://localhost:8000/api/cases/$CASE_ID/analyze" \
  -H "Authorization: Bearer $TOKEN"

# Get findings
curl -s "http://localhost:8000/api/cases/$CASE_ID/findings" \
  -H "Authorization: Bearer $TOKEN"

Full API documentation is available at http://localhost:8000/docs (Swagger UI).