Hi
I use Firepower at work, and security events are fed into Splunk. From there we have set up an Event Actions Workflow (visible within any event), and I can click on the custom text "Get PCAP Text", and an API call, I believe, is made to Firepower to pull back the trigger PCAP in text-based format.
Is there a max time setting for how long these trigger PCAPs can be stored on the device? It is currently set to 2.5 days, so if there is an event older than 2.5 days, I can't rely on the trigger PCAPs straight out of Firepower to assist in making a determination.
Does anyone know what the max setting is or any other way around this?