NetWitness Community

DanielSpier · ‎2024-06-13

In this video, you'll learn how to interact with NetWitness core services and Respond via the API. Having programmatic access to your organization's raw data can enable automation of common or complex tasks to save time and address security challenges.

Links

1:15	NetWitness Training	https://community.netwitness.com/t5/netwitness-xdr-training/tkb-p/netwitness-xdr
1:15	Mozilla HTTP Training	https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages
1:15	curl Manual	https://github.com/curl/curl/blob/master/docs/MANUAL.md
5:02	Postman for NetWitness	https://community.netwitness.com/t5/netwitness-community-blog/postman-for-netwitness/ba-p/519615
5:18	Additional API Videos	https://www.youtube.com/@SecuredByRSA/videos
7:30	jq Utility	https://jqlang.github.io/jq/tutorial/
11:39	NetWitness Core Services API Guide	https://community.netwitness.com/t5/netwitness-platform-online/core-services-api-guide-for-11-7/ta-p/655327
13:32	CyberChef	https://gchq.github.io/CyberChef/#recipe=URL_Decode()
17:04	NetWitness nwconsole User Guide	https://community.netwitness.com/t5/netwitness-platform-online/nwconsole-user-guide-for-12-4/ta-p/709380
29:16	Postman for NetWitness	https://community.netwitness.com/t5/netwitness-community-blog/postman-for-netwitness/ba-p/519615

Timestamps

0:55	Introduction and Setup
5:31	Core Services Call Formatting
11:30	Core Services URL Encoding
14:11	SDK Call Intro
15:11	SDK-Packets
15:53	SDK-Content
17:40	SDK-Query
24:00	SDK-Values
26:41	SDK-Session
28:43	NW API (Respond) - Setup
32:26	NW API (Respond) - Workflow
35:00	NW API (Respond) - Data Handling
38:37	Summary

Sample Calls

SDK-Packets

curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk/packets?msg=packets&render=application/json&where=medium=32%26%26direction="inbound"%26%26time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"' > out.json

SDK-Content

curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk/content?msg=content&force-content-type=application/json&session=19&render=session-meta-file-list-json'

SDK-Query

No Aggregation:

curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=query&force-content-type=text/plain&size=12&query=select+org.dst,ip.dst+where+time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"%26%26org.dst+exists%26%26direction="outbound"'

With Aggregation:

curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=query&force-content-type=text/plain&size=10000&query=select+count(medium)+where+time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"%26%26org.dst+exists%26%26direction="outbound"%26%26org.dst="Google","Microsoft+Azure"+group+by+org.dst,ip.dst+order+by+count(medium)+DESC'

SDK-Values

curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=values&force-content-type=text/plain&fieldName=org.dst&flags=sessions,sort-total,descending&size=10&where=medium=1%26%26time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"'

SDK-Session

curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=session&force-content-type=text/plain&id1=617505&id2=617505'

EricSchwartz · ‎2024-06-13

Thank you for sharing.

J_Kerwin · ‎2024-07-03

Will there be a follow up on the Endpoint API?

DanielSpier · ‎2024-07-03

@J_Kerwin Not from me since my role is mostly focused in the NDR space. However, Josh has a few videos on Endpoint which might be helpful if you haven't seen them yet. Here's the first one: https://www.youtube.com/watch?v=NDaDkYiOCCY